DE102015112891A1 - Device and method for secure storage, management and provision of authentication information - Google Patents

Abstract

The present invention relates to a device 1 and a method for secure storage, management, creation and provision of authentication information. The device 1 comprises a connection arrangement 2 for communication with a computer or other electronic devices, a device for processing and storing data, and an additional device 6 for the local authentication of the user with respect to the device 1 according to the invention. For destination authentication, plain text information is used of data generated on the device 1 and the additional device 6, which are transmitted in the transmission as a string to the connected electronic device or the computer so that they correspond to the inputs of a connected Human Interface Device (HID).

Description

The present invention relates to an apparatus and method for secure storage, management and provision of authentication information, the apparatus consisting of at least one hardware component and means for processing and storing data and a connection arrangement for communicating with a computer or other electronic devices includes.

The increased presence of the Internet and electronic devices in daily life means that you have to manage and remember a variety of passwords, usernames, account numbers, and other sensitive information. In addition, the different electronic devices and the various providers usually have different requirements and rules for the use of passwords, user names, etc., should be avoided for security reasons, passwords multiple or simple, a pattern following or donkey bridges having passwords use. In addition, the methods of retrieving foreign data are becoming ever more subtle and dangerous, so there is an urgent need to better secure your own data and at the same time make it easier.

There are numerous systems for backing up data or accounts known, which are mostly software solutions that require a software installation on each device and, for example, not for BOOT / HD-PW / hard disk encryption protection can be used. There are relatively few pure hardware solutions and they all have the disadvantage of having very limited functionality and security.

The US 2013/0314208 A1 describes a device for authentication comprising a biometric sensor, wherein a portable storage device for electronically storing confidential data is used as a key to pass this data on to another device.

Aruna. D. Mane et al. describe in "Locker Security System Using RFID And GSM Technology" May 2013; International Journal of Advanced Engineering & Technology (IJAET); Vol. 6, Issue 2, pp. 973-980; ISSN: 2231-1963 a locker security system, using RFID and GSM technologies. The system is intended especially for banks and prevents unauthorized persons from having access to the safe or safe.

In the US 2005/0061879 A1 An access authentication system is described which includes a data processing device, a storage medium and an RFID tag. The entered authentication data and the key data are transmitted to the RFID tag and then compared with a stored there second record. If they match, the system generates the access authentication information.

The CN 203166952 U and the CN 2031890939 U describe input devices for passwords related to access to online banking.

The known systems have the deficiency that they have some of the user's for a secure and simple authentication desired features and functions, but their functionality in each case leaves a lot to be desired, since the existing systems are usually highly specialized and often are island solutions that are focused on just one problem and its solution.

Thus, the object of the present invention is to provide a single device and a corresponding method which contain as many as possible or possibly all of the properties desired by the users for secure authentication. The aim of the invention is thus a bundled and open solution, wherein a majority of the authentication tasks are done with an identical security standard and the same method. In particular, these features and tasks include the ability to emulate a keyboard, the ability to connect to a variety of different devices, the ability to use even before the start of the operating system, the protection of the login password, the ability to save, manage and use of many up to an almost unlimited number of ID data records, the possibility of selecting a data record via a display, variations and combination options when using the system, such as User ID + password, password only, with or without TAB or CR / LF, the ability to launch a program or website prior to identification and authentication, unlimited multi-user capability without "sharing" of the personal password and an alternative or additional automatic TAN entry option.

The object is achieved by an apparatus and a method for the secure storage, management, creation and provision of authentication information, the apparatus having a connection arrangement for communicating with a computer or other electronic devices, a device for processing and storing data and an additional device for the local authentication of the user to the device according to the invention and the provision of decryption information and destination information for data. The additional device is preferably a separate device, wherein the device according to the invention is preferably only ready for use when the additional separate device is in contact with the device or is in the vicinity of the device. The device according to the invention is adapted to transmit data as a character string to the connected electronic device or the computer, the data being transmitted in such a way that they correspond to the inputs of a connected Human Interface Device (HID). This can be done, for example, by emulating a keyboard. The separate additional device advantageously comprises an NFC technology and the communication with the separate additional device is preferably based on the RFID technology. In this case, the separate additional device may be a smartphone, a smartwatch or another device comprising an RFID technology or else an electronic identity card.

