GB2197734A - Computer security system - Google Patents

Computer security system Download PDF

Info

Publication number
GB2197734A
GB2197734A GB8726373A GB8726373A GB2197734A GB 2197734 A GB2197734 A GB 2197734A GB 8726373 A GB8726373 A GB 8726373A GB 8726373 A GB8726373 A GB 8726373A GB 2197734 A GB2197734 A GB 2197734A
Authority
GB
United Kingdom
Prior art keywords
control unit
computer
password
line
code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
GB8726373A
Other versions
GB8726373D0 (en
Inventor
Bernard John Regan
Herbert Collomosse
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
LOUIS NEWMARK PLC
Original Assignee
LOUIS NEWMARK PLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by LOUIS NEWMARK PLC filed Critical LOUIS NEWMARK PLC
Publication of GB8726373D0 publication Critical patent/GB8726373D0/en
Publication of GB2197734A publication Critical patent/GB2197734A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/85Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

Apparatus for controlling access to a computer from peripheral equipment 11, such as a VDO terminal includes a first part such as a lock 12 which can be connected in the line between the equipment 11 and the computer 10 so that it normally isoiates them. A second part e.g. a portable unit can be located, 15, relative to the first part such that it can transmit a code to the control unit of the first part. The control unit checks the code and opens the line if a valid code is sensed. The lock also includes means permitting input from terminal 11 to the control unit of a character or characters relating to a password and the control unit is arranged on the basis of the input characters to generate according to a stored prooedure a password for transmission to the computer. <IMAGE>

