System and method for controlling user access to a service processor

US 8,904,507 B2
Filed: 11/29/2011
Issued: 12/02/2014
Est. Priority Date: 11/29/2011
Status: Active Grant

First Claim

Patent Images

1. A service processor, comprising:

a processor, and a memory storing firmware which, when executed by the processor, is configured to-perform management functions for a target computer, wherein the service processor is provided within the target computer, and the firmware includes;

(a) a registration module configured to perform functions including;

receiving a device identifier associated with a personal computing device over a communications link;

associating the device identifier with user access data of a user at the service processor, wherein a first set of the user access data is an Intelligent Platform Management Interface (IPMI) industry standard access data of the service processor, and a second set of the user access data is different from the first set of the user access data;

obtaining a cryptographic key for the device identifier; and

transmitting the cryptographic key to the personal computing device over the communications link;

(b) a management access module configured to perform functions including;

performing a first authentication operation, wherein the first authentication operation includes;

(i) receiving a first set of login data from a management computer, wherein the management computer is communicatively coupled to the service processor via the communications link, and is separate from the personal computing device and the target computer;

(ii) verifying whether the received first set of login data corresponds to the first set of the user access data; and

when the first set of login data corresponds to the first set of the user access data, performing a second authentication operation, wherein the second authentication operation includes;

(iii) retrieving the device identifier associated with the user access data;

(iv) retrieving the cryptographic key corresponding to the device identifier;

(v) encrypting the second set of the user access data to generate an encrypted code based on the cryptographic key and a current time of day, and transmitting a visual representation of the encrypted code to the management computer for displaying at the management computer, wherein the second set of user access data are dynamically generated at the management access module;

(vi) receiving a second set of login data from the management computer, wherein the second set of login data is displayed on the personal computing device to be viewable by the user such that the user is capable of entering the second set of login data at the management computer, and wherein the second set of login data is generated by the personal computing device by capturing an image of the visual presentation of the encrypted code and processing and decrypting the captured image of the visual representation of the encrypted code based on the cryptographic key;

(vii) verifying whether the received second set of login data corresponds to the second set of the user access data; and

(viii) when the second set of login data corresponds to the second set of the user access data, granting remote access of the service processor to the management computer.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one aspect, a system for managing user access to a service processor is disclosed. In one embodiment, the system includes a computer-executable management access module for performing functions to authenticate a user. A management computer that is communicatively coupled to the service processor is operative to perform management functions for at least one target computer. User authentication functions include receiving a first set of login data from a user of the management computer and verifying whether the received login data corresponds to an approved user. If the first set of login data corresponds to an approved user, a code is generated and then displayed on the management computer. When recognized by the personal computing device, data from the code is used for providing a second set of login information to the user, for permitting the user to access the service processor via the management computer.

22 Citations

View as Search Results

24 Claims

1. A service processor, comprising:
- a processor, and a memory storing firmware which, when executed by the processor, is configured to-perform management functions for a target computer, wherein the service processor is provided within the target computer, and the firmware includes;
  
  (a) a registration module configured to perform functions including;
  
  receiving a device identifier associated with a personal computing device over a communications link;
  
  associating the device identifier with user access data of a user at the service processor, wherein a first set of the user access data is an Intelligent Platform Management Interface (IPMI) industry standard access data of the service processor, and a second set of the user access data is different from the first set of the user access data;
  
  obtaining a cryptographic key for the device identifier; and
  
  transmitting the cryptographic key to the personal computing device over the communications link;
  
  (b) a management access module configured to perform functions including;
  
  performing a first authentication operation, wherein the first authentication operation includes;
  
  (i) receiving a first set of login data from a management computer, wherein the management computer is communicatively coupled to the service processor via the communications link, and is separate from the personal computing device and the target computer;
  
  (ii) verifying whether the received first set of login data corresponds to the first set of the user access data; and
  
  when the first set of login data corresponds to the first set of the user access data, performing a second authentication operation, wherein the second authentication operation includes;
  
  (iii) retrieving the device identifier associated with the user access data;
  
  (iv) retrieving the cryptographic key corresponding to the device identifier;
  
  (v) encrypting the second set of the user access data to generate an encrypted code based on the cryptographic key and a current time of day, and transmitting a visual representation of the encrypted code to the management computer for displaying at the management computer, wherein the second set of user access data are dynamically generated at the management access module;
  
  (vi) receiving a second set of login data from the management computer, wherein the second set of login data is displayed on the personal computing device to be viewable by the user such that the user is capable of entering the second set of login data at the management computer, and wherein the second set of login data is generated by the personal computing device by capturing an image of the visual presentation of the encrypted code and processing and decrypting the captured image of the visual representation of the encrypted code based on the cryptographic key;
  
  (vii) verifying whether the received second set of login data corresponds to the second set of the user access data; and
  
