Apparatus and method for programmably and flexibly assigning...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate

active

06460139

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to computer system security and, more particularly, to an apparatus and method for assigning passwords to various devices of a computer system and programmably altering that assignment to impart flexibility in the locking and unlocking of those devices with different levels of password security.
2. Description of the Related Art
Securing a computer system involves preventing unauthorized access to sensitive data and/or instructions contained within various hardware resources attributed to that system. The terms “instructions” and “data” refer generically to all forms of electronic information, including data entries and files created by the instructions as well as the executable instructions themselves.
Typically a computer system will include a plurality of hardware resources, henceforth referred to as “devices.” A group or set of devices may contain sensitive information and therefore must be periodically secured. Alternatively, a device may be an electromechanical mechanism, such as a latch, which prevents unauthorized access to the interior of the computer chassis. Thus, a device is interchangeably referred to as a hardware resource that either contains sensitive information or provides a gateway, or securement, to that information. One form of securement involves a technique known as “password matching.”
Upon reset or boot-up of the computer system, a password stored within non-volatile memory will be entered into volatile memory proximate to a comparator. The previously stored password can then be compared against a user-entered password to determine if the user is allowed access. Typically, the volatile memory which receives the previously stored password, as well as a comparator locally linked to the volatile memory, are contained in what is often referred to as a “black box”. Description of a black box security device is generally set forth in U.S. Pat. No. 5,748,888 (herein incorporated by reference).
The password stored in non-volatile memory, and loaded into the black box during boot-up, is derived from either a battery-backed CMOS static RAM memory, electrically programmable or electrically erasable non-volatile memory (i.e., EEPROM, EEROM or Flash ROM). The non-volatile memory is generally contained within a device linked to a peripheral bus of a computer system. During boot-up operation, the computer Basic Input Output System (BIOS) will load the stored password from non-volatile memory into the black box where it can then be compared against a user-entered password. If a match occurs, then an unlock signal can be forwarded from the black box across a conductor or “slot”.
A black box security device may be configured to receive multiple stored passwords and therefore can match multiple user-entered passwords against the stored passwords. In this fashion a black box may serve to compare respective dissimilar pairs of stored and user-entered passwords. This allows a user to enter a first password to gain access to only his or her computer, whereas a system administrator can enter a second password mutual to numerous computers across, for example, a network of computers.
Each slot of a black box may therefore be attributed to the comparison result of a previously stored and currently entered password. Since multiple stored and entered passwords can exist, multiple slots occur, each indicating either a lock or unlock signal status for a respective matched password pair.
Conventional black box security systems hardwire the slot output to various securable devices. More specifically, a first slot output from the black box is routed to, for example, a first set of devices and a second slot is routed to a second set of devices. Unfortunately, hardwiring or fixing a connection from a slot to a respective group of devices does not allow a system administrator flexibility to change the slot assignments.
It would be desirable to introduce a computer system which can programmably map a slot output from a black box to various securable devices. The system administrator can thereafter programmably modify the slot mapping assignments to impart flexibility on who should be granted access to various peripheral devices. This gives the system administrator the benefit of allowing or disallowing select individuals or groups from accessing, and thereby modifying, any secured device attributed to a computer system.
SUMMARY OF THE INVENTION
The problems outlined above are in large part solved by an improved computer security system hereof. The security system encompasses a volatile memory medium. According to one embodiment, the security system includes a slot assignment register which receives the hardwired slot outputs from the black box and re-routes that output, i.e., maps that output to various devices requiring security. The slot assignment register contains multiple fields, each having a series of bits which can be programmed by the system administrator once that administrator is given access.
Each field of the slot assignment register is assigned to a particular securable device. The field can be programmed to accept one of the various slots emanating from the black box, or possibly a subset of slots. Still further, the fields can be programmed to possibly accept no black box protection whatsoever. The number of bits within each field corresponds to possibly the number of slots accommodated by the black box and/or possibly the number of slot combinations which the device assigned to the field will accept.
In order to account for a hierarchical or prioritized slot assignment, an encoder (or logic unit) may be coupled between the volatile memory and the slot assignment register. The encoder may serve to encode various groupings of slot signals and place the encoded output on a field entry within the slot assignment register programmed to receive the coded slot. For example, the encoder may recognize a priority of slot 2 being higher than slot 0 or slot 1. In this manner, the encoder will forward an unlocked signal of slot 2 to all fields programmed to either slot 1 or slot 0, as well as to all fields programmed to slot 2. This allows a system administrator unlock signal on the higher priority slot 2 to unlock devices assigned to slots 0, 1, and 2. In this example, a system administrator having the highest password security can unlock all securable devices. However, a lower prioritized user of a particular computer or workstation will only be allowed access to a subset of securable devices on his or her computer but not all devices of his or her computer.
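As an added illustration (not code from the patent), the following C model shows the slot assignment register and the slot-2 priority encoder described above. The 2-bit field width, the value 3 for "no protection", the device names, and the rule that only an open slot 2 may reprogram the register are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#define NUM_SLOTS  3    /* slots 0..2, as in the example above */
#define FIELD_BITS 2    /* assumed width: one 2-bit field per device */
#define FIELD_MASK 0x3u
#define FIELD_NONE 3u   /* assumed encoding: no black box protection */
#define ADMIN_SLOT 2u   /* the administrator's slot in the example above */
/* Hypothetical securable devices; each owns one field of the register. */
enum { DEV_FLASH_ROM, DEV_HARD_DISK, DEV_CHASSIS_LATCH, DEV_SERIAL_PORT, NUM_DEVICES };
/* Encoder table: a match on slot s opens fields programmed to any slot in
 * forward_to[s]. Slot 2 also opens fields programmed to slot 0 or slot 1. */
static const uint8_t forward_to[NUM_SLOTS] = { 0x1, 0x2, 0x7 };
/* slot_unlock: bit s set means slot s matched its stored password. */
static uint8_t encode_slots(uint8_t slot_unlock)
{
    uint8_t effective = 0;
    for (unsigned s = 0; s < NUM_SLOTS; s++)
        if (slot_unlock & (1u << s))
            effective |= forward_to[s];
    return effective;
}

/* Program one device field; refused unless the administrator slot is open.
 * An all-zero register maps every device to slot 0, so reset fails closed. */
static uint8_t sar_program(uint8_t reg, uint8_t slot_unlock, unsigned dev, unsigned slot)
{
    if (dev >= NUM_DEVICES || slot > FIELD_NONE || !(slot_unlock & (1u << ADMIN_SLOT)))
        return reg;
    unsigned shift = dev * FIELD_BITS;
    return (uint8_t)((reg & ~(FIELD_MASK << shift)) | (slot << shift));
}

/* Bitmask of devices (bit d = device d) unlocked for the given slot state. */
static uint8_t unlocked_devices(uint8_t reg, uint8_t slot_unlock)
{
    uint8_t effective = encode_slots(slot_unlock), out = 0;
    for (unsigned d = 0; d < NUM_DEVICES; d++) {
        unsigned field = (reg >> (d * FIELD_BITS)) & FIELD_MASK;
        if (field == FIELD_NONE || (effective & (1u << field)))
            out |= (uint8_t)(1u << d);
    }
    return out;
}

int main(void)
{
    uint8_t reg = sar_program(0, 1u << ADMIN_SLOT, DEV_FLASH_ROM, ADMIN_SLOT);
    printf("user 0x%02x admin 0x%02x\n", unlocked_devices(reg, 0x1), unlocked_devices(reg, 0x4));
    return 0;
}
```

Reprogramming a single field with `sar_program` changes which password opens that device without touching the black box wiring, which is the flexibility the hardwired arrangement lacks.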
According to one embodiment, a computer system is provided incorporating a plurality of securable hardware devices. The computer system includes a keyboard and a storage unit operably coupled to the keyboard. The keyboard includes any device into which a user can enter data. Also, the password could simply be implemented as a hash, absent a black box, wherein the hash can be used to decrypt an entered password and compare the decrypted results with the previously stored data. The storage unit is adapted to produce an unlocked signal upon an output conductor of the storage unit if a stored password within the storage unit favorably compares with a password entered upon the keyboard. A register is operably coupled to the storage unit to direct the unlock signal to a first set of the plurality of hardware devices during a first time and to direct the unlock signal to a second set of the plurality of hardware devices partially dissimilar from the first set during a second time subsequent to the first time. In this manner the register is programmable to alter the mapping of the unlock signal from one hardware device to another. The register may be further coupled to direct another unlock signal upon another output conductor (or slot) of the storage unit to the first set of the plurality of hardware devices during the first time. In this manner, two or more slots, and associated unlock signals can be mapped to the same set
