United States Patent r191
`Goodman et al.
`
`[75]
`
`[54] SECURITY SYSTEM FOR A STAND-ALONE
`COMPUTER
`Inventors: Michael K. Goodman, Tustin; Farzad
`Noorbehesht, Aliso Viejo; Charles F.
`Raasch, Lake Forrest, all of Calif.
`[73] Assignee: AST Research, Inc., Irvine, Calif.
`[21] Appl. No.: 79,630
`[22] Filed:
`Jun. 18, 1993
`[51]
`Int. Cl.6 ............................................... H04L 9/32
`[52] U.S. Cl ............................................ 380/25; 380/4
`[58] Field of Search ............................... 380/4, 44, 25;
`364/252.3, 252.4, 252.7, 958, 958.l, 958.4
`References Cited
`U.S. PATENT DOCUMENTS
`4,942,606 7/1990 Kaiser et al ............................. 380/4
`5,212,729 5/1993 Schafer ................................... 380/4
`5,222,133 6/1993 Chou et al .............................. 380/4
`5,265,163 11/1993 Golding et al ........................ 380/25
`5,297,200 3/1994 Murray ................................... 380/4
`
`[56]
`
`/()5
`
`DISPLAY
`
`,...-12()
`
`I lllll llllllll Ill lllll lllll lllll lllll lllll lllll lllll lllll llllll Ill lllll llll
`US005402492A
`5,402,492
`[11] Patent Number:
`[45] Date of Patent: Mar. 28, 1995
`
`Primary Examiner-Gilberto Barron, Jr.
`Attorney, Agent, or Firm-Knobbe, Martens, Olson &
`Bear
`
`[57]
`ABSTRACT
`A security system for stand alone and portable com(cid:173)
`puter hosts which utilizes both a hardware key and a
`password key to enable-access to the computer host.
`The entry of the password key and the hardware key is
`monitored by the keyboard controller. The keyboard
`controller alters a status bit during the POST portion of
`the host code if access is granted. The host security is
`divided into two levels of security, a first administrative
`level and a second user level. The administrative level is
`accessible by the entry of a first password or by the
`hardware key and enables access to all levels of the host
`SET-UP configuration. The user level is accessible by
`the entry of a second password and only enables access
`to a limited portion of the setup configuration.
`
`17 Claims, 16 Drawing Sheets
`
`/'()f!
`
`/
`r------~--------------------1
`I
`I
`I
`I
`I
`I
`RAM
`CONTROLLER "-__,__,,,1
`
`202
`
`HOST/CORE
`INTERFACE
`
`200
`
`20./
`
`CORE
`8-BIT
`CPU
`
`!./()
`
`15()
`
`211
`
`2()5
`
`KEYBOARD
`SCANNER
`
`INTERRUPT
`CONTROLLER 208
`
`I
`I
`I
`I
`I
`L---------------------------~
`
`222
`
`22()
`
`MEMORY
`
`2J()
`
`ELECTRONIC
`KEY
`
`125
`
`IPR2017-00430
`UNIFIED EX1016
`
`
`Goodman et al.
`
`[75]
`
`[54] SECURITY SYSTEM FOR A STAND-ALONE
`COMPUTER
`Inventors: Michael K. Goodman, Tustin; Farzad
`Noorbehesht, Aliso Viejo; Charles F.
`Raasch, Lake Forrest, all of Calif.
`[73] Assignee: AST Research, Inc., Irvine, Calif.
`[21] Appl. No.: 79,630
`[22] Filed:
`Jun. 18, 1993
`[51]
`Int. Cl.6 ............................................... H04L 9/32
`[52] U.S. Cl ............................................ 380/25; 380/4
`[58] Field of Search ............................... 380/4, 44, 25;
`364/252.3, 252.4, 252.7, 958, 958.l, 958.4
`References Cited
`U.S. PATENT DOCUMENTS
`4,942,606 7/1990 Kaiser et al ............................. 380/4
`5,212,729 5/1993 Schafer ................................... 380/4
`5,222,133 6/1993 Chou et al .............................. 380/4
`5,265,163 11/1993 Golding et al ........................ 380/25
`5,297,200 3/1994 Murray ................................... 380/4
`
`[56]
`
`/()5
`
`DISPLAY
`
`,...-12()
`
`I lllll llllllll Ill lllll lllll lllll lllll lllll lllll lllll lllll llllll Ill lllll llll
`US005402492A
`5,402,492
`[11] Patent Number:
`[45] Date of Patent: Mar. 28, 1995
`
`Primary Examiner-Gilberto Barron, Jr.
`Attorney, Agent, or Firm-Knobbe, Martens, Olson &
`Bear
`
`[57]
`ABSTRACT
`A security system for stand alone and portable com(cid:173)
`puter hosts which utilizes both a hardware key and a
`password key to enable-access to the computer host.
`The entry of the password key and the hardware key is
`monitored by the keyboard controller. The keyboard
`controller alters a status bit during the POST portion of
`the host code if access is granted. The host security is
`divided into two levels of security, a first administrative
`level and a second user level. The administrative level is
`accessible by the entry of a first password or by the
`hardware key and enables access to all levels of the host
`SET-UP configuration. The user level is accessible by
`the entry of a second password and only enables access
`to a limited portion of the setup configuration.
`
`17 Claims, 16 Drawing Sheets
`
`/'()f!
