Patent Application of

Don E. Sprague



Not Applicable

Not Applicable

Not Applicable

Not applicable

Not Applicable


a. Field of invention

This invention relates to the field of security of computers in a system/network. More specifically, the invention includes a broad
access security system for restricting, enabling or otherwise managing access and changes to all system/network online computers
that go way beyond any existing computer security tools.  

b. Description of Related Art.

There are many online security control processes using Ids and passwords to identify who is or is not permitted to access a
computer resource. Fire walls have been implemented to prevent unwanted computer access.  Since the early days of computer
networks, code has been installed on computers to permit remote access or takeover. As business need increases, more code is
installed to enable more ways to permit remote access or takeover.  

Clicking on a link in an email or on a web page activates code that enables remote access or remote takeover. The large number of
site ids and passwords has created a security problem that requires a new approach. It is known that the existing methods of
checking the identity of humans or software seeking access to computers is not adequate.  


The present invention removes existing code that permits human and machine access to computers.  Then the invention installs new
code to establishes an access security system for human and machine software local and remote online access. The access
security system addresses business needs while providing enhanced security. The invention enables user and business to see and
verify information about communication partners. The invention enables users and business to control the installation and activation
of code or applications on their devices when accessing web pages or clicking on links in email or files. The invention enables users
and companies to record common data then reuse it as needed.  

The following main security components interact to provide enhanced security to protect all system/network online computing devices.
They are described in detail later.

- Access Security Manager,
- End user directory security database.  
- Enterprise directory security databases,
- enhanced internet service provider directory services databases,
- National directory security services databases,
- International directory security services master databases.
- Enhanced user to local device access identification, device logon
- Enhanced local to remote access, bidirectional logon


Not applicable

This invention includes access security managers, and remote directory services databases that use human and computer to
computer conversational mode authorization system services to create comprehensive end to end and intermediary system/network
components that address the architectural security requirement of:
- Any user on any network can communicate with any other user on any other network when authorized.
- Anything that can be recorded electronically can be delivered electronically.

To securely permit any to any, all existing openings or doors for computer access must be closed and replaced with secure doors or
access ports.  
- Software must be known before it is given access to computers.
- User must be known before they are given access to computers.

The first part of this invention addresses machine or computer and software identification and access then it addresses human
identification and access.  


All existing code to enable remote activation of an application or installation of an application must be removed. Simply clicking on a
link or button will not automatically enable installation or activation of software or remote control. Clicking on a link or button to activate
an application is controlled through the access security manager.

For applications not already installed on the user device: When a user clicks on a link or button in an email or file or on a web page
that is intended to launch an application, the access security manager examines the activation request. If it is a request to run an
application that is not on the computer, the access security manager checks the national database for known, approved or
disapproved  applications.  Then the access security manager displays an application activation and installation request screen with
detail about the application and the developer owner report from the remote national database. The site or application data must be in
layman terms. The user may click to allow or disallow the installation, or click to disallow and report a suspicious request to the online
database, or click to report and label the application or site as do not communicate. If the user approves the remote request to install
and run an application, the user clicks to allow the application to install.  Once installed, the user must again approve the run of the
application. For enterprise owned devices, the enterprise database is checked for information about approved applications that may
be installed on the computer.

b. Existing application activation

The user is informed about activation of any and all existing applications already installed on the user device. When a user clicks on a
link or button to activate an application, the access security manager examines the application to be activated. If the software is
already installed on the device, the access security manager use upgraded methods of displaying information about the activation of
an application and seeking user approval. The upgrading includes but is not limited to display of application description and status
that is in the national database. The access security manager enables the user to see detail information in laymen terms about all
installed and running application.


In a closed system, a secure logon to any system component may enable a user to access any other system component. A network is
essentially an extended system. Once a user has approved access to their system/network entry point, agreements between
system/network components may enable the user to access all approved system/network components without additional legacy Ids
and password.  

There are two main areas of logon access approval
- User to local device,
- Local device to other local or remote system/network device.


