RU2126168C1 - Method for protection of personal computer against unauthorized access and device which implements said method - Google Patents

Abstract

FIELD: computer engineering. SUBSTANCE: device is designed as access system, which is connected to system bus of personal computer and performs physical connection without which computer does not work. EFFECT: increased reliability of protection, simplified method and device design. 6 cl, 2 dwg

Description

 The method and device for protecting a personal computer from unauthorized access belong to the field of computer technology and can be used both individually by the owner of the computer, and in corporate systems that have an administrator for safe operation. The method can be implemented by a device, which is a functionally complete module containing in the composition of the microcomputer. Structurally, the device is installed in a personal computer so as to connect the protection device to the computer bus.

 The prior art method of protecting a personal computer from unauthorized access, which consists in remembering the identification codes of various operating modes and users, comparing identification codes and according to the results of the comparison, they implement various types of access to the computing system (see EP, application, 0478126, cl G 06 F 13/12, 1992).

 A known system based on interconnected computer bus and an external device. The system contains a microprocessor as part of a microcomputer, a device having a multi-bit address and containing a register for storing data bits having multi-bit addresses used by the microprocessor when accessing the registers, connected to it using a serial bus. The microprocessor comprises a register access message generator. In a multi-bit register, the first number of bits contains the multi-bit address of the external device, the second number of bits is used to identify the message, one bit is used to identify the write or read mode, and the third number of bits is used to determine the last access address of the register.

 A unit is connected to the microprocessor for serial transmission of messages on the bus to an external device. The external device contains a block for receiving a register access message connected to the bus, and a block connected between the reception and registration block to allow access to the register in accordance with the address determined by the third number of bits of the second transmitted message (see ibid.).

 In a known system, access to the system is carried out by complex protection of parts of the system by software.

The closest in technical essence to this method is a method of protecting a personal computer from unauthorized access, which consists in pre-entering the identification codes of the system intended for storage, entering the user identification code, comparing the user identification code with the system identification codes, if the specified code matches with at least one of the system identification codes access the system (RU, 95100344, G 06 F 12/14, 11/10/96)
Closest to the claimed device is a device for protecting a computer from unauthorized access, containing a microcomputer associated with a storage device, an ID code input unit and a computer interface circuit.

 In the known method and device, access to a personal computer is as follows. The control processor as part of the microcomputer checks the access identification code. The access control processor as part of the microcomputer checks the access identification code, in the verification mode the processor receives commands from the central processor, checks and generates messages for exchanging information about the state interruption and management. Since in the known method and device access to a personal computer is carried out only programmatically, i.e. by analyzing messages and forming commands, the system as a whole does not have reliable protection against unauthorized access.

 All of the known methods listed above for protection against unauthorized access to a computer or memory and devices that implement them have special identification tools at the system input that are part of the system that identifies the user programmatically.

 This leads to the fact that access can be obtained by an unscrupulous user in the absence of the owner, knowing the general algorithm or login code.

 This invention uses the idea that a personal computer is used by one specific user (owner) "personally", and therefore there is no need to share its resources and protect the received parts separately. Hence, the main task of protecting a computer from unauthorized access is to exclude the possibility of managing it by an unauthorized person in the absence of the owner.

 The technical result of the proposal is to increase the functional reliability of protection by simplifying the method and creating a reliable and easy-to-use device for protection against unauthorized access connected to the system bus of a personal computer (PC) as a key for allowing access to a PC without a physical connection to which the computer cannot function.

 Creating a dedicated active processor element in the form of a protection device (microprocessor or microcomputer) that solves exclusively the tasks of user identification and access control.

 Storage of all programs in the ROM (read-only memory) of the device in order to exclude their distortion by another program, a person or a virus.

 In particular, the device includes a removable identifier for system codes, which, depending on the tasks of the computer, can store different sets of system identification codes.

 Blocking access to a PC by physically disabling input devices (keyboard, mouse, etc.), performed automatically when a user’s means or device is deleted.

 Minimal use of PC hardware resources - only one line of hardware interruption (memory, ports and disks are not used in order not to introduce any restrictions on PC operation).

 The technical result is achieved by the fact that in the method of protecting a personal computer from unauthorized access, which consists in pre-entering the identification codes of the system intended for storage, entering the user identification code, comparing the user identification code with the identification codes of the system, if the specified code matches at at least one of the identification codes of the system provides access to the system, and access to the system is carried out by closing the circuit, connecting yayuschey input device of a personal computer with a PC.

