Computer communications security control system

US 4,694,492 A
Filed: 11/09/1984
Issued: 09/15/1987
Est. Priority Date: 11/09/1984
Status: Expired due to Fees

First Claim

Patent Images

1. Apparatus for verifying the authorization of a user of a terminal for accessing a host computer through a communications link, the apparatus comprising:

(a) encryption means for being carried by an "authorized user," namely a person who is authorized to use terminal to access a host computer through a communications link that connects the terminal to the host computer, the encryption means including a first encryption that has a value which has been assigned to the authorized user as an indicator of the authorized user'"'"'s authority to access the host computer and also including a second variable encryption representative of the time of a prior successful authorized access with the host computer;

(b) security means interposed in series between portions of the communications link for monitoring signals as they are transmitted along the communications link, the security means defining port means for receiving the encryption means and for cooperating with the encryption means (1) to detect a predetermined authentication query signal sequence of monitored signals as the authetication query signal sequence is transmitted along the communications link from the host computer and, (2) in response to such detection, to effect transmission of a predetermined autheticating signal sequence along the communications link to the host computer, with the value of the authenticating signal sequence being determined at least in part by the value of the first encryption and of a further encryption resident in said security means and representative of the identity of a predetermined terminal associated therewith so that the predetermined authenticating signal sequence constitutes an indicator of the user'"'"'s and terminal'"'"'s authority to access the host computer; and

,(c) authorization check means associated with the host computer (1) for generating an authentication query signal sequence that, when detected by the security means, will cause the security means to transmit the autheticating signal sequnce along the communications link to indicate to the authorization check means whether the autorized user'"'"'s encryption means is received by the port means for cooperating with the security means to cause the authenticating signal sequence to constitute an indication of the user'"'"'s authority and the particular connected terminal'"'"'s authority to access the host computer, (2) for permitting host computer access upon receiving said predetermined authenticating signal sequence, and (3) for preventing host computer access upon receiving an autheticating signal sequence that is other than said predetermined autheticating signal sequence.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer communications control system is provided for authenticating the authorization of a user of computer equipment such as a terminal of a computer network, more specifically communicating data terminal equipment that is connected through a communications link to other computer equipment such as a host computer. The system utilizes a security unit that is associated with and connected to the user'"'"'s terminal. The security unit operates in conjunction with the other computer equipment to which the user'"'"'s terminal is linked, for example a host computer, to check the authorization of the user to access the host computer by requiring that an encryption device which has been assigned to the user be received in a port that is defined by the security unit in order that the security unit can respond properly to query signals which are sent along the communications link from the host computer. In the absence of a proper authenticating signal from a terminal'"'"'s security unit, the host computer denies the terminal'"'"'s requested access. The security unit and the user'"'"'s encryption device operate in synchronization with the host computer such that each new authentication query signal that is sent from the host computer will be answered by an appropriate, newly calculated authenticating signal that the host computer checks for correctness of calculation. A feature of the invention resides in requiring that each newly requested authenticating signal differ in a calculated manner from the user'"'"'s previously sent authenticating signal, with the manner in which sequential authenticating signals differ being determined, at least in part, by the unique character of th user'"'"'s encryption device.

118 Citations

28 Claims

1. Apparatus for verifying the authorization of a user of a terminal for accessing a host computer through a communications link, the apparatus comprising:
- (a) encryption means for being carried by an "authorized user," namely a person who is authorized to use terminal to access a host computer through a communications link that connects the terminal to the host computer, the encryption means including a first encryption that has a value which has been assigned to the authorized user as an indicator of the authorized user'"'"'s authority to access the host computer and also including a second variable encryption representative of the time of a prior successful authorized access with the host computer;
  
  (b) security means interposed in series between portions of the communications link for monitoring signals as they are transmitted along the communications link, the security means defining port means for receiving the encryption means and for cooperating with the encryption means (1) to detect a predetermined authentication query signal sequence of monitored signals as the authetication query signal sequence is transmitted along the communications link from the host computer and, (2) in response to such detection, to effect transmission of a predetermined autheticating signal sequence along the communications link to the host computer, with the value of the authenticating signal sequence being determined at least in part by the value of the first encryption and of a further encryption resident in said security means and representative of the identity of a predetermined terminal associated therewith so that the predetermined authenticating signal sequence constitutes an indicator of the user'"'"'s and terminal'"'"'s authority to access the host computer; and
  