`
`/
`r------~--------------------1
`I
`I
`I
`I
`I
`I
`RAM
`CONTROLLER "-__,__,,,1
`
`202
`
`HOST/CORE
`INTERFACE
`
`200
`
`20./
`
`CORE
`8-BIT
`CPU
`
`!./()
`
`15()
`
`211
`
`2()5
`
`KEYBOARD
`SCANNER
`
`INTERRUPT
`CONTROLLER 208
`
`I
`I
`I
`I
`I
`L---------------------------~
`
`222
`
`22()
`
`MEMORY
`
`2J()
`
`ELECTRONIC
`KEY
`
`125
`
`IPR2017-00430
`UNIFIED EX1016
`
`
`
`/()()
`
`120
`
`//()
`
`HOST
`
`115
`
`DISPLAY
`
`/()5
`
`FIG./
`
`,-----~--------1
`I
`I
`I KEYBOARD I
`I
`1-1d
`I
`I
`I
`I
`I
`~1
`~
`I
`I NON-VOLATILE r 125
`I
`I
`MEMORY
`I
`I
`L __ . _____________ J
`
`ctJ5
`
`15()
`
`/5()
`
`Cj
`•
`rLJ. •
`l"C
`
`~ a
`
`~
`
`1:-.)
`!'J
`"""" ~ (II
`
`r a
`
`~
`
`"""" Q
`"""" °'
`
`...
`(.11
`.i;:.
`0
`...
`N
`~
`N
`
`
`
`DISPLAY
`
`/()5
`
`115
`//{)
`
`I
`
`I
`
`l
`
`I
`
`HOST
`
`I
`I
`I
`I
`I
`I
`I
`I
`I
`
`I.ti()
`
`15()
`
`/ / ( ) ( )
`
`..... - 12()
`
`/
`r------~-------------------
`1
`I
`
`.-2()2
`
`,.-2()()
`
`HOST/CORE
`INTERFACE
`
`CORE
`8-BIT
`CPU
`
`RAM
`CONTROLLER (\.
`
`211
`
`2()6'
`
`KEYBOARD
`SCANNER
`
`1/0
`CONTROL
`
`I
`
`r
`
`>,...
`KEYBOARD
`
`I
`
`IJ5
`
`INTERRUPT
`CONTROLLER
`
`2 ()8
`
`I
`
`I
`
`155/ I
`I
`I
`I
`I
`I
`I
`I
`L---------------------------~
`
`FIG.2
`
`222
`
`1
`
`:
`I
`I 16'()
`I I
`
`22()
`
`MEMORY
`
`I
`
`~ELECTRONIC
`NON-VOLATILE I
`
`r2J()
`
`/J()
`
`KEY
`
`-
`
`MEMORY
`
`125
`
`~ •
`rJJ. •
`~ a.
`~ a
`
`a:
`~
`N
`"' ...
`QC
`~
`UI
`
`00.
`t="
`(I)
`
`(I) -N
`Q ....., ...
`°'
`
`(.II
`
`...
`
`~ = ~ ...
`
`~
`~
`
`
`
`READ
`STATUS BYTE
`
`r
`
`JOO
`
`NO
`
`YES
`
`(j
`• 00
`•
`
`""d a ft) = "'*'
`
`~
`~
`~
`...
`QC
`1-ol
`IC
`IC
`Cl1
`
`00
`1:1"'
`(!)
`~
`CN
`e,
`1-ol °'
`
`...
`UI
`~
`0
`~ ....
`~
`~
`
`I
`
`J
`
`NO
`
`H
`
`FIG. 3A
`
`
`
`REQUEST VERIFY
`PASSWORD ROUTINE
`{FIG. 7)
`
`J()5
`
`READ STATUS
`BYTE
`
`JO#
`
`JOB
`
`NO
`
`J()7
`
`YES
`
`FIG. 38
`
`J/O
`
`ENABLE ADMIN
`LEVEL ACCESS
`'TO HOST COMPUTER
`
`JI-I
`
`ENABLE USER
`LEVEL ACCESS
`0 HOST COMPUTER
`
`COMPLETE
`BOOT OPERATIONS
`
`~ • 00. •
`"'C a.
`('D a
`
`~
`
`s::
`~
`~ ....
`~
`Cll
`
`00
`g'
`~
`
`~ e, ....
`°'
`
`...
`UI
`~ = ~ ...
