WO2006091997A1 - Security system for computers - Google Patents

Publication number
WO2006091997A1
Authority
WO
WIPO (PCT)
Prior art keywords
controller
computer
digital computer
security system
programmable means
Prior art date
Application number
PCT/AU2005/000279
Other languages
French (fr)
Inventor
Grover Latham Howard
Charles Cornelus Van Dongen
Lindsay Alfred Champion
Stuart Justin Evans
Original Assignee
Evatayhow Holdings Pty Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Evatayhow Holdings Pty Ltd
Priority to PCT/AU2005/000279
Publication of WO2006091997A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/88 Detecting or preventing theft or loss

Definitions

  • the memory facilities of the computer 10 include a basic input/output system (BIOS), as is known. Additionally, the CPU 20 or "smart" network subsystem 42 of computer 10, and the security system programmable controller 12 and the portable transponder controller 16, each include software for driving the signal transmitter and receiver, respectively 11, 13 and 17, associated with each component of the security system.
  • the respective programmable means of the components/systems of computer 10 and the two controllers 12 and 16, and the computer as such, are programmed for operation in the security system and to operate all additional controlled components of the computer 10 in a manner which does not impose an undue burden on the user.
  • the programming provides for security and other functions as will now be described with reference to Figs. 3 to 6 which illustrate, respectively, flow charts 1, 2, 3 and 4.
  • a secure computing system capable computer 10 initiates a power on sequence.
  • the computer 10 waits for a specified time interval to see if a roll call signal is received.
  • 3. The computer 10 checks its receive buffer for a roll call signal with appropriate security codes from a controller 12.
  • the computer 10 will wait for a predetermined time interval then transmit its personal roll call response. 5.
  • the controller 12 determines if the roll call response from the computer 10 was valid or not. If the response was not valid, the process goes to step 9.
  • the controller 12 transmits to the computer 10 all passwords and encryption keys necessary for it to begin normal start up and proceeds to computer start up on flow chart 2 or 3.
  • step 6 If a controller 12 is present and it recognizes the computer 10 as a valid user, the process goes to step 6.
  • controller 12 If a controller 12 is present and does not recognize the computer 10 as a valid user, then the controller 12 issues a warning of an unauthorized user on the system and the computer 10 is Halted.
  • the computer 10 now requests the start up security keys from the user.
  • the computer 10 has completed its power up process.
  • the computer 10 receives an appropriate start up signal from a controller 12 or 16 complete with passwords and encryption keys.
  • 3. The computer 10 decrypts and loads the BIOS.
  • the computer 10 decrypts the encryption key and passes it to the disk IO portion of the BIOS.
  • the computer 10 and BIOS open the disk drive 26 and initialize the encrypt/decrypt on the fly system.
  • 6. The computer 10 determines if it was started using the network or portable controller 12 or 16.
  • 7. If using the network controller 12, the computer 10 sets an interrupt timer
  • the computer 10 has completed its power up process.
  • the computer 10 receives an appropriate start up signal from a controller 12 or 16 complete with passwords and encryption keys.
  • the computer processor 20 begins a roll call of its subsystems and components (e.g. 26, 32, 34).
  • the processor 20 decrypts and loads the BIOS.
  • step 4. 11 The processor 20 issues a warning of missing or new subsystems or devices, identifying each.
  • the processor 20 requests corrective action and appropriate security codes for each missing or new subsystem or device.
  • 13. Has the user/owner entered the appropriate security code within the allowable time and either logged out, reconnected or reinstalled missing subsystems or devices and either removed, logged in and configured any new subsystems or components? If yes continue with step 4.
  • step 14 If a valid response has not been received, then the computer 10 determines if the maximum number of tries has been exceeded. If not, the count is incremented and process returns to step 12.
  • Flow chart 4 (Fig. 6) - Permission to continue timer interrupt; inactivity interrupt; Power change interrupt.
  • Computer 10 transmits a permission to continue request to the portable controller 16 and waits for reply.
  • the computer 10 receives permission to continue message from controller 16, resets interrupt timer 38 and continues to operate normally.
  • Computer 10 waits for controller 12 to respond. If a valid response is received, go to step 7.
  • Computer 10 resets the inactivity interrupt timer 38 and continues to operate normally.
  • a security system may include a plurality of computers, fixed or portable, and a dedicated main controller such as 12 for all, and/or portable transponder controllers, such as 16, for some or all of the computers. Additionally the function of the main controller

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Burglar Alarm Systems (AREA)

Abstract

The systems and methods described herein relate to a security system for a digital computer for enabling, not enabling or disabling said computer and for enabling, not enabling or disabling components of said computer. The security system comprises a computer (10) or a computer and one or more additional electrical devices (12) which are all linked via a bi-directional communications medium, which may be on any medium including the mains power.

Description

SECURITY SYSTEM FOR COMPUTERS
Technical Field
The present invention relates to a security system for a digital computer. It also relates to a method for providing security for a digital computer and to computer programs and program products for implementing the method or the security system.
Background
Generally for computers, and particularly for portable (laptop) computers, there are five types of security technologies that are available. These are user authentication (to confirm an authorised user and prevent unauthorised access), physical locking devices (to deter theft), encryption (to protect data), monitoring and tracing software (to locate and assist in recovery of stolen computers) and alarms (to deter theft). Ideally, a computer security system should address multiple security risks, that is, it should prevent unauthorised access, protect confidential information and protect hardware items.
The present invention seeks to provide a security system and associated method(s), computer programs and program products which combine a number of the above mentioned security technologies to thereby address multiple security risks.
Disclosure of the Invention
According to a first aspect of the invention there is provided a security system for a digital computer including a programmable controller; a digital computer comprising memory facilities including a hard disc, the memory facilities containing a BIOS, and the computer comprising further components and systems of at least a processing unit, a data input facility and a visual display screen; wherein the computer is programmed to encrypt data stored on the hard disc; wherein the programmable controller and the computer each include a signal transmitter and receiver and are linked via a communication medium whereby control signals are bi-directionally transmissible between the programmable controller and the computer; wherein the programmable controller is programmed and the BIOS has programming associated therewith such that on supply of start-up power to the computer, the computer transmits a "request-start" control signal to the controller and the controller in response transmits to the computer a "permission-to-start" control signal which includes an encryption key, wherein the computer upon receipt of the "permission to start" control signal initialises start-up of its components and systems and decryption of data on the hard disc is enabled only if the encryption key is recognised.
A system according to the first aspect of the invention mainly protects data stored on the hard disc but also incorporates an authentication function via the controller. It also provides a theft deterrence function in that removal of the computer from the environment of the controller will prevent start-up of the computer. This system also has the advantage that a user does not have to remember a security code as this is pre-programmed into the controller.
According to a second aspect of the invention there is provided a security system for a digital computer including a programmable controller; a digital computer comprising a processing unit, memory facilities which include a hard disc, and further components and systems of at least a data input facility and a visual display; wherein the components and systems of the computer (apart from the processing unit) each have associated programmable means; wherein the computer is programmed to encrypt data stored on the hard disc; wherein the programmable controller and the computer each include a signal transmitter and receiver and are linked via a communication medium whereby control signals are bi-directionally transmissible between the programmable controller and the computer; wherein the programmable controller, the processing unit and the programmable means of the components and systems of the computer are programmed to provide security functions whereby on supply of start-up power to the computer, the computer transmits a "request-start" control signal to the controller and the controller in response transmits to the computer a "permission-to-start" control signal which includes an encryption key; wherein the processing unit of the computer, upon receipt of the permission-to-start control signal, conducts a "roll-call" poll of the other components and systems each of which returns an "identifier" control signal whereupon, provided the returned identifier control signals are all present and correct, start-up of the computer's components and systems is initialised with decryption of data on the hard disc being enabled only if the encryption key is recognised.
A system according to the second aspect of the invention combines an authentication function with protection of data stored on the hard disc. Furthermore, the authentication function operates at two levels, namely externally of the computer and then internally of it. This provides an improved level of security compared with that of the first aspect of the invention. That is, a stolen computer as a whole and its individual components and systems (should a thief dismantle the computer to sell the parts) are rendered useless in the absence of the controller or knowledge of a valid security key. Thus, in the case of theft, not only is the computer inoperable, but its individual components and systems are also inoperable.
In a system of the first or second aspects of the invention, the computer may be a portable computer such as a laptop. Furthermore, the programmable controller may be a portable transponder in the form of, for example, a smart card or token.
In a security system according to the first or second aspects of the invention wherein the computer is portable, the security system may include a secondary controller in the form of a portable transponder, which may be a smart card or token, (hereinafter "transponder controller"), and the computer is preferably programmed such that, if no "permission-to-start" control signal is transmitted to the computer from the first defined controller (hereinafter "main controller"), the computer transmits a "request-start" control signal to the transponder controller and the transponder controller in response transmits to the computer the "permission-to-start" control signal including the encryption key.
A system as described immediately above permits a portable (laptop) computer to be removed from a mains power supply and yet still be secured via a controller which is itself portable and may be carried by the computer user separated from the computer. Should the computer be stolen it will inevitably be removed from the vicinity of the controller in which case a "permission-to-start" control signal will not be able to be acquired by it and thus the computer will not start.
Additionally, transmission of a request-start control signal to the main controller or to the transponder controller may be initiated by removal of the portable computer from a mains power supply or by an interruption to that supply.
Preferably the computer is programmed such that if the transponder controller does not responsively transmit a permission-to-start control signal, the computer requests entry of a security code, correct entry of which equates with the computer receiving the permission-to-start control signal.
In a system according to the second aspect of the invention, preferably the computer is programmed such that if the "identifier" signals from the "roll call" poll are not all present or not all correct, the computer requests entry of a security code, correct entry of which equates with the computer receiving the permission-to-start control signal. The computer may be programmed to permit a pre-definable number of attempts at entry of the security code, and if the security code is not entered by said number of attempts, start-up of the computer is suspended. Preferably in either the first or second aspects of the invention, the computer is programmed to transmit a "request-start" control signal upon starting the computer from a stand-by mode.
Preferably also the computer is programmed to transmit periodically a "request-continue" control signal to the controller (being a main controller or transponder controller as appropriate in the circumstances) and the controller is programmed to transmit to the computer in response a "continue" control signal, wherein in the absence of a responsive "continue" control signal, the computer requests entry of a security code to continue, and if the security code is not entered, the computer shuts off. This feature increases security in that a periodical monitoring is involved.
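The start-up fallback chain and the periodic "request-continue" check described above, modelled as an added Python example (not code from the patent). The `Computer` class, `make_controller`, the digest-based key and code checks, the component identifiers and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum
from itertools import islice
from typing import Callable, Dict, Iterable, Iterator, Optional

Controller = Callable[[str], Optional[dict]]  # returns None when unreachable


class State(Enum):
    STARTED = "started"
    SUSPENDED = "start-up suspended"
    RUNNING = "running"
    SHUT_OFF = "shut off"


def digest(secret: bytes) -> bytes:
    return hashlib.sha256(secret).digest()


def make_controller(key: bytes, reachable: bool = True) -> Controller:
    """Constructed stand-in for a main or transponder controller."""
    def respond(signal: str) -> Optional[dict]:
        if not reachable:
            return None
        if signal == "request-start":
            return {"signal": "permission-to-start", "key": key}
        if signal == "request-continue":
            return {"signal": "continue"}
        return None
    return respond


@dataclass
class Computer:
    key_digest: bytes             # assumption: only a digest of the disk key is kept
    code_digest: bytes            # assumption: likewise for the security code
    expected_ids: Dict[str, str]  # identifiers the roll-call poll must return
    max_attempts: int = 3         # the pre-definable number of code attempts
    disk_unlocked: bool = False
    log: list = field(default_factory=list)

    def _code_ok(self, entries: Iterator[bytes]) -> bool:
        """Prompt for the security code, at most max_attempts times."""
        for n, code in enumerate(islice(entries, self.max_attempts), start=1):
            self.log.append(f"security code attempt {n}")
            if hmac.compare_digest(digest(code), self.code_digest):
                return True
        return False

    def start(self, main, transponder, returned_ids,
              code_entries: Iterable[bytes] = ()) -> State:
        self.disk_unlocked = False
        entries, key = iter(code_entries), None
        # Ask the main controller first, then the transponder controller.
        for name, ctrl in (("main", main), ("transponder", transponder)):
            self.log.append(f"request-start -> {name} controller")
            reply = ctrl("request-start") if ctrl else None
            if reply and reply.get("signal") == "permission-to-start":
                key = reply.get("key", b"")
                break
        # No permission received: a correct code equates with receiving it.
        if key is None and not self._code_ok(entries):
            return State.SUSPENDED
        # Roll-call: identifiers must all be present and correct, else code.
        if returned_ids != self.expected_ids and not self._code_ok(entries):
            return State.SUSPENDED
        # Decryption is enabled only if the encryption key is recognised.
        # The text does not say where the key comes from on the code path of
        # the first and second aspects, so the disk stays locked in that case.
        if key is not None:
            self.disk_unlocked = hmac.compare_digest(digest(key), self.key_digest)
        return State.STARTED

    def request_continue(self, ctrl, code_entries: Iterable[bytes] = ()) -> State:
        self.log.append("request-continue")
        reply = ctrl("request-continue") if ctrl else None
        if reply and reply.get("signal") == "continue":
            return State.RUNNING
        # Assumption: the same attempt cap applies to the continue prompt.
        if self._code_ok(iter(code_entries)):
            return State.RUNNING
        self.disk_unlocked = False
        return State.SHUT_OFF


# Constructed sample values, not taken from the patent.
DISK_KEY = b"constructed-disk-key"
CODE = b"constructed-code"
IDS = {"hdd-26": "A1", "vdu-32": "B2"}


def new_computer() -> Computer:
    return Computer(digest(DISK_KEY), digest(CODE), dict(IDS))


if __name__ == "__main__":
    pc = new_computer()
    away, token = make_controller(DISK_KEY, reachable=False), make_controller(DISK_KEY)
    print(pc.start(away, token, IDS), pc.disk_unlocked)   # laptop off the mains
    print(pc.request_continue(away))                      # token out of range
    print(*pc.log, sep="\n")
```
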
The communication medium of the first or second aspects of the invention may be a mains power supply or wireless signal (for example, radio, microwave, infra-red, or ultrasonic) in respect of the main controller. In respect of the transponder controller, the communication medium will be a wireless signal.
The invention also includes a security system for a computer which does not require a separate controller. Thus according to a third aspect of the invention there is provided a digital computer including a security system, the computer comprising a processing unit, memory facilities which include a hard disc, and further components and systems of at least a data input facility and a visual display screen; wherein the components and systems of the computer apart from the processing unit each have an associated programmable means; wherein the processing unit and the associated programmable means of the other components and systems are programmed to provide security for the other components and systems; the security including, on supply of start-up power to the computer, the processing unit conducts a "roll-call" poll of the other components and systems each of which returns an identifier control signal whereupon, provided the returned identifier signals are all present and correct, the computer requests entry of a security code without which start-up of the computer will not continue.
Preferably in the third aspect of the invention, the computer is programmed to encrypt data stored on the hard disc, and the security code includes a key for decrypting that data on start-up of the computer.
In a system according to the first aspect of the invention, the computer can be set up for the security system by modifying the BIOS and not the processing unit. In a security system according to the second aspect of the invention, the computer will require changes to the processing unit and the programmable means of the components and systems of the computer.
For a better understanding of the invention and to show how the same may be carried into effect, embodiments thereof will now be described, by way of non-limiting example only, with reference to the accompanying drawings.
Brief Description of Drawings
Fig. 1 schematically illustrates a security system for a computer according to an embodiment of the invention.
Fig. 2 schematically illustrates the system of Fig. 1, showing principal components of the computer in block diagram form.
Figs. 3 to 6 are flow charts illustrating the functions provided by the programming of the Fig. 1 system.
Detailed Description
Fig. 1 schematically illustrates a secure computer system according to an embodiment of the invention. The system basically comprises a digital computer 10 and a programmable controller 12 which are operationally linked via a bi-directional communication medium, in this case a mains power supply 14 into which the computer 10 and programmable controller 12 are plugged for their power supply. The computer 10 may be a laptop computer and thus be unpluggable from the mains 14 to be powered by its own internal battery 15 (see Fig. 2), in which case the system additionally includes a portable transponder 16, for example a smart card or token, referred to hereinafter as a "transponder" or "portable" controller. The computer 10 and the transponder controller 16 are arranged such that wireless communication (represented by reference 18) can occur between them, as will be described in more detail below. Generally the computer 10 and controllers 12 and 16 each include a signal transmitter and receiver, respectively 11, 13 and 17, to facilitate the bi-directional communications that occur between the computer 10 and one or the other or both of the controllers 12 and 16.
With reference to both Figs. 1 and 2, the digital computer 10 (shown in dashed outline in Fig. 2) includes a central processing unit (CPU) 20 and other usual components and systems linked by a system bus 22. The other components and systems include at least memory facilities, for example RAM 24 and that provided by a hard disc drive 26, which is linked to system bus 22 via an input/output controller 28, a data input facility (for example a keyboard and/or mouse (not shown) via a controller 30) and a VDU (not shown) via adaptor 32. Adaptor 32 translates graphics data received from CPU 20 via system bus 22 into video signals to drive the VDU. Also the computer 10 includes programming to encrypt data stored on the hard disk 26. The computer 10 may include additional components/sub-systems 34 as is known. Generally the components/sub-systems of the computer will each have a programmable means associated therewith, such as I/O controller 28 for hard disk drive 26, controller 30 associated with a keyboard and/or mouse and within adaptor 32 for a VDU. These programmable means are programmable via a dedicated data input/output sub-system 36 (generally the sub-systems of the computer 10 involved in the security system are labelled as "smart"), to which the data input/output components of the computer 10 (for example a keyboard and/or mouse, VDU) communicate via system bus 22 under timing control provided by sub-system 38. The system bus 22 also links an interface 40 for the portable or transponder controller 16 to the CPU 20 and a sub-system ("smart" network sub-system) 42 for controlling the operation of the security system programming. The portable controller interface 40 is optional and may be omitted in one embodiment of the invention. Alternatively it may operate as the main controller if the programmable controller 12 is omitted.
The memory facilities of the computer 10 include a basic input/output system (BIOS), as is known. Additionally, the CPU 20 or "smart" network subsystem 42 of computer 10, and the security system programmable controller 12 and the portable transponder controller 16, each include software for driving the signal transmitter and receiver, respectively 11, 13 and 17, associated with each component of the security system.
The respective programmable means of the components/systems of computer 10 and the two controllers 12 and 16, and the computer as such, are programmed for operation in the security system and to operate all additional controlled components of the computer 10 in a manner which does not impose an undue burden on the user. The programming provides for security and other functions as will now be described with reference to Figs. 3 to 6 which illustrate, respectively, flow charts 1, 2, 3 and 4.
Flow chart 1 (Fig. 3) - Power up of computer.
1. A secure computing system capable computer 10 initiates a power on sequence.
2. The computer 10 waits for a specified time interval to see if a roll call signal is received.
3. The computer 10 checks its receive buffer for a roll call signal with appropriate security codes from a controller 12.
4. If a roll call message has been received, the computer 10 will wait for a predetermined time interval then transmit its personal roll call response.
5. The controller 12 determines if the roll call response from the computer 10 was valid or not. If the response was not valid, the process goes to step 9.
6. The controller 12 transmits to the computer 10 all passwords and encryption keys necessary for it to begin normal start up and proceeds to computer start up on flow chart 2 or 3.
7. If no roll call request has been received, then the computer 10 transmits a request-on message complete with security keys.
8. If a controller 12 is present and it recognizes the computer 10 as a valid user, the process goes to step 6.
9. If a controller 12 is present and does not recognize the computer 10 as a valid user, then the controller 12 issues a warning of an unauthorized user on the system and the computer 10 is Halted.
10. Does the computer 10 have a portable controller 16 available?
11. If a portable controller 16 is available, then the computer 10 transmits a request to start up signal to that device 16 and awaits a reply.
12. If the portable controller 16 responds with a valid response complete with all passwords and encryption keys, then it begins normal start up and proceeds to computer start up on flow chart 2 or 3.
13. If a valid response has not been received, then the computer 10 determines if the maximum number of tries has been exceeded. If not, the count is incremented and process returns to step 11.
14. The computer 10 now requests the start up security keys from the user.
15. Was a valid key received from the user? If so then the computer 10 begins normal start up and proceeds to computer start up on flow chart 2 or 3.
16. If a valid response has not been received, then the computer 10 determines if the maximum number of tries has been exceeded. If not, the count is incremented and process returns to step 14.
17. No valid start up available, go to a hard Halt condition.
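The decision order of flow chart 1 can be modelled as a small function. This is an added example, not code from the patent: the names, the value of MAX_TRIES and the scenarios are assumptions, and the replies from each party are constructed booleans rather than real signals. It makes one property of the chart explicit: a main controller 12 that is present and rejects the computer ends the sequence at step 9, while an absent controller lets the computer fall back to the portable controller 16 and then to the user.

```python
"""Model of flow chart 1 (power up). Added example; all inputs are constructed."""
from enum import Enum

MAX_TRIES = 3  # assumption: the page says only "maximum number of tries"


class Controller(Enum):
    """How main controller 12 treats the roll-call response or request-on."""
    ABSENT = "no controller answers on the medium"
    ACCEPTS = "controller recognises the computer"
    REJECTS = "controller does not recognise the computer"


class Outcome(Enum):
    START_MAIN = "start-up with keys from main controller 12"
    START_PORTABLE = "start-up with keys from portable controller 16"
    START_USER = "start-up with key entered by the user"
    HALT_UNAUTHORISED = "halted by controller 12 (step 9)"
    HARD_HALT = "hard halt, no valid start-up (step 17)"


def _attempt(replies, trace, step):
    """Consume at most MAX_TRIES replies; True as soon as one is valid."""
    for valid in list(replies)[:MAX_TRIES]:
        trace.append(step)
        if valid:
            return True
    return False


def power_up(controller, portable_replies, user_keys):
    """Return (Outcome, trace of flow-chart step numbers visited).

    portable_replies: None when no portable controller 16 is available,
    otherwise one boolean per request (True = valid reply with keys).
    user_keys: one boolean per key the user types (True = valid key).
    """
    trace = [1]
    if controller is Controller.ACCEPTS:           # steps 5/8 -> step 6
        trace.append(6)
        return Outcome.START_MAIN, trace
    if controller is Controller.REJECTS:           # steps 5/9
        # A controller that is present and rejects is terminal: the
        # portable controller and the user key are never consulted.
        trace.append(9)
        return Outcome.HALT_UNAUTHORISED, trace
    trace.append(10)                               # no controller 12 present
    if portable_replies is not None and _attempt(portable_replies, trace, 11):
        trace.append(12)
        return Outcome.START_PORTABLE, trace
    if _attempt(user_keys, trace, 14):             # steps 14-16
        trace.append(15)
        return Outcome.START_USER, trace
    trace.append(17)
    return Outcome.HARD_HALT, trace


# Constructed scenarios: (controller 12, controller 16 replies, user keys).
SCENARIOS = {
    "office, known machine": (Controller.ACCEPTS, None, []),
    "plugged into a foreign network": (Controller.REJECTS, [True], [True]),
    "on battery, token in range": (Controller.ABSENT, [False, True], []),
    "token lost, owner knows the key": (Controller.ABSENT, [False] * 5, [True]),
    "no token, wrong keys": (Controller.ABSENT, None, [False] * 10),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        outcome, trace = power_up(*args)
        print(f"{name:34} steps {trace} -> {outcome.value}")
```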
Flow chart 2 (Fig. 4) - Computer Start Up - first aspect.
1. The computer 10 has completed its power up process.
2. The computer 10 receives an appropriate start up signal from a controller 12 or 16 complete with passwords and encryption keys.
3. The computer 10 decrypts and loads the BIOS.
4. The computer 10 decrypts the encryption key and passes it to the disk IO portion of the BIOS.
5. The computer 10 and BIOS open the disk drive 26 and initialize the encrypt/decrypt on the fly system.
6. The computer 10 determines if it was started using the network or portable controller 12 or 16.
7. If using the network controller 12, the computer 10 sets an interrupt timer 38 to request permission to continue from the controller 12 on a regular basis.
8. Load and operate operating system from encrypted disk drive. Operate normally.
9. If the computer 10 was started using a portable controller 16, then set user inactivity timer to check for presence of portable controller 16 whenever user not active.
Flow chart 3 (Fig. 5) - Computer Start Up - second aspect.
1. The computer 10 has completed its power up process. The computer 10 receives an appropriate start up signal from a controller 12 or 16 complete with passwords and encryption keys.
2. The computer processor 20 begins a roll call of its subsystems and components (e.g. 26, 32, 34).
3. Have any subsystems or components registered with the system failed to respond to the roll call? Have any new subsystems or components been added to the system? If so continue with step 10.
4. The processor 20 decrypts and loads the BIOS.
5. The processor 20 sends each security capable subsystem or device a start up command complete with all necessary passwords, encryption keys or security keys. Each subsystem or device initializes for operation.
6. The computer 10 determines if it was started using the network or portable controller 12 or 16.
7. If using the network controller 12, the computer 10 sets an interrupt timer 38 to request permission to continue from the controller 12 on a regular basis.
8. Load and operate operating system from encrypted disk drive 26. Operate normally.
9. If the computer 10 was started using a portable controller 16, then set user inactivity timer 38 to check for presence of portable controller 16 whenever user not active.
10. Are the/all missing devices logged as transitory or as a guest device (such as a PCMCIA card)? If yes continue with step 4.
11. The processor 20 issues a warning of missing or new subsystems or devices, identifying each.
12. The processor 20 requests corrective action and appropriate security codes for each missing or new subsystem or device.
13. Has the user/owner entered the appropriate security code within the allowable time and either logged out, reconnected or reinstalled missing subsystems or devices and either removed, logged in and configured any new subsystems or components? If yes continue with step 4.
14. If a valid response has not been received, then the computer 10 determines if the maximum number of tries has been exceeded. If not, the count is incremented and process returns to step 12.
15. Unauthorized changes to the system have occurred, go to a hard Halt condition.
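The roll call of flow chart 3 amounts to comparing the identifiers returned by the subsystems with a registered inventory. The sketch below is an added example, not code from the patent: the identifier strings, the Registered record, MAX_TRIES and the handling of an identifier returned twice are assumptions. A registered device flagged as transitory or guest may be absent without a warning (step 10); anything unregistered always triggers steps 11 to 15.

```python
"""Flow chart 3, steps 2-3 and 10-15, as an inventory comparison (added example)."""
from collections import Counter
from dataclasses import dataclass

MAX_TRIES = 3  # assumption: the page gives no number


@dataclass(frozen=True)
class Registered:
    ident: str                # identifier returned at roll call (constructed values)
    transitory: bool = False  # logged as transitory or guest, e.g. a PCMCIA card


def roll_call(registry, responses):
    """Return (missing, foreign): identifiers that need the owner's attention."""
    expected = {r.ident for r in registry}
    may_be_absent = {r.ident for r in registry if r.transitory}
    counts = Counter(responses)
    # Step 3 / step 10: a registered device that stayed silent is a problem
    # unless it is logged as transitory or guest.
    missing = expected - set(counts) - may_be_absent
    # Step 3: anything that answered but is not registered is a new device.
    foreign = {ident for ident in counts if ident not in expected}
    # Assumption: identifiers are unique per subsystem, so a registered
    # identifier returned twice means a second device is presenting a copy.
    foreign |= {ident for ident, n in counts.items() if n > 1}
    return sorted(missing), sorted(foreign)


def start_up(registry, responses, owner_codes):
    """Return ("START" or "HARD_HALT", warnings issued at step 11).

    owner_codes: one boolean per attempt; True means the owner entered the
    right security code and resolved every listed discrepancy (step 13).
    """
    missing, foreign = roll_call(registry, responses)
    warnings = [f"missing: {i}" for i in missing] + [f"new: {i}" for i in foreign]
    if not warnings:
        return "START", warnings                   # step 3 -> step 4
    for valid in list(owner_codes)[:MAX_TRIES]:    # steps 12-14
        if valid:
            return "START", warnings               # step 13 -> step 4
    return "HARD_HALT", warnings                   # step 15


# Constructed inventory; the numbers echo the reference numerals on the page.
REGISTRY = [
    Registered("hdd-26"),
    Registered("vdu-32"),
    Registered("kbd-30"),
    Registered("pcmcia-modem", transitory=True),
]

if __name__ == "__main__":
    print(start_up(REGISTRY, ["hdd-26", "vdu-32", "kbd-30"], []))
    print(start_up(REGISTRY, ["vdu-32", "kbd-30", "usb-x"], [False] * 3))
```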
Flow chart 4 (Fig. 6) - Permission to continue timer interrupt; inactivity interrupt; Power change interrupt.
1. Permission to continue timer interrupt.
2. Permission to continue interrupt timer expires.
3. Was the computer 10 started using network 12 or portable controller 16. If network controller 12, go to step 8.
4. Computer 10 transmits a permission to continue request to the portable controller 16 and waits for reply.
5. Was a valid response received from the portable controller 16? If yes, go to step 7.
6. No valid response has been received. Has the maximum time/number of tries been exceeded? If not, the count is incremented and process returns to step 4. If the maximum number of tries has been exceeded, then the portable controller 16 is not present or not working properly, Halt the computer 10.
7. The computer 10 receives permission to continue message from controller 16, resets interrupt timer 38 and continues to operate normally.
8. If the computer 10 was started using the network controller 12, then it transmits a Permission to continue request to the controller 12 complete with security data.
9. Computer 10 waits for controller 12 to respond. If a valid response is received, go to step 7.
10. If no response from the controller 12 is received and the computer 10 has a portable controller 16, then the system forces an interrupt with mode set to portable controller, otherwise, the computer 10 halts.
11. Inactivity timer interrupt.
12. Request start up security key from user.
13. Was a valid key received from the user? If so go to step 15.
14. No valid response has been received. Has the maximum time/number of tries been exceeded? If not, the count is incremented and process returns to step 12. If the maximum number of tries has been exceeded, Halt the computer 10.
15. Computer 10 resets the inactivity interrupt timer 38 and continues to operate normally.
16. Power Change Interrupt.
17. Was power on mains 14 or battery 15?
18. If the computer 10 changed from battery 15 to mains 14, force a permission to continue interrupt with mode set to mains.
19. If the computer 10 changed from mains 14 to battery 15, force a permission to continue interrupt with mode set to portable controller 16.
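Flow chart 4 describes three interrupt handlers that share one piece of state, the mode the computer is running in. The sketch below is an added example, not code from the patent: the State and Env records, MAX_TRIES and the event values are assumptions, and the replies are constructed booleans. It shows how a power change re-enters the permission-to-continue handler with a forced mode, and how a silent main controller 12 degrades to the portable controller 16 before halting.

```python
"""Flow chart 4 as three handlers over shared state (added example)."""
from dataclasses import dataclass, field

MAX_TRIES = 3  # assumption: the page says only "maximum time/number of tries"


@dataclass
class Env:
    """Constructed surroundings at the moment an interrupt fires."""
    main_replies: bool = False                             # controller 12 answers validly
    portable_replies: list = field(default_factory=list)   # per try, controller 16
    user_keys: list = field(default_factory=list)          # per try, key typed by user


@dataclass
class State:
    mode: str            # "main" (controller 12) or "portable" (controller 16)
    has_portable: bool
    running: bool = True
    timer_resets: int = 0
    log: list = field(default_factory=list)


def _continue(state, why):
    state.timer_resets += 1          # steps 7 and 15: reset timer 38, carry on
    state.log.append(f"continue: {why}")
    return state


def _halt(state, why):
    state.running = False
    state.log.append(f"HALT: {why}")
    return state


def permission_to_continue(state, env, mode=None):
    """Steps 1-10. `mode` is given when a power change forces the interrupt."""
    if not state.running:
        return state
    if mode is not None:
        state.mode = mode
    if state.mode == "main":
        if env.main_replies:                               # steps 8 and 9
            return _continue(state, "controller 12 replied")
        if not state.has_portable:                         # step 10, no fallback
            return _halt(state, "controller 12 silent, no portable controller")
        state.mode = "portable"                            # step 10, forced mode
    if any(env.portable_replies[:MAX_TRIES]):              # steps 4-6
        return _continue(state, "controller 16 replied")
    return _halt(state, "controller 16 absent or not working")


def inactivity(state, env):
    """Steps 11-15: the user must re-enter the start-up key."""
    if not state.running:
        return state
    if any(env.user_keys[:MAX_TRIES]):
        return _continue(state, "valid key from user")
    return _halt(state, "no valid key from user")


def power_change(state, env, now_on):
    """Steps 16-19: now_on is "mains" or "battery"."""
    forced = "main" if now_on == "mains" else "portable"
    return permission_to_continue(state, env, forced)


if __name__ == "__main__":
    s = State(mode="main", has_portable=True)
    permission_to_continue(s, Env(main_replies=True))                 # in the office
    power_change(s, Env(portable_replies=[False, True]), "battery")   # unplugged, token near
    permission_to_continue(s, Env())                                  # token out of range
    print("\n".join(s.log))
```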
It is to be understood that a security system according to the invention may include a plurality of computers, fixed or portable, and a dedicated main controller such as 12 for all, and/or portable transponder controllers, such as 16, for some or all of the computers. Additionally the function of the main controller 12 may optionally be performed by one of the computers.
The invention described herein is susceptible to variations, modifications and/or additions other than those specifically described and it is to be understood that the invention includes all such variations, modifications and/or additions which fall within the spirit and scope of the above description.

Claims

1. A security system for a digital computer for enabling, not enabling or disabling said computer and for enabling, not enabling or disabling components of said computer, for deterring theft, or preventing unauthorised use, of such digital computer.
Such a security system includes a plurality of digital computers and other electrical devices which are operationally linked via a bi-directional communication medium, each computer and electrical device including a programmable means for controlling operation of the device, each programmable means having a signal transmitting and receiving means associated therewith for transmitting and receiving control signals over the communication medium, wherein the programmable means of one of the devices is programmed as a controller for the other electrical devices.
2. A security system as claimed in claim 1 wherein the device which includes the programmable means that provides the controller can be a digital computer or other electrical appliance which includes a data entry facility for its programmable means, and wherein its programmable means is programmed both to operate the device as such and to provide the controller functions for the security system.
3. A security system as claimed in claim 1 or 2 wherein the controller programmable means and the programmable means of the digital computer are programmed for a request-on control signal to be sent from digital computer to the controller upon restoration of power to that digital computer device following a power interruption thereto, and for the controller to return a turn-on control signal only if power to the controller has remained uninterrupted, whereby that electrical device is enabled only if the controller has remained enabled.
4. A security system as claimed in claim 1 or 2 or 3, wherein if a digital computer device to which power is restored sends a request-on control signal to the controller and the controller does not recognise the requesting digital computer device, then the controller sends a turn-off control signal to the digital computer which will remain inoperable until an appropriate security code for that digital computer device is provided through the controller or through the digital computer device's manual start up procedure or the digital computer device is returned to its normal security system environment.
5. A security system as claimed in claim 1 wherein the digital computer device which having been given permission to start initiates a roll call of the other smart subsystems of that digital computer upon determining that all subsystems are present and no foreign subsystems have been added, the digital computer's security system control programmable means provides each of the smart subsystems with permission to start commands and any necessary private encryption keys needed to operate.
6. A security system as claimed in claims 1 or 2 or 3 wherein the digital computer device can operate on any number of networks that have been set to recognize said digital computer and allow its operation.
7. A security system as claimed in claims 1 or 2 or 3 wherein the digital computer device has been disabled by being removed from networks which recognize said digital computer and operation attempted can be made to operate normally by returning it to any of the networks that have been set to recognize said digital computer and allow its operation.
8. A security system as claimed in claim 5, wherein the digital computer device will not operate if any of its smart subsystems are missing or if any foreign subsystem is discovered.
9. A security system as claimed in claim 5, wherein the smart subsystems of a digital computer device will not operate if not given permission to start and any necessary keys by the digital computer security control programmable means.
PCT/AU2005/000279 2005-03-01 2005-03-01 Security system for computers WO2006091997A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/AU2005/000279 WO2006091997A1 (en) 2005-03-01 2005-03-01 Security system for computers

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/AU2005/000279 WO2006091997A1 (en) 2005-03-01 2005-03-01 Security system for computers

Publications (1)

Publication Number Publication Date
WO2006091997A1 true WO2006091997A1 (en) 2006-09-08

Family

ID=36940766

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2005/000279 WO2006091997A1 (en) 2005-03-01 2005-03-01 Security system for computers

Country Status (1)

Country Link
WO (1) WO2006091997A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9824226B2 (en) 2012-10-25 2017-11-21 Intel Corporation Anti-theft in firmware

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020087877A1 (en) * 2000-12-28 2002-07-04 Grawrock David W. Platform and method of creating a secure boot that enforces proper user authentication and enforces hardware configurations
US6463537B1 (en) * 1999-01-04 2002-10-08 Codex Technologies, Inc. Modified computer motherboard security and identification system
WO2002095571A1 (en) * 2001-05-18 2002-11-28 O2 Micro, Inc. Pre-boot authentication system
WO2004010395A1 (en) * 2002-07-24 2004-01-29 Evatayhow Holdings Pty Ltd Theft deterrence security system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9824226B2 (en) 2012-10-25 2017-11-21 Intel Corporation Anti-theft in firmware
US10762216B2 (en) 2012-10-25 2020-09-01 Intel Corporation Anti-theft in firmware

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

WWW Wipo information: withdrawn in national office

Country of ref document: RU

122 Ep: pct application non-entry in european phase

Ref document number: 05706313

Country of ref document: EP

Kind code of ref document: A1

WWW Wipo information: withdrawn in national office

Ref document number: 5706313

Country of ref document: EP