  (viii) when the second set of login data corresponds to the second set of the user access data, granting remote access of the service processor to the management computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The service processor of claim 1, wherein the personal computing device comprises a user module configured to, when executed by one or more processors, capture the image of the visual representation of the encrypted code displayed on the management computer, process and decrypt the captured image of the visual representation of the encrypted code based on the cryptographic key received by the personal computing device, generate the second set of login data, and display the second set of login data on the personal computing device.
  - 3. The service processor of claim 2, wherein the personal computing device comprises a digital camera component for capturing the image of the visual representation of the encrypted code.
  - 4. The service processor of claim 1, wherein the management computer comprises a web-based application configured to, when executed by one or more processors of the management computer, perform functions including:
    - receiving the first set of login data, and transmitting the first set of login data to the service processor over the communications link;
      
      receiving the visual representation of the encrypted code from the service processor, and displaying the visual representation of the encrypted code; and
      
      receiving the second set of login data, and transmitting the second set of login data to the service processor over the communications link.
  - 5. The service processor of claim 4, wherein the web-based application is operative to provide a graphical user interface (GUI) with interactive user controls displayed on the management computer for receiving the first set of login data and the second set of login data in response to interactions of the user with the interactive user controls.
  - 6. The service processor of claim 1, wherein the first set of login data comprises at least one of an IPMI username and password that is associated with an approved user of the management computer.
  - 7. The service processor of claim 1, wherein the service processor is configured as a baseboard management controller (BMC).
  - 8. The service processor of claim 1, wherein the personal computing device comprises a smartphone.
  - 9. The service processor of claim 1, wherein the second set of login data is generated and displayed at the personal computing device based on decrypted data, and the personal computing device obtains the decrypted data by decrypting the captured image of the visual representation of the encrypted code based on the cryptographic key.

10. A system, comprising:
- a service processor provided within a target computer; and
  
  a management computer communicatively coupled to the service processor via a communications link;
  
  wherein the service processor comprises a processor, and a memory storing firmware which, when executed by the processor, is configured to-perform management functions for the target computer, wherein the firmware includes;
  
  (a) a registration module configured to perform functions including;
  
  receiving a device identifier associated with a personal computing device over the communications link;
  
  associating the device identifier with a first set of user access data of a user at the service processor, wherein the first set of the user access data is an Intelligent Platform Management Interface (IPMI) industry standard access data of the service processor, and a second set of the user access data is different from the first set of the user access data;
  
  obtaining a cryptographic key based on the device identifier; and
  
  transmitting the cryptographic key to the personal computing device over the communications link;
  
  (b) a management access module configured to perform functions including;
  
  performing a first authentication operation, wherein the first authentication operation includes;
  
  (i) receiving a first set of login data from the management computer;
  
  (ii) verifying whether the received first set of login data corresponds to the first set of the user access data; and
  
  when the first set of login data corresponds to the first set of the user access data, performing a second authentication operation, wherein the second authentication operation includes;
  
  (iii) retrieving the device identifier associated with the user access data;
  
  (iv) retrieving the cryptographic key corresponding to the device identifier;
  
  (v) encrypting the second set of the user access data to generate an encrypted code based on the cryptographic key and a current time of day, and transmitting a visual representation of the encrypted code to the management computer for displaying at the management computer, wherein the second set of user access data are dynamically generated at the management access module;
  
  (vi) receiving a second set of login data from the-management computer, wherein the second set of login data is displayed on the personal computing device to be viewable by the user such that the user is capable of entering the second set of login data at the management computer, and wherein the second set of login data is generated by the personal computing device by capturing an image of the visual presentation of the encrypted code and processing and decrypting the captured image of the visual representation of the encrypted code based on the cryptographic key;
  
  (vii) verifying whether the received second set of login data corresponds to a second set of the user access data; and
  
  (viii) when the second set of login data corresponds to the second set of the user access data, granting remote access of the BMC to the management computer; and
  
  wherein the management computer comprises a web-based application configured to, when executed by one or more processors, perform functions including;
  
  receiving the first set of login data, and transmitting the first set of login data to the service processor over the communications link;
  
  receiving the visual representation of the encrypted code from the service processor, and displaying the visual representation of the encrypted code; and
  
  receiving the second set of login data, and transmitting the second set of login data to the service processor over the communications link;
  