In the method itself, a distinction is made between the so-called destination authentication, in which the user is confronted with the destination, e.g. a computer, an operating system, or an application that provides evidence of authenticity. This process is carried out representative of the user of the device according to the invention. In order to ensure that only the authorized person can initiate this process, a further local authentication precedes, by means of which the user proves his authenticity with respect to the device according to the invention. This is done for example by means of an electronic card and / or entering a PIN. This process can be supplemented or replaced by testing biometric features.

The authentication data includes usernames, passwords, transaction numbers, one-time passwords, certificates, and / or digital keys. The connection arrangement for communication with a computer or other electronic devices is advantageously designed so that an input by hand can be omitted even if e.g. the computer has not yet loaded an operating system, wherein the connection arrangement is a PS / 2 interface, a USB interface, a serial interface, a cable or a Bluetooth or other wireless interface.

The device for processing and storing data is preferably a microcontroller and in a preferred embodiment comprises a keypad and at least one device for status display, which in turn advantageously comprises LEDs and / or a text field. In addition, the device for processing data preferably comprises a random number generator, which is advantageously a "true random number generator".

The device according to the invention comprises software for setting up, generating and encrypting identity documents and, in a further possible embodiment, a device for querying biometric features. In addition, the device advantageously has a platform-independent device tool with which the user can manage a large number of authentication information.

The device according to the invention is thus a microcomputer solution which securely stores and manages user names and passwords as well as other credentials. Safe, so long and complex passwords are no longer a problem, because the device according to the invention, for example, logs on as a keyboard on the computer, tablet or smartphone and takes over the input of the authentication data.

Compared to the well-known password safe software solutions, such as "keepass", the inventive device has the advantage that it works before an operating system was started, and thus hard disk passwords, encryption of whole hard disks and boot or BIOS passwords can protect. In addition, the device is a closed system of hardware and software, in which no Trojan can break the encryption and spy the passwords unnoticed.

At the same time, the device according to the invention has all the advantages of the software solutions, so that the passwords can be protected with strong cryptographic methods. Since there is no need for typing, very long and complex passwords can easily be used. In addition, you can choose a different password for each login because there is no need to remember the password. Furthermore, passwords can be generated randomly, so that with sufficient length of the password cracking of the password is virtually impossible.

The device comprises a management program which makes it possible in a simple manner to create and modify identity data records consisting of program name, URL or brief description as well as user name and password. For all cases where the user is asked to choose a new password, a simple password change is possible. The identity records can be secured in a file. Secure encryption advantageously ensures that these can only be read into the same device according to the invention. The user can thus store the security without risk in the cloud, on external servers or his smartphone.

At start-up and every time the device has not been used for a certain period of time, the input of a PIN of selectable length is provided. For this purpose, an advantageous embodiment of the device according to the invention provides that the device comprises an input device for selecting an authentication data record and for securely entering PINs and PUKs. Just a few digits offer good protection, because with the encapsulated HW & SW solution a trial and error of several PINs is almost impossible. Advantageously, a small integrated display is provided, on which it can be seen which ID record was selected. At the push of a button, a login process can then be started in which the authentication requirements can be selected, for example if user name and password or only the latter are transmitted. In many cases, even starting the application or entering a URL can be dispensed with because the device according to the invention can do it with you.

A more convenient embodiment of the present invention provides a solution that is also suitable for larger companies and / or workplaces for multiple users. It is envisaged that any number of ID records can be stored, which can be much longer. In addition to the keypad for PIN entry and record selection, this embodiment includes a reader for non-contact radio memory chips. The records can now be stored individually and securely encrypted for each user. For example, a card, a key ring, a small bracelet or simply an adhesive label can be selected. The transfer of user ID and password is replaced by the fact that the chip is brought close to the vicinity (about 5 cm) of the device according to the invention.

For businesses, the device according to the invention is preferably designed as a "family version", wherein all the chips that have been set up on one of the family boxes (box = device according to the invention) can also be used on all other boxes within the family. As an important additional protection is then preferably provided to block the possibility of using foreign chips.

The above more convenient embodiment of the present invention is also advantageously set up for cloud identity management. Thus, providers of cloud services can easily send the user personalized access to their services by chip. Via download of QR codes, the management program of the device according to the invention can program existing chips, so that even the waiting for the postal route can be dispensed with.

