METHOD AND DEVICE OF DISABLING THE UNAUTHORISED USE OF A COMPUTER
Field of the invention
This invention concerns a method of disabling the unauthorised usage of an IBM-compatible personal computer and/or data contained therein, using a chip card and chip card reader. It is also possible to integrate the hardware required by the chip card reader onto the motherboard of a computer. The invention disables access to the computer or data without a valid chip card. The invention includes a chip card, a card ID, a decrypting key contained on the chip card, a chip card reader, an ISA bus add-on card for the reader, a reader BIOS (with address decoder and I/O ports) and chip card read/write electronics. There are different software solutions for keeping the decrypting key on the chip card and the encrypting/decrypting algorithms in the card reader ROM. Also, in different solutions, the chip cards can be selected by type as required, i.e. the method and the reader are universal. The present invention is useful in workplaces where there are many people around and there is a danger of leaking confidential or secret data. However, the use of the present invention is not restricted to this solution and the invention is applicable to various applications.
Background of the invention
When using computers for data processing and storage, it is very important to keep this data safe from unauthorised access. Contemporary methods are widely used to prevent unauthorised access to data, but they do not give enough protection. For example, US patent No. 5 187 352, G06K 005/00, (W. Blair, S. J. Brooks, 16.02.1993) discloses a computer security system that provides for controlled access to single or multiple components of a computer system. The system includes a magnetic card reading and encoding device that reads component access and time allotment data from a magnetically encoded card. In US patent No. 4 575 703, G06K 013/04, (Sony Corporation, 11.03.1986) a card and a device for reading the data from the card are disclosed.
The passwords used in the boot process of a computer are easy to steal: one only has to look over the shoulder while the password is entered and memorise it. Also, there are factory passwords (bypass passwords), which are the same for all motherboards of the same producer. Other authorisation methods based on chip cards rely heavily on software, which is easy to delete from the hard drive disk, and after reboot the safeguard is not active. For example, US patent No. 4 757 533, H04L, 009/00, (Computer Security Corporation, 12.07.1988) discloses a security system for a personal computer, in which hardware and software are combined to provide a tamper-proof manner of protecting user-access and file-access. This system for restricting unauthorised access uses a chip card reader, which will use the software to check for the card, its ID number, decrypting key and password during the boot process, before the computer passes control to the user. This process is not interruptible by the user. The control over the computer stays with the card reader. After finishing the boot process, it is possible to use different software solutions based on the chip card.
Chip cards and all the components used for the electronics block (ISA card) are common and will not be discussed here. Also, the internal functions of a PC and the terminology used are common.
Summary of the invention
The object of the present invention is to strengthen the security of the computer, i.e. disabling the theft of the data and unauthorised usage of a computer. At the same time, it is possible to use the invention to disable the access only to certain data (files, catalogues, logical drives, programmes), to collect and record different types of data (customer data, financial data, customer's recontra data, personal data and/or decrypting keys) to different chip cards, to process the data without physically typing the data in. The object of the invention is achieved by using the method and device described in more detail below, according to the appended claims.
Brief description of the drawings
Fig. 1 is the block diagram of the device according to the present invention.
Detailed description of the invention
According to the present invention, the authorisation of the user must be accomplished before giving control to the operating system. The card must be inserted in the card reader before the end of the boot process; the computer will then read the ID code from the card and compare it with the ID code recorded during installation of the card reader. If there is a decrypting algorithm present in the card reader's ROM, the decrypting key, used to access encrypted data, will also be read from the card. If there is no card present in the reader during the boot process, the boot process will not be finished and control will not be transferred to any operating system or external device (like a floppy drive), thanks to the feature of the card reader of the invention. The data protection, using the chip card and reader, can be achieved in many ways.
According to the first embodiment of the invention, the card reader is initialized using the standard computer BIOS POST ROM Scan subfunction (the search for add-on card BIOSes). The card reader BIOS will be found by the extension BIOS attribute: the first two bytes (55h and AAh) in the BIOS, beginning from address 0000. The control over the computer will be transferred to the card reader, which will read the installing signature from the computer's hard drive disk. If the signature is not present, the control will be given back to the computer and the boot will continue normally. This solution will not control the boot process, but it enables data exchange between the card reader and the computer, using different pieces of software.
According to the second embodiment of the invention, the card reader is initialized using the standard computer BIOS POST ROM Scan subfunction (the search for add-on card BIOSes). The card reader BIOS will be found by the extension BIOS attribute: the first two bytes (55h and AAh) in the BIOS, beginning from address 0000. The control over the computer will be transferred to the card reader, which will read the installing signature from the computer's hard drive disk. If the signature is present, the chip card will be initialized by a command, the protocol of which differs between different card types. Then the ID code recorded in the card memory (offset 0) will be read and compared to the ID code on the hard drive disk. If the ID codes match, the control will be transferred back to the computer BIOS and the boot process continues. In this situation the boot process is controlled and data exchange between the computer and the chip card is possible, using different pieces of software.
According to the third embodiment of the invention, the card reader is initialized using the standard computer BIOS POST ROM Scan subfunction (the search for add-on card BIOSes). The card reader BIOS will be found by the extension BIOS attribute: the first two bytes (55h and AAh) in the BIOS, beginning from address 0000. The control over the computer will be transferred to the card reader, which will read the installing signature from the card ROM. If the signature is present, the chip card will be initialized by a command, the protocol of which differs between different card types. Then the ID code recorded in the card memory (offset 0) will be read and compared to the ID code on the hard drive disk. If the ID codes match, the control will be transferred back to the computer BIOS and the boot process continues. In this situation the boot process is controlled and data exchange between the computer and the chip card is possible, using different pieces of software.
All these instances have in common the possibility to control the computer's hardware clock interrupt int. 1Ch by software. This is achieved by storing the contents of the card reader BIOS in the computer memory as a TSR program, which controls the operation of the computer.
It is clear that all the possibilities of chip card usage for strengthening the data security of a computer can be mixed in different applications as needed, and program solutions for OS control can be added for different cards. This means that one can use different types of cards and different ID numbers in the same computer. It is possible to use a PIC (Programmable Integrated Circuit) card to boot the computer, while some other user can access his/her data or logical drive through the OS, using a SIM card. There is no need to change the card reader in order to change the chip card type; it is enough to change the reader's software accordingly.
The exemplary embodiment of the invention is described based on fig. 1. Fig. 1 is the block diagram of the device according to the invention. The electronics block of the card reader in fig. 1 is installed in the ISA or PCI bus connector. The card reader slot is a separate unit, which is attached to a free 3.5" floppy disk slot. The card reader and the electronics block are connected via a flat cable and corresponding connectors.
The electronics block has a bi-directional bus buffer for buffering the data bus. The bus buffer is connected to the chip card read/write circuitry, which in turn is connected to the card reader device attached to the 3.5" floppy disk slot. The ISA or PCI card address decoder inputs are built so that only addresses C000 to E800 are selected. This address range is assigned to add-on card BIOSes. To avoid possible BIOS address conflicts, the address decoder has an option to change the card reader BIOS address. During the boot process, the computer BIOS checks for add-on cards and finds the card reader. The card reader then assumes control over the computer. The I/O port selector gives the possibility to select a different I/O port address in the range from 300h to 3E0h. The I/O address selector is technically similar to the BIOS address decoder. All communications between the computer and the card reader will be accomplished at this address through the selected I/O port.
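Any add-on ROM that presents the 55h AAh attribute inside the C000 to E800 window receives control during POST, so a defender auditing a machine may want to list every such header in a memory dump. The following is an added example, not part of the original specification: it relies on the standard PC add-on ROM layout (length byte at offset 2 in 512-byte blocks, entry point at offset 3, all bytes summing to zero modulo 256) and an assumed 2 KiB scan step; the function names and the sample dump are constructed for illustration.

```python
# Added example: audit a dump of the legacy ROM window for add-on ROM headers.
WINDOW_BASE = 0xC0000                  # physical address of segment C000h
FIRST_SEG, LAST_SEG = 0xC000, 0xE800   # decoder range given in the description
STEP_SEG = 0x80                        # 2 KiB scan step (assumed; usual POST behaviour)


def scan_option_roms(window: bytes) -> list:
    """List every 55h AAh header in `window` (window[0] is address C0000h)."""
    found = []
    seg = FIRST_SEG
    while seg <= LAST_SEG:
        off = (seg << 4) - WINDOW_BASE
        hdr = window[off:off + 3]
        if len(hdr) == 3 and hdr[0] == 0x55 and hdr[1] == 0xAA:
            size = hdr[2] * 512                     # byte 2: length in 512-byte blocks
            body = window[off:off + size]
            complete = size > 0 and len(body) == size
            ok = complete and sum(body) % 256 == 0  # all bytes must sum to 0 mod 256
            found.append({"segment": seg, "size": size, "checksum_ok": ok})
            if ok:
                # A valid ROM owns its whole body: resume at the next 2 KiB boundary.
                seg += -(-size // 2048) * STEP_SEG
                continue
        seg += STEP_SEG
    return found


def make_rom(blocks: int, valid: bool = True) -> bytes:
    """Constructed test ROM: header, a RETF at the entry point, optional checksum fix."""
    rom = bytearray(blocks * 512)
    rom[0:4] = bytes([0x55, 0xAA, blocks, 0xCB])    # 0xCB = RETF at offset 3
    if valid:
        rom[-1] = -sum(rom) % 256                   # make the byte sum 0 mod 256
    return bytes(rom)


def sample_window() -> bytes:
    """Constructed dump of C0000h-EFFFFh with two add-on ROMs in it."""
    win = bytearray(0x30000)
    good, bad = make_rom(16), make_rom(4, valid=False)
    win[0x10000:0x10000 + len(good)] = good         # segment D000h, checksum correct
    win[0x18000:0x18000 + len(bad)] = bad           # segment D800h, checksum broken
    return bytes(win)


if __name__ == "__main__":
    for rom in scan_option_roms(sample_window()):
        print(f"{rom['segment']:04X}:0000 size={rom['size']} checksum_ok={rom['checksum_ok']}")
```

A header whose checksum fails is still reported, since a ROM that claims the attribute but does not validate is itself worth investigating.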