Enhanced user to device access identification enables secure single logon to the local entry device that securely communicates with
remote sites and applications in a logical private system/network.

A single logon approach simplifies the management of Ids and passwords. Single logon applications have been in use since the
global network architecture of any to any when authorized began over 35 years ago. One of the first single logon process was in the
service provider network. Most are in the user device. Although any to any has grown as designed, the security of  when authorized  
has been left behind. A system/network bidirectional computer to computer identification and logon makes legacy Ids and passwords

There are existing techniques to identify a user to a device. Most are limited to a PIN and perhaps a fingerprint.  Additional tools
include an identification card. A combination of device to user logon identification techniques increases security.  Facial recognition
and voice recognition adds a significant level of security. A still shot for facial recognition and voice recognition are requirement for
significantly more secure user to device identification. A real time motion video with voice is the next level. Real time remote viewing of
the devices video and audio showing the actual user adds a significant level of user to device verification.  


As the number of Ids and passwords increases, user mismanagement becomes inevitable. Computers can manage large amounts
of data better than a human. Any data that can be used electronically can be recorded and managed electronically. Ids and passwords
can be securely recorded, managed and delivered electronically. Once the user has been securely identified, the computer can
perform computer to computer identification tasks more efficiently and more securely than the human.  

Legacy Ids and passwords may continue for many uses but secure bidirectional logon will be required for critical financial and
confidential applications.

Bidirectional registration between a local user device and the remote target site or application is through the access security
managers.  Once the user is securely known to the local user device, a legacy password is superfluous. To register a local device to a
remote device or site, the assess security managers at both ends exchange and record component and user information. Both ends
access and verify data in a remote national database with user, application and site information. As part of the registration, a
bidirectional access code that is computer created then encrypted recorded at both ends for future access or logical private network
connection. The access code is revoked if there are any changes to an end device. The bidirectional conversational registration
exchange establishes a logical system/network connection between the two ends that remains as long as there are no
system/network changes that terminate the access code.

Secure network registration to internet service providers and to the national database defined in this invention uses information that
has been recorded in the user and enterprise site access security manager and used over and over.  That information includes things
such as; end user simple human recognizable alias ID, real IP bit address, end users real name, company name if any, all human
recognizable alias addresses and real street addresses and legacy Ids and passwords. It may include computer information such as
device type, serial, operating system and other software level.  All the appropriate end user registration identification information is
recorded in the Internet provider registration database and is mirrored in the national database. The table entry in the national
database is given a bit value that includes the table location, a change level bit value and an approval listing value with known security

A logical system/network connection goes to sleep when it is inactive for a period of time that is managed by both ends.  To wake or
reactivate a logical system/network connection, the devices exchange access codes. Both ends send a national database query to
verify the table entry status of the other end. The query includes the table location and change level bit values. The remote database
sends back a positive or negative match. If the table entry in the national database is at a different level than in the query, the updated
table entry is sent to the end user.  Any time an end user changes their identification information, the access security manager sends
the change information to be mirrored at the Internet service provider database and is propagated to the other remote database.  Any
time a site or user is identified as having security risk by approved security analysts, they send updates to the national  database.  
This use of remote databases that contain real end user data enable both communication partners to actually know real information
about their communication partner.  A failed access code match or a failed database query result in termination of the access code
and the logical system/network connection is closed.  

f. Access Security manager

The access security manager enables user and enterprise manager to control all computer access and change activity. The
computer manufacturer must 1) close all doors or openings that permit changes or remote takeover of all computers and 2) route all
use and software changes to the computer through the access security manager. Devices are listed in the access security manager
as enterprise or individual. All changes to an enterprise device must be approved by the enterprise manager.  All changes to
individual devices must be approved by the device owner.  All change requests must be explained in layman terms.  They must
provide detail business owner identification and purpose of each application or request to access the device or to change or store

The access security manager is the users local device database used to securely record and manage all their reusable information.
The user enters information once then permits the computer to reuse and share the information. The data includes but is not limited
to name, physical address, phone numbers, online Ids and passwords, and financial information. Some of the information is required
to register to use the open Internet.

If the user is not part of an enterprise, the user controls the access security manager. If the user device is part of an enterprise, an
administrator has access to and manages the user device access security manager.  An enterprise manager may limit applications
or sites the device may access.

The user enters a password or pin to gain access to the access security manager. For higher security concerns, face recognition and
voice recognition in addition to fingerprints are used to provide comprehensive identification of the user attempting to access the
devices security controls. The hardware and software manufactures of the device and code must configure the systems in such a way
that; 1) the user cannot alter the code, 2) and the access security manager function cannot be used or altered through a network
connection.  Once the user enters the reusable information, they permit the access security manager to approve use and sharing of
the information.

g. Enterprise directory services database

The enterprise database is similar to the user device database.  It is used to securely record and manage all the enterprise reusable
information. The enterprise administrator enters information once then permits the computer to reuse and share the information. The
data includes but is not limited to Company name, physical address, phone numbers, all enterprise users names and online Ids and
description of all applications in laymen terms.

- Some of the enterprise information is required to register with an internet service provider to use the open Internet.

- Some of the information is required to be sent to the national and international databases.  

h. Internet Service Providers directory services database

Internet services providers enhance their databases to communicate with the user and enterprise databases and the national
databases. The appropriate information they send to the national database about users and enterprises includes but not limited to
user and enterprise real name, bit address, alias computer names, and real physical address.

i. National and international directory security services databases

The remote national and international access security databases include detail information about known, approved or disapproved
sites, users and applications.  The detail data includes but is not limited to; the individual or company owner identification and layman
description of the application and the real Internet Protocol bit address of the origin point of the site, application or user. For end
users, the database includes detail information about the end users of the site such as their real name and real IP bit address. It also
includes the users real name and physical address.  It should also include a picture or screen shot of the user. Security analysts
submit information about known risk from sites, applications and users.  

The data in the international database is shadowed and fed from the  national databases.  The information in the national databases
is shadowed and fed from the Internet services providers databases or may be from the enterprise and user databases.

Data in the national database consists of all known reusable appropriate identification information about users or enterprises. Some
of the data in the users access security manager and in enterprise databases is sent to the national database. User and enterprise
financial data is not sent to or stored in the national database.

User and enterprises and their applications may freely access the national and international databases to find or verify information
about all possible communication partners.

j. Remote Database security

The national and international databases are to be configured in such a way that they have a limited receive portion, a secure process
portion and a limited transmit portion.  The receive and transmit portions communicate with the process portion and through the
network with formatted data so their operating code can not be changed through the network.  The operating code can only be
changed through direct hardwired connection. Access to the process portion of the system is to be in such a way that it can only be
accessed through a hardwired device.

National and international databases are in highly secured federal government facilities. The manufactures must configure the
systems in such a way that some specified changes including those addressed in this invention can only be made through a direct
hard wired or paired connected device. There will be one master international database with shadow copies in other countries.  

k. Alternate or second device access and use

There are existing basic methods of enabling alternate or second device use. A highly secure method of enabling use of an alternate
device requires pairing and registering of the alternate device with each target site. To pair devices, the user must have been securely
identified to the devices and the primary and the alternate device must be bidirectional connected. The access security managers in
both devices are set to pair. The primary device displays a code that the user must enter into the alternate device. The devices
exchange confirmation then the alternate device displays a code that is entered into the primary device.  The devices again exchange
confirmation. Then the IDs and appropriate system/network data for each target sites are transferred to the alternate device. Then the
user must access each site individually from the alternate device to establish the bidirectional access for the alternate device. The
alternate device informs each individual site that it is an alternate device.  The sites send a code to the users cell phone or other
registered address.  The user enters the code in the alternate device. The device sends the code to the site. The site then establishes
the device a second device for the same user.  All the same controls to register the original device are used to register the paired
second device. Enterprise devices may only be paired and registered by an enterprise manager. A notice is sent to the original device
owners address when a device is paired.

l. Legacy ID and password enhanced management

As a result of enhanced user to device identification, legacy Id and password management is simplified. Both secure single logon
and legacy logon require enhanced user to device identification.  Both require the user to use progressively more detailed device
logon steps.  