Description

COMPUTER SECURITY SYSTEM This invention relates to the security of computer systems.
It is well known. in computer systems to require the entry of the password or passwords in order to gain access to the system accounts. This type of arrangement provides only a relatively low level of security since the passwords tend to become shown and can in some cases be evaded. The present invention is concerned with apparatus which is designed to provide an improved level of security.
According to one aspect of the present invention there is provided apparatus for controlling access to a computer from peripheral equipment such as a VDU terminal, said apparatus including a first part which is arranged to be connected in the line between the equipment and the computer so that it normally isolates said equipment and computer, and a second part which can be located relative to the said first par such that rat ^ can communicate witn ne control uni or saio first part, said second part being arranged to transmit to the control unit a code and said control unit being arranged to check the va#idity or saic code and to open said line if a valid code is sensed, said first part also including means permitting input to said control unit of a cnaracter or characters relating to a password and said control unit being arranged on the basis of the input characters to generate according to a stored procedure a password for transmission to the computer. The communication between the second part and the control unit can be a two way communication.
The apparatus may be arranged to transmit the password to the computer only if that password is recognised as one validly associated with the code transmitted by the second part.
The entry of said character or characters may result in the production of two elements of the password which are manipulated by the control unit in accordance with an algorithm to produce the password.
Thls arrangement has the advantage that the passwords used in the system need never become known to the user. What a user does is input characters which select a particular system account and on the basis of those characters the control unit generates the appropriate password which is only transmitted to the computer if it is recognised as one validity associated with that user.
The second part may be a hand held unit insertable by by any user into a receiving slot or the like in the first part to permit communication with said control unit. The communication may be by way of an infra-red link, a radio type link, a magnetic type link or any other suitable means. The control unit may be arranged to check both that said second part is an authorised device and that the code transmitted to it is an authorised code.
The apparatus may include a facility for disabling a line between the peripheral equipment and the computer subsequent to that line having been opened in response to the generation of a valid password.
This facility may be operable when said control unit senses a predetermined period of inactivity on said line, when said control @@is senses that said second Dar- ~s no onger operationally coupled to the thirst part out said peripheral equipment is not logged off, or when said control unit senses that said peripheral equipment has been logged off but said second part is still operationally coupled to the control unit.
according to another aspect of the present invention there is provided apparatus for controlling access to a computer from a peripheral equipment such as a VDU terminal, said apparatus including a first part whicn 5 arranged to be connected in the line between the equipment and the computer so that it normally isolates said equipment and computer, and the second part which can be located relative to said first part so that it can communicate with a control unit of said first part, said second part being arranged to transmit to the control unit a code and said control unit being arranged to check the validity of said code to open said line if a valid code is sensed, and wherein said second part includes a facility for disabling the line between the peripheral equipment and computer subsequent to that line having been opened. The communication between the second part and the control unit can be a two way communication.
Said #-aciiity may be operable when said control unit senses a precetermined period of inactivity on said line, when said control unit senses that said second part is no longer operationally coupled to said control unit but that said peripheral equipment is not logged off, or when said control unit senses that said peripheral equipment has been logged off and that said second part is still operationally coupled to the control unit.
The invention will be described now by way of example only with particular reference to the accompanying drawings. In the drawings: Figure 1 is a block schematic diagram of a computer system incorporating security apparatus in accordance with the preset invention Figure 2 is a block schematic diagram of a security apparatus in accordance with the present invention, and Figure 3 is a block diagram illustrating the function of the apparatus.
Referring to Figure - a computer system comprises a main computer illustrated at u, a terminal 11, and security apparatus hereinafter referred to as a lock 12 which is connected in the line between the terminal i. and computer 10. The lock 12 has a button 14 wnose function will be referred to later.
The lock 12 also has a slot 15 which can receive 2 small nana held unit which will hereinafter be referred to as a commander.
The commander can communicate with circuitry in the lock 12 by any suitable means. In the present embodiment the communicatIon is by means of an infra-rec link but it will be appreciated that other types of arrangement could be used such as magnetic cards or radio tags. The lock 12 also incorporates a buzzer which acts as an alarm as will be described hereinafter. Also shown on Figure 1 is a security computer 16.
Referring now to Figure 2 the lock is a processor based device and includes an authenication module 20 and a control module 21 both of which are micro-processor based devices. The commander slot is shown at 15 and is terminated by an infra-red module 16 which is connected to the authentication module 20 The button 1t is connected to the control module which itself has connections both to the terminal ii and to the computer 10. It also has a connection to the security computer 16. A micro switch 22 is provided adjacent the slot 15 and is connected to the control module 21. The unit includes a power supply 24 for supplying the necessary power to the authentication module and control module.
The function of the lock 12 in conjunction with a commander is to control access to the computer 10 from the terminal 11.
In use on power-up the lock 11 assumes a locked state in which the terminal 11 and computer 10 are isolated via the control module 21. A user wishing to access the computer 10 can only do so by making use of his commander unit. Initially the commander is inserted into the commander slot 15. In this position the commander can communicate with the authentication module 20 by way of the module 16. The authentication module initially carries out a check to ensure that the commander unit inserted is an authorised unit.Information regarding those commander units which are authorised is stored within he authentication tnodula 2C to enable it to tarry out this unction. In addition to using a valid commander the user has to enter via the terminal keyboard a personal identification number or code which is unique to toat user. This number is communicated to the authentication module which checks trat it is the number of an authorised user associated with that particular commander. The authentcatnon module has previously been provided wit that number as an authorised number.If the correct identification number is entered then the control module 21 is instructed to open the link between the terminal 11 and the computer 10 so that the user wishing to gain access can transmit characters from the terminal to the computer although cannot gain access to an account at that stage.
