Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-11-20
2003-01-21
Hayes, Gail (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C710S120000, C710S100000, C710S120000
Reexamination Certificate
active
06510522
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to computer system security and, more particularly, to an apparatus and method for securing against accessing a securable slave device (or address range within the slave device) coupled to an I2C bus.
2. Description of the Related Art
Securing a computer system involves preventing unauthorized access to sensitive data and/or instructions contained within various hardware resources attributed to that system. The terms “instructions” and “data” refer generically to all forms of electronic information, including data entries and files created by the instructions as well as the executable instructions themselves.
Typically a computer system will include a plurality of hardware resources, henceforth referred to as “devices.” A group or set of devices may contain sensitive information and therefore must be periodically secured. Alternatively, a device may be an electromechanical mechanism, such as a latch, which prevents unauthorized access to the interior of the computer chassis. Thus, the device is interchangeably referred to as a hardware resource which either contains sensitive information or provides a gateway, or securement, to that information. One form of securement involves a technique known as “password matching.”
Upon reset or boot-up of the computer system, a password stored within non-volatile memory will be entered into volatile memory proximate to a comparator. The previously stored password can then be compared against a user-entered password to determine if the user is allowed access. Typically, the volatile memory which receives the previously stored password, as well as a comparator locally linked to the volatile memory, are contained in what is often referred to as a “black box”. Description of a black box security device is generally set forth in U.S. Pat. No. 5,748,888 (herein incorporated by reference).
The password stored in non-volatile memory, and loaded into the black box, is derived from various non-volatile resources. For example, the password can be derived from electrically erasable ROM (EEROM) coupled to a specially designed bi-directional two wire bus, often referred to as the inter integrated circuit (or “I2C”) bus. The I2C bus is generally well-known and is set forth, for example, in numerous publications of Philips Semiconductor Corporation. General purpose circuits, such as liquid crystal display drivers, remote I/O ports, microcontrollers, RAM, and EEROM/EEPROM, can be connected to an I2C bus. The basic protocol and bus specification is described in numerous articles, some of which define electrically erasable or electrically erasable and programmable ROMs coupled to the I2C bus, and containing passwords which are maintained even though power to the computer system is terminated.
Depending on the number of passwords stored in non-volatile memory and then loaded into the black box, at least one comparison can be carried forth. In this fashion, a black box may serve to compare multiple stored passwords against multiple user-entered passwords, the result of each compare being placed on a corresponding conductor or “slot” as a lock or unlock signal. The intent of storing multiple passwords and comparing against those passwords is to provide a hierarchical structure of security. For example, a user may enter a password to gain access to only his or her computer, whereas a system administrator can enter a password mutual to numerous computers across, for example, a network of computers.
Storage of multiple passwords within a non-volatile media connected to an I2C bus presents numerous challenges. Firstly, an I2C bus is typically not securable and therefore can be accessed by undesired personnel. Secondly, once accessed, passwords (or any other information requiring security) that are stored in an I2C memory device can be quickly ascertained, thus allowing an unwanted “hacker” to match his or her input to that sensitive information and obviate the security and integrity of not only that computer, but many other computers networked thereto. As defined hereinbelow, the term “password” encompasses any and all types of sensitive information and extends beyond the normal definition of a password in general.
If the boot-up operation involves the Basic Input Output System (“BIOS”) loading a stored password (or passwords) from an I2C non-volatile memory, measures must be taken to protect against improper access to that memory. In addition, if a device other than memory is coupled to the I2C bus and contains sensitive information, that device along with memory must be maintained securable. Thus, not only must memory coupled to the I2C bus be securable, but the I2C bus in general must be securable since other non-memory devices may also contain sensitive information. Still further, measures must be taken to account for multiple passwords stored in separate and distinct regions of the I2C non-volatile memory. Securing one area separate from another will ensure certain passwords will be protected separate from others, and that the potential hierarchical status of those passwords is maintained depending on a particular user seeking access. Thus, while it would be desirable to allow a system administrator access to all areas within I2C non-volatile memory, a single computer user on the system administrator's network may be granted access to only a portion (i.e., one password) of the entire non-volatile memory space. Securing an I2C bus, various I2C devices (including non-volatile memory), and select portions of an I2C non-volatile memory would prove highly desirable if passwords or other sensitive information are contained upon a specific I2C bus, within an I2C device, or within a portion of an I2C device.
SUMMARY OF THE INVENTION
The problems outlined above are in large part solved by an improved computer security system hereof. The security system encompasses at least one I2C bus and multiple I2C devices connected thereto. Securing those devices is achieved by placing security components within a southbridge of the computer system, or any device within the I2C engine. The southbridge includes a black box having multiple slot outputs, each of which may carry a lock or unlock signal depending on whether comparison of the stored password corresponds with a respective user-entered password. The lock or unlock signal can then be assigned via a slot assignment register to a particular device coupled upon the I2C bus. For example, one slot may be assigned or mapped to a particular I2C device, whereas another slot may be assigned to another I2C device. Yet further, one slot may be assigned to a particular portion of an I2C non-volatile memory device, separate from another slot assigned to an altogether different portion of the same I2C non-volatile memory device.
In addition to the black box and the slot assignment register, the southbridge may also include an I2C controller. The controller contains at least one security mapping register. That register includes fields which have been programmed with I2C slave addresses that are securable, and are also programmed with a word address range that is securable within each of the securable slave addresses. As such, an address of an I2C transaction issued from a processor will be compared against the secured slave addresses and secured word addresses stored within the security mapping registers. Comparison is carried forth in logic, interchangeably referred to as security control logic. If the incoming address matches the protected slave or word address and a corresponding unlock is issued from the slot assignment register, then access is granted to that protected device, or word address range within that device.
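The slot and mapping mechanism described in the two paragraphs above, and the hierarchical user/administrator passwords of the background section, as an added example in C that is not code from the patent or from Compaq. It models the black box slot outputs, a security mapping register table, and the security control logic decision for one incoming I2C transaction. The slave addresses, word ranges, passwords and slot assignments are constructed for illustration; listing one word range under two slots (so that either the user slot or the administrator slot unlocks it) is an assumption made here to show the hierarchy the background describes, not a detail taken from the patent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_SLOTS    2   /* black box slot outputs: 0 = user, 1 = administrator (constructed) */
#define PASSWORD_LEN 8

/* Black box model: stored passwords (loaded from non-volatile memory at boot)
   and one lock/unlock output per slot. */
typedef struct {
    uint8_t stored[NUM_SLOTS][PASSWORD_LEN];
    bool    unlocked[NUM_SLOTS];   /* true = unlock signal present on that slot */
} black_box_t;

/* One security mapping register entry: a securable I2C slave address, the word
   address range protected within it, and the slot whose unlock gates access. */
typedef struct {
    uint8_t  slave_addr;   /* 7-bit I2C slave address */
    uint16_t word_lo;      /* first protected word address (inclusive) */
    uint16_t word_hi;      /* last protected word address (inclusive) */
    int      slot;         /* slot assignment register value for this range */
} security_map_t;

/* Compare every byte regardless of where the first mismatch occurs, so the
   compare itself does not reveal how many leading bytes matched. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Black box compare: drive the slot output to unlock only on an exact match. */
void black_box_compare(black_box_t *bb, int slot, const uint8_t *entered) {
    if (slot < 0 || slot >= NUM_SLOTS) return;
    bb->unlocked[slot] = ct_equal(bb->stored[slot], entered, PASSWORD_LEN);
}

/* Security control logic: may an I2C transaction to (slave, word) proceed?
   An address covered by no mapping entry is not securable and passes. An
   address covered by one or more entries passes only if at least one of the
   slots assigned to it currently carries an unlock signal. */
bool i2c_access_allowed(const security_map_t *map, size_t n_map,
                        const black_box_t *bb, uint8_t slave, uint16_t word) {
    bool mapped = false;
    for (size_t i = 0; i < n_map; i++) {
        const security_map_t *m = &map[i];
        if (m->slave_addr != slave || word < m->word_lo || word > m->word_hi) continue;
        mapped = true;
        if (m->slot >= 0 && m->slot < NUM_SLOTS && bb->unlocked[m->slot]) return true;
    }
    return !mapped;
}

/* Constructed scenario (not from the patent): one EEPROM at slave 0x50 with a
   user region (words 0x00-0x0F) and an administrator region (0x10-0x1F), plus a
   second securable device at slave 0x48. The user region is listed twice so that
   either the user slot or the administrator slot unlocks it; that is how the
   administrator reaches all areas while the user reaches only a portion. */
static const security_map_t MAP[] = {
    { 0x50, 0x0000, 0x000F, 0 },
    { 0x50, 0x0000, 0x000F, 1 },
    { 0x50, 0x0010, 0x001F, 1 },
    { 0x48, 0x0000, 0xFFFF, 1 },
};
#define NUM_MAPPINGS (sizeof MAP / sizeof MAP[0])

static const uint8_t USER_PW[PASSWORD_LEN]  = { 'u','s','e','r','-','p','w','1' };
static const uint8_t ADMIN_PW[PASSWORD_LEN] = { 'a','d','m','i','n','-','p','w' };
static const uint8_t WRONG_PW[PASSWORD_LEN] = { 'g','u','e','s','s','-','-','-' };

/* Runs one access pattern and returns a bitmask of the transactions granted:
   bit 0 = user region, bit 1 = admin region, bit 2 = device 0x48,
   bit 3 = an unmapped word (0x40) of the EEPROM, which is never secured.
   role: 0 = nothing entered, 1 = user password, 2 = admin password, 3 = wrong password. */
int scenario(int role) {
    black_box_t bb = { { {0} }, { false } };
    for (size_t i = 0; i < PASSWORD_LEN; i++) {
        bb.stored[0][i] = USER_PW[i];   /* as loaded from non-volatile memory at boot */
        bb.stored[1][i] = ADMIN_PW[i];
    }
    if (role == 1) black_box_compare(&bb, 0, USER_PW);
    if (role == 2) black_box_compare(&bb, 1, ADMIN_PW);
    if (role == 3) black_box_compare(&bb, 0, WRONG_PW);   /* slot 0 stays locked */

    int granted = 0;
    if (i2c_access_allowed(MAP, NUM_MAPPINGS, &bb, 0x50, 0x0003)) granted |= 1;
    if (i2c_access_allowed(MAP, NUM_MAPPINGS, &bb, 0x50, 0x0012)) granted |= 2;
    if (i2c_access_allowed(MAP, NUM_MAPPINGS, &bb, 0x48, 0x0001)) granted |= 4;
    if (i2c_access_allowed(MAP, NUM_MAPPINGS, &bb, 0x50, 0x0040)) granted |= 8;
    return granted;
}

int main(void) {
    printf("no password: 0x%x\nuser: 0x%x\nadmin: 0x%x\nwrong: 0x%x\n",
           scenario(0), scenario(1), scenario(2), scenario(3));
    return 0;
}
```

With nothing entered only the unmapped word passes; the user password opens the user region alone; the administrator password opens every mapped range; a wrong entry leaves its slot locked and grants nothing beyond the unmapped word. The decision is made entirely from the slot outputs and the mapping table, so the entered password never has to leave the black box to reach the bus.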
The keyboard includes any device into which a user can enter data. Also, the password could simply be implemented as a hash, absent a black box, wherein the hash can be used to decrypt an entered password and compare the decrypted results with the previously stor
Heinrich David F.
Le Hung Q.
Rawlins Paul B.
Stancil Charles J.
Compaq Information Technologies Group L.P.
Conley & Rose & Tayon P.C.
Daffer Kevin L.
Ha Leynna
Hayes Gail