  ,(c) authorization check means associated with the host computer (1) for generating an authentication query signal sequence that, when detected by the security means, will cause the security means to transmit the autheticating signal sequnce along the communications link to indicate to the authorization check means whether the autorized user'"'"'s encryption means is received by the port means for cooperating with the security means to cause the authenticating signal sequence to constitute an indication of the user'"'"'s authority and the particular connected terminal'"'"'s authority to access the host computer, (2) for permitting host computer access upon receiving said predetermined authenticating signal sequence, and (3) for preventing host computer access upon receiving an autheticating signal sequence that is other than said predetermined autheticating signal sequence.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1 wherein the security means includes means for cooperating with the encryption means to assure that each newly detected authetication query signal sequence will result in the transmission of an autheticating signal sequence that has a value which differs from the value of a previously transmitted autheticating signal sequence, with the difference between consecutively transmitted authenticating signal sequences being determined at least in part by the value of the first encryption.
  - 3. The apparatus of claim 1 wherein:
    - (a) the first encryption includes a first N-bit value that is representative of the value of the first encryption;
      
      (b) the encryption means includes first electrical signal storage means for at least temporarily retaining the first N-bit value therein; and
      
      ,(c) the security means and the encryption means cooperate to cause the value of the first encryption to be read and, as a part of effecting transmission of an authenticating signal sequence, to cause the value of the authenticating signal sequence to be determined, at least in part, by the value of the first encryption.
  - 4. The apparatus of claim 3 wherein:
    - (a) the encryption means includes second electrical signal storage means for at least temporarily retaining a second electrical signal string therein that is representative of the value of a second encryption; and
      
      ,(b) the security means and the encryption means cooperate to cause the value of the second encryption to be read and, as a part of effecting transmission of an autheticating signal sequence, to cause the value of the autheticating signal sequence to be determined, at least in part, by the value of the second encryption.
  - 5. The apparatus of claim 4 wherein the security means and the encryption means cooperate to cause the second N-bit value that is stored in the encryption means to be updated to a new value once the value of the second encryption has been so read, with the new value of the second N-bit value being determined, at least in part, by the value of the first encryption.

6. Apparatus for verifying the authorization of a user of communicating data terminal equipment for accessing a host computer through a communications link, the apparatus comprising:
- (a) user assigned means for being carried by an "authorized user," namely a person who is authorized to use communicating data terminal equipment to access a host computer through a communications link, the user assigned means defining first encryption means for serving as an indication of the authority of the authorized user to use communicating data terminal equipment to access the host computer through a communications link and second encryption means for indicating the time of a past successful access to the host computer;
  
  (b) terminal assigned means for being connected to communication data terminal equipment that is to be utilized by an authorized user to access a host computer through a communications link, and for being interposed in series between portions of the communications link for monitoring signals that are transmitted along the communications link;
  
  (c) port means connected to the terminal assigned means for receiving the user assigned means and for operably connecting the terminal assigned means thereto such that the user assigned means and the terminal assigned means cooperate to detect and respond to query signals sent along the communications link from the host computer;
  
  with the response taking the form of predetermined autheticating signals that are sent along the communications link to the host computer, with the character of the authenticating signals being determined at least in part by the first and second encryption means, whereby the autheticating signals constitute an indicator of the authorized user'"'"'s authority to access the host computer; and
  
  ,(d) authorization check means for generating the query signals that, the monitored by the terminal assigned means will cause the terminal assigned means to generate autheticating signals to indicate to the authorization check means whether the user assigned means is received by the port means for cooperating with the terminal assigned means to cause the autheticating signals to constitute an indication of the user'"'"'s authority to access the host computer, for maintaining continuity of the communications link upon receiving said predetermined autheticating signals, and for terminating communications along the communications link upon receiving autheticating signals that are other than said predetermined signals.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6 wherein the terminal assigned means includes control means for cooperating with the user assigned means to assure that each newly detected query signals will result in the sending of autheticating signals that differ from previously transmitted autheticating signals, with the difference between consecutively transmitted autheticating signal means being determined at least in part by the character of the first and second encryption means.
  - 8. The apparatus of claim 6 wherein:
    - the user assigned means includes first electrical signal storage means comprising the first encryption means for retaining a first multi-bit value therein.
  - 9. The apparatus of claim 8 wherein:
    - (a) the user assigned means includes second electrical signal storage means comprising the second encryption means for at least temporarily retaining a second multi-bit value therein; and
      
      ,(c) the control means is operable to cooperate with the user assigned means such that, in the sending of the authenticating signals, the second multi-bit value of the second encryption means is read, and the character of the authenticating signals are determined at least in part by the content of the second encryption means.
  - 10. The apparatus of claim 9 wherein the terminal assigned means and the user assigned means cooperate to cause the second multi-bit value to be updated to a new value once the second multi-bit value has been read and utilized in determining the character of the autheticating signals.

