Apparatus and method for controlling access to and interconnection of computer system resources
First Claim
1. A system for transferring secure data across a data communication medium between first and second computer system resources, comprising:
- first and second access controllers electrically connected to the data communication medium and to respective ones of the first and second resources, for transferring the secure data during a data transfer session after verifying that the first and second resources are both associated with at least one authorized access code;
the access controllers each including;
a memory storing a table of encryption keys, a table of algorithms, and a table of authorized resources that associates pairs of resources with authorized access control codes, the encryption keys and algorithms being identical in each access controller;
a processor randomly generating for the data transfer session, plural numbers and utilizing an access controller identifying number, the randomly generated numbers, selected ones of the stored algorithms, and a predetermined one of the stored encryption keys to generate in cooperation with the other access controller a unique session key; and
an encryption/decryption processor using the unique session key to encrypt the secure data transferred across the data communication medium.
Abstract
A compact, physically secure, high-performance access controller (16, 18) is electrically connected to each access-managed resource (12, 14) or group of resources (10) in a computer system. Whenever access managed resources attempt to establish communications, their associated access controllers exchange sets of internally generated access authorization codes (106, 112, 120, 132, 202, 208, 216, 270, 272) utilizing protocols characterized by multiple random numbers, resource authorization keys, serial number (48, 72) verification, and session authorization keys. Each new session employs different encryption keys derived from multiple random numbers and multiple hidden algorithms. Tables of authorized requesting and responding resources are maintained in a protected memory (34, 38) in each access controller. An authorization table building procedure is augmented by an optional central access control system (56) that employs a parallel control network (62, 64, 66) to centrally manage the access control tables in an access-controlled system of resources.
33 Claims
10. A method for generating a table of authorized resources entry for use in a secure access control system, comprising:
establishing a secure data communication dialog between first and second access controllers;
storing in each access controller, a table of encryption keys, a table of algorithms, and a table of authorized resources that associates pairs of access controllers with authorized access control codes, the tables of encryption keys and algorithms being identical in each access controller;
generating a unique base key associated with the first and second access controllers by using the secure data communication dialog to exchange data derived from predetermined ones of the encryption keys and the algorithms; and
associating the first and second access controllers with the unique base key in the table of authorized resources of the first and second access controllers.
12. A method for generating and using encryption keys to authorize and encrypt data exchanged between first and second computer system resources, comprising:
providing a master access controller and a slave access controller each including a processor and a memory;
storing in the memories tables of authorized resources and identical base key tables, encryption key tables, and algorithm tables;
randomly generating in the master access controller a number alpha1;
selecting a predetermined base key "a" from the master access controller base key table;
calculating "a"^alpha1;
randomly generating in the slave access controller a number beta1;
selecting the predetermined base key "a" from the slave access controller base key table;
determining a key A in the slave access controller by calculating ("a"^alpha1)^beta1;
calculating "a"^beta1;
determining key A in the master access controller by calculating ("a"^beta1)^alpha1;
selecting a base key x at random from the master access controller base key table;
determining a key B by calculating (x)^(alpha1*beta1);
determining base key x in the slave access controller by calculating (key B)^(1/beta1*alpha1); and
determining that base key x exists in the slave access controller base key table to verify the validity of key B.
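The arithmetic of claim 12 worked through in Python, as an added example that is not code from the patent. The claim names no modulus and does not say how each controller learns the other's random number, so the example assumes a prime modulus P, random numbers invertible mod P-1, and passes both numbers to each function; the base key table is constructed.

```python
import secrets
from math import gcd

P = 2**127 - 1  # assumed prime modulus (a Mersenne prime); the claim names none
# Constructed base key table, identical in master and slave.
BASE_KEYS = [0x1234567, 0x89ABCDEF, 0x0F1E2D3C4B, 0x5A6978]

def random_exponent():
    """Random number usable as alpha1/beta1: invertible mod P-1 (assumption)."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if gcd(e, P - 1) == 1:
            return e

def agree_key_a(a, alpha1, beta1):
    """Return (master's key A, slave's key A) from the two exchanged powers."""
    from_master = pow(a, alpha1, P)   # "a"^alpha1, sent master -> slave
    from_slave = pow(a, beta1, P)     # "a"^beta1, sent slave -> master
    return pow(from_slave, alpha1, P), pow(from_master, beta1, P)

def make_key_b(x, alpha1, beta1):
    """Master: key B = x^(alpha1*beta1)."""
    return pow(x, alpha1 * beta1, P)

def recover_x(key_b, alpha1, beta1):
    """Slave: (key B)^(1/(alpha1*beta1)), the inverse taken mod P-1."""
    root = pow(alpha1 * beta1, -1, P - 1)
    return pow(key_b, root, P)

def slave_accepts(key_b, alpha1, beta1):
    """Key B is valid only if the recovered x is in the slave's base key table."""
    return recover_x(key_b, alpha1, beta1) in BASE_KEYS

if __name__ == "__main__":
    alpha1, beta1 = random_exponent(), random_exponent()
    key_a_master, key_a_slave = agree_key_a(BASE_KEYS[0], alpha1, beta1)
    print("key A matches:", key_a_master == key_a_slave)
    key_b = make_key_b(secrets.choice(BASE_KEYS), alpha1, beta1)
    print("genuine key B accepted:", slave_accepts(key_b, alpha1, beta1))
    print("altered key B accepted:", slave_accepts((key_b + 1) % P, alpha1, beta1))
```

The table lookup in `slave_accepts` is the claim's final step: a key B that was not built from a shared base key recovers to a value outside the table and is rejected.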
15. A system for transferring secure data across a data communication medium between first and second computers comprising:
first and second access control means in communication with the data communication medium and with associated ones of the first and second computers, for transferring the secure data after verifying that the first and second computers are both associated with the authorized access control code;
the first and second access control means each having an associated memory for storing a table of predetermined encryption keys and a table of authorized resources for associating the first and second computers with an authorized access control code, and an associated processor for randomly generating numbers and using the randomly generated numbers in cooperation with a predetermined one of the stored encryption keys to generate in data communication with the other access control means a session key; and
an encryption/decryption processor using the session key to encrypt the secure data transferred across the data communication medium.
23. A method for generating and using encryption keys to authorize and encrypt data transferred between first and second computer system resources, comprising:
providing a master access controller and a slave access controller each including a processor and a memory;
storing in the memories tables of authorized resources and identical encryption key tables;
randomly generating in the master access controller and the slave access controller respective first and second numbers;
selecting from the master access controller encryption key table and the slave access controller encryption key table a first predetermined encryption key;
determining in the master access controller and the slave access controller a key A by processing the first predetermined encryption key with the first and second randomly generated numbers;
selecting at random from the master access controller encryption key table a second encryption key;
determining a key B in the master access controller by processing the second encryption key with the first and second randomly generated numbers; and
encrypting key B with key A and sending encrypted key B to the slave access controller,
27. A method for authorizing access to and encrypting data transferred between first and second computer system resources, comprising:
connecting together through a first data communication medium first and second access controllers each associated with a table of authorized resources;
generating in the table of authorized resources an authorized resource pair entry associating the first and second access controllers;
detaching the first and second access controllers;
attaching the first and second access controllers to respective ones of the first and second computer system resources;
connecting the first and second access controllers through a second data communication medium;
exchanging data between the first and second access controllers to verify that both access controllers are associated by the authorized resource pair entry in the associated table of authorized resources;
establishing a session encryption key; and
encrypting and decrypting with the session key data transferred across the second data communication medium between the first and second computer system resources.
Specification