This application claims the benefit of Canadian patent application serial number 2,677,113 filed Aug. 25, 2009.
The present invention relates generally to remote access and control of a networked computer. More particularly, the present invention relates to a system and method for remotely accessing data on a networked computer and controlling the computer.
The development of the Internet and portable computers has allowed the growth of portable computing. In particular, remote access systems and programs have been developed to allow a user to utilize the Internet and a portable computer to remotely access a home or office computer. In the business context, remote access/control capabilities enable an employee to access in-office computer resources through a web-enabled corporate laptop while traveling.
A concern with the traditional remote access setup is security breaches. For example, when a traveler goes on a business trip and inadvertently loses a corporate laptop, confidential information stored on the laptop, such as client lists, may be compromised. Configuration files stored on the laptop, e.g., user login and password, may be misappropriated the same way. When a third party subsequently uses the stolen login and password to remotely access the traveler's corporate computer account, sensitive company information stored on corporate computers is further at risk of exposure.
Similar security risks exist when the traveler accesses his home or corporate computer remotely through a public kiosk at airports and hotels. If such public terminals have inadequate security measures, the traveler's personal information can be exposed. Similar consequences to those in the case of a stolen/lost laptop can result.
The development of the Internet has also allowed for the creation of e-mail and the sharing of files through e-mail. Because of the risks inherent with receiving certain types of attachments, e.g., executable (.exe) files, many e-mail programs employ virus protection that blocks receipt of such files. Many e-mail programs also impose other limitations on e-mail attachments such as size limitations.
There are services such as www.sendthisfile.ca and products such as FTP servers whereby the user would have to first upload the attachment file to another location and then provide a link to the file in the email body so that the email recipient could click on the link to retrieve the file at that location. However, such services or products do not provide a link pointing directly to the original file, with retrieval restrictions and/or physical authentication of the recipient, without the need to first upload the file to another location.
Furthermore, it is desirable to provide a method and system that provides improved security features that restrict remote access only to intended users, and to allow the intended users to remotely and securely access, control and manage data. It is also desirable to provide a system and method for sharing files that avoid existing limitations.
The foregoing needs are met, to a great extent, by the present invention, wherein in one aspect a system is provided that in some embodiments allows a user to remotely and securely access, control and manage data.
In accordance with one embodiment of the present invention, a system includes a personal computer, a locator server, a remote access terminal, and a connection key. The personal computer can be linked to the Internet and associated with an IP address that cannot be reached publicly such as behind a corporate firewall, a Network Address Translator (NAT), router, gateway, etc. The locator server computer is linked to the Internet and associated with an IP address that can be reached publicly from the Internet such as a static public IP address. The personal computer is configured to send a signal that includes data for locating the personal computer. The locator server computer is configured to receive from the personal computer a signal that includes data for locating the personal computer. The remote access terminal is linked to the Internet and capable of sending requests for communication with the personal computer to the locator server computer. The connection key is configured to physically, electrically and removably connect with the remote access terminal.
The remote access terminal is configured to generate a request for communication with the personal computer based upon input from the connection key. In response at least in part to the request for communication with the personal computer, the locator server computer is configured to create one or more communication sessions between the personal computer and the remote access terminal based on the signal received at the locator server computer that includes data for locating the personal computer.
In accordance with another aspect of the present invention, a method for providing remote access or control to a personal computer is provided. The method includes receiving from a remote access terminal a request for communication with the personal computer. Authentication information from the remote access terminal is then received. The authentication information can at least partially be stored on a connection key physically, electrically and removably connected to the remote access terminal. One or more communication sessions between the remote access terminal and the personal computer are created based at least in part on the authentication information.
There has thus been outlined, rather broadly, certain embodiments of the invention in order that the detailed description thereof herein may be better understood, and in order that the present contribution to the art may be better appreciated. There are, of course, additional embodiments of the invention that will be described below and which will form the subject matter of the claims appended hereto.
In this respect, before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not limited in its application to the details of construction and to the arrangements of the components set forth in the following description or illustrated in the drawings. The invention is capable of embodiments in addition to those described and of being practiced and carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein, as well as the abstract, are for the purpose of description and should not be regarded as limiting.
As such, those skilled in the art will appreciate that the conception upon which this disclosure is based may readily be utilized as a basis for the designing of other structures, methods and systems for carrying out the several purposes of the present invention. It is important, therefore, that the claims be regarded as including such equivalent constructions insofar as they do not depart from the spirit and scope of the present invention.
The invention will now be described with reference to the drawing figures, in which like reference numerals refer to like parts throughout. An embodiment in accordance with one aspect of the present invention provides a system and method for providing remote access or control of a personal computer.
An embodiment of the present inventive system 10 is illustrated in
To implement physical security, remote access terminal 16 and connection key 18 serve as the physical authentication devices. Personal computer 12 and locator server computer 14 alone or in combination are configured to perform authorization routines to determine if at least one of a user of remote access terminal 16, and connection key 18 is authorized to access personal computer 12.
To implement the automation features, connection key 18 is configured to cause a request for communication with personal computer 12 to be generated by remote access terminal 16 upon connection thereto, thereby eliminating the need for a user to manually input the request. Here, connection key 18 “connects to” or is in “connection with” remote access terminal 16 when connection key 18 is “physically, electrically and removably connected” thereto. The process for authenticating a user can similarly be automated through pre-storing user identifiers (as discussed below) in connection key 18, thereby eliminating the need for a user to manually authenticate himself, such as by inputting a login ID and password.
Referring again to
The request for communication with personal computer 12 (hereinafter a “communication request”) generated by remote access terminal 16 can be initiated through input by a user or input from connection key 18. In some embodiments, the communication request is generated by means of a user's entry in a Web page field or by an HTTP request that already contains the name of locator server computer 14. The user may be additionally prompted to enter an identifier (e.g. computer name) of personal computer 12 to be included in the communication request. Alternatively, the user may be prompted to enter authentication information, i.e. user identifier information (hereinafter “user identifier”) (e.g. user ID and password), to be included in the communication request. In other embodiments, the communication request generated by remote access terminal 16 is initiated by connection key 18, such as through executable codes stored therein, whereby the communication request is generated without user input. Still in other embodiments, the communication request can be initiated by a combination of user and connection key input for added security.
Locator server computer 14 acts as an intermediary between personal computer 12 and remote access terminal 16. Specifically, locator server computer 14 is configured to receive from personal computer 12 a signal that includes data for locating personal computer 12. In a preferred embodiment, locator server computer 14 is provided with a program product 22 for receiving information corresponding to the current location of personal computer 12 intermittently. As is readily understood, the functionality of the locator server computer 14 can be distributed over one or more devices in order to improve system operation in such areas as speed and efficiency. Further details relating to the components, use, and functions of the computer program product, including a location facility, are found in U.S. Pat. No. 6,928,479, the relevant disclosure of which is incorporated herein by reference. In a preferred embodiment, the I'm InTouch service provided by 01 Communique Laboratory, Inc. of Mississauga, Ontario provides the locator server.
In a security-enhanced configuration, locator server computer 14 can further include an authentication routine to validate the communication request. In a preferred embodiment, locator server computer 14 is configured to determine whether a) a user of remote access terminal, b) remote access terminal 16, and/or c) connection key 18 is authorized (to access personal computer 16). Locator server computer 14 is further configured to create and establish a communication session when the user of remote access terminal 16, connection key 18, and/or remote access terminal 16 is authorized. In alternative embodiments, locator server computer 14 is configured to first create the communication session in response to the communication request and before the authentication routine is performed, and to discontinue the communication session when the user of remote access terminal 16, connection key 18, and/or remote access terminal 16 is determined to be unauthorized.
Alternative embodiments for implementing the authentication routine can be used. In place of locator server computer 14, personal computer 12 can similarly be configured to determine whether the user, connection key 18, and/or remote access terminal 16 is authorized. Still in other embodiments, the configuration routine can be carried out by a combination of locator server computer 14 and personal computer 12.
Remote access terminal 16 provides a means for a user to remotely access, manage and control personal computer 12. Specifically, remote access terminal 16 is linked to the Internet and capable of generating communication requests.
Remote access terminal 16 is linked to the Internet through a wired or a wireless network. Examples of wired networks include local area networks (LANs), metropolitan area networks (MANs), and wide area networks (WANs). Examples of wireless networks include wireless local area networks (WLANs) and wireless wide area networks (WWANs). WLANs include systems using technologies such as Wi-Fi and other wireless protocols in accordance with IEEE 802.11 standards. WWANs include systems that operate in accordance with 2.5G (such as cdma2000) and 3G (such as UMTS and WiMax).
Remote access terminal 16 further provides for enhanced physical security. To serve as physical authentication, remote access terminal 16 includes unique remote access terminal identifier information (hereinafter “remote access terminal identifier”) that can be registered with locator server computer 14 as an authorized remote access terminal identifier. The registration can be set up locally by an administrator at locator server computer 14. Alternatively, the registration can be set up through a registration routine running on personal computer 12, as is well known, to communicate the remote access terminal identifier over the Internet to locator server computer 14. The remote access terminal identifier can be stored in a dynamic directory at locator server computer 14, as is well known. The parameters of the operation of the registration routine can be set by a user such that locator server computer 14 enables a user to remotely access personal computer 12 only when an authorized remote access terminal 16 is used conjointly.
Connection key 18 is configured to connect with remote access terminal 16, and similarly provides physical security enhancement to a remote access session. Connection key 18 contains authentication information, including unique identifier information assigned to a specific connection key (hereinafter “connection key identifier”). It is anticipated that in certain embodiments the connection key identifier will be stored in the memory of the connection key 40 using software and hardware security features to prevent the connection key identifier from being read, copied or changed. When connection key 18 is connected to remote access terminal 16, the connection key identifier stored on connection key 18 is configured to load onto remote access terminal 16. The connection key identifier is then used during authentication routines to determine if connection key 18 is authorized.
To set up connection key 18 as a physical authentication device, a connection key identifier can be registered with locator server computer 14 such that connection key 18 is authorized. The registration of connection key identifier can be set up in a similar way to the set up of the remote access terminal identifier, i.e. through a registration routine running on personal computer 12, as is well known. The connection key identifier can be stored in the dynamic directory at locator server computer 14, as is well known. The parameters of the operation of the registration routine can further be set by a user such that locator server computer 14 enables a user to remotely access personal computer 12 only when an authorized connection key 18 is used conjointly.
As will be readily understood, through programming at the locator server computer 14, connection key 18 and/or the remote access terminal 16, various authentication configurations can be effected. For example, by way of programming on the connection key 18, the key will cause an authentication routine to launch on any Internet connected computer to which it is connected. The system can be configured, alternately, through programming on both the connection key 18 and the remote access terminal 16, to launch an authentication routine only when a matching key and terminal are connected. Similarly, for increased security, programming at the locator server computer 14 can require a recognized combination of a registered connection key 18 and remote access terminal 16 pair before authentication can be achieved. Through such configurations, security breaches through the loss or theft of an individual key 18 or remote access terminal 16 can be prevented.
Accordingly, through the combination of user and physical authentications as described, the remote access security is advantageously enhanced. As such, when a third party discovers an authorized user's identifier, such as login ID and password, the third party would not be able to access personal computer 10 without an authorized connection key 18 and/or remote access terminal 16.
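The authentication configurations described above can be modeled as a deny-by-default decision at the locator server. The following is an added example, not code from the patent or from any product it names; the `Policy` modes, the `Directory` layout, the identifier strings and the sample registrations are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple


class Policy(Enum):
    KEY_ONLY = 1          # a registered connection key is required
    KEY_AND_TERMINAL = 2  # a registered key and a registered terminal
    REGISTERED_PAIR = 3   # key and terminal must be registered together


def _digest(identifier: str) -> bytes:
    # The directory keeps digests, not raw device identifiers.
    return hashlib.sha256(identifier.encode("utf-8")).digest()


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Directory:
    """Hypothetical stand-in for the directory of registered identifiers."""
    keys: set = field(default_factory=set)
    terminals: set = field(default_factory=set)
    pairs: set = field(default_factory=set)
    users: dict = field(default_factory=dict)  # user_id -> (salt, hash)

    def register_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = (salt, _pw_hash(password, salt))

    def register_pair(self, key_id: str, terminal_id: str) -> None:
        k, t = _digest(key_id), _digest(terminal_id)
        self.keys.add(k)
        self.terminals.add(t)
        self.pairs.add((k, t))


@dataclass
class Request:
    user_id: str
    password: str
    key_id: Optional[str] = None
    terminal_id: Optional[str] = None


def authorize(d: Directory, policy: Policy, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason); every path that is not explicitly allowed denies."""
    record = d.users.get(req.user_id)
    # Hash even for unknown users so both failures take similar time.
    salt, expected = record if record else (b"\0" * 16, b"")
    supplied = _pw_hash(req.password, salt)
    if record is None or not hmac.compare_digest(supplied, expected):
        return False, "user credentials rejected"
    if req.key_id is None or _digest(req.key_id) not in d.keys:
        return False, "connection key not registered"
    if policy is Policy.KEY_ONLY:
        return True, "ok"
    if req.terminal_id is None or _digest(req.terminal_id) not in d.terminals:
        return False, "terminal not registered"
    if policy is Policy.KEY_AND_TERMINAL:
        return True, "ok"
    if (_digest(req.key_id), _digest(req.terminal_id)) not in d.pairs:
        return False, "key and terminal are not a registered pair"
    return True, "ok"


def build_sample_directory() -> Directory:
    # Constructed sample registrations; none of these values come from the page.
    d = Directory()
    d.register_user("alice", "correct horse")
    d.register_pair("KEY-A", "TERM-A")
    d.register_pair("KEY-B", "TERM-B")
    return d
```

Under `REGISTERED_PAIR`, a registered key presented with a different registered terminal is refused, which is the case the loss-or-theft argument relies on.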
In some embodiments, connection key 18 is further configured to enable automatic user authentication. Connection key 18 can include an executable code therein that cooperates with (remote access) computer program product 20 running on personal computer 12 as described. To set up, a user connects connection key 18 with personal computer 12, and connection key 18 gathers user identifier, such as user login and password, for storing the same in connection key 18. It is readily understood that this information can be stored in encrypted form as is well known. Therefore, the user does not need to manually authenticate himself, as the process is automated through connection key 18 and the authentication information stored therein. To use, connection key 18 is connected to remote access terminal 16 and the user identifier stored on connection key 18 is automatically loaded onto remote access terminal 16 for completing the authentication routine.
In other embodiments, connection key 18 is configured to automate both the communication request and authentication processes. Specifically, connection key 18 is configured, such as through executable codes stored therein, to cause remote access terminal 16 to generate and send to locator server computer 14 the communication request. More specifically, connection key 18 is configured to cause the communication request to be generated when connection key 18 is connected to remote access terminal 16. As such, the need for a user to manually input a communication request is eliminated. Further, the user identifier stored on connection key 18 can be included in the automated communication request, whereby both the communication request and the user authentication process can be initiated without user interaction. While the steps required by the user to effect authentication can thereby be limited to simply connecting connection key 18 to remote access terminal 16, improved security can be obtained by requiring at least one login parameter, e.g., user password, to be manually entered.
Network connection device 24 connects remote access terminal 16 to the Internet, and for example, can be a wireless modem for connecting to a WLAN network. It will be appreciated by a person of ordinary skill in the art however that network connection device 24 may be of another type or more than one type in order to connect remote access terminal 16 to the aforementioned wired and wireless networks. For example, network connection device 24 may include a 3G modem for connection to a high-speed cellular data network.
Memory 30 includes random access memory (RAM) and read only memory (ROM). In this embodiment, ROM is a flash EEPROM, or flash memory. The ROM can be pre-installed with an operating system that provides the feature of remote access or control of the personal computer 12 and for portable computing, such as Internet access, networking connectivity and printing support. For data security, in this embodiment remote access terminal 16 contains no local non-volatile storage. The ROM is write-protected to prevent the user from storing data locally on the remote access terminal 16. All data is instead remotely stored on personal computer 12. As such, no sensitive data can be compromised from remote access terminal 16 in case it is lost or stolen.
User interface device 28 provides a hardware interface between a user of remote access terminal 16 and microprocessor (CPU) 26, and includes input and output devices as may be necessary for portable computing and to enable remote user access and/or control of personal computer 10. Examples of input devices include a keyboard and a mouse. Examples of output devices include an LCD display.
In an additional embodiment of the present invention, a system such as that depicted in
When secure attachments are to be provided to a third party utilizing the remote access terminal 16, the user of the personal computer 12 will invoke the secure attachment application, by way of example, by clicking on the secure attachment button. In response to this action, the program will create a link by the process described below for the user to clip and paste into the e-mail body providing a path to the attachment on the personal computer 12. Access to the attachment on the personal computer 12 is thereafter controlled through the use of public-private secure encryption keys.
As shown in
As shown in
If the party that is creating the secure attachment selects the option of copying the file to a new location 42, the user will also be presented with the option of having that link automatically deleted after reaching a specified retrieval limit 48. The retrieval limit can be specified either by the number of times in which it is retrieved 50 or a period of time during which it can be retrieved 52.
The dialog box presented to the user creating the secure attachment will also provide the user with the option of securing the attachment through the use of a public private key pair 54. If this option is selected, the user will enter the secure key needed to access the attachment 56. As will be readily understood, this key can be entered either by typing it into an appropriate field, selecting it from a drop down menu of stored keys or, as will be discussed below, by creating a new key.
As a further security precaution, the user creating the secure attachment can create a password that will be required to retrieve the attachment. When the password option is selected 58, the user will be prompted to enter and then reenter the password as is well known. The password would then typically be delivered to the recipient separate from the e-mail providing the link to the secure attachment.
After making the desired above-noted selections and entering the appropriate information, the user will then generate the link to the attachment 60 and the link can be added directly to the e-mail. Alternatively, and in accordance with one embodiment, the links can be presented to the user creating the secure attachment in a separate dialog box which will provide the user with a summary of the elections made regarding the attachments and will present the user with the option of canceling one or more of the secure attachments or copying those to a clipboard to be pasted into the e-mail.
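The retrieval limit and password options described above can be enforced on the machine that holds the file. The following is an added example, not code from the patent; the `LinkStore` class, the random-token link format, the audit list and the sample path are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Link:
    path: str
    max_retrievals: Optional[int]  # limit by number of retrievals
    expires_at: Optional[float]    # limit by period of time
    pw_salt: Optional[bytes]
    pw_hash: Optional[bytes]
    retrievals: int = 0


class LinkStore:
    """Hypothetical link table kept on the computer that serves the attachment."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._links: Dict[str, Link] = {}
        self._clock = clock
        self.audit: List[Tuple[float, str, str]] = []  # (time, token prefix, outcome)

    def create(self, path: str, max_retrievals: Optional[int] = None,
               lifetime_s: Optional[float] = None,
               password: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)  # unguessable value embedded in the link
        salt = pw = None
        if password is not None:
            salt = secrets.token_bytes(16)
            pw = _kdf(password, salt)
        expires = self._clock() + lifetime_s if lifetime_s is not None else None
        self._links[token] = Link(path, max_retrievals, expires, salt, pw)
        return token

    def _log(self, token: str, outcome: str) -> None:
        self.audit.append((self._clock(), token[:8], outcome))

    def redeem(self, token: str, password: Optional[str] = None) -> Optional[str]:
        """Return the file path if retrieval is allowed, else None."""
        link = self._links.get(token)
        if link is None:
            self._log(token, "unknown or deleted link")
            return None
        if link.expires_at is not None and self._clock() >= link.expires_at:
            del self._links[token]  # time limit reached: delete the link
            self._log(token, "expired")
            return None
        if link.pw_hash is not None:
            supplied = _kdf(password or "", link.pw_salt)
            if not hmac.compare_digest(supplied, link.pw_hash):
                self._log(token, "bad password")
                return None
        link.retrievals += 1
        if link.max_retrievals is not None and link.retrievals >= link.max_retrievals:
            del self._links[token]  # count limit reached: delete the link
        self._log(token, "retrieved")
        return link.path
```

Failed password attempts are recorded but do not count against the retrieval limit in this sketch; a deployment would normally add its own lockout or rate limit.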
The process for creation of a new secure key, and subsequent use of an existing secure key, will now be described. As will be readily understood, the user can invoke the application for creation of a secure key by selecting a link while creating a secure attachment or through a link provided elsewhere on the personal computer, e.g., on the desktop.
Once invoked, the public private key pair application will prompt the user to identify a new ID for a key to be created and then generate a new key pair for that user ID. The public key of this key pair would then be provided to the remote user separate from the e-mail containing a link to a secure attachment and that public key would be utilized in accessing the attachment. In one embodiment, the public key is provided to the remote user on a USB stick 62. It should be readily understood that the secure key can be provided on the same USB stick as the connection key 18; however, because this will limit the ability to manage the public-private key pairs, it is envisioned that separate USB sticks would be used for the connection key 18 and public encryption key 62.
It should be understood that a single public-private key pair can be used for secure attachments to all remote users, a single public-private key pair can be used for multiple users or separate public-private key pairs can be used for specific users. It should also be readily understood that the user generating the public-private key pairs manages the key pairs and thus, has the ability to both create and remove key pairs as desired in order to further manage access to secure files.
Once the link to the secure attachment is created and added to an e-mail, the e-mail would thereafter be sent from the personal computer 12 to the remote user 16. Once received, the remote user will open the e-mail and click on the secure attachment link. This action will cause the remote computer 16 to send a request for communication with the personal computer 12 to the locator server computer 14. The locator server computer will create a communication session between the remote computer 16 and the personal computer 12 as discussed above, thereby allowing the remote computer 16 to access the secure attachment on the personal computer 12.
It will be readily understood that, through use of the foregoing described secure attachment feature, the size limitations for e-mail imposed by e-mail services can be overcome. In addition, because the e-mail attachments are being received from trusted parties, e-mail filters can be bypassed for file types such as .exe without the fear of virus contamination. An additional advantage of the foregoing secure attachment program is that restrictions can be placed on access and audit trails can be created for received attachments.
It will also be readily understood that when used for providing secure attachments, it is intended that a user at the personal computer in
Other embodiments of remote access terminal 16 have been contemplated. Although in the embodiment as shown in
The method next proceeds to receive authentication information from remote access terminal 16 (68). The authentication information may be received at locator server computer 14 and/or personal computer 12. The authentication information may contain identifier information to authenticate a user of remote access terminal 16, or to authenticate remote access terminal 16 and/or connection key 18. In a preferred embodiment, authentication information contains connection key identifier information stored on connection key 18 and loaded onto remote access terminal 16 when connected thereto. In some embodiments, authentication information may further contain user identifier information stored at connection key 18 that is configured to load onto remote access terminal 16 when connected. Alternatively, the user identifier can be input by the user through an input interface. In other embodiments, authentication information may also contain remote access terminal identifier information associated with remote access terminal 16, as discussed above.
To enhance security, the system can be configured to require connection key 18 and remote access terminal 16 be used in connection with a remote access session. The authentication process is performed in accordance with the configured parameters to determine if the conditions for authentication are satisfied (70). Specifically, personal computer 12 and/or locator server computer 14 authenticates the received authentication information to determine if the user of remote access terminal 16, remote access terminal 16, and/or connection key 18 is authorized.
Based at least in part on the authentication information, one or more communication sessions between remote access terminal 16 and personal computer 12 are created. In the preferred embodiment, once locator server computer 14 has determined the conditions for authentication are satisfied, a communication session is established between the personal computer 12 and the remote computer 16 (74). In one embodiment the remote computer 16 accesses a file within the personal computer 12 directly from the memory of the personal computer 12. Alternatively, the remote computer 16 can access a file within the personal computer 12 indirectly from the memory of the personal computer 12. U.S. Pat. No. 6,928,479 discloses both direct and indirect connection methods between personal computer 12 and remote access terminal 16, the disclosures of which are incorporated herein by reference.
If, however, the conditions for authentication are not satisfied, no communication session is established between personal computer 12 and remote access terminal 16 (72). In some embodiments, in response to the receipt of the communication request in step 66, personal computer 12 or locator server computer 14 may further prompt the user to enter authentication information. For added security, in some embodiments, it is desirable to include a further authentication routine once the communication session(s) is established between remote access terminal 16 and personal computer 12.
While embodiments of the method of the invention are described in the order of steps as shown, a reasonable person of ordinary skill in the art would understand that the order is not so limited. For example, in some embodiments, the communication sessions between personal computer 12 and remote access terminal 16 may be established before performing the authentication routine.
The many features and advantages of the invention are apparent from the detailed specification, and thus, it is intended by the appended claims to cover all such features and advantages of the invention which fall within the true spirit and scope of the invention. Further, since numerous modifications and variations will readily occur to those skilled in the art, it is not desired to limit the invention to the exact construction and operation illustrated and described, and accordingly, all suitable modifications and equivalents may be resorted to, falling within the scope of the invention.
Number | Date | Country | Kind |
---|---|---|---|
2677113 | Aug 2009 | CA | national |