DE202010016729U1 - External device with at least one memory - Google Patents

Abstract

External device (100) having at least one memory which can be connected to a computer (24) or computer network via a serial bus system, characterized in that it comprises a processor (14) and a USB drive (15) and a biometric means (12b ) for identifying a person, wherein processor (14), USB drive (15) and biometric means (12b) are coupled together.

Description

The invention relates to an external device with at least one memory which can be connected to a computer or computer network via a serial bus system.

State of the art

External devices of the type mentioned are known from the prior art and find particular in the form of USB sticks as a storage medium application. They fulfill in particular the function of a hard disk, the data being stored electronically on a memory, in particular on a so-called flash memory.

Conventional USB sticks are designed such that a USB plug that extends from a front end of the stick's circuit board is exposed by protruding from the opening of the USB stick casing.

In addition, USB sticks are known which are provided with the corresponding software for secure storage and in order to avoid data misuse.

This is also a from the DE 10 2009 007 345 A1 previously known USB stick with a security controller connected to a USB interface, which has a connection to a variable volume chip. In this way, data to be stored on a memory chip can be encrypted using the security controller. In addition, the known safety controller is used in a USB stick to connect a disk or memory chip to the USB interface, the disk is inserted into the USB stick. Device and method in the DE 10 2009 007 345 A1 represent approaches to provide data security by means of a USB stick and prevent data misuse.

A disadvantage of these prior art devices, however, is that they represent only an instrument for securely storing data on USB sticks.

Especially in the recent past, however, due to increased cases of data abuse, the protection of computers and networks against attacks from the network or unauthorized access, both from internal and external sources, has become more important.

DESCRIPTION OF THE INVENTION: Problem, Solution, Advantages

It is therefore an object of the invention to provide an external device of the type mentioned above, with the help of which security-relevant areas and sensitive data in computers and computer networks experience increased protection against access by unauthorized persons.

This object is achieved with the features of claim 1 or 2. Advantageous embodiments of the invention manifest themselves in the subclaims.

According to the invention, the external device, which is also referred to as a transaction key in a terminology used herein, comprises a processor as well as a USB drive and a biometric means for identifying a person, wherein processor, USB drive and biometric means are coupled together.

The core idea of the invention is that the verification or the access authorization, after the external device is inserted into a USB interface, by means of a precise identification ensuring biometric detection.

For this purpose, the physiological feature of the user is stored in advance on the USB drive and / or in the computer or in the computer network, so that the detected and recognized physiological feature can be adjusted directly internally preferably with the stored data of the physiological feature. There is also an alignment within the external device with the flash memory and ID chip as well as the physiological feature, the data then being sent to the server (computer network). The physiological feature, which is preferably a fingerprint, is read in via the biometric means, which is preferably a fingerprint sensor, and compared to the biometric data stored on the USB drive via the external device's processor. Thereafter, a memory of the external device, which is preferably as a working memory, the confirmation to a computer or to a computer network for comparison, whereupon the computer sends back in a positive comparison of the data, a signal to the processor of the external device, so that the Processor can send a corresponding code directly to the computer or to the computer network. For the implementation of this Verificationstechnik a corresponding computer program is provided.

As a result, the device according to the invention provides efficient access protection for Computers, laptops or other mobile computer-related devices, such as As netbooks, smartphones or mobile phones. Furthermore, the device according to the invention provides secure protection for entire computer networks as z. B. in research and development facilities use. In this case, the access protection on the entire system, for. The computer or the network. The inventive device thus also offers the possibility of a secure remote access (Secure Remote Access) to a network, eg. Company network, computer network of a research institution, or university network. For this purpose, the inventive device allows, for example, a VPN (Virtual Private Network) connection. This offers the advantage that in advance no additional software installation or setting must be made to a VPN connection of z. B. set up a laptop to a corporate network. With the device according to the invention, a VPN connection to a secure network can be set up from any location after successful user identification without additional software setting. Furthermore, it is possible to protect certain areas within the system from unauthorized access by the device according to the invention. For this purpose, the access rights can be defined and set according to the user or user groups corresponding to the respective application. It is thus possible for individual users to have access to individual areas in the system or for users to have access to previously defined data, data areas or even computer programs.

• – Unterschiedliche Life-Cycle-Phasen zur Kontrolle der zulässigen Kommandos;
• – Schutz aller Datenobjekte mit bis zu 127 verschiedenen Zugriffsrechten pro Verzeichnisebene;
• – Logische Kombinationen der Zugriffsrechte in hoher Komplexität;
• – Schutz aller Datenobjekte mittels eigener feingranularer Access Kondition Schemata;
• – Sichere Speicherung von PINs und Schlüssel als Objekte;
• – eigenes Betriebssystem.

