JPH08241144A - Password control method - Google Patents

Abstract

(57) [Summary] [Purpose] To provide a password control method for strengthening the security function of a computer system by managing and controlling passwords at multiple levels. [Structure] The system has a password function that requires the operator to enter a password when starting to use the system, and permits the system to be used only when the entered password matches the previously registered password. In a password control method for a computer system, a first password provided to an operator who has privileges including system environment settings, and a second password provided to an operator who has some restrictions on the use of the system. Two passwords with different levels of CMOS in RTC25
It is characterized by being stored in a memory and managed and controlled.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention requires an operator to enter a password when starting to use the system, and only when the entered password matches a previously registered password, the system The present invention relates to a password control method suitable for being applied to a computer system having a password function that permits use, and more particularly to a password control method for strengthening the security function of a computer system by managing and controlling passwords at multiple levels.

[0002]

2. Description of the Related Art In recent years, various notebook-type and laptop-type personal computers that are easy to carry and can be operated by a battery have been developed. Further, while these variously developed personal computers have been dramatically spread, the importance of security management regarding the use of personal computers has come to the forefront.

Currently, as security management related to the use of these personal computers, when starting the use of the system, the operator is requested to input a password,
A password function that permits the use of the system only when the entered password matches the pre-registered password, and the screen display is cleared when a predetermined key is pressed during the use of the system. An instant security function or the like is realized which suppresses subsequent key input and keeps this state until a predetermined password is input.

However, all of these functions merely determine whether or not to permit the use of the computer system. In practice, among those who should be permitted to use the computer system, for example, environment setting. The reality is that multi-step security levels are required, such as differentiating between operators who are allowed to perform highly important operations and those who are allowed to perform normal business processing only. .

[0005]

As described above, the security management related to the use of the conventional computer system requires the operator to enter the password when starting the use of the system, and the entered password is used. Password function that permits the use of the system only when the password and the password registered in advance match, and the screen display is cleared and the subsequent key input is performed when a predetermined key is pressed during the use of the system. Instant security functions that suppress acceptance and hold this state until a predetermined password is entered have been implemented, but all of these functions determine whether to permit the use of the computer system. Among those who should be allowed to use the computer system because they are still doing so, for example, Not being able to fully respond to the demand for multi-step security levels, such as differentiating between operators who can perform highly important operations including settings and those who can only perform normal business processing. There was a problem.

The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a password control method for strengthening the security function of a computer system by managing and controlling passwords at multiple levels.

[0007]

SUMMARY OF THE INVENTION The present invention requires an operator to enter a password when starting to use the system, and only when the entered password matches a pre-registered password. In a password control method for a computer system having a password function for permitting the use of the system, a first password provided to an operator who is permitted all operations including the environment setting of the system, and a predetermined password for using the system. It is characterized by managing and controlling two passwords having different levels from the second password provided to the operator who is subject to the restriction.

According to the present invention, the first password is registered by activating a predetermined utility program, and the second password is a privileged operator who is provided with the registered first password. It is characterized in that it is registered according to the environment setting of the system.

According to the present invention, the computer system has a resume function, and if the operator at the time of suspending the system is the operator who is provided with the first password, the first password is used. If the operator is permitted to use the system only when is input, and the operator at the time of suspending the system is the operator who has been provided with the second password, either of the first and second The feature is that the use of the system is permitted even when the password is entered.

According to the present invention, the computer system has an instant security function, and when the operator at the time of starting the instant security is a privileged operator who is provided with the first password, the first system is provided.
When the password is entered, the instant security is released to allow the use of the system, and when the operator who starts the instant security is the operator who is provided with the second password, First
And when any of the second passwords is input, the instant security is released to permit the use of the system.

Further, the present invention is characterized in that an operator is required to input a password when the computer system is rebooted. Further, the present invention is characterized in that the operator provided with the second password can boot the computer system only from the hard disk device.

[0012]

According to the structure of the present invention, when a password is registered in the computer system for operation, first, the utility program is started to register the first password. When only the first password is used in the registered state, the security management is performed by dividing whether or not to permit the use of the computer system as in the conventional case.

