System and method for providing temporary remote access to a...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate


Details

C709S219000, C709S203000, C709S237000, C713S150000, C380S259000, C235S382000

Reexamination Certificate

active

06449651

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to restricting access to computers and more particularly to a system and method for providing temporary remote access to a computer.
2. Description of Related Art
Businesses today typically store information on file servers connected to local area networks in their respective places of business. Employees connected to a local area network can gain access to information on a local file server if certain security criteria are met. For example, a traditional form of security requires the user to enter a username and password to authenticate the identity of the user. An employee entering his or her username and password will likely have read and write access to certain groups of files and read access to certain additional files on the file server. The typical user thus has limited access to files, and further cannot gain access to administrative facilities for the configuration and maintenance of the file server, which are usually reserved for a system administrator.
Through the proliferation of wide area computer networks, extranets, the Internet, and other forms of remote computer access, a computer user can log into a local area network from a remote location and access and/or destroy files on the file server. Although remote access to a computer network provides many advantages for a business, it also leaves the business more vulnerable to unauthorized and possibly destructive use of their computers.
Similar to the protocol used in a local area network, computer security for remote users is generally accomplished through the use of a username/password combination that uniquely identifies the user. Although virtually any combination of letters and numbers can be utilized for usernames and passwords, the use of a username/password combination provides a low level of security. Usernames on a network generally have a fixed format (e.g., first initial and first 7 letters of the user's last name) and are often equivalent to an email address. In addition, users typically select passwords that are easy to remember, such as the names of children or pets. An unscrupulous hacker can often guess a username/password combination with minimal information about the user, or can acquire the username/password combination by “eavesdropping” on the communications link between the remote computer and the network.
Another method for restricting access to a computer network involves the use of hardware tokens or dongles that must be physically connected to a remote user's computer before access will be granted. The server can be programmed to periodically check that a particular hardware device is connected to the remote computer, and terminate the remote access if the hardware device is not present. These hardware devices generally include username/password information or other information, such as a serial number, that can be used to identify the presence of the correct hardware device. Some drawbacks with these hardware devices include the difficulty of changing a user password and, in the case where the hardware device is lost or stolen, the ease with which a new owner can gain access to the system.
Despite the aforementioned problems, the use of a username/password combination and/or the use of hardware devices provides sufficient protection for most businesses. The information stored on a file server is often “backed-up” on a daily basis, and if an unauthorized user (i.e., “hacker”) is able to gain access to the computer system, the hacker will likely have limited access to files (e.g., only have access to the files of a single user), thus exposing the company to minimal risk. An extra level of security may also be added for high-level passwords to prevent their use from remote locations. For example, the system administrator who must perform maintenance or administrative functions may be required to access the computer network through a computer terminal that is physically connected to the file server—e.g., a terminal in the same room as the file server. As discussed above, a system administrator can have virtually unlimited access to the computer system through a username/password that provides access to system administration, configuration, and maintenance functions, as well as access to all of the files stored on the file server. Because a potential hacker must be physically in the room to gain access, hacking into the system from a remote location as a system administrator would be nearly impossible.
When a computer network requires maintenance, troubleshooting or a software upgrade, the manufacturer or vendor may need to access the computer network as a high-level user, such as a system administrator. With high-speed modems and dedicated communications links, it is often beneficial to access the computer networks remotely to perform the necessary maintenance. As discussed above, if a standard username and password are used, the entire computer system can be made vulnerable to hackers. Although a hardware token or dongle can be used to restrict access, if such a hardware device is lost or stolen, it could provide an unauthorized user with unrestricted access to the computer network. Because such maintenance is temporary in nature, there exists a need in the art for a system and method for providing secure temporary access to a computer system from a remote location.
SUMMARY OF THE INVENTION
The present invention satisfies a need in the art by providing a system and method for providing secure temporary access to a computer system from a remote location through the use of a perishable password.
In one embodiment of the present invention, a method for providing temporary remote access to a host computer from a remote computer is provided. First, a dongle is provided, which includes a processor, a non-volatile memory, and a program memory for storing program logic for controlling the processor. A date range is selected, including a starting date and time for the temporary remote access and an ending date and time for the temporary remote access, and stored in the non-volatile memory of the dongle. The dongle is then connected to the remote computer.
Through the remote computer, a communications link is established with the host computer, such as through a direct telephone connection or over the Internet. The host computer will grant remote access to the remote computer only if a system date from the host computer is within the date range stored in the non-volatile memory of the dongle connected to the remote computer. To ensure that remote access is not granted outside of the date range stored in the dongle, the dongle is deactivated if the remote computer attempts to access the host computer when the system date is outside of the date range.
The method may further include selecting an encryption key and storing the encryption key in the non-volatile memory of the dongle. The dongle further includes an encryption algorithm which can be used to encrypt a seed in accordance with the encryption key. Before allowing remote access, the validity of the encryption key is determined. If the encryption key is invalid, remote access to the host computer will not be granted.
In addition, a second dongle may also be provided, including a second processor, a second program memory for storing program logic for controlling the second processor and a second non-volatile memory. The second program memory includes a copy of the encryption algorithm stored in the first dongle. A copy of the encryption key is also stored in the second non-volatile memory. The second dongle is then connected to the host computer. Access to the host computer will only be granted if the encryption key in the dongle connected to the remote computer is equal to the copy of the encryption key stored in the second dongle connected to the host computer.
One way to verify that the encryption keys are identical is through the encryption algorithm. The host computer selects a unique seed and transmits the unique seed and the system date to the re
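As an added illustration (not code from the patent), the following Python models the exchange the summary describes: a remote dongle holding a date range and an encryption key, a second dongle at the host holding a copy of the key, and a host that picks a unique seed, sends it with its system date, and compares the encrypted seed it gets back. The keyed MAC standing in for the patent's unspecified encryption algorithm, the class names, and the dongle returning the encrypted seed to the host are assumptions.

```python
import hmac
import hashlib
import os
from datetime import datetime


def encrypt_seed(key: bytes, seed: bytes) -> bytes:
    """Stand-in for the patent's encryption algorithm (assumption): a keyed MAC
    over the seed, so the reply reveals nothing about the key itself."""
    return hmac.new(key, seed, hashlib.sha256).digest()


class Dongle:
    """Non-volatile memory of a dongle: key, date range and an 'active' flag.
    The host-side copy carries only the key; the remote copy also has the range."""

    def __init__(self, key: bytes, start: datetime = None, end: datetime = None):
        self.key, self.start, self.end, self.active = key, start, end, True

    def respond(self, seed: bytes, system_date: datetime):
        """Remote-side behaviour: encrypt the seed only inside the date range.
        An attempt outside the range permanently deactivates the dongle."""
        if not self.active:
            return None
        if not (self.start <= system_date <= self.end):
            self.active = False  # perishable password: one bad attempt kills it
            return None
        return encrypt_seed(self.key, seed)


class Host:
    """Host computer holding the second dongle with the key copy."""

    def __init__(self, host_dongle: Dongle):
        self.dongle = host_dongle

    def grant_access(self, remote: Dongle, system_date: datetime) -> bool:
        seed = os.urandom(16)  # unique per session, so replies cannot be replayed
        reply = remote.respond(seed, system_date)
        if reply is None:
            return False
        expected = encrypt_seed(self.dongle.key, seed)
        # Keys are equal exactly when both sides encrypt the seed identically.
        return hmac.compare_digest(reply, expected)


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed sample value
    host = Host(Dongle(key))
    remote = Dongle(key, datetime(2024, 3, 1), datetime(2024, 3, 3))
    print(host.grant_access(remote, datetime(2024, 3, 2)))  # inside the window
    print(host.grant_access(remote, datetime(2024, 3, 5)))  # outside: refused, dongle dead
```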