`~
`
`~
`
`
`
`U.S. Patent
`
`Mar. 28, 1995
`
`Sheet 5of16
`
`5,402,492
`
`INITIALIZE SYSTEM
`SECURITY ROUTINE
`
`4()()
`
`YES
`
`406
`
`SET
`ADMIN PASSWORD
`ESTABLIHED FLAG
`
`CLEAR
`ADMIN PASSWORD
`ESTABLISHED FLAG
`
`YES
`
`412
`
`SET
`USER PASSWORD
`ESTABLISHED FLAG
`
`410
`
`CLEAR
`USER PASSWORD
`ESTABLISHED FLAG
`
`418
`
`YES
`
`416
`
`CLEAR KEY ID
`ESTABLISHED FLAG
`
`SET KEY ID
`ESTABLISHED FLAG
`
`FIG. 4A
`
`
`
`U.S. Patent
`
`Mar. 28, 1995
`
`Sheet 6of16
`
`5,402,492
`
`-120
`
`COMPUTE KEY ID AND
`ADMIN PASSWORD
`CHECKSUM
`
`-122
`
`NO
`
`COMPUTE USER
`PASSWORD CHECKSUM
`
`CLEAR ALL STORED
`PASSWORD AND
`KEY ID VALUES
`
`-128
`
`CLEAR ALL SECURITY
`ESTABLISHED FLAGS
`
`./JO
`
`CLEAR STORED
`CHECKSUM VALUES
`
`CLEAR USER
`PASSWORD
`STORED VALUE
`
`NO
`
`./JB
`
`CLEAR USER
`PASSWORD
`ESTABLISHED
`FLAG
`
`CLEARED STORED
`CHECKSUM
`VALUE
`
`YES
`
`i - - - - - - ' -1
`
`NO
`
`NO
`
`CALL RESET KEY
`SUB-ROUTINE
`(FIG 5)
`
`FIG. 48
`
`
`
`U.S. Patent
`
`Mar. 28, 1995
`
`Sheet 7 of 16
`
`5,402,492
`
`452
`
`NO
`
`CALL RESET KEY
`SUB-ROUTINE
`{FIG. 5)
`
`NO
`
`YES
`
`456
`
`SET KEY ATTACHED
`TO PORT #2 FLAG
`
`YES
`
`450\
`
`SET KEY ATTACHED
`TO PORT # 1 FLAG
`
`458
`
`CALL
`READ KEY
`SUB-ROUTINE
`FIG. 6
`
`NO
`
`SET ADMIN ENTERED
`PASSWORD MATCH FLAG
`
`CLEAR USER ENTERED
`PASSWORD MATCH FLAG
`
`END
`
`FIG. 4C
`
`
`
`RESET KEY
`
`500
`
`SEND LOGIC LOW
`SIGNAL TO PS/2 PORT
`
`502
`
`50-1
`
`WAIT FOR
`SOOuSEC
`
`SEND LOGIC HIGH
`SIGNAL TO PS/2 PORT
`
`500
`
`(j
`•
`7J.J.
`•
`
`"'C i ~
`
`~
`~ ... IC
`
`~
`
`IC
`(IJ
`
`NO
`
`I
`
`YES
`
`/
`
`lUUUSl:.C
`
`..........
`
`I
`
`(Tl -QO
`00. =-(Tl
`0 ...., ... Q\
`
`FIG.SA
`
`UI
`
`... ..s;:.
`0
`~ ...
`~
`
`~
`
`
`
`515~ ~ ~Mt.uuvNo
`.,
`XPIRED
`HAS
`PS/2 PORT
`RESPONDED WITH
`LOGIC LOW
`SIGNAL
`
`I
`
`NO/ 250uSEC ""
`
`52()
`
`DISABLE COMMUNICATIONS
`WITH PS/2 PORT
`
`FIG.58
`
`SET KEY ERROR' ,,,..- 5J()
`FLAG
`
`(RETURN)
`
`5JI
`
`~ •
`00
`•
`
`""= a a
`
`~
`~
`~
`S'J
`1-l
`\C
`\C
`f.11
`
`rJ1
`1:1"' m m
`.....
`\C
`Q
`,.....,
`1-l
`Q\
`
`...
`C.11
`~
`0
`...
`N
`~
`\C
`N
`
`
`
`U.S. Patent
`
`Mar. 28, 1995
`
`Sheet 10 of 16
`
`5,402,492
`
`__ _..._
`
`500
`ID
`
`READ KEY
`
`502
`
`RESET CRC VALUE
`
`504
`SEND READ KEY COMMAND
`TO PS/2 PORT
`
`505
`SET BYTE,COUNTER TO SEVEN
`
`508
`SET BIT COUNTER TO EIGHT
`
`510
`ADVANCE REGISITER BY 1 BIT
`512
`
`SEND LOGIC LOW
`SIGNAL FOR 1 0 µsec
`
`SEND LOGIC HIGH
`FOR 10 µsec
`
`518
`
`SET BIT HIGH
`
`520
`
`522
`
`WAIT FOR 50 µsec
`
`DECREASE BIT
`COUNTER BY ONE
`
`YES
`
`FIG. 6A
`
`
`
`U.S. Patent
`
`Mar. 28, 1995
`
`Sheet 11 of 16
`
`5,402,492
`
`PERFORM CRC
`CHECK ON NEW DATA
`
`UPDATE CRC VALUE
`WITH NEW CRC DATA
`
`SAVE DATA BYTE IN
`KEY ID REGISTER
`
`6'26'
`
`6'28
`
`6'J()
`
`6'J2
`
`DECREASE
`BYTE REGISTER BY ONE
`
`YES
`
`6'J6'
`
`READ STORED
`CRC VALUE FROM KEY
`
`NO
`
`SET KEY ERROR FLAG
`
`6'./2
`CLEAR KEY ID VALUE
`READ FROM KEY
`
`FIG. 68
`
`YES
`
`RETURN
`
`
`
`U.S. Patent
`
`Mar. 28, 1995
`
`Sheet 12 of 16
`
`5,402,492
`
`VERIFY PASSWORD
