Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
2001-02-26
2004-11-23
Peeso, Thomas R. (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S600000, C713S600000, C713S600000, C713S600000
Reexamination Certificate
active
06823464
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Technical Field
The present invention generally relates to remote management of data processing systems and in particular to remote management extending to “hard-locked” security information for a data processing system. Still more particularly, the present invention relates to permitting a remote entity to change “hard-locked” security data after correct authentication without compromising security.
2. Description of the Related Art
Critical security information, including passwords, boot sequences, security options, and the like, are frequently kept within a data processing system in a nonvolatile storage device which can be locked down “hard” (i.e., requiring a reset to unlock) prior to the operating system load, thereby effectively hiding the information during operation of the data processing system to prevent unauthorized access to this information. The information is therefore accessible only during startup of the data processing system (i.e., the “pre-boot” environment), and usually is only available to selected, trusted routines within the power on self test (POST) basic input/output system (BIOS). The information is not accessible at run time or anytime after the operating system begins loading, which protects the information from an unauthorized attack (e.g., a virus).
However, this treatment of the security information also prevents remote access by authorized users since there exists no completely secure method to identify the authorized user or to restrict access to the security information to only an authorized user. For complete remote manageability of a data processing system, remote access to the security data, including the ability to change the security data, is required. Currently, the only way to allow such remote access to the security data is to leave the data unprotected and allow configuration utilities to access the security information after booting of the operating system. The data processing system user is thus required to choose between a highly secure system with local maintenance or a remote maintenance strategy with less security.
It would be desirable, therefore, to permit remote access of critical information for the purpose of remote maintenance without compromising the security of such information, and to allow a remote entity to change the security data upon correct authentication.
SUMMARY OF THE INVENTION
It is therefore one object of the present invention to provide improved remote management of data processing systems.
It is another object of the present invention to provide remote management of data processing systems extending to “hard-locked” security information for a data processing system.
It is yet another object of the present invention to provide a mechanism permitting a remote entity to change “hard-locked” security data after correct authentication without compromising security.
The foregoing objects are achieved as is now described. Authentication of an entity remotely managing a data processing system is enabled to allow changes by the remote entity to hard-locked critical security information normally accessible only during the POST and only to trusted entities such as the system BIOS. The remote entity builds a change request and generates a hash from the change request with a current password appended. The change request and the hash are stored in a lockable non-volatile buffer which, once locked, requires a system reset to access. During the next POST, a trusted entity such as the system BIOS reads the change request, generates an authentication hash from the change request and the current password within the hard-locked security information, and compares the buffered hash with the generated hash. If a match is determined, the security information is updated; otherwise a tamper error is reported.
The above as well as additional objectives, features, and advantages of the present invention will become apparent in the following detailed written description.
REFERENCES:
patent: 5444850 (1995-08-01), Chang
patent: 5719941 (1998-02-01), Swift et al.
patent: 5757920 (1998-05-01), Misra et al.
patent: 5859911 (1999-01-01), Angelo et al.
patent: 5940508 (1999-08-01), Long et al.
patent: 5944821 (1999-08-01), Angelo
patent: 5953422 (1999-09-01), Angelo et al.
patent: 5963142 (1999-10-01), Zinsky et al.
Cromer Daryl Carvis
Freeman Joseph Wayne
Goodman Steven Dale
Springfield Randall Scott
Ward James Peter
Dillon & Yudell LLP
Grosser George E.
Peeso Thomas R.
LandOfFree
Method of providing enhanced security in a remotely managed... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method of providing enhanced security in a remotely managed..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method of providing enhanced security in a remotely managed... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3284335