The user then has to enter a password in order to access an account of the the computer 10. The present arrangement does not make use of a conventional scheme for entering passwords. The password itself is not known to a user of the system.
The system makes use of personal and system passwords. There can be a number of personal passwords and a number of system passwords. The user initially operates the button 14 on the lock 12 and in response to this a message is displayed on the terminal 11 which prompts the user to select either a personal or system password. After selecting the type the user has to enter a number which in the case of a personal password will be a single character and in the case of a system password will be a two digit number. On entry of a valid password number a word known as a password tag is displayed on the terminal screen and the user is invited to either accept or reject this taa by pressing the return key.If the user accepts the tag then an algorithm stored within the control circuitry of the lock 12 generates a password for transmission to the computer 10. This password generation involves manipulation of a password seed and a password base. If the password is recognized as one which the user Ls entitled to use te user will be allowed access to the appropriate account within the computer. If not then access will be refused. Thus it will be seen that whilst the two elements required to generate a password may be known the actual password transmitted to the computer is not known and can be maintained completely secret.
During access to an account in toe computer 10 toe user 5 required to retain his commander in toe siot 15. If the user removes his commander without logging off this is sensed by the control circuitry of the lock i2 and a message is displayed on the terminal 11 requesting replacement of the commander anc toe warning buzzer is also sounded. Tf the commander is not replaced within a given time which has previously been selected by the system manager the control circuitry of the lock 12 attempts to log toe user off automatically.If this is successful the lock returns to its locked state so that the user can no longer access the computer 10. If automatic log-off is unsuccessful the lock alarm sounds for a programabie time and sends a message to the security computer 16 to indicate that the automatic logoff has been unsuccessful. The users name and the commander number and the reason for the error condition are displayed on the terminal and repeated every ten seconds. The user must then replace his commander and complete the log-off procedure in order to remove this error condition. Alternatively a security officer may load a device in the slot 15 to correct the situation.
Automatic log-off is initiated by the control unit of the lock 12 transmitting a log-off command to the computer 10. The control unit then awaits a response from the computer following which it generates a further signal or signals to complete the log-off If the user replaces his commander in response to the warning referred to above he can again gain access to the computer by operating his commander and inserting his identification number as in the manner described above.
The lock also incorporates other functions operable in connection with log-off. These are as follows.
If the user removes his commander immediately after a valid log-off has been recognised by the lock the lock checks that the user has logged off correctly.
If the lock identifies a correct logoff then it assumes the condition in which the new user can gain access to the system in the manner described above.
If the log-off is found to be incomplete, an automatic log-off procedure will be attempted in the manner described above.
If a valid log-off command is detected by toe lock and this is followed by a pre-seiected period of inactivity a short warning tone is generated.If following this the user does not enter any further information within a time specified by the system manager the lock carries out a cneck to see whether the user has logged off If this is not the case the ioct will attempt automatic ogoff in the manner described above If however, the user has already logged off an alarm is sounded and a message produced to indicate that the user has logged off but left the commander in the slot 15. When the commander is removed the alarm is cancelled and the lock assumes a condition in which it is ready to receive the next user.
If whilst logged on in the manner described above the lock detects a long period of inactivity on the line between the terminal and the main computer the user is requested to activate his commander and enter his identification number. If this operation is performed correctly the link between the terminal 11 and the computer 10 is maintained so that the user may continue interaction with the computer. If however che commanser is not operated or an incorrect Identification number is entered toe lock again attempts to logoff the user If this is unsuccessful an alarm condition occurs. IF however the log-off is successful an alarm is sounded to indicate that the user has left the commander in the slot 15.Again removal of the commander will cancel the alarm so that the lock again assumes a state in which it is ready to receive the next commander. Timing of automatic log-off 15 controlled by a system of timeouts which can configured to suit each particular installation.
It will be appreciated that generation of system passwords and information relating to valid commanders will be under the control of a security manager. The security manager can enter data relevant to these parameters into the authentication and control modules 20,21 using a special device knout as a loader. Thus at any time the security manager can introduce details or a newly authorised commander or can delete details of a commander which is no longer to be used. instead of using the loader it is possible to use an arrangement in which the security manager configures the system from a remote location.
It will be appreciated that the system software Incorporates a piuraiity of timeout ror example to control the timing of automatic loo-of fs. These timeouts are user configurable.
An important feature of the present system is the password facility. In the present embodiment up to 16 system passwords may be defined. A list of the password accessible to each user is entered when a new commander is introduced and may be edited by selecting a number from a main menu. batch system password has its own tag and is derived from its own base and the system seed. The tag is a string of characters which are displayed after the number of the password has been chosen by the user as a final check that this is the account required. For example a tag for a password used to gain entry to a mailing list may be MAIL LIST, The base is also a string of characters.When the password has been chosen and the tag determined to be correct the base is combined with the system seed and the resulting password sent to the main computer as described above. The system seed Is also a string of characters and these can be set to a number of different characters values to give more distinct passwords. By changing the password seed toe security manager can simuitaneousi changes all system passwords. The lock allows passwords to be generated from the previous'seed facilitating the mechanism of changing passwords.
User passwords are derived in a similar manner up to 4 for each user. Each user password has its own tag and base, each user has his own seed.
As a further feature which will provide an added level of security a plug in encryption unit can be provided between the terminal and computer.