Next, the system environment cannot be set, etc.
When registering the second password provided to the operator who is subject to some restrictions, the operator who starts the system with the first password activates the environment setting (setup) of the system and Register your password.

That is, if these first and second passwords are registered, it is possible to discriminate between the use permission and the non-permission of the computer system, and also the operator who gives the use permission can be discriminated in multiple stages within the operable range. It is possible to implement security management with a wider range of applications.

Further, in the computer system having the resume function, the instant security function, etc., the resume and the instant security activated by the operator who has started up with the second password can use either the first password or the second password. It is released even when the first password is started, while the resume and instant security activated by the operator who was started with the first password is released only when the first password is started.

This makes it possible to clearly control the security management relationship between both the first password and the second password. Further, conventionally, the password input of the computer system is required only at the initial startup, but in the present invention, it is also required when the computer system is rebooted. This enables more reliable security management.

[0017]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of the present invention will be described below with reference to the drawings. FIG. 1 shows the system configuration of a personal computer according to an embodiment of the present invention. This personal computer is a laptop or notebook type system and, as shown, a CP
U local bus (processor bus) 10A, ISA specification system bus 10B, CPU 11, level shift gate array 12, system memory 13, display controller 14, video memory (VRAM) 15, and LCD
Etc. are equipped with a flat panel display 16.

The CPU 11 controls the entire system, and executes a program to be processed stored in the system memory 13. As the CPU 11,
A device capable of 3.3V / 5V operation, for example, a microprocessor SLE manufactured and sold by Intel Corp.
An enhanced Intel 486 or the like is used, and the CPU 11 thereof is supplied with a power supply voltage of 3.3 V by a power supply controller 23 described later. This CP
A 32-bit wide data bus, a 32-bit wide address bus, various status signal lines, and the like are defined in the local bus 10A of U11.

The system memory 13 stores an operating system, an application program to be processed, user data created by the application program, and the like. This system memory 13
It is composed of a 5V dynamic RAM.

The level shift gate array 12 is a CP
It is connected between the 32-bit data bus defined in the U local bus 10A and the system memory 13, and converts the voltage level of the data signal transferred between the 3.3V to 5V or 5V to 3.3V. To do. The voltage level conversion of the data signal is performed by the level shift gate array 12
Performed by a buffer circuit within. In order to enable asynchronous execution of the CPU bus cycle and the read access cycle of the system memory 13, the buffer circuit has a data latch function for latching read data from the system memory 13.

The display controller 14 is for controlling the display of a flat panel display 16 including an STN monochrome, STN color, or TFT color LCD panel, and the CPU local bus 10
Display data is received from the CPU 11 via A and written in the video memory (VRAM) 15.

The system bus 10B has a BIOS RO.
The M17, the system controller 18, and the I / O controller 19 are connected. BIOS ROM17
Is for storing a system BIOS (basic I / O system) and is composed of a flash memory so that the program can be rewritten. The system BIOS includes an IRT routine executed at power-on, a device driver for controlling various I / O devices, a system management program, a setup program, and the like.

The system controller 18 comprises a bridge device for connecting the CPU local bus 10A and the system bus 10B, a memory control logic for controlling various memories in the system, and the like.

The I / O controller 19 controls the I / O equipment connected to the serial port 20 and the printer / external FDD connected to the parallel port (printer port) 21 and 3.5 inch. Built-in FD
Control D22. The I / O controller 19 includes two DMA controllers for direct memory access control and an interrupt controller (PIC; Pro).
Two grammable interrupt controllers, system timer (PIT; Programmable Interval Timer)
), One serial I / O controller (SIO; S
It has two built-in erial Input / Output Controllers and one floppy disk controller (FDC).

Further, the I / O controller 19 includes an I / O register group used for communication between the power supply controller (PSC) 23 and the CPU 11, and an I / O register for setting the environment of the parallel port 21. There are also groups.

The system bus 10B further has a built-in H
A DD 24, a real-time clock (RTC) 25, a keyboard controller (KBC) 26, a PCMCIA controller 27, a CD-ROM 34, and a sound card 35 are connected.

The real time clock (RTC) 25 is
It is a timepiece module having its own battery for operation, and has a static RAM (referred to as a CMOS memory) of CMOS structure to which power is constantly supplied from the battery. This CMOS memory is used to store environment setting information indicating the system operating environment. The two types of passwords, which are the features of the present invention, are respectively held and managed in this CMOS memory. This specific configuration will be described later with reference to FIG.

Keyboard controller (KBC) 26
Is for controlling the built-in keyboard 29 built in the computer body.
The key matrix of 9 is scanned to receive a signal corresponding to the pressed key, and the signal is converted into a predetermined key code (scan code).

The keyboard controller 26 has a function of controlling an external keyboard 30 which is optionally connected, and a dedicated processor (IPS controller) 28.
Is used to control the pointing stick 31 and the mouse 32. The pointing stick 31 is provided integrally with the keyboard unit of the built-in keyboard 29.

The PCMCIA controller 27 controls access to the JEIDA / PCMCIA specification PC card 33 installed as an option. The sound card 25 includes a PCM sound source, a digital signal processing circuit for audio signals, and the like. The sound card 25 includes a line input terminal 36, a line output terminal 37, and a headphone terminal 3.
8, microphone terminal 39, and joystick terminal 40
Is connected.

In the computer system according to this embodiment, two types of passwords are managed and controlled. These management controls are realized by a management table (configuration shown in FIG. 2) set in the CMOS memory of the RTC 25. To be done.

In this embodiment, the first password is Superv
Called isor Password, the second password is User Passw
Called ord. Then, each password is registered and managed with an arbitrary 4-digit character.

If these passwords are registered, the operator is requested to enter the password when the system is started up, and the entered password and RTC2
5 and the password held in the CMOS memory. If it matches the Supervisor Password, the password discrimination flag is set to "0", while Us
If it matches the er Password, the password discrimination flag is set to "1". This allows this operator to see this flag while the system is running.
Is the Supervisor Password Provider User Passwor
You can always recognize who is the provider of d.

Further, in the computer system according to the embodiment, the operator provided with the User Password is Su
Compared with the operator who provided the pervisor password, it is subject to the following restrictions. (1) The boot is only from the HDD 24, and the FDD 22
Cannot be booted from FDD2 after boot processing.
2 is accessible). (2) System environment settings (setup) cannot be started.

If the password is not registered, the operator is not requested to input the password when the system is started up, and "0" is set in this password discrimination flag.

Here, the operation principle at the time of registering the Supervisor Password and User Password of the embodiment will be described with reference to FIGS. In the computer system of the embodiment, the Supervisor Password is registered by starting the utility program.

This utility program operates, for example, as an external command of DOS, and here, a utility program called SPSETUP3 is provided.

Here, as shown in FIG. 3, SPSETUP
When you start 3, as shown in Figure 4, Supervisor Passwor
A screen indicating that d is not registered is displayed, and when a predetermined key input is performed in this state, a setup screen as shown in FIG. 6 is subsequently displayed.

On this screen, the operator operates the cursor (or mouse or the like) to set the input target portion as the password input portion and input any four-digit character as the password. Then, when the Esc key (escape key) is pressed after the password is input, the screen shown in FIG. 6 is displayed.

If Yes is selected, the Supe
The rvisor password is stored in the CMOS memory of the RTC 25, and the screen returns to the DOS input screen. If No is selected, Supervisor Password RTC25 CMO
When the screen returns to the DOS input screen without storing in S memory and Cancel is selected, Supervisor P
Return to the utility program display screen without storing the assword in the CMOS memory of the RTC 25.

On the other hand, the User Password is the Supervisor Pas
Only the provided operator can register the sword, and register it by starting the setup (Supervisor P
After assword is registered, Supervisor Password
It is controlled so that setup cannot be started unless the computer system is started up. When this setup is started, the screen for setup shown in Fig. 5 will be displayed, similar to when registering the Supervisor Password.
Register by entering any 4-digit character in the password entry area.

These passwords are scrambled by the CPC calculation and then the CMOS of the RTC 25 is used.
Stored in memory. Next, an operation procedure of the embodiment will be described with reference to FIGS.

FIG. 7 is a flow chart for explaining the operation procedure when registering the Supervisor Password. Su
When registering a pervisor password, firstly enter Supervisor P
A utility program for assword registration is started (step A1 in FIG. 7). The utility program for registering Supervisor Password is
The input screen is displayed, and the operator inputs a password composed of an arbitrary combination of characters here (step A2 in FIG. 7). Then, when the registration is selected (Y in step A3 of FIG. 7), the entered password is CP
It is scrambled by the C operation and stored in the CMOS memory of the RTC 25 (step A4 in FIG. 7). And Su
The utility program for registering the pervisor password is terminated (step A5 in FIG. 7).

FIG. 8 is a flow chart for explaining the operation procedure when registering a User Password. User Pas
When registering the sword, first, the setup is activated (step B1 in FIG. 8). At this time, this system is Us
It is determined by referring to the password discrimination flag whether or not it has been activated by the er password (step B2 in FIG. 8). Then, if it is determined by this determination that the user password has been activated (Y in step B2 of FIG. 8), the setup is immediately terminated (FIG. 8).
Step B6).

On the other hand, if it has been started with Supervisor Password (N in step B2 of FIG. 8), the setup screen is displayed and the operator inputs a password consisting of a combination of arbitrary characters. (Step B3 in FIG. 8). Then, when the registration is selected (Y in step B4 in FIG. 8), the input password is scrambled by the CPC calculation, and the CMO of the RTC 25 is obtained.
It is stored in the S memory (step B5 in FIG. 8). Then, the setup ends (step B6 in FIG. 8).

FIG. 9 is a flow chart for explaining the operating procedure at the time of booting the computer system. When the power of the computer system is turned on (step C1 in FIG. 9), the system first requests the operator to input the password (step C2 in FIG. 9). Then, the password entered by the operator is compared with the password stored in the CMOS memory of the RTC 25 (step C3 in FIG. 9), and if they match the User Password (Y in step C3 in FIG. 9). ), The password discrimination flag
1 "(step C4 in FIG. 9), and Supervisor P
If it matches the assword (N in step C3 in FIG. 9), the password discrimination flag is set to "0" (step C5 in FIG. 9).

Next, it is judged whether or not boot from the FDD 22 is requested (step C6 in FIG. 9), and the FDD
If the boot from 22 is requested (Y in step C6 of FIG. 9), it is further determined by referring to the password determination flag set previously to see if the user password has not been started (step of FIG. 9). C7). If the result of this determination is that it has been activated with the User Password (Y in step C7 of FIG. 9), the FDD22
The boot from HDD 25 is forcibly performed without permitting the boot from (step C8 in FIG. 9). On the other hand, Superv
If it is found that the isor Password is activated (N in step C7 of FIG. 9), the FDD2 is as requested.
Boot from 2.

On the other hand, when booting from the HDD 25 is requested (N in step C6 of FIG. 9), Supervis
The boot from the HDD 25 is immediately executed regardless of the "or Password" and the "User Password" (step C8 in FIG. 9).

FIG. 10 is a flow chart for explaining the operation procedure when the setup is activated. When the setup is started, the system will move to RTC25 CMO
By referring to the password determination flag in the S memory, it is determined which password the system is started up with (step D1 in FIG. 10). If it is determined by this determination that the user password has been activated (Y in step D1 of FIG. 10), the setup is immediately terminated (step D3 of FIG. 10).

On the other hand, if it has been started with the Supervisor Password (N in step D1 of FIG. 10), the setup is continued and various environment settings are made (step D2 of FIG. 10), and then the setup is completed. (Step D3 in FIG. 10).

FIG. 11 is a flow chart for explaining the operation procedure when the resume and instant security is activated from the activated state. When the computer system is powered on (step E1 in FIG. 11),
The system requires the operator to enter the password (see FIG. 11).
Step E2), the password entered by the operator and the UserPanel stored in the CMOS memory of the RTC 25.
First, ssword is compared (step E3 in FIG. 11).

