(12) United States Patent
Veneklase

(10) Patent No.: US 6,609,206 B1
(45) Date of Patent: Aug. 19, 2003

(54) COMPUTER SECURITY SYSTEM

(76) Inventor: Brian J. Veneklase, 5011 Ashton Audrey, San Antonio, TX (US) 78249

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/245,249
(22) Filed: Feb. 5, 1999

(51) Int. Cl.7: G06F 11/30
(52) U.S. Cl.: 713/202; 713/200; 713/201
(58) Field of Search: 713/200, 201

(56) References Cited

U.S. PATENT DOCUMENTS

4,484,306 A   11/1984   Kulczyckyj et al.
4,779,224 A   10/1988   Moseley et al.
5,226,080 A    7/1993   Cole et al.
5,261,070 A   11/1993   Ohta
5,375,243 A   12/1994   Parzych et al.
5,495,235 A    2/1996   Durinovic-Johri et al.
5,566,169 A   10/1996   Rangan et al.
5,623,637 A    4/1997   Jones et al.
5,657,452 A    8/1997   Kralowetz et al.
5,668,811 A    9/1997   Worsley et al.
5,682,475 A   10/1997   Johnson et al.

FOREIGN PATENT DOCUMENTS

EP   0 558 326 A1   9/1992
EP   0 844 551 A1   5/1998
GB   2 229 020 A    9/1990
WO   WO 95/19593    7/1995

OTHER PUBLICATIONS

European Search Report, European Patent Office, Feb., 1998.
Advanced Computer Architecture: Parallelism, Scalability, Programmability, Kai Hwang, 1993.
European Search Report, European Patent Office, May 15, 1998.

Primary Examiner: Norman M. Wright
(74) Attorney, Agent, or Firm: Law Offices of John Chupa and Associates, P.C.

(57) ABSTRACT

Several embodiments of computer security systems are described and which are adapted to grant an authorized individual access to a secured domain, such as a computer or data stream. In one embodiment, the security system comprises: an analyzing means for receiving first and second passwords, each of said passwords being transmitted over a first communication channel, analyzing said first password, transmitting a first signal output only if said first password is authorized, and granting access to said secured domain only if said second password is substantially identical to a code; and a random code generating means for generating said code, transmitting said code over a second communication channel upon receipt of first signal output, and transmitting said code to said analyzing means; and a notification means for receiving said code and for notifying said authorized individual of the identity of said code.

7 Claims, 4 Drawing Sheets

[Front-page drawing: FIG. 1, block diagram of computer security system 10. Labelled elements: individual 18; computer 19; communications channel 82; analyzing means 12; code generation means 14; connecting bus 17; computer 80; "entry granted"; communications channel 84; individual 85; reference numerals 700, 702, 704 and 706 as printed.]

BANK OF AMERICA ET AL. EXHIBIT 1009

Page 1 of 11
U.S. Patent   Aug. 19, 2003   Sheet 1 of 4   US 6,609,206 B1

[FIG. 1: block diagram of computer security system 10. Labelled elements: individual 18; computer 19; communications channel 82; analyzing means 12; code generation means 14; connecting bus 17; computer 80; "entry granted"; communications channel 84; individual 85; reference numerals 700, 702, 704 and 706 as printed.]

[FIG. 2: block diagram of computer security system 20. Labelled elements: computer 19; communications channel 82; analyzing means 12; code generation means 14; timing means 40; bus 42; computer 80; "entry granted"; communications channel 84; individuals 18 and 85.]

Sheet 2 of 4

[FIG. 3: block diagram of computer security system 70. Labelled elements: input data stream 72 of digital data bits 73; dividing means 74; communications channels 76 and 78; single channel 89; decoding means 88.]

[FIG. 4: block diagram of computer security system 100. Labelled elements: communications channel 102; plurality of data bits 103; microprocessor (system operating under stored program control); channel decoder; plurality of data bits; microprocessor acting under stored program control.]

[FIG. 5: schematic of master password list 200. Each row carries a first entry 204 (user name), an authorized password 202 and a telephone number 206; the entries are shown as placeholder X marks.]

Sheet 3 of 4

[FIG. 6: block diagram of computer system 400. Labelled elements: user/subscriber 404; computer 406; modem 408; channel 412; modem 410; host computer 402 containing user/password check, code gen. 415, user table 414 and code compare 416; automatic phone/pager dialer 418; pager 420; channel 422.]

Sheet 4 of 4

[FIG. 7: flow chart of the methodology 900:
902  Assigning a unique password to each of said certain group of individuals
904  Assigning a telephone number to each of said unique passwords
906  Receiving a data stream
908  Comparing the data stream to each of the unique passwords
910  Identifying one of the unique passwords with the data stream
912  Generating and transmitting a first code to the telephone number associated with the one identified password
914  Receiving a second code
916  Comparing the first and second code
918  Allowing access to the computer only if the first and second codes are substantially identical]
COMPUTER SECURITY SYSTEM

FIELD OF THE INVENTION

The present invention relates to a security and/or access restriction system and, in one embodiment, to a security and/or access restriction system which is adapted to grant only authorized users access to a computer system and/or to certain data which may be resident within the computer system and/or resident within a communications channel and/or other communications medium.

BACKGROUND OF THE INVENTION

In recent years, computers have proliferated in all parts of worldwide society, including but not limited to, banking, financial services, business, education, and various governmental entities. For instance and without limitation, these computer systems allow individuals to consummate financial transactions, to exchange confidential scientific and/or medical data, and to exchange highly proprietary business planning data. Hence, these computer systems require and/or allow very sensitive and confidential data to be stored and transmitted over great geographic distances.

Moreover, the rise of multinational communications networks, such as the publicly available Internet communications system, has truly made the world a smaller place by allowing these computers, separated by great geographic distances, to very easily communicate and exchange data. In essence, these worldwide communications channels/networks, sometimes collectively referred to as "the Information Superhighway", have electronically connected the peoples of the world, both the good and the very bad.

That is, while these computer systems have increased efficiency and greatly changed the manner in which we work and interact, they have been especially prone to unauthorized "break-ins", viral destruction, and/or unauthorized data modifications. Accordingly, the rather sensitive and confidential data which is stored and used within these computer systems and transmitted between these computer systems has been the target of attack by people known as "hackers" and by high level and very sophisticated espionage and industrial spies. Computer access security and data transmission security has recently come to the forefront of importance and represents one of the great needs of our times.

Many attempts have been made to create and utilize various techniques (hereinafter the term "technique" as used and/or employed in this Application refers to any combination of software, hardware, and/or firmware which comprise an apparatus and a methodology whose components cooperatively achieve an overall security objective) to "ensure" that only authorized users are allowed to gain access to these respective computer systems. These prior techniques, while somewhat effective, suffer from various drawbacks.

For example, one such prior computer system security technique comprises the use of predetermined "passwords". That is, according to this security technique, each computer system has a list of authorized passwords which must be communicated to it before access is given or allowed. In theory, one or more "trusted" system administrators distribute these "secret" passwords to a group of authorized users of a computer system. The "secret" nature of the passwords, in theory, prevents unauthorized users from accessing the computer system (since presumably these unauthorized users do not have the correct passwords). This technique is not very effective since oftentimes those authorized individuals mistakenly and unwittingly expose their password to an unauthorized user. Moreover, this technique of data security may be easily "broken" by a "hacker's" deliberate and concentrated attempt at automatically inputting, to the targeted computer, hundreds and perhaps thousands of passwords until an authorized password is created.

In addition to the prior password technique other, more sophisticated access techniques are known and used. For example, there are known techniques which require the possession of a physical object or feature, such as "access cards" which are "read" by a card reading device and biometric authentication techniques (e.g. requiring the initial input of such authorized user physical characteristics as fingerprints and eye patterns and the later comparison of these input patterns to those of a "would-be" user). Both of these prior techniques are relatively complicated, are relatively costly, and are prone to error, such as and without limitation, mistaken unauthorized entry due to their complexity. These techniques are also prone to unauthorized entry by use of counterfeit and/or stolen cards, objects, and fingerprint readers. Other prior data security techniques, such as encryption, attempt to prevent unauthorized use of transmitted data or unauthorized access to a computer system by modifying and/or changing the transmitted data in a certain manner, and/or requiring the transmission and receipt of modified data before access is granted. While somewhat effective, these prior encryption techniques are relatively costly and complicated and require one or more known "encryption keys" which are in constant exchange between users and which are themselves susceptible to theft and/or inadvertent disclosure. Furthermore, the best-known and perhaps strongest encryption algorithm is proprietary and cannot be used without a costly license. Moreover, since the encrypted message still provides all of the transmitted data, in some form, it is still possible for one to gain access to the entire data stream by "breaking the encryption code". Since no encryption algorithm is ever considered "unbreakable", encryption is not considered to be a "foolproof" security solution.

There is therefore a need to provide a technique to substantially prevent the unauthorized access to one or more computer systems and which overcomes the various drawbacks of these afore-described prior techniques. There is also a need to provide a technique to substantially prevent the unauthorized interception and use of transmitted data and which overcomes the various drawbacks of the prior art. Applicant's invention(s) seek and do meet these needs.

Applicant's invention, in one embodiment, achieves these objectives by splitting the data into a plurality of separate communication channels, each of which must be "broken" for the entire data stream to be obtained. In essence, in this embodiment of Applicant's invention, cooperatively form the entire message. The splitting of the data in this manner may also "fool" the would-be data thief into believing that he or she has obtained all of the data when, in fact, only several communication channels are obtained.

SUMMARY OF THE INVENTION

While a number of "objects of the invention" are set forth below, it should be realized by one of ordinary skill in the art that the invention(s) are not to be limited, in any manner, by these recited objects. Rather, the recited "objects of the invention" are to be used to place Applicant's various inventions in proper overall perspective and to enable the reader to better understand the manner in which Applicant's inventions are to be made and used, especially in the preferred embodiment of Applicant's invention. Accordingly, the various "objects of the invention" are set forth below:

It is a first object of the present invention to provide a technique to substantially ensure that only authorized users gain access to a computer system.

It is a second object of the invention to provide a technique to substantially ensure that only authorized users gain access to a computer system and which overcomes the various previously delineated drawbacks of the prior computer system security techniques.

It is a third object of the invention to provide a technique to substantially ensure that only authorized users have access and use of certain transmitted data appearing, for example, within a data stream.

It is a fourth object of the invention to provide a technique to substantially ensure that only authorized users have access and use of certain transmitted data and/or certain hardware, software, and/or firmware which cooperatively form and/or comprise a computer system, and that this technique overcomes the various previously delineated drawbacks of the prior techniques.

According to a first aspect of the present invention, a security system is provided. Particularly, the security system is adapted to be used in combination with a computer and to only grant an authorized individual access to the computer. The security system comprises, in one embodiment, password means for receiving a password by use of a first communications channel; and code generation means, coupled to said password means, for generating a code by use of a second communications channel, and to allow that individual access to the computer system only if that individual generates and communicates the code to the code generation means.

According to a third aspect of the present invention, a method is provided for use with a computer and effective to substantially prevent an unauthorized user from accessing the computer. The method comprises, in one embodiment, the steps of assigning a password to the user; receiving the password by use of a first communications channel; generating a code in response to the received password; transmitting the code by use of a second communications channel to the user; transmitting the code to the computer; and allowing access to the computer only after the code is transmitted to the computer.

According to a fourth aspect of the present invention, a security system is provided to grant an authorized individual access to a secured stream of data bits. In one embodiment, the data security system comprises a data stream dividing means for receiving said stream of data bits and dividing said stream of data bits into a plurality of sub-streams; transmitting means for transmitting said sub-streams in a predetermined order over a communication channel; and a decoding means for receiving said sub-streams and for recombining said received sub-streams to create said secured stream of data bits.

Further objects, features, and advantages of the present invention will become apparent from a consideration of the following description, the appended claims, and/or the appended drawings. It should further be realized by one of ordinary skill in the art that the previously delineated objects and aspects of the invention are for illustration purposes only and are not to be construed so as to limit the generality of the inventions and/or to limit the interpretation to be given to the various appended claims. Moreover, it should also be realized by those of ordinary skill in the art that the term "communications channel" as used throughout this Application refers to any physical and/or electromagnetic means or method of transferring and/or communicating information from one or more sources to one or more receivers. Moreover, the term "communications channel" should be given the broadest known interpretation covering any method and/or medium which facilitates the transfer of information and/or over which such information is transferred.

BRIEF DESCRIPTION OF THE DRAWINGS

For a fuller and more complete understanding of the nature and objects of the present invention, reference should be had to the following drawings wherein:

FIG. 1 is a block diagram of a computer security system made in accordance with the teachings of the preferred embodiment having the preferred security techniques of the invention;

FIG. 2 is a block diagram of another embodiment of a computer security system made in accordance with the teachings of the preferred embodiment having the preferred techniques of the invention;

FIG. 3 is a block diagram of yet another embodiment of a security system made in accordance with the teachings of the preferred embodiment having the preferred techniques of the invention;

FIG. 4 is a block diagram of another embodiment of a computer security system made in accordance with the teachings of the preferred embodiment having the preferred techniques of the invention;

FIG. 5 is a schematic diagram of a password table used by the computer security systems shown in FIGS. 1 and 2;

FIG. 6 is a block diagram of one embodiment of the preferred embodiment of the invention; and

FIG. 7 is a flow chart of the methodology of the preferred embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

Referring now to FIG. 1, there is shown a block diagram of a computer security system 10, made in accordance with the principles of the preferred embodiment of the invention and adapted for use in combination with computer 80. More particularly, computer security system 10 selectively allows communication and/or data processing access to computer 80 in a manner which is technically described throughout the remainder of this Application. As shown, security system 10 includes an "analyzing means" 12 and a "random code generating means" 14.

In one embodiment of the preferred embodiment of the invention, analyzing means 12 comprises one or more software subroutines which are adapted to execute upon and/or within computer 80. Alternatively, analyzing means 12 may comprise a microprocessor and/or similar type of computer which is adapted to operate under stored program control in the manner set forth in this Application. One example of another type of computer operating under stored program control and which may be used by the preferred embodiment of the invention is shown and described within chapter eight of the text entitled Advanced Computer Architecture: Parallelism, Scalability, Programmability, which was authored by Kai Hwang, which is published by McGraw-Hill, Inc., which has a library reference number of ISBN 0-07-031622-8, and the entire text of all of the chapters of which are fully and completely incorporated herein by reference, word for word and paragraph for paragraph. In either embodiment, analyzing means 12 receives and compares at least two "sets" or streams of data.

Should the individually received "sets" match, analyzing means 12 generates and communicates an "access granted" command to computer 80, allowing individual 18 access to the computer 80. Moreover, random code generating means 14 may similarly comprise a conventional pseudo-random number generator which may be constructed or developed on one or more software subroutines which reside and operate/execute upon and/or within computer 80 or may comprise a microprocessor and/or similar type of computer which operates under stored program control.

In operation, individual 18, desiring access to and within computer 80 utilizes a first communication channel 82 (e.g. a first telephone line, radio channel, and/or satellite channel) and communicates, by use of his or her voice or by use of a computer 19 a first password to analyzing means 12. Analyzing means 12 then checks and/or compares this first received password with a master password list which contains all of the authorized passwords associated with authorized entry and/or access to computer 80.

As shown in FIG. 5, in the preferred embodiment of the invention, analyzing means 12 contains a master password list 200 having a first column of entries corresponding to authorized passwords necessary to gain access to computer 80. Moreover, as further shown in FIG. 5, each authorized password 202, contained in this master password list 200, has a unique first entry 204 associated with it and which identifies the name of the authorized user who has been assigned that corresponding password and at least one telephone number 206 and/or network address associated with the identified user.

If the received password matches an entry of the master password list, analyzing means 12 generates a command, by means of connecting bus 17 or software message or function call to random code generating means 14 and causes the random code generation means 14 to generate a substantially random and/or pseudo-random number or code, of programmable length, and to transmit the number and/or code, by means of a second communications channel 84, to the individual 85 associated with the received password 202 in the master password list. That is, as should be apparent to one of ordinary skill in the art, code generation means 14 includes both a random number generator and a conventional and commercially available communications interface (e.g. modem and/or telephone/pager interface), allowing the generated pseudo-random code to be generated or communicated over a wide variety of mediums.

Further, it should be apparent that individual 85 may or may not be the same person as individual 18. If individual 18 was the individual identified in the master password list (e.g. "was authorized"), that individual 18 receives the pseudo-random number and transmits the number to the analyzing means 12, by means of communications channel 82. Once the pseudo-random number is received by the analyzing means 12, from channel 82, it is compared with the number generated by generation means 14. If the two codes are substantially the same, entry to computer 80 and/or to a certain part of computer 80 such as, without limitation, the hardware, software, and/or firmware portions of computer 80 is granted to individual 18. For instance, in another embodiment, table 200 of FIG. 5 could contain yet another set of entries specifying the directories or portions of computer 80 that the individual 18 was allowed to have access to. In this manner, allowed access to computer 80 would be further restricted to those computer portions which are specified within table 200. It should be apparent to one of ordinary skill in the art that these portions may be different for different users and that each authorized user may have a different portion that may be accessed in an authorized manner.

It should be apparent to one of ordinary skill in the art that Applicant's foregoing computer security technique is a relatively low-cost, but effective technique, for properly ensuring that only authorized users gain access to a computer system, such as computer system 80. That is, Applicant's foregoing computer security embodiment utilizes two distinct communications channels and a random number generator in order to ensure that an authorized user of a computer system is notified that someone or something is seeking access to the computer system with his or her password. Moreover, Applicant's foregoing invention is very cost effective as it employs substantially "off the shelf" and readily available components. Further, the use of a "secret" password, a "secret" substantially random number, and a "secret" second channel allows for multiple levels of security before access to the computer system is achieved and provides enhanced security over the prior art.

Referring now to FIG. 6 there is shown a computer system 400 made in accordance with the teachings of the preferred embodiment of the invention and representing one example and/or implementation which is made in accordance with the various teachings of the preferred embodiment of the invention. As shown, computer system 400 includes a host computer 402 (corresponding to computer 80 of the system shown in FIG. 1) to which a user or other individual 404 (corresponding to individual 18 of FIG. 1) desires access. As further shown in FIG. 6, individual 404, in this implementation example, utilizes a commercially available and conventional computer 406 and a commercially available and conventional modem 408 to communicate with a commercially available and conventional modem 410 by means of a typical communications channel (e.g. a conventional "dial-up" telephone line) 412. Hence, the user 404, in this embodiment, only requires conventional computer equipment. Host computer 402, in this embodiment, requires a conventional and commercially available automatic dialer which is altered, in a known manner, to receive and pass one or more passwords and/or codes as data.

In operation, user 404 dials through and/or by means of his or her computer 406 and modem 408 in the usual and conventional manner to connect and access host computer 402. The host computer 402, using the principles of the preferred embodiment of this invention, answers the requester's call, which occurs over channel 412, and requests and receives the user's identification code. Host computer 402 checks the received identification code and cross references the received password code against a pager phone number list resident within the user table 414 which is stored within computer 402. This comparison, if a match is made, causes the "code generator" software subroutine 415, resident within computer 402, to generate a pseudo-random number code and passes the received code along with the authorized user's pager number to the commercially available and conventional automatic dialer 418. The automatic dialer 418 telephones the conventional and commercially available pager 420 by means of conventional and commercially available communication channel 422 (e.g. voice line) and transmits the code to the user's pager. As this happens, the host computer 402 awaits the reply from the user attempting to gain access to the computer.

The user 404 now enters the code he or she has received from the pager 420 and any timing instructions which, in yet another embodiment of the invention may also be transmitted from computer 402, and sends this password or pseudo-random code back to computer 402 where it is compared

within the software subroutine module denoted as "code compare" 416 in FIG. 6. If the comparison yields a match, the user 404 is allowed access to computer 402 and/or to a portion of computer 402.

Referring now to FIG. 2, there is shown a second embodiment of a computer security system made in accordance with the teachings of the preferred embodiment of the invention. This second embodiment 20 is substantially similar to system 10 but also includes a timer or "timing means" 40 which may comprise one or more software subroutines which are adapted to operate and/or execute within and/or upon computer 80 or may comprise a microprocessor which operates under stored program control. In one embodiment, timing means 40 comprises a conventional "watchdog timer" as will be apparent to those of ordinary skill in the art.

In operation, timing means 40 records the time at which the first and second passwords are received by analyzing means 12. Timing means 40, in one embodiment which is coupled to analyzing means 12 and code generation means 14 by bus 42 and in another embodiment which is in software communication with means 12 and 14, then compares the times to determine whether the second password was received within a predetermined period or predetermined "window" of time after the first password was received. In the preferred embodiment of the invention, the predetermined period of time is programmable. The predetermined period of time will typically need to vary according to the nature of the communications medium used by means 14 to notify individual 85 of the value of the generated code. For example, the predetermined period of time would be shorter when communications channel 84 comprises a pager or cellular phone, since the owner has immediate access to the code upon transmission; and longer when communications channel 84 comprises a voice-mail system which the owner has to affirmatively access to receive the code. If the second password was not received within the predetermined period of time, analyzing means 12 denies entry to the secured domain (e.g. computer 80). If the second password was received within the predetermined period of time, analyzing means 12 compares it to the code which was previously generated. If the second password is not substantially identical to the previously generated code, analyzing means 12 denies individual 18 entry to the secured domain (e.g. computer 80). If the received password is substantially identical to the code, analyzing means 12 grants individual 18 entry into the secured domain. As will be readily apparent to those of ordinary skill in the art, timing means 40 provides yet a third level of security to computer system 80. Moreover, it should also be apparent to one of ordinary skill in the art that this "predetermined time" may be as short or as small as several milli-seconds or micro-seconds. This is particularly true if, in yet another embodiment of Applicant's invention, the password generated by communication means 14 is received by a computerized device which is adapted to receive the password and to generate a new password code in a substantially automatic manner.
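The two-channel flow of FIGS. 1, 5 and 6, the methodology of FIG. 7 and the time window of FIG. 2, brought together as an added example in Python. This is the editor's illustration, not code from the patent or its inventor. The class and method names, the storage of the master-list passwords as salted PBKDF2 hashes (the patent does not say how the list is stored), the single-use consumption of each generated code and the constant-time comparisons are assumptions of this example. The "pager" is a callback that records what the second channel 84 would deliver, the user name and telephone number are constructed sample data, and an injectable clock stands in for timing means 40.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumption of this example: the master list keeps salted PBKDF2 hashes rather
# than the passwords themselves; the patent leaves the storage format open.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class MasterEntry:
    """One row of master password list 200: first entry 204 (user name),
    authorized password 202 (hashed here) and telephone number 206."""
    name: str
    telephone: str
    salt: bytes
    password_hash: bytes


@dataclass
class PendingCode:
    """A code produced by code generating means 14 that has not been used yet."""
    code: str
    issued_at: float


class AnalyzingMeans:
    """Analyzing means 12 together with code generating means 14 and timing means 40.
    `notify(telephone, code)` is the second communications channel 84 (pager, phone,
    voice mail); `clock` is injectable so the window can be exercised in a test."""

    def __init__(self, notify: Callable[[str, str], None], window_seconds: float,
                 code_digits: int = 6, clock: Callable[[], float] = time.monotonic):
        self.master: Dict[str, MasterEntry] = {}
        self.pending: Dict[str, PendingCode] = {}
        self.notify = notify
        self.window_seconds = window_seconds      # programmable window of FIG. 2
        self.code_digits = code_digits            # programmable code length
        self.clock = clock

    def enroll(self, name: str, password: str, telephone: str) -> None:
        """Steps 902/904: assign a password and a telephone number to a user."""
        salt = secrets.token_bytes(16)
        self.master[name] = MasterEntry(name, telephone, salt, hash_password(password, salt))

    def receive_first_password(self, name: str, password: str) -> bool:
        """Steps 906-912: check the first password (channel 82); only on a match
        generate a random code and send it over the second channel."""
        entry = self.master.get(name)
        if entry is None:
            return False
        if not hmac.compare_digest(entry.password_hash, hash_password(password, entry.salt)):
            return False
        code = f"{secrets.randbelow(10 ** self.code_digits):0{self.code_digits}d}"
        self.pending[name] = PendingCode(code, self.clock())   # supersedes any older code
        self.notify(entry.telephone, code)
        return True

    def receive_second_password(self, name: str, code: str) -> bool:
        """Steps 914-918 plus timing means 40: the code returned over channel 82 must
        arrive inside the window and match. The pending code is consumed whether or
        not it matches, so a code cannot be retried or replayed."""
        pending = self.pending.pop(name, None)
        if pending is None:
            return False
        if self.clock() - pending.issued_at > self.window_seconds:
            return False
        return hmac.compare_digest(pending.code, code)


def demo() -> dict:
    """Walk one constructed user through the flow; returns each step's outcome."""
    delivered: Dict[str, str] = {}     # what the pager on channel 84 displays
    now = [0.0]                         # controllable clock, in seconds

    def pager(telephone: str, code: str) -> None:
        delivered[telephone] = code

    system = AnalyzingMeans(notify=pager, window_seconds=60.0, clock=lambda: now[0])
    system.enroll("alice", "correct horse battery", "555-0100")   # constructed sample data
    result = {}
    result["wrong_password"] = system.receive_first_password("alice", "wrong")
    result["code_sent_after_wrong_password"] = "555-0100" in delivered
    result["right_password"] = system.receive_first_password("alice", "correct horse battery")
    real = delivered["555-0100"]
    wrong = ("1" if real[0] != "1" else "2") + real[1:]          # guaranteed to differ
    result["wrong_code"] = system.receive_second_password("alice", wrong)
    result["replay_after_failure"] = system.receive_second_password("alice", real)
    system.receive_first_password("alice", "correct horse battery")
    now[0] += 61.0                                                # outside the window
    result["expired_code"] = system.receive_second_password("alice", delivered["555-0100"])
    system.receive_first_password("alice", "correct horse battery")
    now[0] += 5.0                                                 # inside the window
    result["valid_code"] = system.receive_second_password("alice", delivered["555-0100"])
    result["reuse_of_valid_code"] = system.receive_second_password("alice", delivered["555-0100"])
    return result


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:32s} {outcome}")
```

Only `valid_code` and `right_password` come back true: a wrong first password produces no code at all (nothing reaches the pager), a wrong or late code is refused, and a code is accepted exactly once. The window length is the one knob the FIG. 2 text says must follow the notification medium; here it is a constructor argument.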

Referring now to FIG. 3, there is shown a block diagram of a third embodiment of a computer security system made in accordance with the principles of the preferred embodiment of the invention. As shown, computer security system 70 is adapted to receive an input data stream 72, comprising in a first embodiment, a plurality of digital data bits 73, which are to be securely transmitted to a distant site. System 70, as further shown, includes a data stream dividing means 74 which in one embodiment comprises a commercially available one input and two channel output time division or statistical multiplexor which samples the bits of received data and places, in a certain predetermined manner (e.g. alternately) some of the received data bits onto the first communications channel 76 and some of the received data bits onto the second communications channel 78. In this manner, one attempting to wrongfully intercept and/or access the data s
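The dividing and recombining of FIG. 3 (and of the fourth aspect in the summary), as an added example in Python that is not the patent's own code. It generalizes the two-channel alternating multiplexor to any number of channels; the function names, the bit-string representation of the stream and the sample message are constructed for this example.

```python
from typing import List


def bytes_to_bits(data: bytes) -> str:
    """Input data stream 72 rendered as a string of digital data bits 73."""
    return "".join(f"{byte:08b}" for byte in data)


def bits_to_bytes(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def divide(bits: str, n_channels: int = 2) -> List[str]:
    """Dividing means 74: bit k goes to channel k mod n (alternately for n = 2),
    so channel i carries bits i, i+n, i+2n, ... in their original order."""
    if n_channels < 1:
        raise ValueError("need at least one channel")
    return [bits[i::n_channels] for i in range(n_channels)]


def recombine(substreams: List[str]) -> str:
    """Decoding means 88: interleave the sub-streams back in the predetermined
    order. Correct for any total length, including one not divisible by n."""
    n = len(substreams)
    total = sum(len(s) for s in substreams)
    return "".join(substreams[k % n][k // n] for k in range(total))


def demo() -> dict:
    message = b"WIRE 1000 TO ACCT 4242"            # constructed sample stream
    bits = bytes_to_bits(message)
    channel_76, channel_78 = divide(bits, 2)
    return {
        "bits_per_channel": len(channel_76),                   # half of 176
        "single_channel_bytes": bits_to_bytes(channel_76),     # not the message
        "right_order": bits_to_bytes(recombine([channel_76, channel_78])),
        "wrong_order": bits_to_bytes(recombine([channel_78, channel_76])),
        "three_channels_ok": recombine(divide(bits, 3)) == bits,   # 176 is not a multiple of 3
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value!r}")
```

Run stand-alone, `demo()` shows that each sub-stream carries exactly half of the bits and decodes to nothing meaningful by itself, that recombining in the predetermined order restores the message, and that the wrong order does not. The interleaving order is therefore part of what the receiving end must protect along with the second channel; an observer who can read every channel and knows the order recovers the whole stream, so the splitting complements, rather than replaces, protection of the content itself.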
