Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-03-25
2001-03-06
Hua, Ly V. (Department: 2785)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S152000, C380S001000
Reexamination Certificate
active
06199167
ABSTRACT:
BACKGROUND AND SUMMARY OF THE INVENTION
This application is related to computer systems and security passwords.
Computer Passwords
The widespread commercial use of computers in society today has generated a market for a number of security schemes to ensure that access to data and hardware are protected against unauthorized access and theft. The most common method for restricting access to systems is with the use of passwords. However, current methods of password security are susceptible to password-interception by snooping keystrokes as they are entered into memory. In this context, snooping may be defined as the unauthorized interception of information, as it is being transmitted from one process or component to another by a third process or component. Snooping may occur by using software applications designed specifically for capturing or displaying memory data (e.g. hacking programs), or perhaps by connecting electronic equipment which may read and interpret bus or port digital traffic. CMOS-based passwords, in extensive use in computer systems, can be snooped. In many computing systems, a user may define a start-up password which may restrict operation of the machine and is stored in nonvolatile memory such as flash or EEPROM. The comparison of the user input password and the predefined password may occur in unprotected memory which may be snooped. Moreover, passwords stored in CMOS memory can be easily defeated by simply removing the battery supplying the voltage to the CMOS memory.
Another approach applied to enhance system security uses System Management Mode (“SMM”) to let the microprocessor perform functions independent of the operating system environment, or the operating mode. See U.S. patent application Ser. No. 08/693,458, filed Aug. 7, 1996, A Method and Apparatus for Secure Execution of Software (Compaq application number P1097), hereby incorporated by reference. SMM may be used to protect a hard disk from viruses. However, some viruses may capture a password in memory before it is overwritten with other data. Therefore, if SMM password security has been breached, virus protection may not be able to be implemented. Additionally, future systems may not incorporate SMM, thereby requiring a change in design to restore security features.
Hash Functions
Alternative methods of password protection include the use of “hash” functions. Hash functions have been used in computer science for some time. A hash function is a function that takes a variable-length input string (called a “pre-image”) and converts it to a fixed-length (generally smaller) output string (called a “hash value”). A simple hash function would be a function that takes the pre-image and returns a byte consisting of the logical XOR of all the input bytes. However, a hash function is public; there is no secrecy to the process. Given a particular byte value, it is trivial to generate a string of bytes whose XOR is that value. The point here is to fingerprint the pre-image: to produce a value that indicates whether a candidate pre-image is likely to be the same as the image. Because hash functions are typically many-to-one, they cannot be used to determine with certainty that the two strings are equal, but can be used to get a reasonable assurance of accuracy.
Microprocessor Support Chipsets
The CPU normally requires a number of support chips to handle buffering of data from memory, interfacing to legacy architectures, and caching and bus arbitration. These functions are managed by custom-designed chipsets which perform a “bridging” function. More specifically, a bridging device may provide a connection between two independent buses.
FIG. 1
shows a typical design where bridging occurs between the host processor bus
122
and the PCI bus
104
, between the PCI bus
104
and a standard expansion bus
106
(such as ISA or EISA), and between two PCI buses,
102
and
104
. For example, a host/PCI bridge
108
may take various actions based upon an action initiated by the CPU
126
; if the CPU is performing a main memory read/write, the bridge
108
takes no action; if the CPU is targeting a device memory located on a bus behind the bridge, the bridge
108
must act as a surrogate target of the CPU's transaction; if the CPU
126
accesses a PCI device configuration register, the bridge
108
must compare the target bus to the range of PCI buses that exist beyond the bridge, and initiate a transaction message based upon the location of the targeted bus. This particular rendition shows a multi-processor implementation using two processors,
126
and
128
.
One popular support chipset is the VL82C59x series designed by VLSI Technology. A function of the “south bridge”
112
(e.g. VLSI82C593 chip) is to provide bridging between, for example, an ISA bus
106
and the PCI bus
104
. The south bridge chip
112
may also bridge other bus architectures (such as USB and 1394) to the PCI bus
104
. An input controller
110
is shown connected to the south bridge chip
112
, by way of a bus
106
. A variety of input devices may be used to provide the user input; a smart card reader
114
, token reader
116
, a standard keyboard
118
, and other more sophisticated devices such as voice recognition and fingerprint readers
120
. A function of the “north bridge” chip
108
(e.g. VLSI 82C591 CPU system controller) is to provide bridging between a host microprocessor local bus
122
and the PCI bus
104
. The bridge
108
may also provide transaction translation in both directions. Lastly, a function of the data buffer
124
(e.g. VLSI 82C592) is to provide bridging between the host data bus
102
, system memory data bus
126
, and the PCI data bus
104
. Other popular support chipsets include, for example, Intel 440 and 430 series.
Architecture with Password-Checking Bridge
This application discloses a method for enabling secure password communications without exposing a password to snooping. It provides an enhancement to bridge chip features that allows the password to be checked in a more secure environment (the bridge chip) before any operation on the system side is enabled. This memory can be used, for example, to store passwords and enabler bits, such as bits to allow for flash or EISA configuration modifications, or even a “hoodlock” (which prevents anyone from opening the case without a password). This innovative design solves the issues surrounding secure communication of passwords to the system. It also enables several functions that previously required power-cycles in order to protect the transactions.
An advantage is that the innovative method eliminates access to the password by providing a dedicated environment in which the password is checked.
REFERENCES:
patent: 5377343 (1994-12-01), Yaezawa
patent: 5388156 (1995-02-01), Blackledge, Jr. et al.
patent: 5421006 (1995-05-01), Jablon et al.
patent: 5451934 (1995-09-01), Dawson et al.
patent: 5533125 (1996-07-01), Bensimon et al.
patent: 5537540 (1996-07-01), Miller et al.
patent: 5537544 (1996-07-01), Morisawa et al.
“PCI BUS Power Management Interface Specificaiton”, Version 1.0, Jun. 30, 1997, PCI Local BUS, 65 pages.
“Network PC System Design Guidelines”, by Compaq, Dell, Hewlett Packard, Intel and Microsoft Corp., Version 1.0b, Aug. 5, 1997, 144 pages.
U.S. Patent application Ser. No. 08/693,458 filed Aug. 7, 1996, P-1097, “Method and Apparatus for Secure Execution of Software”.
Collins, Robert, “Intel's System Management Mode”, url www.x86.org/ddj/Jan97/Jan97.html downloaded Nov. 5, 1997.
Greenleaf, Graham, “Privacy Implications of Digital Signatures”, url www/anu.au/people/Roger.Clarke/DV/DigSig.html, downloaded Nov. 5, 1997.
Angelo Michael F.
Heinrich David F.
Le Harry Q.
Waldorf Richard O.
Compaq Computer Corporation
Conley & Rose & Tayon P.C.
Hua Ly V.
LandOfFree
Computer architecture with password-checking bus bridge does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Computer architecture with password-checking bus bridge, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Computer architecture with password-checking bus bridge will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2482244