`
`700
`
`702
`
`SEND REQUEST TO
`HOST TO DISPLAY
`PASSWORD ENTRY PROMPT
`
`KEYBOARD CONTROLLER
`STORES USER ENTERED
`KEYSTROKES IN
`PASSWORD BUFFER
`
`YES
`
`NO
`
`YES
`
`71./
`
`SET USER
`ENTERED PASSWORD
`MATCH FLAG
`
`716'
`
`708
`
`SET ADMIN
`ENTERED
`PASSWORD
`MATCH FLAG
`
`CLEAR USER
`ENTERED
`PASSWORD
`MATCH FLAG
`
`720
`
`"-710
`
`CLEAR ADMIN
`ENTERED PASSWORD
`MATCH FLAG
`
`72J
`
`RETURN
`
`SET VERIFY
`PASSWORD FAIL
`FLAG
`
`FIG. 7
`
`
`
`U.S. Patent
`
`Mar. 28, 1995
`
`Sheet 13 of 16
`
`5,402,492
`
`ESTABLISH KEY ID
`
`BOO
`
`CALL RESET KEY
`ROUTINE FOR PS/2
`PORT #1
`{FIG. 5)
`
`Bl./
`
`Bio
`
`CALL READ
`KEY ID ROUTINE
`FIG. 6
`
`STORE KEY ID IN
`· NON-VOLITILE MEMORY
`
`BIB
`
`SET KEY ID
`ESTABLISHED FLAG
`
`B20
`
`B21
`
`UPDATE KEY ID AND
`ADMIN PASSWORD
`CHECKSUM VALUE
`
`RETURN
`
`BIO
`
`CALL RESET
`KEY ROUTINE
`FOR PS/2
`PORT #2 FIG.5
`
`BO./
`
`SET ESTABLISH
`KEY ID
`FAIL FLAG
`
`FIG.8
`
`
`
`U.S. Patent
`
`Mar. 28, 1995
`
`Sheet 14 of 16
`
`5,402,492
`
`900
`CREATE PASSWORD
`
`KEYBOARD CONTROLLER STORES
`USER ENTERD KEYSTROKES
`IN PASSWORD BUFFER 1
`910
`KEYBOARD CONTROLLER STORES
`SECOND SET OF USER KEYSTROKES
`IN PASSWORD BUFFER # 2
`
`908
`
`SET
`CREATE
`PASSWORD
`FAIL FLAG
`
`SET
`CREATE
`PASSWORD
`FAIL FLAG
`
`YES
`
`918
`SET ADMIN PASSWORD
`ESTABLISHED FLAG
`
`920
`SET USER PASSWORD
`ESTABLISHED FLAG
`
`922
`
`TARNSFER PASSWORD TO
`ADMIN PASSWORD STORAGE
`AREA IN NON-VOLITILE MEMORY
`928
`UPDATE KEY ID c!c ADMIN
`PASSWORD CHECK SUM
`
`TRANSFER PASSWORD TO
`USER PASSWORD STORAGE
`AREA IN NON-VOLATILE MEMORY
`92-1
`UPDATE KEY ID c!c USER
`PASSWORD CHECKSUM
`
`FIG. 9
`
`
`
`U.S. Patent
`
`Mar. 28, 1995
`
`____ ____.__
`
`Sheet 15 of 16
`
`5,402,492
`
`1000
`
`DELETE PASSWORD
`
`YES
`
`_____ __._ _____ _____
`
`1006
`
`STORE USER ENTERED KEYSTORES
`IN PASSWORD BUFFER #1
`
`NO
`
`1016
`CLEAR ADMIN PASSWORD
`FROM NON-VOLITILE MEMORY
`IOIB
`
`CLEAR ADMIN
`PASSWORD ESTABLISHED FLAG
`1020
`UPDATE KEY ID ANO ADMIN
`PASSWORD CHECK SUM VALUE
`
`CLEAR USER PASSWORD
`STORED IN NON-VOLATILE MEMOR
`
`YES
`
`IOI./
`
`1012
`
`. SET
`DELETE
`PASSWORD
`FAIL f'LAG
`
`CLEAR USER PASSWORD FROM STABLISHED f'LAG
`102./
`------------------"'--..
`UPDATE USER PASSWORD CHECKSUM VALUE
`
`1026
`
`RETURN
`
`FIG. 10
`
`
`
`U.S. Patent
`
`Mar. 28, 1995
`
`Sheet 16 of 16
`
`5,402,492
`
`//()()
`
`DELETE KEY ID
`
`STORE USER ENTERED
`KEYSTROKES IN PASSWORD BUFFER
`
`11()2
`
`NO
`
`YES
`
`DELETE KEY ID FROM NON-VOLITILE
`MEMORY
`
`11()5
`
`/1()8
`
`DELETE KEY
`
`ID ESTABLISHED FLAG
`
`1110
`ID AND ADMIN PASSWORD
`UPDATE KEY
`CHECKSUM VALUE
`
`1112
`
`RETURN
`
`FIG. II
`
`
`
`1
`
`5,402,492
`
`SECURITY SYSTEM FOR A STAND-ALONE
`COMPUTER
`
`BACKGROUND OF THE INVENTION
`1. Field of the Invention
`The present invention relates to the field of computer
`security systems. More particularly, the present inven(cid:173)
`tion relates to controlling access to a stand alone or
`portable computer system using both password entry 10
`and a hardware key.