Claims (12)

CLAIMS:
1. Apparatus for controlling access to a computer from peripheral equipment such as a VDU terminal, said apparatus including a first part which is arranged to be connected in the line between the equipment and the computer so that it normally isolates said equipment and computer, and a second part which can be located relative to the said first part such that it can communicate with ~the control unit of said first part, said second part being arranged to transmit to the control unit a code and said control unit being arranged to check the validity of said code and to open said line if a valid code is sensed, said first part also including means permitting input to said control unit of a character or characters relating to a password and said control unit being arranged on the basis of the input characters to generate according to a stored procedure a password for transmission to the computer.
2. Apparatus as claimed in claim 1, wherein the communication between the second part and the control unit is a two way communication.
3. Apparatus as claimed in claim 1 or claim 2, wherein the apparatus is arranged to transmit the password to the computer only if that password is recognised as one validly associated with the code transmitted by the second part.
4. Apparatus as claimed in any preceding claim, wherein the entry of said character or characters results in the production of two elements of the password which are manipulated by the control unit in accordance with an algorithm to produce the password
5. Apparatus as claimed in any preceding claim, wherein the second part is a hand held unit insertable by by any user into a receiving slot or the like in the first part to permit communication with said control unit.
6. Apparatüs as claimed in any preceding claim, wherein the communication is by way of an infra-red link, or a a radio type link, or a magnetic type link.
7. Apparatus as claimed in any preceding claim, wherein the control unit is arranged to check both that said second part is an authorised device and that the code transmitted to it is an authorised code.
8. Apparatus as claimed in any preceding claim, including a facility for disabling a line between the peripheral equipment and the computer subsequent to that line having been opened in response to the generation of a valid password.
9. Apparatus for controlling access to a computer from a peripheral equipment such as a VDU terminal, said apparatus including a first part which is arranged to be connected in the line between the equipment and the computer so that it normally isolates said equipment and computer, and the second part which can be located relative to said first part so that it can communicate with a control unit of said first part, said second part being arranged to transmit to the control unit a code and said control unit being arranged to check the validity of said code to open said line if a valid code is sensed, and wherein said second part includes a facility for disabling the line between the peripheral equipment and computer subsequent to that line having been opened.
10. Apparatus as claimed in claim 9, wherein the communication between the second part and the control unit is a two way communication.
11. Apparatus as claimed in claim 9 or claim 101 wherein said facility is operable when said control unit senses a predetermined period of inactivity on said line, when said control unit senses that said second part is no longer operationally coupled to said control unit but that said peripheral equipment is not logged off, or when said control unit senses that said peripheral equipment has been logged off and that said second part is still operationally coupled to the ccntrol unit.
12. Apparatus for controiling access to a computer substantially as hereinbefore described with reference to and as shown in the accompanying drawings.
GB8726373A 1986-11-14 1987-11-11 Computer security system Pending GB2197734A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB8627253A GB8627253D0 (en) 1986-11-14 1986-11-14 Computer security system

Publications (2)

Publication Number Publication Date
GB8726373D0 GB8726373D0 (en) 1987-12-16
GB2197734A true GB2197734A (en) 1988-05-25

Family

ID=10607354

Family Applications (2)

Application Number Title Priority Date Filing Date
GB8627253A Pending GB8627253D0 (en) 1986-11-14 1986-11-14 Computer security system
GB8726373A Pending GB2197734A (en) 1986-11-14 1987-11-11 Computer security system

Family Applications Before (1)

Application Number Title Priority Date Filing Date
GB8627253A Pending GB8627253D0 (en) 1986-11-14 1986-11-14 Computer security system

Country Status (1)

Country Link
GB (2) GB8627253D0 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6070240A (en) * 1997-08-27 2000-05-30 Ensure Technologies Incorporated Computer access control
GB2398664A (en) * 2002-07-31 2004-08-25 Trek 2000 Int Ltd System and method for authentication
US7650470B2 (en) 2001-06-28 2010-01-19 Trek 2000 International, Ltd. Method and devices for data transfer
US8209462B2 (en) 2000-02-21 2012-06-26 Trek 2000 International Ltd. Portable data storage device
ITUB20152318A1 (en) * 2015-07-21 2017-01-21 Vodafone Automotive Spa SYSTEM FOR COMMUNICATION CONTROL BETWEEN A MAIN DEVICE AND AN AUXILIARY DEVICE AND RELATED MAIN DEVICE AND AUXILIARY DEVICE USED IN THE SYSTEM
ITUB20152317A1 (en) * 2015-07-21 2017-01-21 Vodafone Automotive Spa SAFETY SYSTEM FOR COMMUNICATION CONTROL BETWEEN ONE UNIT AND AN AUXILIARY DEVICE