Site access that does not require an Id or password is not affected. Any logon that does not require approval to spend money may be
considered to be low security. A simple pin to identify the user to access the device may be acceptable for low security remote site
logon. Progressively more user to device identification is specified in the device to site communication requirements specified by
either or both ends. Those conditions are recorded and used by the access security managers at both ends.

To access sites that do not have the access security manager, the users device Id and password vault is used. It is an abridged
single logon.  The access security manager may enter the ID and password or the user may access the vault to see the ID and
password for the site. For the user to access the vault, the user must enter the proper level of device identification. A low security vault
view requires only a Pin entry. Id and password management is somewhat manual for sites that do not have access security
manager secure single logon.  


To enable remote use for things like a support center or collaborative writing is basically the same as enabling an alternate device.  
The user can identify a secure remote support device level of access. For a support services remote view or takeover, the remote
support user does not have access to the security manager but does have access to portions of the computer the user permitted in
the access security manager. To enable remote support access requires the standard secure logon exchange of identification of end
user and enterprises through the enterprise or the national database.

n. Conversational authorization

Conversational authorization among components and users requires separated human input into separated components. Then it
requires the conversation between the separate computer components with additional human interaction and the remote database.  
This separation of users and authorization control components prevents a lone user from attacking a computer. It makes a
coordinated attack difficult to complete.

o. Cookies replaced by secure cookies

Cookies in their existing form are not permitted through the access security manager. Cookies are replaced with secure cookies aka
scookies.  When a session is beginning, a contract or binding agreement command with the rules of the session is shared. The
server or application session contract requirements are explained to the client or end user in layman terms.

The requesting server, site or application cannot make any changes to the receiving client or end user devices.  The receiving client or
users access security manager makes all user approved changes to the user device.  The user may approve individual scookies
requests or approve scookies from specified sites.  When scookies are approved, the access security manager record information in
a secure activity use area for each application. The user may click to permit their access security manager to update specific scookies
recording requests without showing the approval screen.  

An enterprise administrator manager controls scookies on users devices. The administrator may require the user to approve
scookies or may permit the device access security manager to update specific server scookies requests without showing the
approval screen to the user.  The user access security manager retains a record or report of all scookies requests on the enterprise
database.  When a server, site or application requests scookies information from a client or user device, users access security
manager displays the request to the user.  The user may approve and say to always allow scookies information to be sent to that site.
The user may display and manage all actual scookies data.  The user may delete scookies by site or in total.   

p. Electronic credit card

Electronic credit card and other appropriate financial information that is used over and over may be recorded in a separate portion of
the access security manager.  When a target application requires a credit card entry, the application owner presents a formatted
screen to the access security manager.  When the user clicks on fields in the formatted screen, the access security manager displays
information the user clicks to be entered in the formatted screen.

q. The access security manager vault may be used to record any and all reusable user information. Anything that the user knows and
want to recorded and reuse may be recorded shared or otherwise managed by the user and their computer.  

Although the proceeding description contains significant detail, it should not be construed to be limiting the scope of the invention.  It
provides illustrations of the preferred embodiment of the invention.  The control systems features could take many forms that do not
materially alter the nature of the invention.   The scope of the invention should be fixed by the following claims rather than any specific

Having described my invention, I claim;

1        An enhanced computer access security control system for restricting, enabling and managing user and software access, use
and changes to all system/network online computers that go way beyond any existing computer security tools comprised of:
a        Access Security Managers,
b        End user directory security databases,
c        Enterprise directory security databases,
d        Enhanced Internet service provider directory security services databases,
e        National directory security services databases,
f        International directory security services databases.
g        Enhanced user to device access identification, device logon
h        Enhanced local to remote access, bidirectional logon

2        Access Security Managers as recited in claim 1 which control all user and application access to computing devices preventing
unauthorized human and software use or changes using advanced security and identification.

