The present invention relates to the art of password generation. It finds particular application in conjunction with single-use passwords for smart paper interfaces, and will be described with particular reference thereto. However, it is to be appreciated that the present invention is also amenable to other like applications where high levels of security are desired.
Smart paper or smart form techniques refer to techniques for communicating with electronic devices, such as computers, printers, copiers, and the like, with hard-copy instructions (i.e. instructions written on paper). Typically, the instructions are in the form of checked boxes, circled objects, carefully printed text, and/or other like schemes. Generally, the paper or other hard copy containing the instructions scanned or otherwise read, the user""s marks are identified and interpreted, and the corresponding instructions are carried out. The technique is used to communicate with a remote device through a fax machine or other like device. The user""s instructions are scanned and transmitted by the fax to the remote device that then identifies and interprets them. Commonly, the device""s response is then sent back to the user through the same fax machine. This allows communication with a remote device without terminals, keyboards, workstations or local area networks.
However, in systems that provide access to information, it is advantageous to implement security measures in order to limit access to only those individuals who are authorized. Often data is personal, private, and/or otherwise sensitive and it is desirable to not have it openly available. Moreover, where the remote computer or device is being instructed to perform tasks, only those individuals authorized to operate it are to be granted access. A common approach to establishing access rights is through the use of a secret password and personal user name or identification number. The password is a sequence of characters that the authorized user alone knows and enters into the computer along with their user name or identification number. The computer then checks the password against that assigned to the user to verify authorization. One problem with using this scheme in smart paper applications is that the password would be written down. This greatly jeopardizes the systems security by potentially revealing otherwise secret passwords to unauthorized individuals. As an alternative, the password may be entered via the telephone buttons or numeric keypad as part of establishing the fax link. However, this would involve the establishment of a special connection protocol in every fax machine that was to be used. Generally, it is more desirous to use arbitrary conventional fax machines. It is therefore advantageous to send the authorization code on the smart paper along with the instructions.
The present invention contemplates a new and improved single-use password generator and security control system which overcomes the above-referenced problems and others.
In accordance with one aspect of the present invention, a security control system for remote computers is provided. It includes a first local input/output device for entering a user name and regular password. A password generator is accessed by the first local input/output device such that the password generator, in response to the user name and regular password, returns to the first input/output device a single-use password which is an encrypted combination of the user name, a representation of the regular password, and date and time information corresponding to the date and time the user name and regular password were entered. A second local input device is used for entering the single-use password. A remote computer which receives the single-use password includes a cache of previously received single-use passwords. The remote computer compares the single-use password to the cache of previously received single-use passwords. If there is a match further access to the remote computer is denied. Also included is a decryption key. The remote computer uses the decryption key to generate the user name, the representation of the regular password, and the date and time information from the single-use password. The remote computer compares the date and time generated by the decryption key to a predetermined date and time threshold such that if the date and time generated by the decryption key is older, further access to the remote computer is denied. Also included is a list of representations of regular passwords with corresponding user names. The remote computer compares the user name and the representation of the regular password generated from the decryption key to the list such that if there is no match further access to the remote computer is denied.
In accordance with a more limited aspect of the present invention, the first input/output device is a telephone and the password generator is remotely located.
In accordance with another aspect of the present invention, the user name and regular password are entered via a numeric keypad of the telephone.
In accordance with a more limited aspect of the present invention, the user name and regular password are entered verbally and are interpreted via voice recognition device included in the password generator.
In accordance with a more limited aspect of the present invention, the single-use password returned by the password generator is returned verbally.
In accordance with a more limited aspect of the present invention, the single-use password returned by the password generator is returned in hard-copy form via one of a fax and a printer.
In accordance with a more limited aspect of the present invention, the representations of the regular passwords are the same as the regular passwords.
In accordance with a more limited aspect of the present invention, the representations of the regular passwords are encrypted versions of the regular passwords.
In accordance with a more limited aspect of the present invention, the single-use password is entered by having the second local input device read the single-use password from a hard copy thereof.
In accordance with a more limited aspect of the present invention, the second local input device includes one of a fax machine and a scanner.
In accordance with another aspect of the present invention, a method of controlling access to a remote computer from a local device is provided. The method includes entering information including a user name and a regular password into a password generator.
