Field of the Invention
The present invention relates to methods and apparatus for controlling access to information processed by digital computers, and more particularly to methods and apparatus for controlling access to information processed by multi-user-accessible or non-isolated digital computers.
Description of the Prior Art
(The term "prior art" as used herein or in any statement made by or on behalf of applicants in connection herewith means only that any document or thing referred to as prior art bears, directly or inferentially, a date which is earlier than the effective filing date hereof.)
Methods and apparatus for controlling access to information processed by digital computers are well known in the prior art.
Prior art methods and apparatus for controlling access to information processed by digital computers can in general be classified in one of two categories or classes, viz., (1) accessant identification password systems (sometimes called "password systems" herein), and (2) cryptographic systems (sometimes called "cryptosystems" herein).
Password systems generally require the submission of a predetermined password or the like to the access-controlled digital computer in order to gain access to sequestered or protected information, which is information processed or to be processed by that digital computer. For example, many password systems require an individual seeking access to submit a purported password to an electronic device, which device compares the submitted purported password with an internally stored or generated authentic password and, if the two passwords match according to predetermined criteria, initiates an electronic operation to permit access to manually or automatically designated portions of sequestered or protected information, such as stored computer programs or data.
In the most elementary of such password systems a single authentic password is preset in the access-controlled computer system and all authorized accessants (users) are supplied with the authentic password. In other ones of such prior art password systems the authentic password may be altered from time to time, or different authentic passwords may be supplied to different authorized accessants or groups of authorized accessants, who then submit to the access-controlled computer system not only their assigned authentic passwords but also code words identifying themselves or the access groups to which they belong.
A problem with such elementary password systems, even when the authentic password is changed from time to time, or different authentic passwords are assigned to different groups of authorized accessants, is that the authentic passwords must be memorized by the authorized accessants. Once such an authentic password is known, particularly by a large group of authorized accessants, it may be inadvertently imparted to unauthorized persons, and no individual accessant can be held accountable.
Another problem with such elementary password systems is that each authorized accessant may require access to multiple systems, and may thus be required to memorize many passwords. Thus, authorized accessants are tempted to make written records of their passwords in the event of memory lapse or confusion, which practice can lead to compromise of the system.
Another problem with such static password systems is that the authentic passwords tend to be repeated over and over in normal operation of the system. That is, these passwords must frequently be communicated over unsecured telephone lines, microwave links, or satellite links. Further, it sometimes occurs that an authorized accessant finds it necessary to type his authentic password on a teleprinter or CRT terminal, thus openly displaying the authentic password and giving rise to the possibility that it will be discovered by an interloper.
A system for controlling access to data stored in time-shared computer systems was described in a paper by Lance J. Hoffman which appeared in Volume 1, No. 2, of the publication entitled "Computer Surveys" in June of 1969. In accordance with the teachings of this paper, each user of the time-shared computer system was assigned a very simple mathematical formula or algorithm by which to identify himself to the computer. Whenever a particular user logged onto the time-shared computer system, the computer issued a test number to that particular user by displaying it on his terminal. The particular user then mentally applied his identifying formula or algorithm to the test number and submitted the result to the computer via his terminal. Access to data stored in the time-shared computer was granted to the particular user by the computer only if the correct result was submitted. This access control system does not appear to have come into widespread use, due to the relatively limited capacity of computers of that day.
A considerable improvement in systems for controlling access to data and programs stored in computer systems is disclosed in U.S. patent application Ser. No. 370,902 which was filed by Robert J. Bosen on Apr. 22, 1982 and abandoned in favor of U.S. patent application Ser. No. 07/148,114. Access control systems of the kind shown and described in that patent application are made and sold by Enigma Logic, Inc. of Concord, Calif. U.S. under the trademark "SafeWord". These password-type access control systems will be called "asynchronous SafeWord systems" herein.
A still further improvement in password-type access control systems for controlling access to information processed or to be processed by digital computers is disclosed in U.S. patent application Ser. No. 796,884, which was filed by Robert J. Bosen, et al. on Nov. 12, 1985. Access control systems of the kind shown and described in this patent application are also made and sold by Enigma Logic, Inc., under the trademark "SafeWord". These password-type access control systems will be called "synchronous SafeWord systems" herein. (The term "SafeWord systems" will be used to designate the improvements in password-type access control systems which are shown, described and claimed in both of the U.S. patent applications referred to immediately hereinabove.)
In all SafeWord systems authorized accessants are provided with password issuing devices which issue passwords, seriatim, when access to information sequestered in an associated digital computer is sought. In accordance with the fundamental principles of the SafeWord system, no two successively issued passwords are identical, and without the proper password issuing device those desiring access to the corresponding sequestered information cannot determine the correct password by which to gain access thereto. Thus, by the employment of SafeWord systems it is rendered much more difficult for an interloper to gain access to such sequestered information, as compared with the degree of protection provided by the static password systems described hereinabove.
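As an added illustration (not part of this specification or of any SafeWord product), the following Python models the two prior-art schemes just described: the Hoffman challenge/response login, in which the computer issues a fresh test number and verifies the user's result, and a SafeWord-style password issuing device whose successive passwords never repeat. The user's identifying formula and the device's password generator are both modelled as HMACs, and every key, user name and window value is a constructed assumption.

```python
import hmac, hashlib, secrets

def derive_response(user_key: bytes, challenge: int) -> str:
    # User side of the challenge/response scheme: the user's secret "formula"
    # (here an HMAC, a constructed stand-in) is applied to the test number.
    mac = hmac.new(user_key, challenge.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:8]

class ChallengeServer:
    # Computer side: issues a fresh random test number per login attempt and
    # verifies the result; each challenge can be answered at most once.
    def __init__(self, user_keys: dict):
        self.user_keys = user_keys   # user -> secret key (constructed values)
        self.pending = {}            # user -> outstanding challenge

    def issue_challenge(self, user: str) -> int:
        self.pending[user] = secrets.randbelow(1 << 32)
        return self.pending[user]

    def verify(self, user: str, response: str) -> bool:
        challenge = self.pending.pop(user, None)   # consumed: no replay
        if challenge is None or user not in self.user_keys:
            return False
        expected = derive_response(self.user_keys[user], challenge)
        return hmac.compare_digest(expected, response)

def device_password(device_key: bytes, counter: int) -> str:
    # "Password issuing device": a different password for every counter value,
    # so no two successively issued passwords are identical.
    mac = hmac.new(device_key, counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:8]

class CounterServer:
    # Accepts each counter value at most once (a captured password cannot be
    # replayed) and tolerates a small window of unused device outputs.
    def __init__(self, device_keys: dict, window: int = 5):
        self.device_keys = device_keys
        self.last_counter = {u: 0 for u in device_keys}
        self.window = window

    def verify(self, user: str, password: str) -> bool:
        if user not in self.device_keys:
            return False
        start = self.last_counter[user] + 1
        for c in range(start, start + self.window):
            candidate = device_password(self.device_keys[user], c)
            if hmac.compare_digest(candidate, password):
                self.last_counter[user] = c   # advance past c; c is now spent
                return True
        return False
```

Both servers reject a second submission of an already-accepted value, which is the property that distinguishes these schemes from the static password systems described earlier.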
As will be seen from the discussion immediately hereinabove, SafeWord systems comprise both hardware and software elements which cooperate in verifying the identities of authorized accessants requesting access to sequestered information stored in associated digital computers. For the sake of clarity, we refer to this concept as an "Accountable Domain". Each SafeWord system establishes an "Accountable Domain" within which computer users can operate. In accordance with the SafeWord system, an Accountable Domain is a group of computer resources which cannot be accessed by any user until:
(a) His or her identity is confirmed using tangible identifiers which are difficult or impossible to duplicate without special equipment, and
(b) His or her supervisor has access to the special equipment necessary to duplicate, modify, or disallow the identifiers if necessary, and
(c) An encrypted log of the accesses is recorded so that supervisors may access it at any time.
As will now be understood by those having ordinary skill in the art, informed by the preceding portion of the present specification, the SafeWord systems of the prior art are very powerful and sophisticated systems, which provide a high degree of protection for information sequestered in digital computers which are isolated from all but a few carefully selected users, e.g., digital computers which are part of data communication systems or are located in access-controlled locations, such as the computers of electronic funds transfer systems.
As noted above, the prior art also includes cryptographic systems for controlling access to information sequestered in digital computers, which are sometimes called "cryptosystems" herein.
These prior art cryptosystems generally require knowledge of a prespecified cipher key value at both the source and destination of any information interchange. For example, if an authorized user at location "A" wishes to receive encrypted information from a computer at location "B" he will need to know the value of a cipher key which can decrypt the information after receipt (but prior to its use). Sometimes this cipher key value is known only to electronic decryption equipment or programs, and sometimes the authorized users are required to memorize the prespecified cipher key value and to supply it to the decryption equipment or program as a primitive confirmation of personal identity. Some cryptographic methods of this type allow different cipher keys to be used in different situations, or to protect different groups of data or programs.
A fundamental difficulty with such prior art cryptosystems is that it is difficult to maintain the prespecified cipher key values in secret, particularly if a large number of authorized accessants must memorize them in order to decrypt data.
A further fundamental difficulty with such prior art cryptosystems for controlling access to information sequestered in digital computers is that it is difficult to assign different prespecified cipher key values to be used to encrypt information interchanges between different interactive users, since it is necessary to know the identity of the user (to learn his corresponding cipher key value) before decrypting his or her transmissions.
Further, these prior art cryptosystems, like the above-described prior art password systems, provide the optimum degree of protection for the sequestered information only when the access-controlled digital computer system is of the isolated type, such as those commonly found in data communications systems and electronic funds transfer systems, wherein the digital computer system itself is accessible only to a very limited number of carefully selected personnel.
It follows that the prior art information access control systems disclosed above offer far less actual protection when applied to non-isolated or multi-user-accessible digital computer systems, such as those commonly known as "personal computer systems" or "PC systems".