WO2000016179A1 - Method and device of disabling the unauthorised use of a computer - Google Patents

Info

Publication number
WO2000016179A1
Authority
WO
WIPO (PCT)
Prior art keywords
computer
card
chip card
card reader
bios
Prior art date
Application number
PCT/EE1999/000001
Other languages
French (fr)
Inventor
Mart Marandi
Original Assignee
Mart Marandi
Priority date
Filing date
Publication date
Application filed by Mart Marandi
Priority to AU57281/99A
Publication of WO2000016179A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/1097 Boot, Start, Initialise, Power

Abstract

The present invention relates to a method for avoiding unauthorised use of a personal computer by means of chip card and a respective installation. The booting of main processor unit is possible after entering of ID code stored on the chip card, during the power on self-test only. The chip card reader can be placed in 3.5'' floppy drive slot.

Description

METHOD AND DEVICE OF DISABLING THE UNAUTHORISED USE OF A COMPUTER
Field of the invention
This invention concerns a method of disabling the unauthorised usage of an IBM-compatible personal computer and/or data contained therein, using a chip card and chip card reader. It is also possible to integrate the hardware required by the chip card reader onto the motherboard of a computer. The invention disables access to the computer or its data without a valid chip card. The invention includes a chip card, a card ID and a decrypting key contained on the chip card, a chip card reader, an ISA bus add-on card for the reader, a reader BIOS (with address decoder and I/O ports) and chip card read/write electronics. There are different software solutions for keeping the decrypting key on the chip card and the encrypting/decrypting algorithms in the card reader ROM. Also, in different solutions, the chip cards can be selected by type as required, i.e. the method and the reader are universal. The present invention is useful in workplaces where there are many people around and there is a danger of leaking confidential or secret data. However, the use of the present invention is not restricted to this solution and the invention is applicable to various applications.
Background of the invention
When using computers for data processing and storage, it is very important to keep this data safe from unauthorised access. Contemporary methods are widely used to prevent unauthorised access to data, but they do not give enough protection. For example, US patent No. 5 187 352, G06K 005/00, (W. Blair, S. J. Brooks, 16.02.1993) discloses a computer security system that provides for controlled access to single or multiple components of a computer system. The system includes a magnetic card reading and encoding device that reads component access and time allotment data from a magnetically encoded card. In US patent No. 4 575 703, G06K 013/04, (Sony Corporation, 11.03.1986) a card and a device for reading the data from the card are disclosed. The passwords used in the boot process of a computer are easy to steal: one only has to look over the shoulder while the password is entered and memorise it. Also, there are factory passwords (Bypass password), which are the same for all motherboards of the same producer. Other authorisation methods based on chip cards rely heavily on software, which is easy to delete from the hard drive disk, and after reboot the safeguard is not active. For example, US patent No. 4 757 533, H04L 009/00, (Computer Security Corporation, 12.07.1988) discloses a security system for a personal computer, in which hardware and software are combined to provide a tamper-proof manner of protecting user-access and file-access. This system for restricting unauthorised access uses a chip card reader, which will use the software to check for the card, its ID number, decrypting key and password during the boot process, before the computer passes control to the user. This process is not interruptible by the user. The control over the computer stays with the card reader. After finishing the boot process, it is possible to use different software solutions based on the chip card.
Chip cards and all the components used for electronics block (ISA card) are common and will not be discussed here. Also, the internal functions of a PC and used terminology are common.
Summary of the invention
The object of the present invention is to strengthen the security of the computer, i.e. disabling the theft of the data and unauthorised usage of a computer. At the same time, it is possible to use the invention to disable the access only to certain data (files, catalogues, logical drives, programmes), to collect and record different types of data (customer data, financial data, customer's recontra data, personal data and/or decrypting keys) to different chip cards, to process the data without physically typing the data in. The object of the invention is achieved by using the method and device described in more detail below, according to the appended claims.
Brief description of the drawings
Fig. 1 is the block diagram of the device according to the present invention.
Detailed description of the invention
According to the present invention, the authorisation of the user must be accomplished before giving control to the operating system. The card must be inserted in the card reader before the end of the boot process; the computer will then read the ID code from the card and compare it with the ID code recorded during installation of the card reader. If there is a decrypting algorithm present in the card reader's ROM, the decrypting key, used to access encrypted data, will also be read from the card. If there is no card present in the reader during the boot process, the boot process will not be finished and control will not be transferred to any operating system or external device (like a floppy drive), thanks to the feature of the card reader of the invention. The data protection, using the chip card and reader, can be achieved in many ways.
According to the first embodiment of the invention the card reader is initialized using the standard computer BIOS - POST ROM Scan subfunction (search for add-on card BIOSes). The card reader BIOS will be found by the extension BIOS attribute - the first two bytes (55h and AAh) in the BIOS, beginning from address 0000. The control over the computer will be transferred to the card reader, which will read the installing signature from the computer's hard drive disk. If the signature is not present, the control will be given back to the computer and the boot will continue normally. This solution will not control the boot process, but it enables data exchange between the card reader and the computer, using different pieces of software.
According to the second embodiment of the invention the card reader is initialized using the standard computer BIOS - POST ROM Scan subfunction (search for add-on card BIOSes). The card reader BIOS will be found by the extension BIOS attribute - the first two bytes (55h and AAh) in the BIOS, beginning from address 0000. The control over the computer will be transferred to the card reader, which will read the installing signature from the computer's hard drive disk. If the signature is present, the chip card will be initialized by a command whose protocol differs between card types. Then the ID code recorded in the card memory (offset 0) will be read and compared to the ID code on the hard drive disk. If the ID codes match, the control will be transferred back to the computer BIOS and the boot process continues. In this situation the boot process is controlled and data exchange between the computer and chip card is possible, using different pieces of software.
According to the third embodiment of the invention the card reader is initialized using the standard computer BIOS - POST ROM Scan subfunction (search for add-on card BIOSes). The card reader BIOS will be found by the extension BIOS attribute - the first two bytes (55h and AAh) in the BIOS, beginning from address 0000. The control over the computer will be transferred to the card reader, which will read the installing signature from the card ROM. If the signature is present, the chip card will be initialized by a command whose protocol differs between card types. Then the ID code recorded in the card memory (offset 0) will be read and compared to the ID code on the hard drive disk. If the ID codes match, the control will be transferred back to the computer BIOS and the boot process continues. In this situation the boot process is controlled and data exchange between the computer and chip card is possible, using different pieces of software.
All these instances have in common the possibility to control the computer's hardware clock interrupt INT 1Ch by software - this is achieved by storing the contents of the card reader BIOS in the computer memory as a TSR program, which controls the operation of the computer.
It is clear that all the possibilities of chip card usage for strengthening the data security of a computer can be mixed in different applications as needed, and program solutions for OS control can be added for different cards. This means that one can use different types of cards and different ID numbers in the same computer. It is possible to use a PIC (Programmable Integrated Circuit) card to boot the computer, while some other user can access his/her data or logical drive through the OS, using a SIM card. There is no need to change the card reader in order to change the chip card type; it is enough to change the reader's software accordingly.
The exemplary embodiment of the invention is described based on Fig. 1, which is the block diagram of the device according to the invention. The electronics block of the card reader in Fig. 1 is installed in the ISA or PCI bus connector. The card reader slot is a separate unit, which is attached to a free 3.5" floppy disk slot. The card reader and electronics block are connected via a flat cable and corresponding connectors.
The electronics block has a bi-directional bus buffer for buffering the data bus. The bus buffer is connected to the chip card read/write circuitry, which in turn is connected to the card reader device, attached to the 3.5" floppy disk slot. The ISA or PCI card address decoder inputs are built so that only addresses C000 to E800 are selected. This address range is assigned to add-on card BIOSes. To avoid possible BIOS address conflicts, the address decoder has an option to change the card reader BIOS address. During the boot process, the computer BIOS checks for add-on cards and finds the card reader. The card reader then assumes control over the computer. The I/O port selector gives the possibility to select a different I/O port address in the range from 300h to 3E0h. The I/O address selector is technically similar to the BIOS address decoder. All communication between the computer and the card reader will be accomplished at this address through the selected I/O port.
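Added example (not part of the patent text and not the inventor's code): a C simulation of the ROM scan over the C000 to E800 range and of the card reader's decision in the embodiments above. The 2 KB scan step, the length byte and the checksum follow the standard PC extension-BIOS convention rather than the description; the ID length, type and function names, sample values and the halt on an ID mismatch are assumptions.

```c
/* Added example: POST ROM scan plus the card reader's boot decision.
   Names, ID length and sample values are assumptions, not from the patent. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCAN_FIRST_SEG 0xC000u  /* add-on BIOS range given in the description */
#define SCAN_LAST_SEG  0xE800u
#define SCAN_STEP_SEG  0x0080u  /* 2 KB steps: standard PC convention (assumed) */
#define ID_LEN 8                /* assumed length of the ID code */

static uint8_t upper_mem[0x30000];  /* simulated segments C000h..EFFFh */

static uint8_t *seg_ptr(uint16_t seg) {
    return &upper_mem[((size_t)seg - SCAN_FIRST_SEG) * 16];
}

/* Segment of the first valid extension BIOS, or 0 if none is found. Valid
   means 55h, AAh at offset 0000, a length byte in 512-byte units at offset 2
   and a byte sum of 0 modulo 256 (the last two are standard PC convention). */
uint16_t rom_scan(void) {
    for (uint32_t seg = SCAN_FIRST_SEG; seg <= SCAN_LAST_SEG; seg += SCAN_STEP_SEG) {
        const uint8_t *p = seg_ptr((uint16_t)seg);
        size_t off = (size_t)(p - upper_mem), len = (size_t)p[2] * 512;
        if (p[0] != 0x55 || p[1] != 0xAA) continue;
        if (len == 0 || off + len > sizeof upper_mem) continue;
        uint8_t sum = 0;
        for (size_t i = 0; i < len; i++) sum = (uint8_t)(sum + p[i]);
        if (sum == 0) return (uint16_t)seg;
    }
    return 0;
}

/* Place a constructed extension BIOS image with a valid checksum at seg. */
void install_sample_rom(uint16_t seg, uint8_t blocks) {
    uint8_t *p = seg_ptr(seg);
    size_t len = (size_t)blocks * 512;
    uint8_t sum = 0;
    if (blocks == 0) return;
    memset(p, 0, len);
    p[0] = 0x55; p[1] = 0xAA; p[2] = blocks;
    for (size_t i = 0; i < len; i++) sum = (uint8_t)(sum + p[i]);
    p[len - 1] = (uint8_t)(0x100 - sum);  /* force the sum to 0 mod 256 */
}

typedef enum { BOOT_UNCONTROLLED, BOOT_ALLOWED, BOOT_HALTED } boot_result;

typedef struct {
    int has_signature;    /* installation signature found on disk or in ROM */
    uint8_t id[ID_LEN];   /* ID code recorded during installation */
} install_record;

typedef struct {
    int present;          /* a card is inserted in the reader */
    uint8_t mem[16];      /* card memory; the ID code starts at offset 0 */
} chip_card;

/* Compare all bytes with no early exit, so timing does not reveal how many
   leading bytes of a presented ID were correct. */
static int id_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < ID_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Decision taken once the extension BIOS has control of the machine. */
boot_result card_reader_gate(const install_record *rec, const chip_card *card) {
    if (!rec->has_signature) return BOOT_UNCONTROLLED;  /* first embodiment */
    if (!card->present) return BOOT_HALTED;             /* boot never finishes */
    /* Halting on a mismatch is assumed; the text only states the match case. */
    return id_equal(card->mem, rec->id) ? BOOT_ALLOWED : BOOT_HALTED;
}

int main(void) {
    install_record rec = { 1, {1, 2, 3, 4, 5, 6, 7, 8} };  /* constructed */
    chip_card card = { 1, {1, 2, 3, 4, 5, 6, 7, 8} };       /* constructed */
    install_sample_rom(0xD000, 4);
    printf("reader BIOS at segment %04X\n", (unsigned)rom_scan());
    printf("boot result: %d\n", (int)card_reader_gate(&rec, &card));
    return 0;
}
```

The three results map to the text: an absent installation signature returns control with the boot uncontrolled, a matching ID lets the boot continue, and a missing card leaves the boot unfinished.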

Claims

1. Method of disabling the unauthorised access to computer, the method comprising: inserting a chip card into the card reader and reading of data, stored on the chip card by the computer, wherein the card must be inserted before the end of a boot process - i.e. the chip card and the ID code contained on the chip card are read before any other program takes over.
2. Method according to the claim 1, comprising the steps of:
- initializing of the card reader by POST subfunction ROM SCAN, built in the computer's internal BIOS,
- finding of the card reader BIOS by the first two bytes of an extension BIOS of a card reader, which are 55h and AAh, beginning from address 0000,
- transferring of the control over the computer to the card reader, which then reads the installation signature from the computer's hard drive disk,
- in the absence of the signature, transferring the control back to computer BIOS and the boot process resumes normally.
3. Method according to the claim 1, further comprising the steps of:
- on finding the installation signature present on the hard drive disk, the chip card will be initialized, using the protocol, which is corresponding to current chip card; the ID code stored on the chip card memory (offset 0) is read and compared to the ID code stored on the hard drive disk,
- if both ID codes match, the control is transferred back to computer and the boot process will resume normally.
4. Method according to the claim 1, further comprising the steps of:
- transferring the control over the computer to the card reader, which will read the installing signature from the card ROM,
- on finding the installation signature present on the hard drive disk, the chip card will be initialized, using the protocol, which is corresponding to current chip card; the ID code stored on the chip card memory (offset 0) is read and compared to the ID code stored on the hard drive disk,
- if both ID codes match, the control is transferred back to computer and the boot process will resume normally.
5. Method according to the claim 1, wherein the boot process can be controlled or not controlled and data can be exchanged between the chip card and the computer, using different software solutions.
6. Method according to any preceding claims, wherein it is possible to take software control of the computer hardware clock interrupt 1Ch by reading the card reader BIOS into the computer memory as a TSR (resident) program, which controls the computer.
7. Method according to any preceding claims, wherein the described steps can be combined or added to operating system program solutions for different card types.
8. Device of disabling the unauthorised access to computer, comprising: card reader device, bi-directional data bus buffer, electronic circuitry for reading and writing chip cards, ISA or PCI bus connector, card reader BIOS, address decoder for selecting address range C000 to E800 and input/output port with address selector for address range 300h to 3E0h.
9. Device according to the claim 8, characterized in that the card reader device can be mounted into the 3.5" floppy disk slot.
10. Device according to the claim 8, characterized in that the device is interchangeable between other IBM-compatible PCs.
PCT/EE1999/000001 1998-09-11 1999-09-13 Method and device of disabling the unauthorised use of a computer WO2000016179A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU57281/99A AU5728199A (en) 1998-09-11 1999-09-13 Method and device of disabling the unauthorised use of a computer

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EEP199800237 1998-09-11
EE9800237A EE9800237A (en) 1998-09-11 1998-09-11 A method for preventing unauthorized use of a computer and for performing a device method

Publications (1)

Publication Number Publication Date
WO2000016179A1 (en) 2000-03-23

Family

ID=8161720

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EE1999/000001 WO2000016179A1 (en) 1998-09-11 1999-09-13 Method and device of disabling the unauthorised use of a computer

Country Status (3)

Country Link
AU (1) AU5728199A (en)
EE (1) EE9800237A (en)
WO (1) WO2000016179A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5610981A (en) * 1992-06-04 1997-03-11 Integrated Technologies Of America, Inc. Preboot protection for a data security system with anti-intrusion capability
WO1997016779A2 (en) * 1995-11-03 1997-05-09 Esd Information Technology Entwicklungs Gmbh Input security and transactions unit and process for input security and transactions involving digital information

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6975725B1 (en) * 2000-04-14 2005-12-13 Sony Corporation Method for standardizing the use of ISO 7816 smart cards in conditional access systems
US7797729B2 (en) 2000-10-26 2010-09-14 O2Micro International Ltd. Pre-boot authentication system
GB2391983B (en) * 2001-05-18 2005-08-10 O2Micro Inc Pre-boot authentication system
US7000249B2 (en) 2001-05-18 2006-02-14 02Micro Pre-boot authentication system
WO2006010462A1 (en) * 2004-07-27 2006-02-02 Siemens Aktiengesellschaft Method for accessing to a computer firmware

Also Published As

Publication number Publication date
AU5728199A (en) 2000-04-03
EE9800237A (en) 2000-04-17

Similar Documents

Publication Publication Date Title
US8528096B2 (en) Secure universal serial bus (USB) storage device and method
US5854891A (en) Smart card reader having multiple data enabling storage compartments
KR100205740B1 (en) A secure application card for sharing application data and procedures among a plurality of microprocessors
US5841868A (en) Trusted computer system
US5293424A (en) Secure memory card
US5513261A (en) Key management scheme for use with electronic cards
US5325430A (en) Encryption apparatus for computer device
US6182217B1 (en) Electronic data-processing device and system
US7392404B2 (en) Enhancing data integrity and security in a processor-based system
JP3613687B2 (en) PC card for microcomputer
US20030041248A1 (en) External locking mechanism for personal computer memory locations
US20050108532A1 (en) Method and system to provide a trusted channel within a computer system for a SIM device
US7003676B1 (en) Locking mechanism override and disable for personal computer ROM access protection
KR20000048718A (en) Secure boot
US20070288689A1 (en) USB apparatus and control method therein
WO1998007092A9 (en) Smart card reader having multiple data enabling storage compartments
JPS63127335A (en) Security system
US20080126810A1 (en) Data protection method for optical storage media/device
US7353403B2 (en) Computer systems such as smart cards having memory architectures that can protect security information, and methods of using same
US7216362B1 (en) Enhanced security and manageability using secure storage in a personal computer system
WO2000016179A1 (en) Method and device of disabling the unauthorised use of a computer
JPH09265254A (en) Mutual authentication system for information recording medium
KR19990058372A (en) How to secure your computer using smart cards
US20090055660A1 (en) Security flash memory, data encryption device and method for accessing security flash memory
WO1995024698A1 (en) A secure memory card

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase