Title of invention: Secure two-piece user authentication in a computer network
Abstract: A computer system according to the present invention utilizes a two-piece authentication procedure to securely provide user authentication over a network. In the disclosed embodiment of the invention, a user password is entered during a secure power-up procedure. The user password is encrypted by an external token or smart card that stores an encryption algorithm furnished with an encryption key that is unique or of limited production. A network password is thereby created. The network password is maintained in a secure memory space such as System Management Mode (SMM) memory. When the user desires to access a network resource such as a hard drive in a server, the network password is encrypted and communicated over the network. In the case of a server hard drive, the network password is encrypted using the server's public key (or another key that is known to the server). Optional node identification information is appended to the network password prior to communication over the network. The node identification information can be used for a variety of purposes, including limiting access to certain pieces of data to specified users on specified machines. Once received by the server, the encrypted network password is decrypted using the server's public key. A user verification process is then performed on the network password to determine which, if any, access privileges have been accorded the network user. Numerous other uses for the network password are disclosed, and permit the network resources to be securely compartmentalized with the option to have multiple user levels. The two-piece nature of the authentication process assures that if either the user password or the external token is stolen, it is of little value. Both pieces are required to access protected resources and uniquely identify a user to the network. Further, a network user's identity is maintained when working on different machines.
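Publication number: EP0851335(A2)  Publication date: 1998.07.01
Application number: EP19970310653  Filing date: 1997.12.30
Applicant: COMPAQ COMPUTER CORPORATION  Inventors: ANGELO, MICHAEL F.; OLARIG, SOMPONG P.
Classification: G06F21/00;(IPC1-7):G06F1/00  Main classification: G06F21/00
Agency:  Agent:
Principal claim:
Address: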