Method and system for providing limited-life...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C713S001000, C713S002000, C713S100000, C713S152000, C713S152000, C713S182000, C713S183000, C713S184000, C709S229000

active

06601175

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates in general to data processing and in particular to password protection of data processing systems. Still more particularly, the present invention relates to a method and system for providing password protection for data processing systems through the use of limited-use machine-specific passwords.
2. Description of the Related Art
A typical corporate environment includes a distributed collection of laptop and/or desktop computers that are each assigned to a particular user who is responsible for his or her computer. Even though the individual users are entrusted with “ownership” of their respective machines, the computers are all typically administered by a centralized administrative department. Frequently, the administrative department, prior to distribution of a computer to a user, initializes the computer with hardware settings, software configurations, and other critical parameters that it is desirable for the user not to alter. For this reason, in addition to conventional power-on passwords (POPs), such centrally administered computers can also have a secondary administrative password that must be entered into the computer before the critical settings of the computer can be changed. These administrative passwords are given to users only as needed, typically when the administrative department's help desk is assisting a user in rectifying a computer problem.
In order to enhance the security of administrative passwords, it is desirable for the administrative password of each computer in a collection of computers to be unique. However, the administrative password for a computer should not be related to the computer in a manner that permits the administrative password to be easily deduced. The first co-pending application referenced above describes a method and apparatus for establishing administrative passwords that satisfies these requirements by providing computer-specific administrative passwords that cannot easily be deduced from information known about the computer.
Despite the high level of administrative password security provided by the invention described in the first co-pending application referenced above, once a user has been given the administrative password for his computer, the user is thereafter able to reconfigure his computer at will. The present invention recognizes that it would also be desirable and useful to limit the ability of a user to reconfigure his computer once the user is informed of the administrative password for the computer.
SUMMARY OF THE INVENTION
The present invention satisfies the need to permit a user to have limited access to an administrative password that controls reconfiguration of a computer by providing a method and system for enforcing password protection of a computer system that limits reuse of an administrative password.
In accordance with the present invention, features of a data processing system, such as its configuration, are protected utilizing a machine-specific limited-life password. The data processing system includes execution resources for executing a watchdog program, a limited-life value generator, and non-volatile storage that stores a machine-specific value at least partially derived from relatively unique information associated with the data processing system. In response to each attempted access to the protected features of the data processing system, the watchdog program generates at least one machine-specific limited-life password from the machine-specific value and a limited-life value generated by the limited-life value generator. The watchdog program allows access to the protected features in response to entry of a valid machine-specific limited-life password and otherwise denies access. In accordance with the present invention, the limited-life value can represent a timestamp that limits the duration that the machine-specific limited-life value is valid or a nonce that limits the number of times that the machine-specific limited-life value can be used.
All objects, features, and advantages of the present invention will become apparent in the following detailed written description.
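The scheme summarized above can be sketched as follows. This is an added example, not code from the patent: the use of HMAC-SHA256, the one-hour window, the 10-character truncation and all names (`machine_value`, `derive_password`, `Watchdog`) are assumptions, and the serial number and secret used with it are constructed sample values.

```python
import hashlib
import hmac

WINDOW_SECONDS = 3600  # assumed lifetime of a timestamp-based password


def machine_value(serial: str, site_secret: bytes) -> bytes:
    """Machine-specific value held in non-volatile storage (assumed derivation)."""
    return hmac.new(site_secret, serial.encode(), hashlib.sha256).digest()


def derive_password(mvalue: bytes, mode: bytes, limited_life_value: int) -> str:
    """Mix the machine value with a limited-life value (time bucket or nonce).

    The mode label keeps a nonce password from doubling as a timed one.
    """
    msg = mode + b":" + limited_life_value.to_bytes(8, "big", signed=True)
    return hmac.new(mvalue, msg, hashlib.sha256).hexdigest()[:10]


class Watchdog:
    """Guards the protected settings; recomputes passwords on every attempt."""

    def __init__(self, mvalue: bytes, nonce: int = 0):
        self.mvalue = mvalue
        self.nonce = nonce  # on real hardware this lives in non-volatile storage

    def _match(self, entered: str, expected: str) -> bool:
        # Constant-time comparison; bytes avoid errors on non-ASCII input.
        return hmac.compare_digest(entered.encode(), expected.encode())

    def check_timed(self, entered: str, now: int) -> bool:
        bucket = now // WINDOW_SECONDS
        # Current and previous window are both valid, tolerating clock skew.
        results = [self._match(entered, derive_password(self.mvalue, b"time", b))
                   for b in (bucket, bucket - 1)]
        return any(results)

    def check_nonce(self, entered: str) -> bool:
        expected = derive_password(self.mvalue, b"nonce", self.nonce)
        if self._match(entered, expected):
            self.nonce += 1  # burn the nonce so the same password fails next time
            return True
        return False
```

The help desk runs `derive_password` with its own copy of the machine value and the current time bucket or the machine's reported nonce, then reads the result to the user.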