`2. Description of the Related Art
`Computer security usually relates to a large computer
`network of a number of users where each user has ac(cid:173)
`cess to a limited portion of the network. Thus, the secu- 15
`rity system prevents each user from accessing another
`user's storage area and from accessing the system con(cid:173)
`trol portion of the network. This limiteq access main(cid:173)
`tains the integrity of the network, but is usually not
`required in a stand alone system.
`Another area where security has become prevalent is
`in the area of computer software. In certain circum(cid:173)
`stances, in order to run a software program, a hardware
`key must be installed in one of the serial ports of the
`computer. The key prevents users from copying soft- 25
`ware. The keys are usually active keys which are de(cid:173)
`signed to be difficult to decode to prevent a user from
`being able to reproduce the key device.
`Development in the area of computer security at the
`stand alone computer level or for portable computer 30
`systems has been limited. Examples of security that is
`provided on a stand alone computer include systems
`such as the IBM AT, which has a mechanical lock and
`key system. A mechanical key is matched to a mechani-
`cal lock which enables the rotation of a lock from one 35
`position to another position. The lock must be in the on
`position to enable the stand alone system to operate.
`Mechanical lock systems are primitive, and can be eas-
`ily defeated. Another example of computer security is a
`password which the operating system requires during 40
`each boot sequence. Most portable computer systems
`today do not have any security system. The small size of
`the portable computer and lack of security has made
`portable computers an attractive target for thieves.
`
`SUMMARY OF THE INVENTION
`The present invention is a security device for com(cid:173)
`puter systems. The security system of the present inven(cid:173)
`tion utilizes a hardware key and a password to enable
`access to the computer system. A keyboard controller 50
`manages the system security. The security system is,
`therefore, transparent to the operating system, making
`it more secure from access by a fraudulent user who
`wishes to intercept the security communications.
`The security system is divided into two levels of 55
`password security, a first administrative level and a
`second user level. The hardware key overrides all sys(cid:173)
`tem security. The administrative level is accessible by
`the entry of a first password. The administrative level of
`access enables the modification of all of the parameters 60
`of the system setup program. The user level is accessible
`by the entry of a second password, and only enables
`access to certain portions of the system setup program.
`By enabling two separate levels of security, a system
`administrator can control the access to certain system 65
`level configuration options while still allowing users to
`access all other operational portions of the system. Fur(cid:173)
`ther, if the administrator or user forgets a password, the
`
`20
`
`2
`hardware key can be used to override all system secu(cid:173)
`rity.
`The entry of a password is monitored by the key(cid:173)
`board controller during system start-up. The keyboard
`5 controller compares the password to a previously
`stored password value. The keyboard controller sends
`the operating system "go" or "no go" status bits during
`the Power On Self Test (POST) portion of the boot
`operation. The status bits correspond to the administra(cid:173)
`tive level or user level code depending on whether the
`password is correct. A status bit is also sent indicating
`whether override hardware key is installed. To access
`the computer using the electronic hardware key, the
`key is inserted into a mouse port such as a PS/21 ®port
`(or any port which is controlled by a non-system level
`microcontroller) which is controlled by the keyboard
`controller. An ID value stored in the key is read from
`the key and compared to a stored key ID value by the
`keyboard controller. The system provides for the stor(cid:173)
`age of at least two password values and one hardware
`key value, each of which, if properly matched, enables
`access to the computer system.
`1 PS/2 is a registered trademark of IBM Corporation.
`One aspect of the present invention involves a secu(cid:173)
`rity system for controlling access to a host computer.
`The security system monitors a set of security settings
`during system boot operations and controls access to
`the host computer based upon the security settings. The
`security system has at least one peripheral device com-
`munications port and a key which is adapted for con(cid:173)
`nection to the communications port. The key has an
`associated key ID value stored therein. The security
`system executes with a microprocessor-based periph(cid:173)
`eral controller which is in communication with a non(cid:173)
`volatile memory, a keyboard, the communications port
`and the host computer. The non-volatile memory has
`defined therein a stored key ID value and a first pass(cid:173)
`word value. The stored key ID value corresponds to
`the key ID value in the key and the first password value
`corresponds to a selected first access password. The
`microprocessor-based peripheral controller responds to
`either the key being connected to the communications
`port or entry of the first access password on the key-
`45 board to permit access to the host computer.
`In one embodiment, the non-volatile memory has
`further defined therein a second password value which
`. corresponds to a selected second access password. In
`this embodiment, the peripheral controller is further
`responsive to entry of the second access password on
`the keyboard to permit access to less than all of a set of
`setup parameters for said host computer. The communi(cid:173)
`cations port, in one embodiment, comprises a PS/2 @(cid:173)
`type mouse port, and the key comprises an electronic
`key having a second non-volatile memory containing
`the key ID value. In the present embodiment, the sec-
`ond non-volatile memory of the key operates based on
`a one-wire data communication protocol and has only
`one data line and one ground line.
`Another aspect of the present invention involves a
`method of controlling access to a host computer. The
`host computer is in communication with the peripheral
`device controller, and the peripheral device controller
`is in communication with at least one communications
`port and with a first non-volatile memory. The non(cid:173)
`volatile memory has defined therein a stored key ID
`value corresponding to a key ID value in an access key.
