Interactive security control system for computer communications and the like
First Claim
1. Apparatus for vertifying the authorization of a user of at least one communications station that is connected for accessing another communications station through a communications link, the apparatus comprising:
- (a) encryption means for being carried by an "authorized user," namely a person who is authorized to use at least one communications station to access another communications station through a communications link that connected the at least one station to the another station, the encryption means including a first encryption that has a value which has been assigned to the authorized user as an indicator of the authorized user'"'"'s authority to access the another station and a second variable portion representing the time of the last successful access of the another station;
(b) security means interposed in series between portions of the communications link for monitoring signals that are transmitted along the communications link, the security means defining port means for receiving the encryption means and for cooperating with the encryption means to detect a predetermined authentication query signal sequence of monitored signals that is transmitted along the communications link from the host computer and, in response to such detection, effecting transmission of an autheniticating signal sequence along the communications link, to the host computer with the value of the authenticating signal sequence being determined at least in part by the value of the first encryption and of a further encryption resident in said security means and representative of the identity of a predetermined terminal associated therewith so that the value of the authenticating signal sequence constitutes an indicator of the user'"'"'s and terminal'"'"'s authority to access the another station;
(c) authorization check means connected to the communications link for entering into a communications dialog with the security means as by transmitting the predetermined authentication query signal sequence along the communications link so that the authentication query signal sequence, when detected by the security means, will cause the security means to transmit the authenticating signal sequence along the communications link to indicate to the authorization check means whether the authorized user'"'"'s encryption means is received by the port means for cooperating with the security means to cause the authenticating signal sequence to constitute an indication of the user'"'"'s authority and the particular connected terminal'"'"'s authority to access the another station; and
,(d) the encryption means including control means for interactively cooperating with the security means in the conduct of said dialog whereby, in the absence of the encryption means being received by the port means, said dialog cannot be properly conducted.
1 Assignment
0 Petitions
Accused Products
Abstract
A security control system is provided for interactively identifying and authenticating the authorization of a user of a communications terminal, and optionally providing a means for decoding and encrypting communications signals transmitted to and from the terminal. The system utiizes a security unit that is associated with the terminal, and requires that an encryption device which has been assigned to the user be received in a port that is defined by the security unit in order that the security unit can respond properly to query signals which are sent along a communications link that couples the terminal to other communications equipment. Communications units at both ends of the communications link operate in synchronization such that each new authentication query signal that is sent from one of the units will be answered by an appropriate, newly calculated authenticating signal from the other, whereupon the unit that has sent the query signal checks the received response for correctness of calculation. A feature of the invention resides in requiring that each newly requested authenticating signal differ in a calculated manner from a previously sent authenticating signal, with the manner in which sequential authenticating signals differ being determined, at least in part, by the unique character of the user-assigned encryption device. Optional features that can be included in the encryption device include capabilities to select stored algorithms for use in encrypting, decoding and updating stored encryptions, and to effect control of system operation.
76 Citations
38 Claims
-
1. Apparatus for vertifying the authorization of a user of at least one communications station that is connected for accessing another communications station through a communications link, the apparatus comprising:
-
(a) encryption means for being carried by an "authorized user," namely a person who is authorized to use at least one communications station to access another communications station through a communications link that connected the at least one station to the another station, the encryption means including a first encryption that has a value which has been assigned to the authorized user as an indicator of the authorized user'"'"'s authority to access the another station and a second variable portion representing the time of the last successful access of the another station; (b) security means interposed in series between portions of the communications link for monitoring signals that are transmitted along the communications link, the security means defining port means for receiving the encryption means and for cooperating with the encryption means to detect a predetermined authentication query signal sequence of monitored signals that is transmitted along the communications link from the host computer and, in response to such detection, effecting transmission of an autheniticating signal sequence along the communications link, to the host computer with the value of the authenticating signal sequence being determined at least in part by the value of the first encryption and of a further encryption resident in said security means and representative of the identity of a predetermined terminal associated therewith so that the value of the authenticating signal sequence constitutes an indicator of the user'"'"'s and terminal'"'"'s authority to access the another station; (c) authorization check means connected to the communications link for entering into a communications dialog with the security means as by transmitting the predetermined authentication query signal sequence along the communications link so that the authentication query signal sequence, when detected by the security means, will cause the security means to transmit the authenticating signal sequence along the communications link to indicate to the authorization check means whether the authorized user'"'"'s encryption means is received by the port means for cooperating with the security means to cause the authenticating signal sequence to constitute an indication of the user'"'"'s authority and the particular connected terminal'"'"'s authority to access the another station; and