 When realizing access to the system, when the indicated codes coincide, they form a command for controlling the inclusion of the indicated circuit, through which it closes.

 The technical result is also achieved by the fact that a device for protecting a personal computer from unauthorized access containing a microcomputer, a storage device, a user identification code input unit, a circuit for interfacing with a personal computer, a system code identifier, a blocking signal driver, and the first and second microcomputer input and outputs are introduced connected to the inputs / outputs of the identifier of the system codes and the block of the user identification code, the third input-output is connected to the control by the input of the driver of the blocking signal included in the circuit of the input device of the personal computer connected to the corresponding input of the interface circuit with the personal computer, the microcomputer data bus is connected to the data bus of the storage device, the control output of the microcomputer is connected to the first and second control inputs of the storage device, the bus of the interface circuit connected to the corresponding buses of the storage device with a personal computer; control outputs are connected to the corresponding inputs of the storage devices of huge capacity.

 A sound emitter connected to the signal output of the microcomputer is introduced into the device.

 The lock signal generator is made in the form of a controlled opening key. The system code identifier is made in the form of a non-volatile memory block.

 In FIG. 1 shows a block diagram of the proposed device for protecting a personal computer from unauthorized access that implements the proposed method, FIG. 2 is a block diagram of a device in which another embodiment of a storage device is presented.

 The device contains a microcomputer 1, designed to control the operation of the device, identifier 2 system codes, which is designed to store the system log; the list of users allowed to work with a PC, as well as program codes that ensure the functioning of microcomputer 1. Information is exchanged between identifier 2 and microcomputer 1 through links 3, 4.

 The user identification code input unit 5 is intended for storing information identifying the user and defining his category and access rights to a computer or information system. Information is exchanged between block 5 and microcomputer 1 via communication 6. As blocks 2 and 5, devices can be used that include non-volatile memory of the required size, for example, personal identifiers of Dallas Semiconductor.

 Shaper 7 of the lock signal is designed to provide communication between input devices of a personal computer (PC keyboard and a mouse-type manipulator) and the interface circuit with a personal computer. In case block 5 is not installed or the user is not allowed to work with this PC, the blocking signal generator 7 at the physical level disconnects the keyboard or mouse from the PC. Links 9 and 10 are for connecting a mouse and keyboard to a device. Communication 11 provides information exchange between the driver 7 and the microcomputer 1. Communication 12 provide information exchange between the input devices of the computer (keyboard, mouse) and the circuit 8 for interfacing with a personal computer directly connected to the computer during normal operation of the device. The storage device 13 (Fig. 1) can be performed on the register 14 for receiving data from a PC with a control input 15 and 16, the register 17 for transmitting data to a PC with control inputs 18 and 19, a block 20 of random access memory and a block 21 of permanent memory (BIOS) with control inputs 22, 23 and 24, data bus 25, bus 26.

 In another embodiment, the storage device 13 (Fig. 2) is connected to the microcomputer 1 data bus 25 and control bus 27 and to the circuit 8 of the interface with the PC bus 26 and buses 28. In this case, the memory 13 consists of a block 29 of permanent memory (BIOS) containing the program of the device when loading the operating system, an interrupt handler 30, containing interrupt processing programs from the device to the PC, a RAM block 31 for storing operational information necessary for executing BIOS programs, and an interrupt handler 30 register 32 state, designed to transfer device states to the PC during the BIOS and interrupt handler programs, data register 33, used to exchange information between the device and the PC during BIOS programs and the interrupt handler, synchronization register 34 for synchronization collaboration between the device and the PC.

 The storage device is arranged so that it is physically located in the device, and logically located in the address space of the PC. While the BIOS and the interrupt handler are running, PC memory is not used. The BIOS and interrupt processor blocks are made on the basis of ROM, and the rest - on the basis of RAM.

 PC interface circuit 8 is designed to combine buses 26 and 28 (address, data, and synchronization signals) into a bus that directly connects to the PC system bus.

 Sound emitter 35 is designed to generate sound signals during operation of the device when detecting violations of the access order.

 The protection device together with the personal computer make up a system in which the user is identified by the information stored in his personal identifier (not shown in the drawing). These identifiers are small-sized microcircuits with their own non-volatile memory, enclosed in a sealed metal case in the form of a tablet. They are reliably protected from external influences and are able to store information for more than ten years. The most important property of such an identifier is its uniqueness, which is provided by the manufacturer by writing an individual serial number to its unchangeable memory. Reading this number allows you to reliably identify the user of a personal computer. The device protects the personal computer from unauthorized access as follows.