Here, the entered password and User
If the password matches the password (step E in FIG. 11)
3 Y), Startup at suspend is Supervisor Passw
It is determined whether or not it was not done in ord (step E4 in FIG. 11). By this judgment, the startup at the time of suspend
When it is determined that the password is used with the Supervisor Password (Y in step E4 in FIG. 11), the password input request screen is displayed again without performing the system recovery.
Then, when it is determined that the startup at the time of suspension is performed with the User Password (N in step E4 of FIG. 11), the system is returned to the state of suspension (step E6 of FIG. 11).

On the other hand, if the entered password is User Passw
If it does not match with ord (N in step E3 in FIG. 11), the comparison with the Supervisor Password stored in the CMOS memory of the RTC 25 is further performed (step E5 in FIG. 11).

If it is found by this comparison that the input password matches the Supervisor Password (step E5 in FIG. 11), it does not matter which password was used to start the system during suspension. Then, the system is returned to the suspended state (step E6 in FIG. 11).

Also, if the entered password is Supervisor
If the password does not match, the password input request screen is displayed again. As described above, in the computer system of the present invention, by managing and controlling two types of passwords, it is possible to realize security management with a wide range of applications.

[0056]

As described above in detail, according to the present invention, the security management by the password is not limited to the distinction between the permission and the non-permission of use of the computer system, and the range in which the operator who is permitted to use the operation can operate it. Differentiation can be achieved, and security management with a wider range of applications can be realized.

[Brief description of drawings]

FIG. 1 is a diagram showing a system configuration of a personal computer according to an embodiment of the present invention.

FIG. 2 is a conceptual diagram showing the structure of a password management table according to the embodiment.

FIG. 3 is a conceptual diagram for explaining the operating principle of the embodiment.

FIG. 4 is a conceptual diagram for explaining the operating principle of the embodiment.

FIG. 5 is a conceptual diagram for explaining the operation principle of the embodiment.

FIG. 6 is a conceptual diagram for explaining the operation principle of the embodiment.

FIG. 7 is a flowchart for explaining an operation procedure when registering a Supervisor Password according to the embodiment.

FIG. 8 is a flowchart for explaining an operation procedure when registering a User Password according to the embodiment.

FIG. 9 is an exemplary flowchart for explaining an operation procedure at the time of booting the computer system according to the embodiment.

FIG. 10 is a flowchart for explaining an operation procedure when the environment setting (setup) of the system according to the embodiment is started.

FIG. 11 is a flowchart for explaining an operation procedure when the resume and instant security according to the embodiment is activated from the activated state.

[Explanation of symbols]

11 ... CPU, 25 ... RTC, 22 ... FDD, 25 ... H
DD.

Claims (6)

[Claims] 1. A password function for requesting an operator to enter a password when starting to use the system and permitting the system to be used only when the entered password matches a pre-registered password. A password control method for a computer system having a first password provided to an operator who is permitted to perform all operations including environment setting of the system, and provided to an operator who is subject to predetermined restrictions on the use of the system. A password control method characterized by managing and controlling two passwords having different levels from the second password that is used. 2. The first password is registered by activating a predetermined utility program, and the second password is set by the operator who is provided with the registered first password. The password control method according to claim 1, wherein the password control method is performed by registering. 3. The computer system has a resume function, and if the operator at the time of suspending the system is the operator provided with the first password, the first password is input. Only when the system is allowed to be used and the operator at the time of suspending the system is the operator provided with the second password, either the first password or the second password is input. 2. The password control method according to claim 1, wherein the use of the system is permitted even when the password is controlled. 4. The computer system has an instant security function, and when the operator who starts the instant security is the operator who is provided with the first password, the first password is input. Only when the instant security is released to permit the use of the system, and the operator at the time of starting the instant security is the operator provided with the second password, the first and second 2. The password control method according to claim 1, wherein the instant security is released and the use of the system is permitted regardless of which password is input. 5. The password control method according to claim 1, wherein an operator is required to input a password when the computer system is rebooted. 6. The password control method according to claim 1, wherein the operator provided with the second password can boot the computer system only from a hard disk device.