,(d) the encryption means including control means for interactively cooperating with the security means in the conduct of said dialog whereby, in the absence of the encryption means being received by the port means, said dialog cannot be properly conducted. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
-
-
17. Apparatus for verifying the authorization of a user of communicating data terminal equipment for accessing a host computer through a communications link, the apparatus comprising:
-
(a) user assigned means for being carried by an "authorized user," namely a person who is authorized to use communicating data terminal equipment to access a host computer through a communication link, the user assigned means defining first encryption means for serving as an indication of the authority of the authorized user to use communicating data terminal equipment to access the host computer through a communication link, second encryption means for representing the time of a past successful access to the host computer, and including control means for interpreting and responding to predetermined signals; (b) terminal assigned means for being connected to communicating data terminal equipment that is to be utilized by an authorized user to access a host computer through a communications link, and for being interposed in series between portions of the communications link for monitoring signals that are transmitted along the ccommunications link, and for directing predetermined monitored signals to the control means; (c) port means connected to the terminal assigned means for receiving the user assigned means and for operably connected the terminal assigned means thereto such that the user assigned means and the terminal assigned means cooperate to detect and respond to a query signal sent along the communications link from the host computer, with the response taking the form of an authenticating signal sent along the communications link to the host computer, with the character of the authenticating signal being determined at least in part by the first and second encryption means, whereby the authenticating signal constitutes an indicator of the authorized user'"'"'s authority to access the host computer; and
,(d) authorization check means at the host computer for generating the query signal that, when monitored by the terminal assigned means will cause the terminal assigned to generate the authenticating signal to indicate to the authorization check means whether the user assigned means is received by the port means for cooperating with the terminal assigned means to cause the authenticating signal to constitute an indication of the user'"'"'s authority to access the host computer, for maintaining continuity of the communications link upon receiving a predetermined authenticating signal, and for terminating communications along the communications link upon receiving an authenticating signal that is other than said predetermined authenticating signal. - View Dependent Claims (18, 19, 20, 21, 22, 23)
-
-
24. A method of providing a communication link for transmitting signals between a host computer and at least one terminal that is operated by an authorized user, the method comprising the steps of:
-
(a) providing encryption means for being carried by a person who is authorized to use a terminal to access a host computer through a communications link, with the encryption means including a first fixed encryption that is assigned to the authorized user an an indicator of his authority to access the host computer, a second variable encryption representative of the time of prior successful authorized access with the host computer and including a first algorithm together with encoding means for encrypting uncoded signals that are transmitted along the communications link, and for decoding encrypted signals that are transmitted along the communications link; (b) providing security means interposed between portions of the communications link for monitoring signals as they are transmitted along the communications link between the terminal and the host computer, the security means serving to define port means for receiving the encryption means and to cooperate with the encryption means to detect a predetermined authentication query sequence of monitored signals and, in response to such detection, to effect transmission of an authenticating signal sequence along the communications link, with the character of the authenticating signal sequence being determined at least in part by the encryption of the user'"'"'s encryption means so that the authenticating signal sequence constitutes an indicator of the user'"'"'s authority to access the host computer; (c) providing authorization check means for generating the predetermined authentication query sequence that, when monitored by the security means will cause the security means to generate the authenticating signal sequence; (d) positioning the encryption means to be received by the port means; (e) operating the authorization check means to the predetermined authentication query signal sequence along the communications link; (f) operating the security means to detect the predetermined authentication query signal sequence and to cooperate with the encryption means to effect transmission of the authenticating signal sequence; (g) operating the authorization check means to maintain continuity of the communications link upon receiving a predetermined authenticating signal sequence, and to terminate communication of signals along the communications link upon receiving an authenticating signal sequence that is other than said predetermined sequence and, (h) operating the encoding means to encrypt uncoded signals that are transmitted along the communications link and to decode encrypted signals taht are transmitted along the communications link. - View Dependent Claims (25)
-
-
26. A method of providing a secure communication link for transmitting signals between a host computer and at least one terminal that is operated by an authorized user, the method comprising the steps of:
-