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2061578A (en) * 1979-05-30 1981-05-13 Stockburger H Data transmission system

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2061578A (en) * 1979-05-30 1981-05-13 Stockburger H Data transmission system

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6070240A (en) * 1997-08-27 2000-05-30 Ensure Technologies Incorporated Computer access control
US8209462B2 (en) 2000-02-21 2012-06-26 Trek 2000 International Ltd. Portable data storage device
US7650470B2 (en) 2001-06-28 2010-01-19 Trek 2000 International, Ltd. Method and devices for data transfer
US7434251B2 (en) 2002-07-31 2008-10-07 Trek 2000 International Ltd. System and method for authentication
GB2398664B (en) * 2002-07-31 2005-04-20 Trek 2000 Int Ltd System and method for authentication
US7797736B2 (en) 2002-07-31 2010-09-14 Trek 2000 International Ltd. System and method for authentication
GB2398664A (en) * 2002-07-31 2004-08-25 Trek 2000 Int Ltd System and method for authentication
US8234700B2 (en) 2002-07-31 2012-07-31 Trek 2000 International Ltd. System and method for authentication
US8429416B2 (en) 2002-07-31 2013-04-23 Trek 2000 International Ltd. Method and apparatus of storage anti-piracy key encryption (SAKE) device to control data access for networks
ITUB20152318A1 (en) * 2015-07-21 2017-01-21 Vodafone Automotive Spa SYSTEM FOR COMMUNICATION CONTROL BETWEEN A MAIN DEVICE AND AN AUXILIARY DEVICE AND RELATED MAIN DEVICE AND AUXILIARY DEVICE USED IN THE SYSTEM
ITUB20152317A1 (en) * 2015-07-21 2017-01-21 Vodafone Automotive Spa SAFETY SYSTEM FOR COMMUNICATION CONTROL BETWEEN ONE UNIT AND AN AUXILIARY DEVICE
EP3121754A1 (en) * 2015-07-21 2017-01-25 Vodafone Automotive S.p.A. Safety system for controlling the communication between at least one control unit and an auxiliary device
EP3121753A1 (en) * 2015-07-21 2017-01-25 Vodafone Automotive S.p.A. System for controlling the communication between a main device and an auxiliary device and associated main device and auxiliary device used in the system

Also Published As

Publication number Publication date
GB8726373D0 (en) 1987-12-16
GB8627253D0 (en) 1986-12-17

Similar Documents

Publication Publication Date Title
US6070240A (en) Computer access control
US5774058A (en) Remote access system for a programmable electronic lock
US5774059A (en) Programmable electronic lock
EP0301740B1 (en) Method for locking to the user&#39;s card in a portable radio telephone
US6710700B1 (en) Vehicle key system
CN100409617C (en) System and method of authenticating validity and dropoff
US7131139B1 (en) Method for authorizing access to computer applications
US20060267727A1 (en) Intelligent locking system using biometrics
US5982894A (en) System including separable protected components and associated methods
JP2002516445A (en) How to authenticate an IC card user&#39;s personal code
US20100327055A1 (en) Code Based Access Systems
WO2001016909A1 (en) Method for controlling fingerprint identification door lock system
GB2197734A (en) Computer security system
US20050071673A1 (en) Method and system for secure authentication using mobile electronic devices
EP1398737B1 (en) Identification system
EP0388840B1 (en) Security extension procedure for electronic remote setting meter
US20030014642A1 (en) Security arrangement
JP3834056B1 (en) Authentication system, reader / writer device and storage
JP3318094B2 (en) Security locker system and device
US6622014B1 (en) Method for authorizing a communication between at least two devices
JPH09112092A (en) Multiple dwelling house interphone device
US20040190756A1 (en) Biometric enabled mailbox system
KR100597482B1 (en) Method for authenticate in/out using wireless telecommunication terminal
RU2260840C2 (en) Protection means
KR100483236B1 (en) Door Lock Opening/Setting System