In addition to the two above-mentioned embodiments of the device according to the invention, the device can moreover be customized, the possible extension being the use of biometric features, such as e.g. a fingerprint may be provided instead of or in addition to entering a PIN. It is also conceivable to connect with existing or newly created locking systems, so that the same chip can be used for both physical and IT access control. Conversely, the device according to the invention can also be modified so that it can be integrated directly into a locking system. Whether an integration with an existing solution is economically feasible in individual cases, of course, must be checked and depends heavily on the details of the existing solution. It is also conceivable the installation in existing USB or Bluetooth keyboards or a combination solution with these.

An advantageous additional application of the present invention is the use as a TAN generator, wherein the tipping of the TAN is omitted and the TAN is transmitted instead, for example via a USB interface. Also in this case, the TAN generator logs on as a keyboard on the computer, tablet or smartphone, for which usually no additional software is needed.

The present invention is based on the idea of providing a device consisting of one or more hardware components and the associated software, which makes the conventional entity authentication significantly safer, easier to execute and controls the many identities and associated credentials that are required today makes it manageable. The entity to be authenticated is normally a human, but the device also allows the protection of other entities, e.g. Software programs etc.

The apparatus of the present invention significantly improves upon conventional devices having a similar purpose through the use of the USB HID interface to emulate a keyboard on and over existing computers and other electronic devices. The Communication can take place via (USB) plug or cable directly or via wireless remote connections, such as "Bluetooth". So it is no longer necessary to enter credentials by hand or copy by software. In contrast to conventional devices with a similar purpose, there is usually no or minimal intervention in the systems to be protected. The device also allows the management and easy entry of credentials before the computer system to be protected has loaded an operating system (pre boot authentication), which makes it significantly different from the conventional systems.

The device according to the invention stores, delivers and / or generates credentials, e.g. Passwords, TANs (transaction numbers), one-time passwords, private or symmetric cryptographic keys, PINs (personal identification numbers) or answers to test questions. Thus, the device enables the "knowledge" (knowledge of all credentials) through a selectable combination of "possession" (eg of an RFID PICC), "property" (eg of a biometric feature, such as a fingerprint) and simpler "knowledge" ( equal to a PIN). If PIN protection is chosen, then this is much more secure over conventional pure software devices with a similar purpose, because a potential attacker can not use software to attack and thereby, and by additional measures such as blocking after a certain number of failed attempts, the effort for an attack (with the same PIN length) orders orders of magnitude more difficult. In the end, adequate protection is built up even with a 4- or 6-digit PIN, which is not the case with pure software solutions. Therefore, an additional use of the device according to the invention in the protection of conventional software devices with a similar purpose ("cascading use").

The apparatus of the invention preferably employs modern, recognized and pertinent cryptographic methods to protect the credentials from unauthorized copying and use. In contrast to pure software devices with a similar purpose, attacks aiming to discover the keys needed to accomplish orders of magnitude more difficult and expensive because a potential attacker can not gain access to memory, without an extremely expensive and time-consuming and technologically complex physical analysis of the device. In addition, such attacks are easily noticed by anyone, which is not the case with conventional pure software devices.

The device advantageously contains a random number generator for different applications, which fulfills the requirements for the pertinent quality of the random numbers and with whose help it is also possible to generate random credentials. This option is an advantageous alternative to entering credentials through a management program.

The device, even in its simplest embodiment, allows storage of a product-series-dependent set of identification records. A built-in numeric keypad enters a PIN at startup. This input must be repeated after an adjustable time without use. Furthermore, an identification data record is selected via the keypad. As far as the device contains its own display, an identifier of the record is displayed. Pressing a special key will send that record, or parts of it, via the USB, HID (keyboard) interface, after decrypting the credentials with the short-term generated key. The key is immediately deleted (overwritten). The maintenance (setting up, deleting and changing) of the data records via a supplied computer program and the serial (USB) interface can be carried out by the user at any time. Embodiments are possible, which additionally or instead of the PIN unlock the use of other methods, in particular on the query biometric features.

In an advantageous embodiment, the device includes a display and an RFID reader in addition to the keypad. In this case, the first identification data records, the number of which is configuration-dependent, are stored in the device and further data records are stored on the RFID PICCs. This is to provide system dependent records, such as those containing boot, hard-disk, or hard-disk encryption passwords, of personal records, e.g. those that contain user login data, each under the control of the respective owner or delegate managed separately. The system-dependent data records can only be used if the entity is identified and approved via a selectable combination of PIN and PICC. Even if the PICC were completely compromised, this would not lead to the detection of the credentials, as this would necessarily require access to the device and possibly (if so selected) knowledge of the PIN. PICCs can be locked and unlocked at any time using a master PICC. Versions which additionally or instead of the PIN enable the use of further methods, in particular the query of biometric features, are possible.