 When you turn on the personal computer, control is transferred to the initialization procedure of the device, located in the form of a separate board (not shown in the drawing). The device pauses the download and asks for the user password. Before entering the password, the user must install his personal identifier (not shown) in a special contact device 36 connected to the input of the user identification code input unit 5. The entered password is checked by the processor of the microcomputer device 1 using a special procedure, and if the result of this check is positive, the same processor checks the presence of this personal identifier in the list of authorized for work on this personal computer. This list is stored in the identifier 2 of the system codes. If this fact is established, then the operation of the personal computer continues as usual. It should be noted that all actions associated with user identification are performed by the microcomputer 1 of the proposed device, which is inaccessible to the central processor of a personal computer, this makes the identification procedure inaccessible to any outside interference.

 In the future, as soon as the user removes his personal identifier from the contact device 36, the keyboard and mouse are blocked on the channels 9 and 10 of the computer, thereby eliminating the possibility of unauthorized access from an outsider, although the computer continues to function. After returning the personal identifier, the keyboard and mouse become available, and depending on the configuration stored in the device’s memory, a password may be requested again. The keyboard and mouse are locked by the device’s own processor by physically breaking the communication lines of these devices with a personal computer.

 A distinctive feature of the device is also that the device continuously monitors the operation of a personal computer and all its actions are performed at the physical level and do not depend on the operating environment and PC operating mode.

 The protection device performs all functions exclusively using its own resources and does not use either the PC's RAM or its disk.

 The method and device for its implementation provides the implementation of the following functions: password protection, storage of identifying information in reliable personal identifiers such as touch memory, constant monitoring of the integrity of the system (invariance of the interrupt vector, physical connection conditions, etc.) and, if possible, its self-recovery , continuous confirmation of the keyboard and mouse lock when deleting the user ID, which significantly increases the reliability of the lock, the sound signal is set using th board sounder when it is impossible to neutralize unauthorized actions, maintaining a secure system log.

 The protection device located on a separate board practically does not affect the operation of the computer in any of the possible modes and does not change its operational characteristics.

 The device performs its functions at the physical level, using only BIOS interrupts. In this regard, its work does not depend on the operating system installed on the personal computer.

 The device is located, as mentioned above, on a board that has several switches to match its configuration with the real hardware environment of the computer and can be installed in any free expansion slot. Maintenance of the board during operation is not required.

 To implement the proposed method, the device for protection against unauthorized access to a personal computer is made in the form of a board with connectors (not shown in the drawing), on which are located an Intel 8052 microcomputer, its own BIOS ROM, and equipment for connecting to a personal computer and contact device 36. Functional software The proposed system is stored in a storage device and therefore cannot be changed during operation. To communicate with a personal computer, one of the hardware interrupt lines is used. The purpose of this line is tightly controlled and cannot be changed during the operation of a personal computer.

 The offer can be effectively used on any IBM compatible computer with an ISA bus, regardless of the type of operating system.

Claims (6)

 1. The way to protect a personal computer from unauthorized access, which consists in pre-entering the identification codes of the system intended for storage, entering the user identification code, comparing the user identification code with the system identification codes, if the specified code matches at least one of the identification codes system codes provide access to the system, characterized in that the system is accessed by closing the circuit connecting the person input device cial PC with a PC.  2. The method according to claim 1, characterized in that when accessing the system when the specified codes coincide, a command for controlling the inclusion of the circuit is formed, by which it is closed.  3. A device for protecting a personal computer from unauthorized access, containing a microcomputer, a storage device, a user identification code input unit, a interface circuit with a personal computer, characterized in that a system code identifier, a lock driver, and the first and second inputs and outputs of the microcomputer are connected with inputs and outputs, respectively, of the system code identifier and the user identification code input unit, the third input-output is connected to the control input of the the receiver of the blocking signal included in the circuit of the input device of the personal computer connected to the corresponding input of the interface circuit with the personal computer, the microcomputer data bus is connected to the data bus of the storage device, the control outputs of the microcomputer are connected to the first and second control inputs of the storage device, the bus of the interface circuit to the personal computer the computer is connected to the corresponding buses of the storage device, the control outputs are connected to the corresponding inputs of the storage device Twa.  4. The device according to claim 3, characterized in that a sound emitter is connected to it, connected to the signal output of the microcomputer.  5. The device according to claim 3, characterized in that the driver of the blocking signal is made in the form of a controlled opening key.  6. The device according to claim 3, characterized in that the identifier of the system codes is made in the form of a non-volatile memory block.

Images