Alternatively, the external device according to the invention comprises a processor as well as a crypto chip and a biometric means for identifying a person, wherein the processor, biometric means and crypto chip are coupled together. Through this type of encryption, the biometric data of the user and a corresponding ID can be written directly to a chip, namely to the crypto chip. For data security, a crypto chip has clearly structured security architectures and has a variety of highly flexible protection mechanisms, such as:

• - Different life-cycle phases to control the permissible commands;
• - Protection of all data objects with up to 127 different access rights per directory level;
• - Logical combinations of access rights in high complexity;
• - Protection of all data objects by means of their own fine granular access condition schemes;
• - Secure storage of PINs and keys as objects;
• - own operating system.

In the technology of the crypto chip, the fingerprint is embedded in the processor via template matching. This ensures that no biometric data is transferred to external computers. The biometric data are thus fully protected and unadjustable. A template engine is software that processes a file (the template) and fills certain placeholders in it with current content. The original goal of cryptography is to disguise data for unauthorized third parties by applying encryption methods or the doctrine of the secrecy of information. Encryption is all the stronger, the more theoretical or mathematical effort would have to be operated to perform the reconstruction of the data by an unauthorized person. Cryptography also includes methods of authentication, electronic signature and authenticity verification.

According to the invention, the external device comprises an encryption unit. Thus, encrypted as well as unencrypted areas on a hard disk or other data carrier as well as partitions on several hard disks of a computer system can be managed and protected against unauthorized access. Furthermore, the access to different operating systems of a system for the different users can be regulated by means of the external device. Thus, the use of the device according to the invention provides effective protection against unauthorized access from the network, both internally and externally. Also, the invention provides protection against viruses.

Advantageously, the device according to the invention has an RFID (Radio Frequency Identification) chip. This RFID chip, which is used for identification by means of electromagnetic waves, allows the realization of additional functions such. B. door opener, person detection or access control.

Furthermore, it is preferable that the external device has a temperature sensor. The use of a temperature sensor increases the security when reading the fingerprint. Thus, z. B. possible copies of an impression of the actual fingerprint and recognized.

Preferably, the external device further comprises a proximity sensor. By such a proximity sensor z. B. found whether a person is moving or staying around the computer. Thus, therefore, an additional person detection by a proximity sensor is possible. Furthermore, it is conceivable to control the energy saving mode of the computer system by the proximity sensor. For example, if the user is away from the computer or not a person in the area of the computer, the computer can be put into a certain power saving mode. For security reasons, the computer should log out automatically after removal of the user, preferably within a short time window, eg. Within a minute.

Advantageously, the device according to the invention has an ID identification unit. This ID identification unit is for generating identification codes. It is envisaged to create worldwide unique 48-bit long identification codes using the ID identification unit. Shorter or longer identification codes could also be generated. A special neuron chip is used to generate these identification codes. Alternatively, this neuron chip could also by a microprocessor, such. B. ARM processor, replaced and using a special protocol, eg. As LON-Talk protocol, the identification code are generated. LON stands for Local Operating Network. LON is a fieldbus frequently used in automation technology, which is controlled by the international Standard ISO / IEC 14908 is specified. The generated identification code, like the physiological feature, is read and verified by the microcontroller of the external device. For this purpose, the microcontroller of the external device compares the identification code and the physiological feature with previously stored information or data. For further identification by the computer or the computer network, the identification code is sent together with the physiological feature in encrypted or coded form to the computer or computer network. Finally, the computer or a destination server of the computer network compares the transmitted physiological feature and the transmitted identification code with the information stored on the computer or in the computer network.

The device according to the invention preferably also has a radio interface. This radio interface is preferably a serial radio link such. B. WLAN or Bluetooth. The wireless interface can in addition to the wired serial interface, z. B. USB interface, may be provided in the device according to the invention. Alternatively, the radio link could also be the wired interface, e.g. B. USB interface, replace. In any case, the device according to the invention provides that all data required for verification or identification also be sent via the radio link to the computer or computer network. Accordingly, the wireless interface is also such. As the USB interface for transmitting the physiological feature and the identification code to the computer or computer network for final identification. Furthermore, possibly hierarchies, z. For example, user-defined hierarchies or rights can be reassigned or changed after identification via this interface. In addition, it is possible to transmit further information between the computer and the external device via this wireless interface. This could be further security-related data as well as configuration or administrative data. Also, this wireless interface can serve, with the help of this device according to the invention a user clearly with another device, such. B. an ATM to identify.