`The method follows the steps of coupling a key having
`
`
`
`5,402,492
`
`3
`a key ID value corresponding to the stored key ID
`value to the communications port, reading, with the
`peripheral controller, the key ID value from the key,
`comparing, with the peripheral controller, the key ID
`value to the stored key ID value, and permitting access 5
`to the host computer if the peripheral controller deter(cid:173)
`mines that the stored key ID value and the key ID value
`correspond. In one embodiment, the non-volatile mem(cid:173)
`ory has further defined therein a first password value
`which corresponds to a first access password. In this 10
`embodiment, the method further involves the steps of
`monitoring entries made on a keyboard until a desig(cid:173)
`nated on the keyboard is pressed, comparing the entries
`monitored by the keyboard controller to the first pass(cid:173)
`word value to determine ifthe entries correspond to the 15
`first access password, and permitting access to the host
`computer if the entries correspond to the first access
`password. In a further embodiment, the non-volatile
`memory has further defined therein a second password
`value corresponding to a second access password. In 20
`this further embodiment, the method further involves
`the steps of comparing the entries monitored by the
`keyboard controller to the second password value to
`determine if the entries correspond to the second access
`password, and permitting access to less than all of the 25
`set of setup parameters for the host computer if the
`entries correspond to the second access password.
`
`40
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`FIG. 1 is a block diagram of a computer system 30
`which includes the security system of the present inven(cid:173)
`tion.
`FIG. 2 is a block diagram of the security system of
`the present invention.
`FIGS. 3A-3B depict a flowchart which details oper- 35
`ating system level operations of the security system of
`the present invention during system boot operations.
`FIGS. 4A-4C depict a flowchart which details the
`general method employed within an initialize system
`security routine.
`FIGS. SA-SB depict a flowchart which details the
`general method employed within a reset key subroutine.
`FIGS. 6A-6B depict a flowchart which details the
`general method employed within a read key ID subrou-
`tine.
`FIG. 7 depicts a flowchart which details the general
`method employed within a verify password subroutine.
`FIG. 8 depicts a flowchart which details the general
`method performed within the establish key ID routine
`which is employed by the computer security system of 50
`the present invention.
`FIG. 9 depicts a flowchart which details the general
`method performed by the create password routine
`which is employed by the computer security system of
`the present invention.
`FIG. 10 depicts a flowchart which details the general
`method performed by the delete password routine em(cid:173)
`ployed by the computer security system of the present
`invention.
`FIG. 11 depicts a flowchart which details the general 60
`method performed by the delete key ID routine em(cid:173)
`ployed by the computer security system of the present
`invention.
`
`45
`
`4
`tronic hardware key and passwords to enable access to
`the computer system. The security system is transparent
`to the operating system during runtime, so it is not
`accessible by a fraudulent user who wishes to intercept
`the security communications.
`FIG. 1 is a block diagram of the security system 100
`and its interface with the host computer 110. The host
`110 may, for instance, be an IBM compatible computer
`based on INTEL 80X86 architecture. FIG. 1 further
`illustrates a display terminal lOS connected to the host
`110 via signal lines llS. The security system 100 com-
`prises a keyboard controller 120, a non-volatile memory
`125, at least one PS/2 ® type mouse port 130 and a
`keyboard 13S. The keyboard controller 120 controls the
`operations of the security system and communicates
`with the operating system of the host 110 via signal lines
`140. In one embodiment, the keyboard controller 120
`has a display blanking port which connects to the host
`computer 110 via a signal line 14S. As is well known in
`the art, the display blanking port is used to blank the
`display lOS. The signal lines 140 comprise an input/out-
`put bus between the host 110 and the keyboard control(cid:173)
`ler 120. The keyboard controller 120 is in communica(cid:173)
`tion with a keyboard 13S via signal lines lSO, and with
`the non-volatile memory 12S, via signal lines lSS. Addi(cid:173)
`tionally, the keyboard controller is in communication
`with the at least one PS/2 @-type mouse port 130 (or
`any other port which is in communication with the
`keyboard controller) via signal lines 160. The keyboard
`controller 120 is advantageously a microprocessor(cid:173)
`based controller, such as AST® Research, Inc.'s Miki
`controller, or an Intel® 80C51SL-AG, 8742, 8042, or
`similar microprocessor-based keyboard controller. As is
`well-known in the art, the keyboard controller 120
`provides an interface between the host 110 and the
`peripheral input devices such as the keyboard 13S and
`devices connected through the PS/2 @-type ports 130.
`FIG. 2 is a more detailed block diagram of the secu(cid:173)
`rity system 100 with the specific control elements of the
`keyboard controller 120 shown in more detail. The
`keyboard controller 120 comprises a core 8-bit central
`processing unit CPU 200, a host/core interface 202, a
`RAM Controller 204, a keyboard scanner 206, an inter(cid:173)
`rupt controller 208 and 1/0 control logic 212, all of
`which communicate via an internal bus 214. The core
`8-bit CPU 200, such as an Intel 8031or8051 controller,
`controls the operation of the keyboard and its associ(cid:173)
`ated functions. The host/ core interface, as is well
`known in the art, is used to control the communications
`between the host processor 110 and the keyboard con(cid:173)
`troller 120. The keyboard scanner 206 scans the key-
`board 13S and calculates the scan codes for the keys
`which have been depressed on the keyboard 13S. The
`interrupt controller 208 receives and processes the in(cid:173)
`terrupts for the core 8-bit CPU 200. The 1/0 control
`logic 212 controls the communications between the
`core 8-bit CPU 200 and the at least one PS/2 @-type
`port 130 via lines 160 and the non-volatile memory 125
`via lines 155.