11. A method of providing a communication link for transmitting signals between a host computer and at least one terminal that is operated by an authorized user, the method comprising the steps of:
- (a) providing encryption means for being carried by a person who is authorized to use a terminal to access a host computer through a communications link, with the encryption means including a first encryption having a fixed value that is assigned to the authorized user as an indicator of his authority to access the host computer and also including a second variable encryption representative of the time of a prior successful authorized access with the host computer;
  
  (b) providing security means interposed between portions of the communications link for monitoring signals that are transmitted along the communications link, the security means serving to define port means for receiving the encryption means and to cooperate with the encryption means to detect a predetermined authetication query sequence of monitored signals from the host computer and, in response to such detection, to effect transmission of an authenticating signal sequence along the communications link to the security means, with the value of the authenticating signal sequence being determined at least in part by the value of said first and second encryptions so that the value of the autheticating signal sequence constitutes an indicator of the user'"'"'s authority to access the host computer;
  
  (c) providing authorization check means associated with the host computer for transmitting the predetermined authetication query sequence along the communications link that, when monitored by the security means, will cause the security means to transmit the authenticating signal sequence along the communications link;
  
  (d) positioning the encryption means to be received by the port means; and
  
  ,(e) conducting a user authorization check by;
  
  (i) operating the authorization check means to generate the predetermined authentication query signal sequence;
  
  (ii) operating the security means to detect the predetermined authetication query signal sequence and to cooperate with the encryption means to effect transmission of the autheticating signal sequence; and
  
  ,(iii) operating the authorization check means to maintain continuity of the communications link upon receiving said predetermined authenticating signal sequence, and to terminate communication of signals along the communications link upon receiving an authenticating signal sequence that is other than said predetermined sequence.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11 including the steps of conducting communications along the communications link between the host computer and the terminal, with such communications being interrupted at least once to conduct a further user authorization check by:
    - (a) operating the authorization check means to transmit the predetermined authentication query signal sequence along the communications link;
      
      (b) operating the security means to detect the predetermined authentication query signal sequence and to cooperate with the encryption means to effect transmission of the authenticating signal sequence; and
      
      ,(c) operating the authorization check means to maintain continuity of the communications link upon receiving said predetermined authenticating signal sequence, and to terminate communication of signals along the communications link upon receiving an authenticating signal sequence that is other than said predetermined sequence.
  - 13. The method of claim 11 wherein the step of effecting transmission of an autheticating signal sequence includes the step of calculating a new value to be used for the authenticating signal sequence so that no two consecutively used authenticating signal sequences have values that are identical, and so that the calculated difference between the values of consecutively used authenticating signal sequences is controlled, at least in part, by the value of the first and second encryptions.
  - 14. The method of claim 11 additionally including the steps of:
    - (a) providing within the encryption means first storage means for retaining therein, at least temporarily, at least one multi-bit value; and
      
      ,(b) storing in the first storage means a first multi-bit value representing the value of said first encryption.
  - 15. The method of claim 11 additionally including the steps of:
    - (a) providing within the encryption means second storage means for retaining therein, at least temporarily, a second multi-bit value;
      
      (b) storing in the second storage means a second multi-bit value representing the value of said second encryption; and
      
      ,(c) the step of effecting transmission of an authenticating signal sequence includes the step of causing the value of the authenticating signal sequence to be determined at least in part by the value of the second encryption.
  - 16. The method of claim 15 additionally including the step of updating the value of the second encryption after each transmission of an autheticating signals sequence.
  - 17. The method of claim 16 wherein the step of updating the value of the second encryption is done in a manner that is influenced by the value of the first encryption.

