CN1302408A - Multiuser computer environment access system and method - Google Patents


Info

Publication number: CN1302408A
Authority: CN (China)
Prior art keywords: token, workstation, signal, data transmission, data
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN99805879.3A
Other languages: Chinese (zh)
Inventor: M·埃尔格雷斯
Current Assignee: FIRST ACCESS Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: FIRST ACCESS Ltd
Application filed by FIRST ACCESS Ltd
Publication of CN1302408A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35 User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly

Abstract

A method for providing continued access by a user to a workstation in a multi-user system wherein a plurality of users need to gain common or independent access to one or more workstation(s), and wherein said continued access is conditional to the user being at a predetermined maximal distance from the workstation to which he has gained access, comprising: (a) providing a plurality of access tokens, each access token being provided with data receiving and with data transmission means, said data transmission means being caused to transmit a predetermined signal comprising a data string, at preset time intervals; (b) providing in each token personal identification data unique to each token; (c) providing data transmission sensing means coupled to each workstation, to receive the signal transmitted by a token located within a preset maximal distance from the workstation; (d) providing mapping means connected to said data transmission sensing means, to receive and store data representative of the identity of a token and of its proximity to one or more workstations; (e) providing data transmission means coupled to each workstation, and transmitting therefrom a signal containing token identification data and a synchronization signal, wherein the synchronization signal is unique and characteristic of a specific workstation; (f) providing logic means in each token for storing only synchronization signals contained in a signal which also contains the token identification data; (g) transmitting from the token, for each signal received by the token and fulfilling the condition of step (f) above, a presence signal consisting of the token identification number, modulated with the synchronization signal of the specific workstation; (h) when said presence signal is received by the data transmission sensing means of the workstation to which the synchronization signal refers, allowing access of the user to the workstation, optionally by the further input of a password or PIN.

Description

Multiuser computer environment access system and method
Field of the invention
The present invention relates to a method for preventing unauthorised access to a computer system through terminals located in a multi-terminal environment.
Background of the invention
The problem of preventing unauthorised access to computer workstations has been addressed in the art. Several solutions have been proposed over the years, ranging from mechanical means, such as the use of a key, to logical methods, such as typing a password, and including electronic methods such as the use of magnetic cards or smart cards to obtain access to the workstation.
Early solutions fail to solve a key problem: unauthorised access to a workstation after an authorised user has logged in, left the workstation keyboard, and not closed the workstation or the relevant program. Attempts to solve this problem have been made by automatically closing the workstation program after a certain idle period, or by requiring the access procedure to be repeated in order to regain access to the workstation. These solutions, however, are impractical, inconvenient and unsuccessful.
An improved solution to this problem is based on proximity sensors, which automatically detect whether the user (token) has left the computer site and automatically disable access to all or selected computer resources. Proximity sensors use contactless communication techniques such as RF, IR, sound, ultrasound and the like. Although prior-art systems use proximity sensors for the convenience of the user, they show important drawbacks: in particular, they cannot provide advanced security against unauthorised access, because they may be replicated, and the systems are rather inflexible because they pair a user with a predetermined workstation.
WO 97/39553 describes a system based on a periodic challenge protocol. The challenge protocol presents serious defects and requires a relatively complex validation protocol. In addition, the system of WO 97/39553 solves the single-user problem but does not provide safe and convenient use in a multi-user environment, in which a plurality of users and a plurality of computer workstations must coexist and operate in varying positional relationships; this is the prevailing working environment today.
The prior art, however, has difficulty solving the practical problems found in actual working environments. These problems arise from the presence of a large number of users in the working environment, all or some of whom have different access rights and interact with one another. This situation is illustrated schematically in Fig. 1, which shows a typical workplace comprising several independent workstations. A plurality of users, indicated by their tokens (squares bearing numbers), move about the environment. Several different situations can be seen in the figure: a) a user moves in and out of the work area; b) two workstations detect the presence of a single user; c) a user moves from one workstation to another; and d) two users are found near one workstation. More complex situations, which are very common in daily life, can of course be conceived. As can be seen from the example of Fig. 1, the situations arising in a multi-user environment are more varied, and considerably more complicated, than those of an independent single-user environment.
It is therefore an object of the present invention to provide a system and method that overcome the drawbacks of prior-art methods and systems.
A further object of the present invention is to provide a security system and method that provide safe and conditional access to computer workstations in a multi-user environment.
Other objects and advantages of the present invention will become apparent from the following description.
Summary of the invention
In one aspect, the present invention is a method for providing a user with continued access to a workstation in a multi-user system, in which a plurality of users need to gain common or independent access to one or more workstations, and in which said continued access is conditional on the user being within a predetermined maximal distance from the workstation to which he has gained access, comprising:
A) providing a plurality of access tokens, each access token being provided with data receiving and data transmission means, said data transmission means being caused to transmit, at preset time intervals, a predetermined signal comprising a data string;
B) providing in each token personal identification data unique to that token;
C) providing data transmission sensing means coupled to each workstation, to receive the signal transmitted by a token located within a predefined maximal distance from the workstation;
D) providing mapping means connected to said data transmission sensing means, to receive and store data representative of the identity of a token and of its proximity to one or more workstations;
E) providing data transmission means coupled to each workstation, and transmitting therefrom a signal containing the token identification data and a synchronization signal, wherein the synchronization signal is unique and characteristic of a specific workstation;
F) providing logic means in each token for storing only synchronization signals contained in a signal which also contains the token identification data;
G) transmitting from the token, for each signal received by the token that fulfils the condition of step (F), a presence signal consisting of the token identification number modulated with the synchronization signal of the specific workstation;
H) when said presence signal is received by the data transmission sensing means of the workstation to which the synchronization signal refers, allowing the user access to the workstation, optionally after the further input of a password or PIN;
I) periodically checking that said presence signal is received by the workstation and, if no such signal has been received after a predefined period of time, disallowing access to the workstation and/or its selected resources.
In the context of the present invention, "modulation" means any suitable transformation of the identification code representing the token, determined by the token according to predefined instructions supplied to it and known to the workstation and/or system administrator. This transformation may be performed as a function of the synchronization signal received by the token from the system, or on the basis of any other parameter predefined in the token; in either case it is the token that decides how the identification code is modulated, and the system/workstation is entirely passive in this respect.
"Presence signal" means a signal indicating to the system that the correct token is still near the workstation, i.e. still within the maximal distance that the system allows to be set.
Data transmission may be achieved by any suitable means, including wireless and wired communication. According to a preferred embodiment of the invention, data transmission is by a method selected from RF, IR, ultrasound and any combination thereof.
The synchronization signal may be generated by each individual workstation; in a preferred embodiment of the invention, the synchronization signal is associated with the clock of the workstation. According to another preferred embodiment of the invention, a central resource such as the system server generates the synchronization signal for each individual workstation.
According to another preferred embodiment of the invention, the synchronization signal is transmitted by the system and/or workstation only after an "open channel" signal from the token has been received. This "open channel" signal indicates to the system and/or workstation that a token is nearby. In a preferred embodiment of the invention, the token transmits the "open channel" signal periodically, for example with a period of about 5 seconds.
Modulation of the token identification number may be achieved by any suitable method, as will be apparent to the skilled reader. According to one embodiment of the invention, the modulation is achieved by synchronizing the clock of the token CPU with the clock of the system and/or workstation and generating a signal as a function thereof.
Other security features may be used together with the method of the invention. For example, all or part of the data transmitted between the token and the data transmission sensing means connected to each workstation may be encrypted.
Other situations also exist. For example, according to a preferred embodiment of the invention, a method is provided wherein a plurality of users require common access to one or more workstations, and wherein said continued access is conditional on all co-users being, at the same time, within a predetermined maximal distance of the workstation to which access is gained, comprising:
A) providing a plurality of access tokens, each access token being provided with data receiving and data transmission means, said data transmission means being caused to transmit, at preset time intervals, a predetermined signal comprising a data string;
B) providing in each token personal identification data unique to that token;
C) providing data transmission sensing means coupled to each workstation, to receive the signal transmitted by a token located within a predefined maximal distance from the workstation;
D) providing mapping means connected to said data transmission sensing means, to receive and store data representative of the identity of a token and of its proximity to one or more workstations;
E) providing data transmission means coupled to the common workstation, and transmitting therefrom a signal containing the token identification data and a synchronization signal, wherein the synchronization signal is unique and characteristic of a specific workstation;
F) providing logic means in each token for storing only synchronization signals contained in a signal which also contains the token identification data;
G) transmitting from the token, for each signal received by the token that fulfils the condition of step (F), a presence signal comprising the token identification number modulated with the synchronization signal of the specific workstation;
H) when the presence signals of the plurality of tokens are received by the data transmission sensing means of the workstation to which the synchronization signal refers, allowing the plurality of co-users access to the common workstation, optionally after the further input of a password or PIN;
I) periodically checking that the presence signals of all co-users are received by the common workstation and, if no such presence signal has been received for one or more of the co-users after a predefined period of time, disallowing access by some or all of the co-users to the workstation and/or its selected resources.
It may also be the case, for example, that a technician is not allowed to maintain the system unless a supervisor is present, or that a person holding low-level secure access is allowed to access a particular application only when a supervisor is present. In such cases, according to another preferred embodiment of the invention, two or more tokens must be detected simultaneously in order to obtain joint access to the workstation or to its selected resources.
In another situation, a single user accesses a plurality of workstations simultaneously. In this case, according to a preferred embodiment of the invention, the user's token sends a different presence signal for each workstation accessed, so that each session created for a given token/workstation combination is unique. The user may therefore log out of, or stop working at, one workstation, either through the keyboard or by moving away from that workstation (while remaining within range of another), and still continue to work simultaneously on one or more other workstations.
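The method of steps A to I, the two-token rule and the one-user/many-workstation case above, as an added simulation that is not part of the patent or of any First Access Ltd product: radio transmission is replaced by in-memory calls, the "modulation" of the token identification is assumed to be HMAC-SHA256 keyed with a per-token secret shared with the system (the patent leaves the transformation open), the timeout of step I runs on an integer clock supplied by the caller, and the token ids, secrets and workstation names are constructed for the example.

```python
import hashlib
import hmac
import secrets


def modulate(token_secret: bytes, token_id: str, sync: bytes) -> bytes:
    """Assumed 'modulation' of the token identification (the patent leaves the
    transformation open): HMAC-SHA256 over the workstation's synchronization
    signal and the token id, keyed with a secret the token shares with the
    system, so that a copied id alone cannot produce a valid presence signal."""
    return hmac.new(token_secret, sync + token_id.encode(), hashlib.sha256).digest()


class Token:
    """Access token: steps (A), (B), (F) and (G)."""

    def __init__(self, token_id: str, secret: bytes):
        self.token_id = token_id
        self.secret = secret
        self.syncs = {}  # workstation name -> stored synchronization signal

    def receive(self, ws: str, addressed_to: str, sync: bytes):
        # Step (F): keep the synchronization signal only if the message also carries our id.
        if addressed_to != self.token_id:
            return None
        self.syncs[ws] = sync
        # Step (G): presence signal = our id modulated with that workstation's sync signal.
        return self.token_id, modulate(self.secret, self.token_id, sync)


class System:
    """Workstations, their sensing/transmission means and the mapping means:
    steps (C), (D), (E), (H) and (I). Time is an integer clock in seconds
    supplied by the caller instead of real timers."""

    def __init__(self, timeout_s: int):
        self.timeout_s = timeout_s
        self.secrets = {}    # token id -> shared secret (assumption, see modulate())
        self.syncs = {}      # workstation -> its unique synchronization signal (step E)
        self.proximity = {}  # workstation -> token ids currently in range (step D)
        self.access = {}     # workstation -> token ids currently granted access
        self.last_seen = {}  # (token id, workstation) -> time of last good presence signal

    def enroll(self, token_id: str, secret: bytes) -> None:
        self.secrets[token_id] = secret

    def add_workstation(self, ws: str) -> None:
        self.syncs[ws] = secrets.token_bytes(16)
        self.proximity[ws] = set()
        self.access[ws] = set()

    def solicit(self, ws: str, target_id: str, tokens_in_range: list, now: int) -> bool:
        """Step (E): the workstation transmits (target id, its sync signal) to every
        token in range; step (H): a correct presence signal from the target grants access."""
        self.proximity[ws] = {t.token_id for t in tokens_in_range}
        replies = [t.receive(ws, target_id, self.syncs[ws]) for t in tokens_in_range]
        for reply in replies:
            if reply is None or reply[0] not in self.secrets:
                continue  # not addressed to this token, or token unknown to the system
            tid, presence = reply
            if hmac.compare_digest(presence, modulate(self.secrets[tid], tid, self.syncs[ws])):
                self.last_seen[(tid, ws)] = now
                self.access[ws].add(tid)
                return True
        return False

    def check(self, ws: str, now: int) -> set:
        """Step (I): withdraw access from tokens whose presence signal is overdue."""
        for tid in list(self.access[ws]):
            if now - self.last_seen[(tid, ws)] > self.timeout_s:
                self.access[ws].discard(tid)
        return set(self.access[ws])

    def joint_access(self, ws: str, required: set) -> bool:
        """Two-or-more-token rule: every required token must currently hold access."""
        return required <= self.access[ws]


def demo() -> dict:
    """Constructed scenario: two enrolled tokens, a cloned id, two workstations."""
    system = System(timeout_s=10)
    alice, bob = Token("T1", b"secret-1"), Token("T2", b"secret-2")
    clone = Token("T1", b"wrong-secret")  # copied identification, no shared secret
    for t in (alice, bob):
        system.enroll(t.token_id, t.secret)
    system.add_workstation("WS-A")
    system.add_workstation("WS-B")
    r = {}
    # Alice and Bob are both near WS-A; WS-A addresses T1, so only Alice's token answers.
    r["alice_ws_a"] = system.solicit("WS-A", "T1", [alice, bob], now=0)
    r["bob_ignored_sync"] = "WS-A" not in bob.syncs
    # The cloned id cannot pass step (H).
    r["clone_rejected"] = not system.solicit("WS-B", "T1", [clone], now=0)
    # One user, second workstation: a different sync signal, hence a distinct session.
    r["alice_ws_b"] = system.solicit("WS-B", "T1", [alice], now=1)
    r["distinct_sessions"] = alice.syncs["WS-A"] != alice.syncs["WS-B"]
    # Step (I): Alice keeps answering WS-B but has walked away from WS-A.
    system.solicit("WS-B", "T1", [alice], now=12)
    r["ws_a_after_timeout"] = system.check("WS-A", now=12)
    r["ws_b_after_timeout"] = system.check("WS-B", now=12)
    # Supervisor rule at WS-A: both T1 and T2 must be present at the same time.
    system.solicit("WS-A", "T1", [alice, bob], now=13)
    r["joint_before_bob"] = system.joint_access("WS-A", {"T1", "T2"})
    system.solicit("WS-A", "T2", [alice, bob], now=13)
    r["joint_after_bob"] = system.joint_access("WS-A", {"T1", "T2"})
    return r
```

The keyed transformation is the part a defender should care about: with a plain copy of the identification code (the "replication" weakness the background section attributes to earlier proximity systems), the clone fails at step (H) because the system recomputes the expected presence signal under the enrolled secret.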
The present invention is also a system for providing a user with continued access to a workstation in a multi-user system, in which a plurality of users need to gain independent access to one or more workstations, wherein said continued access is conditional on the user being within a predetermined maximal distance of the workstation to which he has gained access, comprising:
A - a plurality of access tokens, each access token being provided with data receiving and data transmission means;
B - means for generating a predefined signal comprising a data string and for transmitting that signal, via said data transmission means, at preset time intervals;
C - personal identification data provided in each token, unique to each token;
D - data transmission sensing means connected to each workstation, to receive the signal transmitted by a token located within a predetermined maximal distance from the workstation;
E - mapping means connected to said data transmission sensing means, to receive and store data representative of the identity of a token and of its proximity to one or more workstations;
F - data transmission means connected to the workstation, for transmitting a signal containing the token identification and a synchronization signal, wherein the synchronization signal is unique and characteristic of a specific workstation;
G - logic means provided in each token, for storing only synchronization signals contained in a signal which also contains the token identification data;
H - means for transmitting from the token, for each signal received by the token that fulfils the condition of item (F), a presence signal comprising the token identification number modulated with the synchronization signal of the specific workstation;
I - means for allowing the user access to the workstation, optionally after the further input of a password or PIN, when said presence signal is received by the data transmission sensing means of the workstation to which the synchronization signal refers;
J - means for periodically checking that said presence signal is received by the workstation;
K - means for disallowing access to the workstation and/or its selected resources when said presence signal has not been received after a preset period of time.
The data transmission sensing means connected to the workstation is connected through a suitable data port. According to a preferred embodiment of the invention, the data port is chosen from RS232, keyboard, parallel port or USB.
According to another preferred embodiment of the invention, the data transmission sensing means is connected to the workstation "on board". According to this embodiment, the sensing device may operate in a manner similar to an externally connected device, or may disable operation of the motherboard until a new user-workstation working relationship has been established.
Brief description of the drawings
Fig. 1 illustrates the various situations that exist in a multi-user system environment;
Fig. 2 is the flow chart of Example 1;
Fig. 3 is the flow chart of Example 2;
Fig. 4 is the flow chart of Example 3;
Fig. 5a and 5b are the flow charts of Example 4;
Fig. 6a to 6c are the flow charts of Example 5; and
Fig. 7a to 7c are the flow charts of Example 6.
Detailed description of preferred embodiments
The above-mentioned features and advantages of the present invention, and others, will be better understood from the following figures and non-limiting description of preferred embodiments.
Example 1
Process #1: Token advertisement
Token "keep alive" advertisement:
1. Token: create a message T containing the token identification
2. Token: transmit message T to the system (step 201 in Fig. 2)
3. Token: generate a (random) number for the loop time slot (step 202 in Fig. 2)
4. Token: set the loop advertisement wait timer to the loop time slot in seconds, and let it count down (steps 203 and 204 in Fig. 2)
5. Token: wait until the loop advertisement wait timer reaches 0 (step 205 in Fig. 2), and start again from step 1.
Process advertisement:
6. System: wait to receive a message T from a token (step 206 in Fig. 2)
7. System: check whether the token identification obtained from message T equals the token identification selected for the login process; if not, start again from step 6 (steps 207 and 208 in Fig. 2)
8. System: perform a "session creation request" (processes #4 to #7) (step 209 in Fig. 2) using the specific system-specific key that is associated only with that token identification (meaning that the token holds the public key of a system-specific key; this is not available in process #5).
Example 2
Process #2: System advertisement
System advertisement:
1. System: create a message S containing the system identification
2. System: transmit message S to the token (step 303 in Fig. 3)
3. System: generate a (random) number for the loop time slot (step 304 in Fig. 3)
4. System: set the loop advertisement wait timer to the loop time slot in seconds, and let it count down (steps 305 and 306 in Fig. 3)
5. System: wait until the advertisement wait timer reaches 0, and start again from step 1 (step 307 in Fig. 3).
Token advertisement:
6. Token: wait to receive message S (step 301 in Fig. 3)
7. Token: create a message T containing the token identification
8. Token: transmit message T to the system (step 302 in Fig. 3)
Process advertisement:
9. System: wait to receive the message T from the token (step 308 in Fig. 3)
10. System: check whether the token identification obtained from message T equals the token identification selected for the login process; if not, start again from step 1 (steps 309 and 310 in Fig. 3)
11. System: perform a session creation request (step 311 in Fig. 3) (processes #4 to #7) using the specific system-specific key associated with that token identification (meaning that the token holds the public key of the system-specific key; this is not available in process #5).
Example 3
Process #3: Command execution
Token command request:
1. Token: create a message M containing the command
2. Token: transmit message M to the system (step 401 in Fig. 4)
3. Token: set the loop command wait timer to the loop command time in seconds, and let it count down (steps 402 and 403 in Fig. 4)
4. Token: wait until the loop command wait timer reaches 0 (step 404 in Fig. 4); the command execution then fails (step 405 in Fig. 4)
Process command:
5. System: wait to receive the message M from the token (step 408 in Fig. 4)
6. System: execute the command (step 409 in Fig. 4)
7. System: create a message N containing the command result (step 410 in Fig. 4)
8. System: transmit message N to the token (step 411 in Fig. 4).
Receive result:
9. Token: wait to receive message N from the system (step 406 in Fig. 4)
10. Token: use the command result obtained from message N (step 407 in Fig. 4)
Note: this process operates in both directions, token to system and system to token.
Example 4
Process #4: Synchronous stream authentication process
Session creation request:
1. System: set the expected session counter to 0 (or to value X) (step 509 in Fig. 5a)
2. System: generate the session synchronization information (step 510 in Fig. 5a)
3. System: create a message A containing the session synchronization information (step 511 in Fig. 5a)
4. System: transmit message A to the token (step 7)
5. System: set the maximum wait timer to the maximum time in seconds, and let it count down (steps 512 and 513 in Fig. 5a)
6. System: check in the background that the maximum wait timer is not 0 (step 514 in Fig. 5a); if it is, end the session (step 519 in Fig. 5)
Session initialization:
7. Token: wait to receive message A from the system (step 4)
8. Token: store the session synchronization information obtained from message A, and use it only for this session (step 501 in Fig. 5a)
9. Token: set the session counter to 0 (or to value X) (step 502 in Fig. 5a)
Generate "keep alive" stream:
10. Token: increment the session counter (or apply function X) (step 503 in Fig. 5a)
11. Token: compute the session stream register from the session counter (step 504 in Fig. 5a)
12. Token: create a message B containing the session stream register (step 505 in Fig. 5a)
13. Token: transmit message B to the system (step 16)
14. Token: set the loop wait timer to the loop time in seconds, and let it count down (steps 506 and 507 in Fig. 5b)
15. Token: wait until the loop wait timer reaches 0, and start again from step 11 (step 508 in Fig. 5b)
Process "keep alive" stream:
16. System: wait to receive message B from the token (step 13) (step 515 in Fig. 5a)
17. System: increment the expected session counter (or apply function X) (step 516 in Fig. 5b)
18. System: compute the expected session stream register from the expected session counter (step 517 in Fig. 5b)
19. System: compare the session stream register obtained from message B with the expected session stream register (step 518 in Fig. 5b); if they differ, end the session (step 519 in Fig. 5)
20. System: restart the loop at steps 5 and 6.
Parameters:
Value X: a fixed number that starts the data stream
Function X: the function that computes the next number in the data stream
Maximum time: the maximum time the system allows between good "keep alive" transmissions, in seconds
Loop time: the interval between successive transmissions of the stream, in seconds; a random number between a minimum and a maximum value.
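Process #4 as an added simulation, not code from the patent or its assignee: the session stream register is assumed to be HMAC-SHA256 over the session counter keyed with the session synchronization information (the patent leaves the computation open), function X is assumed to be a plain increment, and the maximum wait timer is a deadline on an integer clock supplied by the caller. The constructed run shows a good stream, then a replayed message B, then a token that falls silent past the maximum time; both failures end the session as steps 6 and 19 require.

```python
import hashlib
import hmac
import secrets

VALUE_X = 0  # parameter "value X": the fixed number that starts the data stream


def function_x(counter: int) -> int:
    """Parameter "function X": computes the next number in the data stream
    (assumed here to be a plain increment)."""
    return counter + 1


def stream_register(session_sync: bytes, counter: int) -> bytes:
    """Session stream register derived from the session counter (steps 11 and 18).
    The patent does not fix the computation; assumed HMAC-SHA256 keyed with the
    session synchronization information, so the stream cannot be forged or
    predicted by anyone who did not receive message A."""
    return hmac.new(session_sync, counter.to_bytes(8, "big"), hashlib.sha256).digest()


class TokenSession:
    """Token side: session initialization and the "keep alive" stream (steps 7 to 15)."""

    def init_session(self, message_a: bytes) -> None:
        self.session_sync = message_a   # step 8: used only for this session
        self.counter = VALUE_X          # step 9

    def next_message_b(self) -> bytes:
        self.counter = function_x(self.counter)                  # step 10
        return stream_register(self.session_sync, self.counter)  # steps 11 and 12


class SystemSession:
    """System side: session creation request and stream processing (steps 1 to 6 and 16 to 20).
    Timers are replaced by a deadline on an integer clock supplied by the caller."""

    def __init__(self, max_time_s: int):
        self.max_time_s = max_time_s
        self.alive = False

    def create_session(self, now: int) -> bytes:
        self.expected_counter = VALUE_X                 # step 1
        self.session_sync = secrets.token_bytes(16)     # step 2
        self.deadline = now + self.max_time_s           # step 5: maximum wait timer
        self.alive = True
        return self.session_sync                        # steps 3 and 4: message A

    def watchdog(self, now: int) -> bool:
        """Step 6: the session ends once the maximum wait timer has run out."""
        if self.alive and now > self.deadline:
            self.alive = False
        return self.alive

    def process_message_b(self, message_b: bytes, now: int) -> bool:
        if not self.watchdog(now):
            return False
        self.expected_counter = function_x(self.expected_counter)             # step 17
        expected = stream_register(self.session_sync, self.expected_counter)  # step 18
        if not hmac.compare_digest(message_b, expected):                      # step 19
            self.alive = False
            return False
        self.deadline = now + self.max_time_s                                 # step 20
        return True


def demo() -> dict:
    """Constructed run: a good stream, a replayed message B, and a token that goes silent."""
    system, token = SystemSession(max_time_s=5), TokenSession()
    r = {}
    token.init_session(system.create_session(now=0))
    r["first_three"] = [system.process_message_b(token.next_message_b(), now=t) for t in (1, 3, 5)]
    b = token.next_message_b()
    r["fresh"] = system.process_message_b(b, now=6)
    r["replay"] = system.process_message_b(b, now=7)   # same register again: the counter has moved on
    r["alive_after_replay"] = system.alive
    token.init_session(system.create_session(now=10))  # new session after the failure
    r["ok_at_11"] = system.process_message_b(token.next_message_b(), now=11)
    r["late_at_20"] = system.process_message_b(token.next_message_b(), now=20)  # past the maximum time
    return r
```

Because the expected counter advances on every received message B, a register captured from the air is only valid for one position in the stream; presenting it again mismatches at step 19, which is what makes the "keep alive" stream stronger than repeating a fixed identification code.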
Example 5
Process #5: Synchronous stream authentication process with token-generated synchronization information
System initialization:
1. System: set the initial next-session synchronization information to the initial session synchronization information (step 603 in Fig. 6a)
2. System: set the session synchronization information to 0 (or to value S) (step 604 in Fig. 6a)
Token initialization:
3. Token: set the initial next-session synchronization information to the initial session synchronization information (step 601 in Fig. 6a)
4. Token: set the session synchronization information to 0 (or to value S) (step 602 in Fig. 6a)
Session creation request:
5. System: set the expected session counter to 0 (or to value X) (step 605 in Fig. 6a)
6. System: add the next-session synchronization information (stored in the previous session) to the session synchronization information (or compute it with function S) (step 606 in Fig. 6a)
7. System: create a message A containing confirmation information (step 607 in Fig. 6a)
8. System: transmit message A to the token (step 11)
9. System: set the maximum wait timer to the maximum time in seconds, and let it count down (steps 608 and 609 in Fig. 6b)
10. System: check in the background that the maximum wait timer is not 0 (step 610 in Fig. 6b); if it is, end the session (step 628 in Fig. 6c)
Session initialization:
11. Token: wait to receive message A from the system (step 8) (step 611 in Fig. 6a)
12. Token: check whether the confirmation information obtained from message A is valid (step 612 in Fig. 6b); if not, end the session (step 623 in Fig. 6c)
13. Token: add the next-session synchronization information (stored from the previous session) to the session synchronization information (or compute it with function S) (step 613 in Fig. 6b)
14. Token: generate the next-session synchronization information (step 614 in Fig. 6b)
15. Token: set the session counter to 0 (or to value X) (step 615 in Fig. 6b)
Generate "keep alive" stream:
16. Token: create a message B containing the next-session synchronization information (step 616 in Fig. 6b)
Generate "keep alive" stream:
17. Token: increment the session counter (or apply function X) (step 617 in Fig. 6b)
18. Token: compute the session stream register from the session counter (step 618 in Fig. 6b)
19. Token: add the session stream register to message B (message B may be empty or may contain the next-session synchronization information from step 16) (step 619 in Fig. 6c)
20. Token: transmit message B to the system (step 23)
21. Token: set the loop wait timer to the loop time in seconds, and let it count down (steps 620 and 621 in Fig. 6c)
22. Token: wait until the loop wait timer reaches 0 (step 622 in Fig. 6c), and start again from step 21.
Process "keep alive" stream:
23. System: wait to receive message B from the token (step 20) (step 624 in Fig. 6c)
24. System: if message B contains next-session synchronization information, store it for the next session
25. System: increment the expected session counter (or apply function X) (step 625 in Fig. 6)
26. System: compute the expected session stream register from the expected session counter (step 626 in Fig. 6c)
27. System: compare the session stream register obtained from message B with the expected session stream register (step 627 in Fig. 6c); if they differ, end the session (step 628 in Fig. 6c)
28. System: restart the loop at steps 9 and 10.
Parameters:
Value X: a fixed number that starts the data stream
Function X: the function that computes the next number in the data stream
Maximum time: the maximum time the system allows between good "keep alive" transmissions, in seconds
Loop time: the interval between successive transmissions of the stream, in seconds; a random number between a minimum and a maximum value
Initial session synchronization information: the synchronization information of the first session
Value S: a fixed number that starts the session synchronization information
Function S: the function that computes the change in the session synchronization information for each session.
Example 6
Process #6: synchronous stream verification process with system acknowledgement
Session establishment request:
1. System: set the expected session counter to 0 (or to value X) (step 701 in Fig. 7a)
2. System: generate the session synchronizing information (step 702 in Fig. 7a)
3. System: create message A containing the session synchronizing information (step 703 in Fig. 7a)
4. System: transmit message A to the token (to step 7)
5. System: set the system maximum wait timer to system maximum time seconds (step 704 in Fig. 7a) and let it count down (step 705 in Fig. 7a)
6. System: check in the background whether the system maximum wait timer has reached 0 (step 706 in Fig. 7a); if so, end the session (step 716 in Fig. 7b)
Session initialization:
7. Token: wait to receive the message from the system (step 4)
8. Token: store the session synchronizing information obtained from message A and use it only during this session (step 709 in Fig. 7a)
9. Token: set the session counter to 0 (or to value X) (step 710 in Fig. 7a)
Generate the "keep alive" announcement:
10. Token: increment the session counter (or apply function X) (step 711 in Fig. 7a)
11. Token: compute the session stream register from the session counter (step 726 in Fig. 7a)
12. Token: create message B containing the session stream register (step 712 in Fig. 7b)
13. Token: transmit message B to the system (to step 16)
14. Token: set the token maximum wait timer to token maximum time seconds (step 713 in Fig. 7b) and let it count down (step 718 in Fig. 7b)
15. Token: check in the background whether the token maximum wait timer has reached 0 (step 719 in Fig. 7b); if so, end the session (step 727 in Fig. 7b)
Process the "keep alive" announcement:
16. System: wait to receive message B from the token (step 13) (step 707 in Fig. 7b)
17. System: increment the expected session counter (or apply function X) (step 708 in Fig. 7b)
18. System: compute the expected session stream register from the expected session counter (step 714 in Fig. 7b)
19. System: compare the session stream register obtained from message B with the expected session stream register (step 715 in Fig. 7b); if they differ, end the session (step 716 in Fig. 7b)
20. System: restart the loop of steps 5 and 6
Generate the "keep alive" acknowledgement:
21. System: create message C containing the acknowledgement (step 717 in Fig. 7c)
22. System: transmit message C to the token (to step 23)
Process the "keep alive" acknowledgement:
23. Token: wait to receive message C from the system (step 22) (step 720 in Fig. 7c)
24. Token: check whether the acknowledgement obtained from message C is valid (step 721 in Fig. 7c); if not, end the session (step 727 in Fig. 7c)
25. Token: restart the loop of steps 14 and 15
26. Token: set the cycle wait timer to cycle time seconds (step 723 in Fig. 7c) and let it count down (step 724 in Fig. 7c)
27. Token: wait until the cycle wait timer is 0 (step 725 in Fig. 7c), then execute again from step 12
Parameters:
Value X: a fixed number that starts the data stream.
Function X: a function that computes the next number in the data stream.
System maximum time: the maximum time the system allows between "keep alive" transmissions, in seconds.
Token maximum time: the maximum time the token allows between "keep alive" transmissions, in seconds.
Cycle time: the interval between successive transmissions of a stream, in seconds; a random number between a minimum and a maximum value.
Example 7
Process #7: synchronous stream verification process with system acknowledgement and channel parameters
Session establishment request:
1. System: set the expected session counter to 0 (or to value X)
2. System: set the transmission channel to the normal channel
3. System: generate the session synchronizing information
4. System: create message A containing the session synchronizing information
5. System: transmit message A to the token over the normal channel (to step 8)
6. System: set the system maximum wait timer to system maximum time seconds and let it count down
7. System: check in the background whether the system maximum wait timer has reached 0; if so, end the session
Session initialization:
8. Token: wait to receive message A from the system over the normal channel (step 5)
9. Token: store the session synchronizing information obtained from message A and use it only during this session
10. Token: set the session counter to 0 (or to value X)
11. Token: set the receive channel to the normal channel
Generate the "keep alive" announcement:
12. Token: increment the session counter (or apply function X)
13. Token: compute the session stream register from the session counter
14. Token: create message B containing the session stream register
15. Token: transmit message B to the system over the normal channel (step 15)
16. Token: set the token maximum wait timer to token maximum time seconds and let it count down
17. Token: check in the background whether the token maximum wait timer has reached 0; if so, end the session
Process the "keep alive" announcement:
18. System: wait to receive message B (step 15) over the normal channel
19. System: increment the expected session counter (or apply function X)
20. System: compute the expected session stream register from the expected session counter
21. System: compare the session stream register obtained from message B with the expected session stream register; if they differ, end the session
22. System: restart the loop of steps 5 and 6
Generate the "keep alive" acknowledgement:
23. System: generate a random number for the next transmission channel
24. System: create message C containing the acknowledgement and the next transmission channel
25. System: transmit message C to the token over the transmission channel (to step 27)
26. System: set the transmission channel to the next transmission channel (via function C)
Process the "keep alive" acknowledgement:
27. Token: wait to receive message C from the system over the receive channel (step 25)
28. Token: set the receive channel to the next transmission channel obtained from message C (via function C)
29. Token: check whether the acknowledgement obtained from message C is valid; if not, end the session
30. Token: restart the loop of steps 14 and 15
31. Token: set the cycle wait timer to cycle time seconds and let it count down
32. Token: wait until the cycle wait timer is 0, then execute again from step 12
Parameters:
Value X: a fixed number that starts the data stream.
Function X: a function that computes the next number in the data stream.
System maximum time: the maximum time the system allows between "keep alive" transmissions, in seconds.
Token maximum time: the maximum time the token allows between "keep alive" transmissions, in seconds.
Cycle time: the interval between successive transmissions of a stream, in seconds; a random number between a minimum and a maximum value.
Normal channel: the channel in ordinary use.
Function C: a function that computes the difference between the last transmission channel and the next one.
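The following simulation of Processes #6 and #7 is an added example and not code from the patent. It models the session counter, the session stream register, the "keep alive" acknowledgement, the channel hopping of Process #7 and both maximum wait timers (as an elapsed-seconds argument); the keyed-hash stream register, the channel arithmetic of function C and all numeric parameters are assumptions, since the patent leaves them to the implementer.

```python
import hashlib, hmac, secrets
# Parameters of Processes #6 and #7 (numeric values are constructed for the simulation)
VALUE_X = 1000                          # fixed number that starts the data stream
NORMAL_CHANNEL, NUM_CHANNELS = 0, 16    # channel used until the first acknowledgement; channel count
SYSTEM_MAX_TIME, TOKEN_MAX_TIME = 5, 5  # system / token maximum time, seconds

def function_x(counter):                   # function X: next number in the data stream (assumed)
    return counter + 1

def stream_register(sync_info, counter, tag=b""):
    """Stream register as keyed hash under the session sync info (assumed); tag=b"ack" gives message C's acknowledgement."""
    return hmac.new(sync_info, tag + counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

def function_c(channel, random_value):     # function C: next channel from the last one (assumed)
    return (channel + 1 + random_value) % NUM_CHANNELS

class Ended(Exception): pass               # raised when either side ends the session

class System:
    def __init__(self):
        self.expected_counter, self.tx_channel = VALUE_X, NORMAL_CHANNEL   # steps 1-2
        self.sync_info = secrets.token_bytes(16)     # step 3: session synchronizing information
    def message_a(self):                             # steps 4-5
        return {"channel": NORMAL_CHANNEL, "sync": self.sync_info}
    def process_announcement(self, msg_b, elapsed):  # steps 7 and 18-26
        if elapsed > SYSTEM_MAX_TIME:                # system maximum wait timer ran out (step 7)
            raise Ended("system: no keep alive within system maximum time")
        self.expected_counter = function_x(self.expected_counter)            # step 19
        expected = stream_register(self.sync_info, self.expected_counter)    # step 20
        if not hmac.compare_digest(expected, msg_b["register"]):             # step 21
            raise Ended("system: session stream register mismatch")
        rnd = secrets.randbelow(NUM_CHANNELS)                                # step 23
        msg_c = {"channel": self.tx_channel, "random": rnd,                  # steps 24-25
                 "ack": stream_register(self.sync_info, self.expected_counter, b"ack")}
        self.tx_channel = function_c(self.tx_channel, rnd)                   # step 26
        return msg_c

class Token:
    def __init__(self, msg_a):                       # steps 8-11
        self.sync_info, self.counter, self.rx_channel = msg_a["sync"], VALUE_X, msg_a["channel"]
    def announcement(self):                          # steps 12-15
        self.counter = function_x(self.counter)
        return {"channel": NORMAL_CHANNEL, "register": stream_register(self.sync_info, self.counter)}
    def process_acknowledgement(self, msg_c, elapsed):   # steps 17 and 27-29
        if elapsed > TOKEN_MAX_TIME:                     # token maximum wait timer ran out (step 17)
            raise Ended("token: no acknowledgement within token maximum time")
        if msg_c["channel"] != self.rx_channel:          # sent on a channel the token is not listening on
            raise Ended("token: acknowledgement on wrong channel")
        self.rx_channel = function_c(self.rx_channel, msg_c["random"])       # step 28
        if not hmac.compare_digest(stream_register(self.sync_info, self.counter, b"ack"), msg_c["ack"]):
            raise Ended("token: invalid acknowledgement")                     # step 29

def keep_alive_round(system, token, delay):
    """One round of Process #7 with `delay` seconds between messages; False if a side ended."""
    try:
        token.process_acknowledgement(system.process_announcement(token.announcement(), delay), delay)
        return True
    except Ended:
        return False

def replay_is_rejected():
    """A captured message B is useless afterwards: the expected counter has moved on."""
    system = System()
    msg_b = Token(system.message_a()).announcement()
    system.process_announcement(msg_b, 1)      # first delivery is accepted
    try:
        system.process_announcement(msg_b, 1)  # replay: register no longer matches
        return False
    except Ended:
        return True
```

Because the register is bound to the session synchronizing information and to a counter that both sides advance in lock step, a message B recorded in one round is rejected in every later round, and a side that stays silent past its maximum time ends the session.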
While embodiments of the invention have been described by way of illustration, it should be clear that the invention can also be carried out with modifications, variations and adaptations made by those skilled in the art without departing from the spirit of the invention or exceeding the scope of the claims.

Claims (18)

1. A method of providing a user with continued access to a workstation in a multi-user system in which a plurality of users need to obtain shared or independent access to one or more workstations, and in which such continued access by a user is conditional on the user being within a predetermined maximum distance of the workstation being accessed, comprising:
(a) providing a plurality of access tokens, each access token being provided with data receiving and data transmission means, the data transmission means initiating, at preset time intervals, the transmission of predetermined signals comprising serial data;
(b) providing in each token personal identification data unique to that token;
(c) providing data transmission sensing means connected to each workstation for receiving signals transmitted by tokens within the predefined maximum distance of the workstation;
(d) providing mapping means connected to the data transmission sensing means for receiving and storing data representing the identity of a token and an indication of the proximity of that token to one or more workstations;
(e) providing data transmission means connected to each workstation, from which are transmitted a signal containing the token identification data and a synchronizing signal, wherein the synchronizing signal is unique and specific to the particular workstation;
(f) providing logic means in each token for storing the synchronizing signal contained in a signal only when that signal also contains the token identification data;
(g) for each signal received by the token that satisfies the condition of step (f), sending from the token a presence signal comprising the token identification number modulated with the synchronizing signal of the particular workstation;
(h) when this presence signal is received by the data transmission sensing means of the workstation indicated by the synchronizing signal, optionally further requiring the user to enter a password or PIN to allow the user access to the workstation;
(i) periodically checking that this presence signal is being received by the workstation and, if no such signal has been received after a predefined period of time, denying access to the workstation and/or selected resources on it.
2. The method of claim 1, wherein the data transmission is realised by any one of RF, IR, ultrasound, or any combination thereof.
3. The method of claim 1 or 2, wherein the synchronizing signal is generated independently by each workstation.
4. The method of any of claims 1 to 4, wherein the synchronizing signal is transmitted by the system and/or workstation only when an "open channel" signal is received from the token.
5. The method of claim 4, wherein the token transmits the "open channel" signal periodically.
6. The method of claim 5, wherein the token transmits the "open channel" signal about once every 5 seconds.
7. The method of claim 3, wherein the synchronizing signal is the clock of the workstation and/or token, or is related to the clock of the workstation and/or token.
8. The method of claim 1 or 2, wherein a central resource generates the synchronizing signal for each individual workstation.
9. The method of claim 8, wherein the central resource is a system server.
10. The method of claim 1, wherein the modulation of the token identification number is realised by synchronizing the clock of the token CPU with the clock of the system and/or workstation and generating the signal as a function of them.
11. The method of any of claims 1 to 10, wherein some or all of the data transmitted between the token and the data transmission sensing means connected to each workstation is encrypted.
12. The method of claim 1, wherein a plurality of users need to obtain shared access to one or more workstations, and wherein such continued access is conditional on all co-users being at the same time within the predefined maximum distance of the workstation being accessed, comprising:
A) providing a plurality of access tokens, each access token being provided with data receiving and data transmission means, the data transmission means initiating, at preset time intervals, the transmission of predetermined signals comprising serial data;
B) providing in each token personal identification data unique to that token;
C) providing data transmission sensing means connected to each workstation for receiving signals transmitted by tokens within the predefined maximum distance of the workstation;
D) providing mapping means connected to the data transmission sensing means for receiving and storing data representing the identity of a token and an indication of the proximity of that token to one or more workstations;
E) providing data transmission means connected to each workstation, from which are transmitted a signal containing the token identification data and a synchronizing signal, wherein the synchronizing signal is unique and specific to the particular workstation;
F) providing logic means in each token for storing the synchronizing signal contained in a signal only when that signal also contains the token identification data;
G) for each signal received by the token that satisfies the condition of step (f), sending from the token a presence signal comprising the token identification number modulated with the synchronizing signal of the particular workstation;
H) when this presence signal is received by the data transmission sensing means of the workstation indicated by the synchronizing signal, optionally further requiring the user to enter a password or PIN to allow the user access to the workstation;
I) periodically checking that this presence signal is being received by the workstation and, if no such signal has been received after a predefined period of time, denying access to the workstation and/or selected resources on it.
13. The method of claim 12, wherein two or more tokens must be detected simultaneously in order to obtain simultaneous access to the workstation or to selected resources.
14. The method of claim 1, wherein a single user accesses a plurality of workstations simultaneously, and that user's token generates a different presence signal for each workstation accessed.
15. A system for providing a user with continued access to a workstation located in a multi-user system in which a plurality of users need to obtain independent access to one or more workstations, and in which such continued access by a user is conditional on the user being within the predetermined maximum distance of the workstation being accessed, comprising:
A - a plurality of access tokens, each access token being provided with data receiving and data transmission means;
B - means for generating predefined signals comprising serial data and for transmitting these signals at preset time intervals via the data transmission means;
C - personal identification data provided in each token and unique to each token;
D - data transmission sensing means connected to each workstation for receiving signals transmitted by tokens within the predetermined maximum distance of the workstation;
E - mapping means connected to the data transmission sensing means for receiving and storing data representing the identity of a token and an indication of the proximity of that token to one or more workstations;
F - data transmission means connected to the workstation for transmitting a signal containing the token identification and a synchronizing signal, wherein the synchronizing signal is unique and specific to the particular workstation;
G - logic means provided in each token for storing the synchronizing signal contained in a signal only when that signal also contains the token identification data;
H - means for sending from the token, for each signal received by the token that satisfies the condition of item (F), a presence signal comprising the token identification number modulated with the synchronizing signal of the particular workstation;
I - means for optionally further requiring the user to enter a password or PIN to allow the user access to the workstation when this presence signal is received by the data transmission sensing means of the workstation associated with the synchronizing signal;
J - means for periodically checking that this presence signal is being received by the workstation;
K - means for denying access to the workstation and/or selected resources after a preset period of time when this presence signal is not received.
16. The system of claim 15, wherein the data transmission sensing means connected to the workstation is connected through a suitable data port.
17. The system of claim 16, wherein the data port is selected from RS232, keyboard, parallel port or USB.
18. The system of claim 15, wherein the data transmission sensing means connected to the workstation is connected "on board".
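The following model of steps (b) and (d) to (i) of claims 1 and 12, and of the per-workstation presence signal of claim 14, is an added example and not code from the patent. The workstation's synchronizing signal, the keyed hash standing in for "modulation" of the token identification number, the timeout value and the identifiers are all constructed assumptions; the patent does not fix the modulation scheme.

```python
import hashlib, hmac

PRESENCE_TIMEOUT = 10   # predefined period (seconds) without a presence signal before access is withdrawn (assumed)

def presence_signal(token_id, sync_signal):
    """Step (g): token identification number "modulated" with the workstation's synchronizing
    signal, modelled as a keyed hash (assumption; the claims do not fix the modulation)."""
    return hmac.new(sync_signal, token_id.encode(), hashlib.sha256).digest()

class Token:
    def __init__(self, token_id):
        self.id = token_id              # step (b): identification data unique to this token
        self.sync_signals = {}          # step (f): synchronizing signals stored per workstation
    def receive(self, workstation_name, addressed_id, sync_signal):   # steps (e)-(f)
        if addressed_id == self.id:     # store only when the signal also names this token
            self.sync_signals[workstation_name] = sync_signal
    def presence(self, workstation_name):                             # step (g)
        sync_signal = self.sync_signals.get(workstation_name)
        if sync_signal is None:
            return None                 # no stored synchronizing signal: nothing to answer
        return self.id, presence_signal(self.id, sync_signal)

class Workstation:
    def __init__(self, name):
        self.name = name
        self.sync_signal = hashlib.sha256(b"sync:" + name.encode()).digest()  # unique per station (constructed)
        self.last_seen = {}             # step (d): mapping means, token id -> time last seen nearby
    def address(self, token_id):                                      # step (e)
        return self.name, token_id, self.sync_signal
    def receive_presence(self, token_id, signal, now):                # step (h)
        if hmac.compare_digest(signal, presence_signal(token_id, self.sync_signal)):
            self.last_seen[token_id] = now
            return True
        return False                    # signal was made for another workstation's synchronizing signal
    def access_allowed(self, token_id, now):                          # step (i)
        seen = self.last_seen.get(token_id)
        return seen is not None and now - seen <= PRESENCE_TIMEOUT

def demo():
    """Two workstations, one token: the presence signal for ws1 is not accepted by ws2
    (claim 14) and ws1 withdraws access once the signal stops arriving (step (i))."""
    ws1, ws2, token = Workstation("ws1"), Workstation("ws2"), Token("TOKEN-42")
    token.receive(*ws1.address("TOKEN-42"))
    token.receive(*ws2.address("TOKEN-99"))       # addressed to another token: not stored
    tid, sig = token.presence("ws1")
    return {
        "ws1_accepts": ws1.receive_presence(tid, sig, now=0),
        "ws2_rejects": not ws2.receive_presence(tid, sig, now=0),
        "ws2_unaddressed": token.presence("ws2") is None,
        "access_at_5": ws1.access_allowed(tid, now=5),
        "revoked_at_11": not ws1.access_allowed(tid, now=11),
    }
```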

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL12356298A IL123562A0 (en) 1998-03-05 1998-03-05 Multiuser computer environment access system and method
IL123562 1998-03-05

Publications (1)

Publication Number Publication Date
CN1302408A true CN1302408A (en) 2001-07-04

Family

ID=11071304

Family Applications (1)

Application Number Title Priority Date Filing Date
CN99805879.3A Pending CN1302408A (en) 1998-03-05 1999-03-01 Multiuser computer environment access system and method

Country Status (5)

Country Link
JP (1) JP2003526826A (en)
CN (1) CN1302408A (en)
AU (1) AU2637599A (en)
IL (1) IL123562A0 (en)
WO (1) WO1999049378A2 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001072107A2 (en) * 2000-03-24 2001-10-04 International Paper Rfid tag for authentication and identification
CN1672382B (en) 2002-07-26 2010-09-01 皇家飞利浦电子股份有限公司 Secure authenticated distance measurement
WO2005088420A1 (en) * 2004-03-10 2005-09-22 Siemens Aktiengesellschaft Method for adjusting an electronic device to a user profile and an additional component for carrying out said method
US7627341B2 (en) 2005-01-31 2009-12-01 Microsoft Corporation User authentication via a mobile telephone
US8929528B2 (en) 2005-02-11 2015-01-06 Rockstar Consortium Us Lp Method and system for enhancing collaboration
US7676380B2 (en) * 2005-02-11 2010-03-09 Nortel Networks Limited Use of location awareness to establish and suspend communications sessions in a healthcare environment
US7213768B2 (en) * 2005-03-16 2007-05-08 Cisco Technology, Inc. Multiple device and/or user association
US7523141B2 (en) 2006-07-31 2009-04-21 Microsoft Corporation Synchronization operations involving entity identifiers

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104823207A (en) * 2012-09-25 2015-08-05 谷歌公司 Securing personal identification numbers for mobile payment applications by combining with random components
CN104823207B (en) * 2012-09-25 2019-02-22 谷歌有限责任公司 The Personal Identification Number for mobile payment application program is protected by combining with random element

Also Published As

Publication number Publication date
WO1999049378A2 (en) 1999-09-30
IL123562A0 (en) 1998-10-30
AU2637599A (en) 1999-10-18
JP2003526826A (en) 2003-09-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C01 Deemed withdrawal of patent application (patent law 1993)
WD01 Invention patent application deemed withdrawn after publication