The device in the design as a TAN generator works similar to the conventional (hardware) devices of this type, but with the difference that no keyboard input on a display must be read and entered by hand, but the transmission by USB HID (keyboard) he follows. Embodiments which additionally or instead of the PIN involve the use of further methods, in particular the query of biometric features, are also possible here. In addition, of course, combinations with the aforementioned embodiments are possible, and also one or all of the aforementioned embodiments can be incorporated or integrated into existing USB HID devices or remote keyboards, Bluetooth keyboards, computer mice or joysticks.

A further advantageous embodiment of the present invention offers providers of network services the ability to send their users RFID PICCs, which allow easy, fast personalized access to their services. Alternatively, the device may be encoded or scanned on a computer by means of a supplied program, such as e.g. Read QR codes. An activation and personalization procedure for the first application ensures that cloud identification records stolen on the transport route or, in particular, copied in the case of encodings can not be used. In this case, the identity record also contains the information to automatically invoke and / or enter programs and / or "URLs" as much as possible.

In the device according to the invention is a separate device that decrypts encrypted passwords of the user after successful authentication of the user and then transmitted as plain text, for example via the USB port of the computer or other electronic device.

In the following, the device according to the invention and the method are additionally explained in detail with reference to figures and a flowchart.

It shows 1 a perspective view of an example of a device together with an RFID tag. The 2 to 6 include flowcharts in which the process flow is systematically represented.

The 1 shows a perspective view of an advantageous embodiment of a device according to the invention 1 for securely storing, managing, creating and providing authentication information, wherein the device 1 a USB port 2 as a connection arrangement for communication with a computer or other electronic devices. In addition, the device owns 1 a display 3 for status display, a keypad 4 and, an RFID antenna 5 for reading and writing radio memory chips. At the same time is in 1 as an additional facility 6 to see an RFID tag for the local authentication of the user to the device 1 and providing decryption information and destination information for data.

Like from the 2 to 6 can be seen, in the inventive method for secure storage, management, creation and provision of authentication requirements, a corresponding device, the connection arrangement 2 for communication with a computer or other electronic devices and means for processing and storing data, in a first step connected to the computer or other electronic devices. Depending on the operating system, it may be necessary to install a suitable driver on the target device beforehand. In a further step, the authentication information is then selected. After selecting the authentication requirements, it is preferable to have a separate additional facility 6 for the local authentication of the user to the device according to the invention and the provision of decryption and destination information for data in contact with the device 1 or in the vicinity of the device 1 brought. It will clear text information using data on the device 1 and the additional facility 6 generated, which are transmitted as a string to the connected electronic device or the computer so that they correspond to the inputs of a connected Human Interface Device (HID), which then performs the destination authentication.

to 2 It should be noted that the start sequence is run through each time the device is reactivated. It decides whether the device is brand new and has to be initialized first, or whether it is immediately ready for use. If the initialization has already taken place, the device expects a PIN entry and an associated PICC. If this communication is not offered, a renewed authentication is expected after a steadily increasing time delay. If the combination of PIN and PICC is accepted, the program continues with the main routine. The initialization sequence shown in parallel is executed when the device is first started or explicitly called. Here, a so-called master key is generated. Thereafter, it is forwarded to another routine for creating the user.

• – Wenn eine gewisse Zeit der Inaktivität verstrichen ist, springt das Programm zurück auf Start und erwartet eine Authentifizierung.
• – Wenn ein valides Signal über einen PICC empfangen wird, wird der erste Sicherheitsdatensatz bzw. die erste Kombination aus Login-Informationen, Passwort und Übertragungsflags übertragen (C).
• – Wenn eine Sondertaste (up, down, ok, del) gedrückt wird, wird ein entsprechendes Aktionsprogramm aktiviert (D). Durch eine Nummernauswahl werden weitere Sicherheitskombinationen gewählt und angezeigt.

In the 3 is the main routine shown. The device expects inputs and can branch into various subroutines or subroutines depending on this. For this, the user activity is monitored as a function of time. The following options are given for this:

• - When a period of inactivity has elapsed, the program returns to startup and awaits authentication.
• - When a valid signal is received via a PICC, the first security record or the first combination of login information, password and transmission flag is transmitted (C).
• - If a special key (up, down, ok, del) is pressed, a corresponding action program is activated (D). A number selection selects and displays additional security combinations.

