1. Field of the Invention
The invention relates to security in a computer system, and more particularly to a self-modifying, single-use password that limits access to the system and automatically changes each time it is used.
2. Description of the Related Art
A known method of securing information has been to encrypt the information. A known way to authenticate information has been to generate a hash code of the information by using a hash algorithm and signing the result with a key. In a typical application, the secure hash algorithm is publicly available and the encryption key is private. The decryption key may be private or public depending on the application. A hash code may be generated using a secure hash algorithm (SHA), a message digest algorithm (e.g., MD5) or a similar algorithm. SHA takes a message of varying length and produces a fixed length message digest. Message digest algorithms are meant for digital signature applications where a large message is to be compressed in a secure manner before being signed with a private key. The MD5 algorithm takes a message of arbitrary length and produces a 128 bit message digest. SHA is slightly slower than MD5, but the larger message digest makes it more secure from brute force, collision, and inversion attacks. SHA and MD5 are well known to those of ordinary skill in the art.
A known method of offering limited access to a computer system has been through the use of passwords. Passwords have typically been stored in battery-backed CMOS RAM. Before users were allowed to access the computer system, they were required to enter a password. When a password was entered, the computers power-up routine compared the entered password to the password stored in CMOS RAM and if the two matched, the user was allowed access to the computer system.
Providing sufficient security for portable computers has been even more difficult than protecting desktop computers. Due to their size, portable computers are more easily stolen than their desktop counterparts. If a computer system is stolen, the security afforded by passwords stored in battery-backed CMOS RAM may be bypassed. Like a user who forgets or misplaces the system password, a thief could open the box and remove the CMOS RAM battery in order to gain access to the system. When the CMOS RAM battery was removed, the area where the password was stored was cleared. When the CMOS RAM battery was reinstalled, the system powered-up without a password, allowing a user to access the computer system.
An alternative to storing a password in CMOS RAM is to store the password in a non-volatile memory. If the computer system password is stored in non-volatile memory, the password cannot be defeated by removing the CMOS RAM battery. An issue with this approach arises when legitimate users lose their password and cannot access the computer system. When the computer system password is stored in non-volatile memory, another method is required to allow legitimate users access to the computer system if they have forgotten or lost their password.
Briefly, a computer system according to the present invention implements a self-modifying xe2x80x9cfail-safexe2x80x9d password system that allows a manufacturer to securely supply a single-use password to users who lose or misplace a system password. The fail-safe password system utilizes a fail-safe counter, an encryption/decryption algorithm, a manufacturer""s public key, and a secure non-volatile memory space. The manufacturer""s public key may be specific to a computer system, customer, or site. The fail-safe counter is stored in the secure non-volatile memory space which is large enough to cover a reasonable amount of usage. The fail-safe counter can be a changeable seed value which can be augmented with additional changeable criteria. The encryption/decryption algorithm and the manufacturer""s public key are stored in the secure memory space of the computer system. Protecting the public key in secure memory will help prevent brute force attacks. Alternatively, the encryption/decryption algorithm can be stored in an unsecure memory space or on a mass storage device. Preferably, the encryption/decryption algorithm is executed within secure memory.
In another embodiment of the invention, an administrator""s private key is also utilized. The administrator""s public key (local on the machine) allows a site administrator to provide access to a local user who has lost or forgotten their password. The administrator""s public key is different than the manufacturer""s public key and also resides within a secure memory space of the individual computer system.
In any of the embodiments, each time a fail-safe password is entered into the computer system, an application decrypts the fail-safe password and compares the resulting value (which is a hash code) to an internal hash value and increments the fail-safe counter or modifies the seed value when the hashes match. When the fail-safe counter is incremented, the previous fail-safe password is no longer valid. In one embodiment, the fail-safe password is decrypted with the manufacturer""s public key and compared to the internal hash value that is generated by the computer system. In another embodiment, the fail-safe password is first decrypted with the administrator""s public key and compared to the internal hash value. If there is no match, the application then decrypts the fail-safe password with the manufacturer""s public key and compares the result to the internal hash value.
The technique is initiated when users, who have lost their password, contact the manufacturer""s representative with the serial number of their computer system. In another embodiment, a site administrator is contacted before the manufacturer is contacted. In the preferred embodiment both a manufacturer fail-safe password and an administrator fail-safe password would be implemented. If for some reason the site administrator cannot supply the administrator fail-safe password, the manufacturer""s representative can be contacted.
After the users"" identity is validated, the administrator or manufacturer""s representative executes a program that generates the next administrator or manufacturer fail-safe password for the computer system. The manufacturer or administrator fail-safe password is derived by generating a hash code using SHA, MD5, or a similar algorithm and encrypting the result. The hash code may be generated from a date stamp, the serial number of the computer system, and the number of times the user has obtained a fail-safe password for the system or a combination of less than all of the items. It should be apparent that other information could be utilized providing that at least one of the items is transitory in nature. The hash code is then encrypted with the administrator""s or manufacturer""s private key, to generate the fail-safe password.
The fail-safe password is then communicated to the user. After the user enters the password, the computer system generates the internal hash value and compares it with the hash code of the decrypted manufacturer or administrator fail-safe password. When the decrypted manufacturer or administrator fail-safe password matches the internal hash value the user is allowed access to the computer system. Before the system boots, the fail-safe counter is incremented, or the seed value is changed, and the password bit is cleared, which causes the system to boot as if there is no password. If an administrator fail-safe password is implemented, a separate fail-safe counter may be used or other transitory items can be utilized to create the hash code of the administrator fail-safe password. Upon boot-up, the user is requested to enter a new power-up password. Since the fail-safe counter has been incremented, or the seed value changed, the previous fail-safe password is no longer valid.
The present invention is an improvement over the discussed prior art because it allows for a hardened password security infrastructure. When the computer system password is stored in non-volatile memory, the computer system will likely be of a lesser value to a potential thief-thus discouraging theft. An important aspect of the invention is the self-modifying capability which allows the fail-safe password to only be used once.