`The RAM controller 204 is further connected to a
`memory 220 (preferably, a static memory) via signal
`lines 222. Although the memory 220 is shown in FIG. 2
`as being external to the keyboard controller 120, it
`should be understood that the memory 220 may also be
`65 internal to the keyboard controller 120.
`In operation, the keyboard controller 120 performs a
`number of pre-programmed procedures which relate to
`the interaction between the host system 110 and the
`
`55
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENTS
`The present invention is a security system for com(cid:173)
`puter systems. The security system utilizes both an elec-
`
`
`
`5,402,492
`
`5
`keyboard 135. Additionally, the keyboard controller
`120 controls the interaction between other peripherals
`which are connected to the system via the PS/2 ®
`ports 130, such as a mouse, a keypad, and the electronic
`hardware key 230 of the present invention. Instructions 5
`for the keyboard controller's operation may be down(cid:173)
`loaded from the host 110, or may be pre-programmed
`within the memory 220. In one embodiment, the key(cid:173)
`board controller 120 executes the instructions in re(cid:173)
`sponse to an interrupt generated by the keyboard 135 or 10
`the peripheral devices connected to PS/2 ® ports 130.
`The general method used by the keyboard controller
`120 to provide security for access to the host 110 is
`described in more detail below.
`The security system 100 is controlled by the key- 15
`board controller 120 and is initiated during the Power
`On Self Test (Posn portion of the system boot opera(cid:173)
`tions. The system boot operations, as is well known in
`the art, are controlled by the system BIOS. All of the
`boot operations must be completed before runtime con- 20
`trol by the operating system of the host 110 begins. One
`way to access the secured system is by matching a 48-bit
`number that is stored in the hardware key 230, referred
`to as a key ID, to a stored key ID value. This hardware
`key 230 functions as a security system override. An- 25
`other way to access the secured system is to enter one of
`at least two stored passwords using the keyboard 135.
`The stored key ID value and passwords are maintained
`in the non-volatile memory 125, such as an E2PROM,
`access to which is controlled by the keyboard control- 30
`ler 120.
`
`6
`The security system 100 of the present invention is
`divided into two levels of security, a first administrative
`level, or admin level, and a second user level. The ad(cid:173)
`ministrative level is accessible by the entry of a first
`password, referred to as an admin password. In addi(cid:173)
`tion, this level is accessible by the installation of the
`hardware key 130 into the PS/2 ® port 130 which
`overrides all security. The administrative level enables
`access to all of the system setup commands and to all of
`the operational portions of the host system. The user
`level is accessible by the entry of a second password,
`referred to as a user password, and enables access to all
`of the operational portions of the host, but only enables
`access to a certain portion of the system setup com(cid:173)
`mands. In a preferred embodiment, a third password,
`also referred to as a user password, enables access to the
`user level. In the two-user password embodiment, each
`of the user passwords are differentiated as userl and
`user2 passwords. By enabling two separate levels (i.e.,
`admin and user) of security, a system administrator can
`control the access to certain system level configuration
`commands while still enabling the user to access other
`operational portions of the host system.
`If an administrative level access has been enabled, the
`user will be enabled access all parameters during setup
`operation.
`In one embodiment, if a user level access has been
`enabled, the user will not have access to certain parame(cid:173)
`ters which the administrator can access in the setup
`operation. For instance, the security panel in the setup
`operations may appear as follows for admin level ac(cid:173)
`cess:
`
`<Clear, Establish>
`
`<Enabled, Disabled>
`
`<Enabled, Disabled>
`
`<Disabled, 5min ... 30min>
`<Inhibited, Enable, Disable>
`
`Security Panel:
`<OVERVIEW>
`SMARTKEYID
`PASSWORD
`ADMIN SECURITY
`ENTER PASSWORD:[••••••••]
`VERIFY the PASSWORD:[••••••••]
`USER SECURITY
`ENTER PASSWORD:[••••••••]
`VERIFY the PASSWORD:[••••••••]
`LOCK KEYBOARD
`PASSWORD AT BOOT
`<EXIT TO MAIN MENU>
`And the same security panel may appear as follows for
`user level access:
`Security Panel
`<OVERVIEW>
`PASSWORD
`USER SECURITY
`ENTER PASSWORD:[********)
`VERIFY the PASSWORD:[********)
`<EXIT TO MAIN MENU>
`Other differences may also be advantageous:
`Admin Level:
`Update BIOS
`<OVERVIEW>
`REVISION
`BIOS
`Battery Controller
`BIOS Loader
`BIOS UPDATE
`<SAVE CHANGES, EXIT, AND UPDATE BIOS>
`<EXIT WITHOUT SAVING CHANGES, AND UPDATE BIOS>
`<EXIT TO MAIN MENU>
`USER LEVEL:
`Update BIOS
`<OVERVIEW>
`REVISION
`BIOS
`Battery Controller
`BIOS Loader
`<EXIT TO MAIN MENU>
`
`<Enabled, Disabled>
`
`xx.yy.zz
`xx.yy.zz
`xx.yy.zz
`
`xx.yy.zz
`xx.yy.zz
`xx.yy.zz
`
`
`
`7
`
`-continued
`
`5,402,492
`
`8
`
`Admin Level:
`
`SETUP Main Menu
`<OVERVIEW>
`Date and Time
`Date (MM/DD/YY)
`Time (HH:MM:SS)
`<Power Management>
`<System Configuration>
`<Security>
`<Update BIOS>
`<Exit System Setup>
`User Level:
`
`SETUP Main Menu
`<OVERVIEW>
`Date and Time
`Date (MM/DD!YY)
`Time (HH:MM:SS)
`<Power Management>
`<System Configuration>
`<Security>
`<Update BIOS>
`<Exit System Setup>
`Admin Level:
`
`Power Management Panel.