3        End user databases as recited in claim 1 that are managed by the access security manager and contains required access
security data and may also include any and all information the user chooses to record, share or otherwise manage through the
access security manager.  

4        Remote Enterprise, national and international databases as recited in claim 1 that maintain and share reusable enterprise and
user identification information with a secure process to share the reusable information on an as needed basis.

5        Secure Service Manager function on end user devices as recited in claim 1 to control and manage changes to the end user
device comprised of:

a        An access security manager to enable end user to approve, disapprove or otherwise manage installation and activation of code
in the end user device.

b        An access security manager that is installed in the user device to approve, disapprove or otherwise manage links in email or on
web pages to prevent unauthorized activation of code on the user device.

c        An access security manager that replaces cookies with secure cookies that enable end user to approve, disapprove or other
wise manage requests from remote applications to store or otherwise enter information of the end user device.

d        An access security manager that sends secure cookies information to remote applications requesting the information.   

6        An enhanced user to device identification and logon Secure access manager as recited in claim 1 to enable secure device
access and secure system/network access comprised of:

a        A system for enhanced user to device logon using facial recognition with real time video/audio and remote viewing of video and

b        A bidirectional access code that establishes a logical connections between computers that does not require legacy Ids and
passwords for compute to computer access.

c        A system for enhanced enabling of alternate or second user device.

d        A system for enhanced Legacy ID and password management

e        A system for enhanced remote access

f        A system for Electronic credit card management using the access security manger.  


A CONTROL SYSTEM to restrict, enable or otherwise securely manage all human and machine or computer and software access to
system/network components through conversational mode human and computer to computer exchange of information from human
sources and prerecorded database information which securely prevents unauthorized human or software control or changes to
system/network online computers that go way beyond any existing computer security.

Enhanced Cyber security requirements - a beginning  

It is best to find and eliminate the cause of a problem instead of treating the symptom or trying things and hoping they fix the problem.
TELNET is said to be the first code installed on computers to enable remote takeover of a computer. Before 1983 when TELNET was
first installed, it was impossible to hack a computer.


To implement cyber security, there are four main general requirements and many specific detail requirements.  

1. Remove TELNET and all subsequent code that permits remote takeover or hacking. Closing existing openings that permit code
activation when clicking on any link in an email or site.  

2. Enable remote communication but not remote control. Install access security managers that take business requests then handoff
formatted dated. This enables business but blocks remote takeover hacking.

3. Establish national and international public databases that provide real documentation about all end users, applications and sites.
This enable individuals, and enterprises to control trading partner activity based on real data before enabling communication through
their access security manager.

4. Implement enhanced local and remote logon.  Once the user is securely known to the local device, the remote session can be
managed by secure computer to computer access manager control making legacy remote Ids and passwords obsolete.

SKILLS: requirements vs deliver

The skills to develop cyber security requirements are different from the skills to deliver cyber security. Programmers may be great at
writing code but they may not be good at defining requirements.  Sales people are good at assessing a customer needs and filling
them with one of the products or services they have to sell.  Most usually focus on selling the product line.  It takes a rare futuristic
thinking person to create requirement for new products.

There are a wide variety of public and private needs that some have falsely argued compete with security needs. You need people who
know consumer needs, business needs, programming capability and security.  Once the requirements are clear, the programmers
deliver the code.  

To create security requirements, you need people with the following skills:

1.- System Network security skills
2. - Operating System program skills
3. - Marketing and sales skills
4. - System Network management, architecture and  design skills
5. - Project management skills
6. - System Network Problem Determination skills
7. - Program and Product requirements skills
8. - At least one person with all of the above to serve as a Global Network Architect and Security Requirements Consultant.

Once the requirements are completed, the operating systems and the network service providers should be asked to review then design
and implement the solutions.

Based on years of experience with global network requirements and design, I suggest that there is no doubt that some of the
requirements suggested herein  will be part of the cyber security solution.