18. A method of establishing the authority of a user of a station of communications network to use facilities'"'"'of the communications network, comprising the steps of:
- (a) providing an authorized user with encryption means for carrying (a) a first encryption that has a fixed value which is representative of the authority of the user to utilize at least one station of a communications network to communicate through the network with means defining another station of the network and (b) a second variable encryption value representative of the time of a prior successful authorized access with the host computer;
  
  (b) providing the at least one station of the communications network with signalling means for reading the value of the first and second encryptions and for transmitting an authenticating electrical signal through the network to the another station, with the autheticating signal having a value that is determined, at least in part, by the value of the first and second encryptions;
  
  (c) causing the signalling means to read the value of the encryptions and to transmit said authenticating signal as a request by the user to utilize facilities of the communications network;
  
  (d) receiving the autheticating signal at the another station and comparing the value represented by the authenticating electrical signal with a predetermined value that is predetermined through a calculation that is made at the another station, wherein said calculation takes into account the value of the first and second encryptions; and
  
  ,(e) permitting use of the facilities of the communications network by the user only if the value of the authenticating signal is identical with said predetermined value.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The method of claim 18 wherein the step of transmitting the authenticating signal includes the step of assembling the authenticating signal from a plurality of multi-bit components, with one of the multi-bit components including a multi-bit value that is determined, at least in part, by the value of the first encryption.
  - 20. The method of claim 19 wherein another of the multi-bit components that is utilized in assembling the authenticating signal has a value that is assigned to the signalling means as an identifier of the signalling means.
  - 21. The method of claim 19 wherein another of the multi-bit components that is utilized in assembling the authenticating signal has a value that is assigned to the encryption means as an identifier of the encryption means.
  - 22. The method of claim 18 wherein the value of the authenticating signal and the predetermined value are calculated separately and independently at the at least one station and at the another station, respectively, with no indication of the manner in which these values are calculated being transmitted through the communications network, whereby, even if an unauthorized user seeks to obtain access to facilities of the network by monitoring signals that are transmitted through the network, the unauthorized user will not be taught the manner in which the values are calculated.
  - 23. The method of claim 22 wherein the encryption means comprises a pocket-size structure that houses electrical signal storage means, and the step of providing an authorized user with encryption means includes the step of storing a multi-bit signal in the storage means that is indicative of the value which is representative of the authority of the user.
  - 24. The method of claim 23 additionally including the steps of:
    - (a) storing in the electrical signal storage means a second multi-bit signal that is representative of a value of said second encryption; and
      
      ,(b) the step of causing the signalling means to transmit said authenticating signal includes the step of causing the value of the authenticating signal to be determined, at least in part, by the value of the second encryption.
  - 25. The method of claim 24 additionally including the step of updating the value of the second encryption after each transmission of an authenticating signal sequence.
  - 26. The method of claim 25 wherein the step of updating the value of the second encryption is done in a manner that is influenced by the value of the first encryption.

27. An interactive computer communications security system for serial disposition within a communication link between a host computer and a remote user terminal, said security system comprising:
- a portable user-carried device including (i) data storage means for storing machine readable data having a first fixed data portion representative of an assigned user'"'"'s identity and a second variable data portion which is changed to represent the time of successful prior communication link usage and (ii) first signal coupling means for coupling signals representative of said first and second data portions from said user-carried device; and
  
  terminal control means for serial disposition in said communication link and having second signal coupling means mated with said first signal coupling means for passing onto said communication link authentication signals which are representative of said first and second data portions of the user-carried device.

28. An interactive method for effecting user security within a multi-user communication link between a host computer site and plural remote user terminal sites said method comprising the steps of:
- maintaining a user-carried device which includes stored machine readable data having a first fixed data portion representative of an assigned user'"'"'s identity and a second variable data portion which is changed to represent the time of successful prior communication link usage and which collectively is processed to provide unique authenticating data;
  
  maintaining at said host computer corresponding authenticating data;
  
  accessing and using said stored data at a remote user terminal to generate and transmit said unique authenticating data to said host computer site over said link when the corresponding user desires use of said link; and
  
  permitting use of said link only if the authenticating data received at the host computer site corresponds to the authenticating data maintained thereat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pirmasafe Incorporated
Original Assignee
Pirmasafe Incorporated
Inventors
Wirstrom, Peter, Cork, William H.
Primary Examiner(s)
Cangialosi, Salvatore
Assistant Examiner(s)
Lewis, Aaron J.

Application Number

US06/670,471
Time in Patent Office

1,040 Days
Field of Search

178/22.08, 178/22.09, 178/22.16, 235/379, 235/380, 235/382, 235/382.5, 235/487, 340/825.31, 340/825.34, 380/23, 380/24, 380/25, 380/47
US Class Current

713/159
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 2221/2103   Challenge-response

H04L 9/3271   using challenge-response

Computer communications security control system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

118 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Computer communications security control system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links