`This panel allows one mutually exclusive choice. The
`options are presented this columnar way in order to give each
`one its own context sensitive help panel on the right of the
`display.
`
`[01/01/80]
`[00:00:00]
`
`[01/01/80]
`[00:00:00]
`
`<OVERVIEW>
`Power Management
`Characterize Battery
`System Suspend Options
`Smart Sleep
`
`Resume On Modem Ring
`Resume On Schedule
`Time
`Date
`<Exit to Main Menu>
`User Level:
`
`Power Management Panel
`This panel allows one mutually exclusive choice. The
`options are presented this columnar way in order to give each
`one its own context sensitive help panel on the right of the
`display.
`
`<Max Battery Life, Max Performance>
`<Enable, Disable>
`
`<No Delay, 0.5hr, !hr, 2hr,
`3hr, 4hr, 5hr>
`<Enable, Disable>
`<Enable, Disable>
`[00:00:00]
`[00/00/00]
`
`<OVERVIEW>
`Power Management
`System Suspend Options
`Resume On Modem Ring
`Resume On Schedule
`Time
`Date
`<Exit to Main Menu>
`Admin Level:
`
`System Configuration Panel
`<OVERVIEW>
`BOOT OPTIONS
`Mouse Connected To
`
`Parallel Port Type
`Boot Device
`
`Speaker
`Keyboard Clicks
`Font Expand
`Simultaneous Video
`Serial Ports
`
`MEMORY
`Modify Refresh Rate
`PowerStation Options
`Floppy Drive B
`
`Ext Video Adapter
`<Exit to Main Menu>
`User Level:
`
`System Configuration Panel
`<OVERVIEW>
`
`<Max Battery Life, Max Performance>
`
`<Enable, Disable>
`<Enable, Disable>
`[00:00:00]
`[00/00/00]
`
`<None, Serial I, Serial 2,
`Key Pad Port>
`<Disable, Standard, Enhanced>
`<Try Floppy First, Try Hard Drive
`Only, Try PowerStation>
`<Enable, Warnings Only, Disable>
`<Enable, Disable>
`<Enable, Disable>
`<Enable, Disable>
`<Port I, 2 Disabled>
`<Port I = 3F8h, 2 Disabled>
`<Port I = 3F8h, Port 2 = 2F8h>
`
`<Enable, Disable>
`
`<None>
`<1.44 MB 3.5">
`<720 KB 3.5">
`<1.2 MB 5.25">
`<360 KB 5.25">
`<Enable, Disable>
`
`
`
`9
`
`-continued
`
`5,402,492
`
`10
`
`BOOT OPTIONS
`Speaker
`Keyboard Clicks
`Font Expand
`Simultaneous Video
`
`<Enable, Warnings Only, Disable>
`<Enable, Disable>
`<Enable, Disable>
`<Enable, Disable>
`
`Of course, other variations can be implemented de-
`system. The user level password established flag indi-
`pending upon security concerns.
`An advantage of the security system of the present 10 cates that a user level password has been established for
`invention is that it enables access to the administrative
`the security system. The admin entered password match
`level of the security system by overriding all security
`flag indicates that either the hardware electronic key
`with the hardware key 230. Thus, if the admin password
`has been connected to the PS/2 ® port and matches a
`is lost or forgotten, access is still possible via the hard-
`stored key ID, or that the admin level password has
`ware key 230. Advantageously, the security system of 15 been entered by the administrator and matches the
`stored admin level password. The user entered pass-
`the present invention provides a secure system and yet
`provides at least one backup form of entry. This system
`word match flag indicates that a user level password has
`also provides the advantage of allowing a system ad-
`been entered and matches the value established for the
`security system. The key ID exists flag indicates that the
`ministrator to use the same electronic hardware key 230
`for all, or a selected group, of computers over which 20 key ID value from the electronic hardware key 230 is
`stored in the non-volatile memory 125 (e.g., the E2-
`the administrator has responsibility.
`The hardware key 230 is a passive device and is pref-
`PROM). The use of the these flags will become more
`erably made from a ROM. The memory on the key 230
`apparent upon discussion of the security system opera-
`contains a unique multi-bit key ID value. The ROM in
`tions below. By transferring the status byte to the host
`the key 230 is connected to a standard PS/2 @ port 25 100, the security system informs the host system 110 of
`male connector. Preferably the ROM is a DS2400 sili-
`the status of the security system without requiring that
`con ROM produced by Dallas semiconductor. Because
`the host system 100 actually access the associated hard-
`the hardware key 230 is a passive device, the ROM of
`ware of the security system 100.
`the key 230 obtains its operational power from the host
`Many keyboard controllers 120 pre
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