The entered information is combined with date and time information to generate combined data. The combined data is encrypted to generate a single-use password. The single-use password is then input into the local device. It is then determined if the single-use password had been previously input. Access to the remote computer is denied if it is determined that the single-use password had been previously input. The single-use password is then decrypted to generate the combined data. If the date and time information from the combined data is older than a predetermined threshold, access to the remote computer is denied. It is next determined if the entered information from the combined data is valid and access to the remote computer is denied if the entered information is not valid. Access to the remote computer is granted if access is not otherwise denied.
In accordance with a more limited aspect of the present invention, the step of combining further includes encrypting the regular password prior to combining such that the combined data generated includes the entered user name and encrypted version of the entered regular password, and the date and time information.
In accordance with a more limited aspect of the present invention, the step of determining if entered information from the combined data is valid further includes comparing the entered user name and encrypted version of the regular password against a list of valid user names and corresponding valid encrypted versions of regular passwords.
In accordance with a more limited aspect of the present invention, the step of inputting further includes reading the single-use password from a hard copy thereof.
In accordance with a more limited aspect of the present invention, the step of determining if the single-use password had been previously input further includes comparing the single-use password against a cache of previously input single-use passwords.
In accordance with a more limited aspect of the present invention, those previously input single-use passwords which have time and date information older than the predetermined threshold are deleted from the cache of previously input single-use passwords.
In accordance with a more limited aspect of the present invention, the step of determining if entered information from the combined data is valid further includes encrypting the entered regular password to generate an encrypted version thereof. The entered user name and encrypted version of the regular password are then compared against a list of valid user names and corresponding valid encrypted versions of regular passwords.
In accordance with a more limited aspect of the present invention, the step of entering information further includes entering information via a telephone to a remote location housing the password generator.
In accordance with another aspect of the present invention, an access control system for remote devices is provided. It includes a first local input/output device for entering authorization information. A password generator is accessed by the first input/output device such that the password generator, in response to the authorization information, returns to the first input/output device a limited-use password which is an encrypted version of a combination of the authorization information with instance-dependent information. A second local input device is used for entering the limited-use password. An access controller receives the limited-use password. The access controller interprets and determines validity of the limited-use password such that access to a remote device is denied for invalid limited-use passwords.
In accordance with a more limited aspect of the present invention, the remote device is one of a printer, a copier, and a computer.
In accordance with a more limited aspect of the present invention, the limited-use password is entered by having the second input device read a hard copy thereof.
In accordance with a more limited aspect of the present invention, the second input device is one of a fax machine and a scanner.
In accordance with a more limited aspect of the present invention, the first input/output device is a computer and the password generator is locally located.
In accordance with a more limited aspect of the present invention, the first input/output device is a telephone and the password generator is remotely located.
In accordance with a more limited aspect of the present invention, the authorization information is entered via a numeric keypad of the telephone.
In accordance with a more limited aspect of the present invention, the authorization information is entered verbally and is interpreted via a voice recognition device included in the password generator.
In accordance with a more limited aspect of the present invention, the authorization information includes a user name and system password.
In accordance with a more limited aspect of the present invention, the instance-dependent information includes date and time information corresponding to a date and time when the authorization information is entered.
In accordance with a more limited aspect of the present invention, the encrypted version of the combination of the authorization information with the instance-dependent information is an encrypted version of a combination of the user name, an encrypted version of the system password, and the date and time information.
In accordance with a more limited aspect of the present invention, the access controller uses the date and time information to determine if the limited-use password is expired.
In accordance with a more limited aspect of the present invention, the limited-use password is valid for a single use and the access controller uses a cache of previously received limited-use passwords to determine if the limited-use password has already been entered.
In accordance with a more limited aspect of the present invention, the limited-use password is valid for a predetermined number of uses and the access controller uses a cache of previously received limited-use passwords to determine if the limited-use password has already been entered more than the predetermined number of times.
One advantage of the present invention is that it permits smart paper access to remote computers without breaching security measures and without employing special fax connection protocols.
Another advantage of the present invention is that non-authorized users are denied access to secured computers and/or information.
Another advantage of the present invention is that authorized users can employ their regular system passwords and user names without divulging them.
Another advantage is that the system can generate and communicate a single use password for secure data communications using arbitrary conventional fax machines.
Still further advantages and benefits of the present invention will become apparent to those of ordinary skill in the art upon reading and understanding the following detailed description of the preferred embodiments.