The in the 4 The subroutines shown are firstly the transfer routine for an ID / password combination as a function of a valid PICC (C), and secondly the subroutine for processing various functions for interpreting key inputs (D). The latter routine has more branching possibilities. These enable, on the one hand, the processing of the safety information directly on the device (F) and, on the other hand, the activation of the serial interface to the input device (E).

5 shows the subroutines for editing the security combinations on the device (F) and the subroutine for connecting to the PC.

In the 6 the subroutine for creating a new or re-initializing an existing user PICC is displayed.

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• US 2013/0314208 A1 [0004]
• US 2005/0061879 A1 [0006]
• CN 203166952 [0007]
• CN 2031890939 [0007]

Cited non-patent literature

• Aruna. D. Mane et al. describe in "Locker Security System Using RFID And GSM Technology" May 2013; International Journal of Advanced Engineering & Technology (IJAET); Vol. 6, Issue 2, pp. 973-980; ISSN: 2231-1963 [0005]

Claims (18)

Contraption ( 1 for secure storage, management, creation and provision of authentication information, comprising - a connection arrangement ( 2 ) for communication with a computer or other electronic equipment, - a device for the processing and storage of data, and - an additional device ( 6 ) for the local authentication of the user to the device ( 1 ) and the provision of decryption information and destination information for data, characterized in that the device ( 1 ) is adapted to transmit data as a string to the connected electronic device or computer, the data being transmitted to correspond to the inputs of a connected Human Interface Device (HID). Device according to claim 1, characterized in that the additional device ( 6 ) is a separate device, wherein the device ( 1 ) is only operational if the separate additional facility ( 6 ) in contact with the device ( 1 ) or in the vicinity of the device ( 1 ) is located. Device according to claim 1 or 2, characterized in that the separate additional device ( 6 ) comprises an NFC technology and the communication with the separate additional device is based on the RFID technology. Device according to one of claims 1 to 3, characterized in that the separate additional device ( 6 ) is a smartphone, a smartwatch or other device comprising an RFID technology. Device according to one of claims 1 to 3, characterized in that the separate additional device ( 6 ) is an electronic identity card. Device according to one of claims 1 to 5, characterized in that the authentication information user names, passwords, transaction numbers , one-time passwords, certificates and / or digital keys. Device according to one of claims 1 to 6, characterized in that the connection arrangement ( 2 ) is designed for communication with a computer or other electronic devices so that an input by hand can be omitted even if the computer or the other electronic devices have not yet loaded an operating system. Device according to one of claims 1 to 7, characterized in that the connection arrangement ( 2 ) to communicate with a computer or other electronic devices a PS / 2 interface, a USB interface ( 2 ), a serial port, a cable, a Bluetooth interface or any other wireless interface. Device according to one of claims 1 to 8, characterized in that the means for processing and storing data is a microcontroller or a microprocessor with separate memory. Device according to one of claims 1 to 9, characterized in that the device comprises an input device ( 4 ) for selecting an authentication record and for securely entering PINs and PUKs. Device according to one of claims 1 to 10, characterized in that the input device (a key pad 4 ). Device according to one of claims 1 to 11, characterized in that the device at least one device for status display ( 3 ). Apparatus according to claim 12, characterized in that the at least one device for status display ( 3 ) LEDs. Apparatus according to claim 12, characterized in that the device for status display ( 3 ) comprises a text field. Device according to one of claims 1 to 14, characterized in that the means for processing data comprises a random number generator. Device according to one of claims 1 to 15, characterized in that the device ( 1 ) includes software for establishing, generating and encrypting credentials. Device according to one of claims 1 to 16, characterized in that the device ( 1 ) comprises means for interrogating biometric features. A method for secure storage, management, creation and provision of authentication information, wherein - a device ( 1 ) having a connection arrangement ( 2 ) for communication with a computer or other electronic devices and a device for processing and storing data, in a first step with the Computer or the other electronic devices, - in a second step, the authentication information is selected and - in a further step, an additional device ( 6 ) for the local authentication of the users to the device ( 1 ), whereby data is transmitted as a string to the connected electronic device or computer corresponding to the inputs of a connected Human Interface Device (HID).

Images