  wherein the personal computing device comprises a user module configured to, when executed by one or more processors,capture the image of the visual representation of the encrypted code displayed on the management computer,process and decrypt the captured image of the visual representation of the encrypted code based on the cryptographic key received by the personal computing device,generate the second set of login data, anddisplay the second set of login data on the personal computing device.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10, wherein the visual representation of the encrypted code comprises a QR code.
  - 12. The system of claim 10, wherein the personal computing device comprises a digital camera component that is operative to capture the image of the visual representation of the encrypted code displayed on the management computer in response to an interaction of the user with the personal computing device.
  - 13. The system of claim 10, wherein the first set of login data comprises at least one of an IPMI username and password associated with an approved user of the management computer.
  - 14. The system of claim 10, wherein the web-based application is operative to provide a graphical user interface (GUI) with interactive user controls displayed on the management computer for receiving the first set of login data and the second set of login data in response to interactions of the user with the interactive user controls.
  - 15. The system of claim 10, wherein the second set of login data is generated and displayed at the smartphone based on decrypted data, and the smartphone obtains the decrypted data by decrypting the captured image of the visual representation of the encrypted code based on the cryptographic key.
  - 16. The system of claim 10, wherein the service processor is configured as a baseboard management controller (BMC), and the personal computing device comprises a smartphone.

17. A method for managing user access to a service processor, comprising the steps of:
- (a) executing, at a processor of the service processor, a registration module to perform functions including;
  
  (i) receiving a device identifier from a personal computing device over a communications link;
  
  (ii) associating the device identifier with user access data of a user at the service processor, wherein a first set of the user access data is an Intelligent Platform Management Interface (IPMI) industry standard access data of the service processor, and a second set of the user access data is different from the first set of the user access data;
  
  (iii) obtaining a cryptographic key based on the device identifier; and
  
  (iv) transmitting the cryptographic key to the personal computing device over the communications link;
  
  (b) executing, at the processor of the service processor, a management access module to perform a first authentication operation, wherein the first authentication operation includes;
  
  (v) receiving a first set of login data from a management computer over the communications link, wherein the management computer is communicatively coupled to the service processor via the communications link, and is separate from the personal computing device and a target computer, wherein the service processor is provided within the target computer to perform management functions for the target computer, and wherein the first set of login data is entered by the user at the management computer; and
  
  (vi) verifying whether the received first set of login data corresponds to the first set of the user access data;
  
  (c) when the first set of login data corresponds to the first set of the user access data, performing, by the management access module executed at the processor of the service processor, a second authentication operation, wherein the second authentication operation includes;
  
  (vii) retrieving the device identifier associated with the user access data;
  
  (viii) retrieving the cryptographic key corresponding to the device identifier; and
  
  (viii) encrypting the second set of user access data to generate an encrypted code based on the cryptographic key and a current time of day, and transmitting a visual representation of the encrypted code to the management computer such that the management computer displays the visual representation of the encrypted code, wherein the second set of user access data is dynamically generated at the management access module; and
  
  (ix) receiving a second set of login data from the management computer, wherein the second set of login data is displayed on the personal computing device to be viewable by the user such that the user is capable of entering the second set of login data at the management computer, and wherein the second set of login data is generated by the personal computing device by capturing an image of the visual presentation of the encrypted code and processing and decrypting the captured image of the visual representation of the encrypted code based on the cryptographic key;
  
  (x) verifying whether the received second set of login data corresponds to a second set of the user access data; and
  
  (xi) when the second set of login data corresponds to the second set of the user access data, granting remote access of the service processor to the management computer.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The method of claim 17, further comprising the steps of:
    - installing a user module on the personal computing device associated with the user, wherein the user module is configured to, when executed by one or more processors, process and decrypt the captured image of the visual representation of the encrypted code based on the cryptographic key received by the personal computing device, generate the second set of login data and display the second set of login data on the personal computing device; and
      
      causing the one or more processors to execute the user module.
  - 19. The method of claim 18, wherein the personal computing device comprises a digital camera component.
  - 20. The method of claim 19, wherein the digital camera component is operative to capture the image of the visual representation of the encrypted code displayed on the management computer in response to interactions of the user with the personal computing device.
  - 21. The method of claim 17, wherein the service processor is configured as a baseboard management controller (BMC).
  - 22. The method of claim 17, wherein the personal computing device comprises a portable wireless communications device.
  - 23. The method of claim 22, wherein the portable wireless communications device comprises a smartphone.
  - 24. The method of claim 17, wherein the second set of login data is generated and displayed at the personal computing device based on decrypted data, and the personal computing device obtains the decrypted data by decrypting the captured image of the visual representation of the encrypted code based on the cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
American Megatrends International, LLC
Original Assignee
American Megatrends Incorporated
Inventors
Maity, Sanjoy
Primary Examiner(s)
Desrosiers, Evans

Application Number

US13/306,194
Publication Number

US 20130139233A1
Time in Patent Office

1,099 Days
Field of Search

726 4- 7, 726/9, 713169-170, 713/184
US Class Current

726/7
CPC Class Codes

G06F 21/35   communicating wirelessly

G06F 21/36   by graphic or iconic repres...

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 9/32   including means for verifyi...

H04W 12/71   Hardware identity

H04W 12/77   Graphical identity

System and method for controlling user access to a service processor

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for controlling user access to a service processor

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links