(a) providing encryption means for being carried by a person who is authorized to use a terminal to access a host computer through a communications link, with the encryption means including a first encryption having a fixed value that is assigned to the authorized user as an indicator of his authority to access the host computer, a second encryption that is progressively updated to represent the time of a prior successful access to the host computer after each reading of its value, and control means for updating the value of the second encryption after each reading of its value, with the difference between consecutive values of the progressively updated second encryption being determined at least in part by the value of the first encryption; (b) providing security means interposed between portions of the communications link for monitoring signals that are transmitted along the communications link, the security means serving to define port means for receiving the encryption means and to cooperate with the encryption means to detect a predetermined authentication query sequence of monitored signals and, in response to such detection, to effect transmission of an authenticating signal sequence along the communications link, with the value of the authenticating signal sequence being determined at least in part by the value of first encryption so that the value of the authenticating signal sequence constitutes an indicator of the user'"'"'s authority to access the host computer; (c) providing authorization check means associated with the host computer for generating the predetermined authentication query sequence that, when monitored by the security means will cause the security means to generate the authenticating signal sequence; (d) positioning the encryption means to be received by the port means; and (e) conducting a user authorization check by; (i) operating the authorization check means to generate the predetermined authentication query signal sequence; (ii) operating the security means to detect the predetermined authentication query signal sequence and to cooperate with the encryption means to effect transmission of the authenticating signal sequence; (iii) operating the authorization check means to maintain continuity of the communications link upon receiving an a predetermined authenticating signal sequence, and to terminate communication of signals along the communications link upon receiving an authenticating signal sequence that is other than said predetermined sequence; and
,(iv) operating the control means to update the value of the second encryption. - View Dependent Claims (27, 28, 29)
-
-
30. A method of establishing the authority of a user of a station of communications network to use facilities of the communications network, comprising the steps of:
-
(a) providing in authorized user with encryption means (1) for carrying a first encryption that has a value which is representatrve of the authority of the user to utilize at least one station of a communications network to communicate through the network with means defining another station of the network, and (2) for carrving a second encryption that is progressively updated after each reading of its value to represent the time of the last successful communication through the network, and control means for updating the value of the second encryption after each reading of its value, with the difference between consecutive values of the progressively updated second encryption being determined at least in part by the value of the first encryption; (b) providing the at least one station of the communications network with signalling means for reading the values of the first and second encryptions and for transmitting an authenticating electrical signal through the network to the another station, with the authenticating signal having a value that is determined, at least in part, by the values of both of the first and second encryptions; (c) causing the signalling means to read the values of the first and second encryptions and to transmit said authenticating signal as a request by the user to utilize facilities of the communicatins network; (d) receiving the authenticating signal at the another station and comparing the value represented by the authenticating electrical signal with a predetermined value that is predetermined through a calculation that is made at the another station, wherein said calculation takes into account the values of the first and second encryptions; (e) permitting use of the facilities of the communications network by the user only if the value of the authenticating signal is identical with the predetermined value; and
,(f) operating the control means to update the value of the second encryption. - View Dependent Claims (31, 32, 33, 34, 35, 36)
-
-
37. An interactive computer communications security system for serial disposition within a communication link between a host computer and a remote user terminal, said security system comprising:
-
a portable user-carried device including (i) data storage means for storing readable data having a first machine fixed data portion representative of an assigned user'"'"'s identify and a second variable data portion which is changed to represent the time of a successful prior communication link usage and (ii) first signal coupling means for coupling signals representative of said first and second data portions from user-carried device; terminal control means for serial disposition in said communication link and having a second signal coupling means mated with said first signal coupling means for passing onto said communication link onto said communication link authentication signals which are representative of said first and second data portions of the user-carried device; and said portable user-carried device further comprising security control means which may be coupled to said terminal control means through said first and second signal coupling means and which security control means actively controls a signal dialog over said communication link.
-
-
38. An interactive method for effecting user security within a multi-user communication link between a host computer site and plural remote user terminal sites said method comprising the steps of:
-
maintaining a user-carried device which includes stored machine readable data having a first fixed data portion representative of an assigned user'"'"'s identity and a second variable data portion which is changed to represent the time of a successful prior communication link usage and which collectively is processed to provide unique authenticating data; maintaining at said host computer corresponding authenticating data; accessing and using said stored data at a remote user terminal to generate and transmit said unique authenticating data to said host computer site over said link when the corresponding user desires use of said link; permitting use of asid link only if the authenticating data received at the host computer site corresponds to the authenticating data maintained thereat; and controlled a signal dialog over said communication link using a mirror processor-based control circuit carried by said user-carried device.
-
Specification