
GB2488944A - Using a soft keyboard when a pre-boot password is entered incorrectly - Google Patents


Info

Publication number
GB2488944A
Authority
GB
United Kingdom
Prior art keywords
password
user
bios
computer
keyboard
Legal status
Granted
Application number
GB1211243.9A
Other versions
GB2488944B (en)
GB201211243D0 (en)
Inventor
David Kurt Gillespie
Current Assignee
Hewlett Packard Development Co LP
Original Assignee
Hewlett Packard Development Co LP
Application filed by Hewlett Packard Development Co LP
Priority to GB1211243.9A
Publication of GB201211243D0
Publication of GB2488944A
Application granted
Publication of GB2488944B
Expired - Fee Related


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Input From Keyboards Or The Like (AREA)
  • Storage Device Security (AREA)

Abstract

Before the operating system of a computer has booted, a password is entered to the computer. If the password is incorrect, a soft keyboard is displayed on the screen of the computer to allow the user to enter the password. Characters may be selected from the soft keyboard using the computer's pointing device. The characters on the soft keyboard may match those of a specific keyboard layout. The basic input/output system (BIOS) may receive the password. When a user tries to change the password, the BIOS may reject it if it cannot be entered by the keyboard attached to the computer.

Description

SYSTEMS AND METHODS FOR SUPPORTING PRE-BOOT LOG IN
BACKGROUND
It is now common to require a user to log in before being able to operate a computer. Such a log in is normally performed within the operating system environment. That is, the log in is performed after the computer has booted and the operating system is running. Therefore, it is the operating system, or a program running within the operating system environment, that controls the log in and authenticates the user.
Recently, it has been proposed to conduct security log-ins before the computer is booted under the control of the basic input/output system (BIOS). By performing the log in during the pre-boot stage, unauthorized users can be barred from accessing not only the operating system but the computer's hardware, such as the hard drive.
Although pre-boot log in is attractive, there are challenges associated with its implementation. For example, Unicode passwords that may be usable in the operating system environment may not be fully supported in the BIOS environment. Specifically, if the characters of the password cannot be directly entered by the user using a physical keyboard, the password cannot be entered by the user in the BIOS environment. In such a case, the computer will not boot and potentially could be rendered non-functional.
STATEMENT OF INVENTION
According to an aspect of the present invention, there is provided a method according to claim 1. According to another aspect of the present invention, there is provided a computer readable medium according to claim 6. According to another aspect of the present invention, there is provided a computer system according to claim 11.
BRIEF DESCRIPTION OF THE DRAWINGS
The disclosed systems and methods can be better understood with reference to the following drawings. The components in the drawings are not necessarily to scale.
Fig. 1 is a block diagram of an embodiment of a computer system configured to support pre-boot log in.
Figs. 2A and 2B present a flow diagram that illustrates an example of a method for supporting pre-boot log in.
Figs. 3A and 3B present a flow diagram that illustrates an example of operation of a BIOS security manager shown in Fig. 1.
Fig. 4 is a flow diagram that illustrates an embodiment of operation of the BIOS security manager shown in Fig. 1.
DETAILED DESCRIPTION
As described above, if an authorized user cannot enter in the BIOS environment a password selected within the operating system environment, the user will be barred from booting the computer system if a pre-boot log in is required. As described below, such a situation can be avoided by confirming at the time of password selection that the password can in fact be directly entered with the user's keyboard. In some embodiments, a virtual or "soft" keyboard may also be displayed for the user to account for situations in which the presumed keyboard layout does not match the user's actual keyboard layout.
Referring to the drawings, in which like numerals identify corresponding parts throughout the several views, Fig. 1 illustrates an example computer system 100 that supports pre-boot log in. As used herein, the term "pre-boot log in" identifies a log in procedure that is performed under the control of the BIOS before the computer system has completed booting and before the operating system is up and running.
The computer system 100 can have any one of a number of different configurations. For example, the system 100 can be configured as a desktop computer, a notebook computer, a server computer, or a handheld computing device, to name a few. Regardless, in the embodiment of Fig. 1 the computer system 100 comprises a processing device 102, memory 104, a user interface 106, and at least one I/O device 108, each of which is connected to a local interface 110. The processing device 102 can comprise a central processing unit (CPU) or a semiconductor-based microprocessor that executes commands stored in memory 104. The memory 104 includes any one of or a combination of volatile memory elements (e.g., RAM modules) and non-volatile memory elements (e.g., hard disk, ROM modules, etc.).
The user interface 106 comprises the components with which the user interacts with the computer system 100. The user interface 106 may comprise, for example, a keyboard, mouse, and a display, such as a liquid crystal display (LCD). The one or more I/O devices 108 are adapted to facilitate communications with other devices and may include one or more communication components, such as a modulator/demodulator (e.g., modem), a wireless device (e.g., RF transceiver), a network card, and the like.
The memory 104 comprises various programs (i.e., logic) including a BIOS 112, an operating system 114, and one or more user applications 116 that are adapted to run within the operating system environment. The BIOS 112 generally functions to boot the computer system 100 and enable other programs, such as the operating system 114, to assume control of the system. As indicated in Fig. 1, the BIOS 112 includes a security manager 118 that, as described in greater detail below, supports pre-boot log in on the computer system 100. In some embodiments, the security manager 118 operates in cooperation with a security manager 122 of the operating system 114 to ensure that passwords selected by the user for the pre-boot log in process are acceptable. In some embodiments, that determination is made by the BIOS security manager 118 with reference to a keyboard layout table 120 of the BIOS 112. As is also described below, the BIOS security manager 118, in embodiments of the present invention, displays a virtual or soft keyboard to the user to enable the user to communicate his or her password in cases in which the keyboard layout presumed by the BIOS security manager 118 does not match the user's actual physical keyboard layout or regional variation.
Figs. 2A and 2B illustrate an example method for supporting pre-boot log in. Beginning with block 200 of Fig. 2A, a user elects to set a pre-boot password while in the operating system environment. By way of example, the user may be establishing, for the first time, a password that will be required by the BIOS 112 before the user's computer system 100 will boot. Alternatively, the user may be changing an existing pre-boot log in password. In either case, the user inputs a password with the operating system 114, as indicated in block 202, for example using an operating system "wizard" or similar utility. The user may input the password using a variety of methods. For instance, the user may simply type in a password. Alternatively, the user may copy a password from a given source (e.g., document, web page, etc.) and paste it into an input block presented by the operating system.
Referring next to block 204, once the password has been input, the operating system 114 passes the password along with an indication of the user's keyboard layout to the BIOS 112. With that information, the BIOS 112 can, as indicated in block 206, determine whether the BIOS supports the user's keyboard layout. That is, the BIOS 112 can determine whether the BIOS 112 stores a description of the layout of the user's physical keyboard, for example in its keyboard layout table 120. An example of difference in keyboard layout is the difference between a Spanish keyboard, which may need the "ñ" character, and the English keyboard, which does not use that character. Accordingly, two different keyboards can have different characters, shared characters in different physical locations, and/or a different number of keys, each resulting in a different way of typing for the end user. With reference to decision block 208, if the keyboard layout is supported, flow proceeds on to block 214 of Fig. 2B. If, on the other hand, the keyboard layout is not supported by the BIOS 112, flow continues to block 210 at which the BIOS sends an alert to the operating system 114 to notify the operating system that the user's keyboard layout is not supported. The operating system 114 can, in turn, notify the user of that fact, as indicated in block 212. At that point, the user can either change his or her keyboard layout and reattempt password selection, or simply elect not to use the pre-boot log in feature.
Assuming that the BIOS 112 supports the user's keyboard layout, the BIOS then determines whether the password input by the user can be directly entered using the user's keyboard, as indicated in block 214 of Fig. 2B. In particular, it is determined whether each character of the password can be directly input (i.e., typed) through the selection of one or multiple keyboard keys of the designated keyboard layout, as opposed to being indirectly input. An example of indirect input includes the use of a copy/paste function in which the individual characters of the pasted character or character string are not actually typed but instead copied from a separate source, which will be unavailable in the BIOS environment. A further example of indirect input includes selection of a character or symbol (e.g., Chinese word or phrase) presented to the user after input of one or more keyboard keys that trigger such presentation. In that situation, the character or symbol is also not actually typed by the user, and such functionality will also be unavailable in the BIOS environment. Accordingly, it is determined whether each character is one that can be typed by the user and recognized by the BIOS 112. Notably, while the operating system 114 may be configured to recognize thousands or even tens of thousands of Unicode characters, the capabilities of the BIOS 112 may be far more limited. An example of a character that could be rejected is a Chinese character when the user is using an English (e.g., U.S.) keyboard because such a keyboard would not be able to produce that character.
With reference next to decision block 216, assuming that all of the characters of the password can be directly entered using the keyboard, and therefore recognized by the BIOS 112, flow continues down to block 226 described below. If, however, one or more of those characters cannot be directly input using the keyboard, flow continues to block 218 at which the BIOS 112 sends an alert to the operating system 114 that conveys that the password is unacceptable for use in pre-boot log in. The operating system 114 can then prompt the user to select a new password, as indicated in block 220. Optionally, the operating system can further identify the reason why the previous password was unacceptable and can further request the user to select a password whose characters can be directly entered (i.e., typed) using the user's keyboard.
If the user wishes to make a further attempt at setting a password, the user can input a further password with the operating system 114, as indicated in block 222, and the operating system can again pass the password to the BIOS 112, as indicated in block 224. Flow can then return to block 214, at which the BIOS 112 again considers the password. Assuming that the new password selected by the user is acceptable, flow continues to block 226 at which the BIOS 112 sends an acceptance to the operating system 114. Once that acceptance is received, the operating system 114 can set the new pre-boot password, as indicated in block 228, so that a pre-boot log in can be performed next time the computer system 100 is initiated.
Figs. 3A and 3B illustrate an example of operation of the BIOS security manager 118 (Fig. 1) in supporting pre-boot log in. Beginning with block 300 of Fig. 3A, the BIOS security manager 118 awaits a communication from the operating system 114, for example from the operating system security manager 122. At block 302, the BIOS security manager 118 receives a keyboard layout ID from the operating system 114. By way of example, that ID is presented to the BIOS security manager 118 as a part of a pre-boot log in set up procedure performed by the user within the operating system environment. The BIOS security manager 118 then looks up the keyboard layout ID in the keyboard layout table 120, as indicated in block 304, to determine whether or not the user's keyboard layout is supported by the BIOS 112. With reference to decision block 306, if the keyboard layout ID is not in the table 120, the BIOS security manager 118 sends a rejection notification to the operating system 114, as indicated in block 308, and flow for the session is terminated given that pre-boot log in is not possible with the user's current keyboard layout.
With further reference to decision block 306, if the keyboard layout ID is in the keyboard table 120, meaning that the BIOS 112 supports that layout, flow continues to block 310 at which the BIOS security manager 118 receives the password selected by the user from the operating system 114. Although the receipt of the password has been described as being separate from receipt of the keyboard layout ID, it is noted that both pieces of information can be provided to and received by the BIOS security manager 118 simultaneously. Regardless, once the BIOS security manager 118 has received the password, the BIOS security manager identifies a character of the password, as indicated in block 312. Then, with reference to block 314, the BIOS security manager 118 determines whether that character can be directly entered with the user's keyboard. In particular, it is determined whether the character can be directly typed with the keyboard through the selection of a single key or simultaneous selection of multiple keys, including, for example, the "shift," "ctrl" and "alt" keys. Referring to decision block 316, if the character can be directly entered, flow continues down to decision block 320 at which it is determined whether that character was the last character of the password. If not, flow returns to block 312 at which the next character of the password is considered. If, however, the character cannot be entered, flow continues to block 318 at which the operating system 114 is notified that the password is unacceptable. Flow can then return back to block 300 of Fig. 3A at which the BIOS security manager 118 awaits a further communication from the operating system. Returning to decision block 320, if each character of the password is acceptable, flow continues to block 322 at which the BIOS security manager 118 sends an acceptance message to the operating system 114 indicating that the user's selected password is acceptable for the pre-boot log in process.
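The check described for Figs. 2 and 3 can be sketched as follows. This is an added example, not code from the patent or from any BIOS; the layout IDs, the table contents, the function names and the assumption that the password arrives as UTF-8 are all illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcomes of Figs. 2 and 3: accept, layout not in table, character not typable. */
enum pw_verdict { PW_ACCEPT, PW_REJECT_LAYOUT, PW_REJECT_CHAR };

/* One row of a hypothetical keyboard layout table 120. Every layout here is
   assumed to type printable ASCII directly; `extra` lists further code points. */
struct kb_layout {
    uint16_t id;            /* constructed layout ID passed in by the OS */
    const uint32_t *extra;
    size_t extra_len;
};

static const uint32_t es_extra[] = { 0xF1, 0xD1, 0xBF, 0xA1 };  /* ñ Ñ ¿ ¡ */
static const struct kb_layout layout_table[] = {
    { 1, NULL, 0 },                                         /* English (U.S.) */
    { 2, es_extra, sizeof es_extra / sizeof es_extra[0] },  /* Spanish */
};

/* Decode one UTF-8 code point; returns bytes consumed, or 0 if malformed. */
static size_t utf8_next(const unsigned char *s, size_t len, uint32_t *cp)
{
    static const uint32_t min_cp[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t n, i;
    if (len == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0)      { n = 2; *cp = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { n = 3; *cp = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { n = 4; *cp = s[0] & 0x07; }
    else return 0;
    if (len < n) return 0;
    for (i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    /* Reject overlong forms, surrogates and out-of-range values. */
    if (*cp < min_cp[n] || *cp > 0x10FFFF || (*cp >= 0xD800 && *cp <= 0xDFFF))
        return 0;
    return n;
}

static int can_type(const struct kb_layout *l, uint32_t cp)
{
    size_t i;
    if (cp >= 0x20 && cp <= 0x7E) return 1;   /* printable ASCII */
    for (i = 0; i < l->extra_len; i++)
        if (l->extra[i] == cp) return 1;
    return 0;
}

/* Blocks 304-322: look up the layout, then test every character in turn.
   On PW_REJECT_CHAR, *bad_offset is the byte offset of the offending character. */
enum pw_verdict check_preboot_password(uint16_t layout_id, const char *pw,
                                       size_t *bad_offset)
{
    const struct kb_layout *l = NULL;
    size_t i, off = 0, len = strlen(pw);
    for (i = 0; i < sizeof layout_table / sizeof layout_table[0]; i++)
        if (layout_table[i].id == layout_id) l = &layout_table[i];
    if (l == NULL) return PW_REJECT_LAYOUT;          /* block 308 */
    while (off < len) {
        uint32_t cp = 0;
        size_t n = utf8_next((const unsigned char *)pw + off, len - off, &cp);
        if (n == 0 || !can_type(l, cp)) {            /* block 318 */
            *bad_offset = off;
            return PW_REJECT_CHAR;
        }
        off += n;
    }
    return PW_ACCEPT;                                /* block 322 */
}

int main(void)
{
    size_t off = 0;
    /* Constructed sample: "contraseña" in UTF-8, checked against both layouts. */
    const char *pw = "contrase\xC3\xB1" "a";
    enum pw_verdict es = check_preboot_password(2, pw, &off);
    enum pw_verdict us = check_preboot_password(1, pw, &off);
    printf("Spanish layout verdict: %d\n", (int)es);
    printf("U.S. layout verdict: %d (offending byte offset %zu)\n", (int)us, off);
    return 0;
}
```

Malformed UTF-8 and control characters are rejected the same way as untypable characters, so a pasted password never reaches the point of being stored.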
Through the process described above in relation to Figs. 2 and 3, steps are taken to ensure that the user's selected password can be received and recognized by the BIOS 112 during pre-boot log in. However, if for some reason there is a disconnect between what the BIOS 112 thinks is the user's keyboard layout and the user's actual keyboard layout, the user can be denied access to the computer system 100 even when he or she enters what he or she believes to be the correct password.
Consider an example in which the user sets his pre-boot password while using the standard English keyboard layout. In such a case, the BIOS will be notified that the user is using the standard English keyboard layout and will therefore interpret keystrokes accordingly. If, however, the user were to change his or her keyboard layout thereafter, a mismatch may occur that can result in the BIOS interpreting a valid password as an invalid password. For instance, if the user changed his or her keyboard layout to the standard French keyboard layout, the physical locations of the "q" and "a" keys are reversed. Therefore, if the user's password were "quark123," the BIOS would interpret the user's input as "auqrk123" and would deny the user access. To guard against such a situation, which can result in a permanently locked system, the BIOS security manager 118 is configured to display a virtual or "soft" keyboard to the user in the computer system display to enable the user to select the characters of his or her password using a pointing device, such as a mouse. In such a situation, mismatch between what the BIOS thinks is the user's keyboard layout and the user's actual keyboard layout would not prevent the user from logging in and using the computer system 100. Fig. 4 provides an example of operation of the BIOS security manager 118 operating in that capacity.
Beginning with block 400 of Fig. 4, the BIOS security manager 118 prompts the user for a password. In particular, the BIOS security manager 118 prompts the user for his or her password after powering of the computer system 100 but prior to booting of the computer system and, therefore, before the operating system 114 is up and running. The entered password is received, as indicated in block 402, and it is determined whether the password is correct (i.e., valid). With reference to decision block 404, if the password is correct, the BIOS 112 boots the computer system 100, as indicated in block 406. If, on the other hand, the password is incorrect (i.e., invalid), flow continues to decision block 408 at which it is determined whether the maximum number of tries has been used. If not, flow returns to block 400 at which the user is again prompted for the password.
If the user fails to enter the correct password after the maximum number of tries (e.g., 3 tries) have been permitted, the BIOS security manager 118 displays a virtual or soft keyboard to the user, as indicated in block 410. The soft keyboard includes a separate displayed "key", for example displayed as an on screen button, for each character that can be directly entered using the user's keyboard and layout using one or more of the physical keyboard keys. Therefore, with reference to the English versus French example provided above, the soft keyboard will include a key for "q" that the user can select irrespective of the position of the "q" key on his or her physical keyboard. Once the soft keyboard has been displayed, the BIOS security manager 118 can prompt the user to select the various characters of his or her password using a pointing device, as indicated in block 412. By way of example, the pointing device can comprise a mouse. In cases in which the computer system 100 comprises a touch-sensitive screen, the pointing device can comprise a stylus or the user's finger.
Referring next to decision block 414, the BIOS security manager 118 determines whether the password is correct. If not, flow continues to decision block 416 at which it is determined whether the maximum number of tries (e.g., 3 tries) has been used. If not, flow returns to block 412 at which the user is again prompted for the password. If so, the computer system 100 is not booted, as indicated in block 418. Assuming, however, that the user enters the correct password by individually selecting each character of the password using the pointing device, flow continues to block 406 at which the computer system 100 boots.
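The Fig. 4 flow and the English/French mismatch can be simulated as below. This is an added example, not code from the patent; the two layout strings are constructed and simplified (only the q/a and w/z swaps are modelled), the function names are hypothetical, and a plain string comparison stands in for password verification, which the description does not specify.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TRIES 3   /* "e.g., 3 tries" in the description */

/* Constructed, simplified layouts: the character produced by each key position. */
static const char QWERTY[] = "qwertyuiopasdfghjklzxcvbnm1234567890";
static const char AZERTY[] = "azertyuiopqsdfghjklwxcvbnm1234567890";

enum boot_result { BOOTED_PHYSICAL, BOOTED_SOFT_KEYBOARD, NOT_BOOTED };

/* The user presses the keys labelled `intended` on a keyboard wired as
   `actual`; the BIOS decodes those key positions with `presumed`.
   Returns 0 on success, -1 if a character has no key or `out` is too small. */
int decode_keystrokes(const char *actual, const char *presumed,
                      const char *intended, char *out, size_t outsz)
{
    size_t i, n = strlen(intended);
    if (n + 1 > outsz) return -1;
    for (i = 0; i < n; i++) {
        const char *key = strchr(actual, intended[i]);
        if (key == NULL) return -1;
        out[i] = presumed[key - actual];
    }
    out[n] = '\0';
    return 0;
}

/* Soft keyboard: one on-screen button per character of the presumed layout,
   picked with a pointing device, so physical key positions play no part. */
static int soft_keyboard_entry(const char *presumed, const char *intended,
                               char *out, size_t outsz)
{
    return decode_keystrokes(presumed, presumed, intended, out, outsz);
}

/* Fig. 4: MAX_TRIES physical attempts, then MAX_TRIES soft-keyboard attempts.
   *tries_used reports how many password checks were performed in total. */
enum boot_result preboot_login(const char *stored, const char *intended,
                               const char *actual, const char *presumed,
                               int *tries_used)
{
    char entered[64];
    int t;
    *tries_used = 0;
    for (t = 0; t < MAX_TRIES; t++) {                 /* blocks 400-408 */
        ++*tries_used;
        if (decode_keystrokes(actual, presumed, intended,
                              entered, sizeof entered) == 0 &&
            strcmp(entered, stored) == 0)
            return BOOTED_PHYSICAL;                   /* block 406 */
    }
    for (t = 0; t < MAX_TRIES; t++) {                 /* blocks 410-416 */
        ++*tries_used;
        if (soft_keyboard_entry(presumed, intended,
                                entered, sizeof entered) == 0 &&
            strcmp(entered, stored) == 0)
            return BOOTED_SOFT_KEYBOARD;              /* block 406 */
    }
    return NOT_BOOTED;                                /* block 418 */
}

int main(void)
{
    char seen[64];
    int tries = 0;
    enum boot_result r;
    if (decode_keystrokes(AZERTY, QWERTY, "quark123", seen, sizeof seen) == 0)
        printf("BIOS decodes the French-layout keystrokes as: %s\n", seen);
    r = preboot_login("quark123", "quark123", AZERTY, QWERTY, &tries);
    printf("result=%d after %d tries\n", (int)r, tries);
    return 0;
}
```

With the values shown, an incorrect password is checked up to six times per power-on (three typed, three selected) before the system refuses to boot, which matters when sizing any lockout policy around this flow.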
To enable the functionality described in relation to Fig. 4, the BIOS 112 must be able to display each character of the keyboard layout being used by the user. In other words, the BIOS 112 must be capable of rendering the font glyph of each of those characters, otherwise the character for which there is no font glyph will not pass the verification as a valid character regardless of the keyboard layout. To ensure that the BIOS 112 is capable of such font rendering, the BIOS security manager 118 can also confirm that the BIOS can render each character of a selected password during the processes described in relation to Figs. 2 and 3.
Various programs (logic) have been described herein. It is noted that those programs can be stored on any computer-readable medium for use by or in connection with any computer-related system or method. In the context of this document, a "computer-readable medium" is an electronic, magnetic, optical, or other physical device or means that contains or stores a computer program for use by or in connection with a computer-related system or method. Those programs can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions.

Claims (10)

  1. A method for supporting pre-boot log in on a computer system, the method comprising: receiving a password entered by a user before the computer system has completed booting; determining whether the password is correct; and if the password is not correct, displaying a soft keyboard to the user with which the user can select the characters of the user's password.
  2. The method of claim 1, wherein receiving a password comprises a BIOS of the computer system receiving the password before an operating system of the computer system is up and running.
  3. The method of claim 1, wherein displaying a soft keyboard comprises displaying every character that can be directly typed a given keyboard layout.
  4. The method of claim 3, further comprising receiving selections of characters displayed in the soft keyboard.
  5. The method of claim 4, wherein receiving selections comprises registering selections input by the user with a pointing device.
  6. A computer program comprising computer program code means for performing all of the steps of any of claims 1 to 5 when said program is run on a computer.
  7. A computer program as claimed in claim 6 embodied on a computer readable medium.
  8. A computer system comprising: a processing device; memory that stores a BIOS and an operating system, the BIOS being configured to execute the method of any of claims 1 to 5.
  9. A method as herein described and as illustrated with reference to Figure 4.
  10. A computer system as herein described and as illustrated with reference to Figure 4.
GB1211243.9A 2008-05-19 2008-05-19 Systems and methods for supporting pre-boot log in Expired - Fee Related GB2488944B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1211243.9A GB2488944B (en) 2008-05-19 2008-05-19 Systems and methods for supporting pre-boot log in

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1211243.9A GB2488944B (en) 2008-05-19 2008-05-19 Systems and methods for supporting pre-boot log in

Publications (3)

Publication Number Publication Date
GB201211243D0 (en) 2012-08-08
GB2488944A (en) 2012-09-12
GB2488944B (en) 2013-02-20

Family

ID=46671832

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1211243.9A Expired - Fee Related GB2488944B (en) 2008-05-19 2008-05-19 Systems and methods for supporting pre-boot log in

Country Status (1)

Country Link
GB (1) GB2488944B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001077792A2 (en) * 2000-04-07 2001-10-18 Rsa Security Inc. System and method for authenticating a user
WO2002091201A1 (en) * 2001-05-02 2002-11-14 International Business Machines Corporation Data processing system and method for password protecting a booting order of boot devices
US20030107600A1 (en) * 2001-12-12 2003-06-12 Kwong Wah Yiu Providing a user input interface prior to initiation of an operating system
US6823463B1 (en) * 2000-05-16 2004-11-23 International Business Machines Corporation Method for providing security to a computer on a computer network


Also Published As

Publication number Publication date
GB2488944B (en) 2013-02-20
GB201211243D0 (en) 2012-08-08


Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20230519