Furthermore, it is preferred that the device according to the invention has a power supply unit. The power supply unit consists of a small charging buffer, z. As battery or battery, which is provided in the external device, and preferably an additional, more powerful battery, which is located for example in the protective cap (eg., Cap of the USB stick). The external device preferably has a real-time clock, which can thus be supplied with voltage constantly via the charging buffer. When operating the external device via the wired interface, eg. B. USB interface, the power supply via this interface takes place by the computer. Furthermore, it is intended to use this interface for charging the charging buffer and the additionally provided rechargeable battery. For this purpose, the battery is used when operating via the USB interface, which is z. B. in the protective cap of the device, suitably connected to the external device for charging. In addition to the possibility of charging via the USB interface, a charge is also provided with an external power supply. This is especially when using the device according to the invention via the radio interface, z. B. WLAN or Bluetooth. Depending on the capacity of the additional battery, the operation via the wireless interface can be done without using an external power supply for a long period of time.

Preferably, the device according to the invention is designed such that, in addition to the security-relevant data required for the identification, it also has user data with the aid of an internal memory. For this purpose, the external device advantageously has an additional flash module, z. B. NOR flash module on. Depending on the size of the user data to be stored as well as their organization, another memory could also be used, eg. B. NAND flash device can be used. As user data, all user-dependent data, such. B. desktop data are stored. This offers z. B. the advantage that each user z. B. can define desired or frequently used information and store it on the external device. For example, thus background color of the screen or frequently used programs and data on the desktop can be made quickly accessible by links to the user after identification. Furthermore, hierarchy information, such as. B. user-dependent rights are stored.

The advantage of the invention is that all security-relevant data is stored and stored on the external device accessible to the user at any time, so that maximum security is ensured. In addition, according to the invention, it is also given that for starting a computer or computer network a suitable password as well as a physiological feature of the user is sufficient. Also, the invention ensures the full encryption, eg. The hard drive, the workplace and the computer network.

A computer program for a computer device in the form of a computer or computer network connected to the external device provides claim 26, wherein the computer program is implemented on the computer or computer network and includes an algorithm used in a connection between computer device and external device of a processor of the computer device is processed, wherein the algorithm detects the method.

In addition, a method for verifying access authorization of a user of a computer or of a computer network is provided in which biometric data of the user is detected and recognized for verification by means of a biometric means of an external device connected to the computer or computer network according to one of claims 1 to 25.

Dialogue via a serial bus system is important in the context of the invention, since the data at the program level of the computer, the network, the system landscape, etc. can not be deleted, downloaded or moved, and thus the content of the program level is kept secret and the user In this way, for example, a research level with worldwide networking can be made secure. Under serial bus system are both wired, z. As USB, Ethernet or SATA, but also wireless, such. B. WLAN or Bluetooth to understand connections.

For verification of an access authorization, or to identify a user with a computer or with a computer network, the device according to the invention via a wired interface, for. B. USB interface, or a wireless connection, z. B. WLAN or Bluetooth, connected to a computer or a computer network or a system landscape. Upon successful connection, the external device becomes a physiological feature, e.g. B. fingerprint, the user read. For this purpose, the user deletes or sets z. B. his finger via a fingerprint sensor on the external device. Thereafter, the physiological feature, for. As the fingerprint, compared by the microprocessor within the external device with previously stored data of the user's fingerprint and thus identifies the user. Furthermore, the internally generated identification code is read by the microprocessor of the external device and compared with previously stored information. Thereafter, both the fingerprint and the identification code via the USB or the wireless interface in encrypted form to the computer or computer network or system landscape are transmitted. Subsequently, the computer or the target server of the computer network or the system landscape compares the received data with the data stored there, the physiological feature of the associated user and the associated identification code. After agreement of the data, a password or a personal PIN can be additionally requested to increase security. Upon successful identification, the user has access to certain data of the computer or the computer network or the system landscape as well as rights to use certain programs on the computer or in the network. In this case, the rights or data that are accessible to a user can be defined depending on the user or even a specific group membership and other criteria. These access rights can be changed at any time. When the connection between the external device and the computer or computer network is disconnected, access to the data or software is interrupted immediately. This ensures that if the external device is removed from the USB socket or the external device is removed outside the range of the radio connection, access to the data or the software is immediately interrupted. Upon subsequent reconnection, the identification procedure described above must be repeated.

According to the invention, the external device is connected to the interface of the computer after which the previously installed computer program is initialized and initiates the registration in this program level. The computer can be operated without the external device like a conventional computer, but the computer program is not addressed. It is not possible to enter the computer program without the external device, not even via the Internet / Intranet. Preferably, the hard disk of the computer network can be secured with the external device by completely encrypting the bus and data line of the entire system computer / computer network and external device with the external device again in the overall system. This can be implemented via system software by encrypting the data and bus lines using the same principle in the computer, the CPU, the control unit and the arithmetic unit.

Once the computer program has been installed on the ROM and RAM memory, the computer program can secure the computer, network, system switch so that it directly accesses the controller and arithmetic unit in the computer's processor by connecting the external device to a peripheral device interface , Here, the external device sends out an IP address that can be read by the computer controller. Only when the control unit has confirmed the sent IP address, the system is started automatically.

The computer program according to the invention is installed on the computer or computer network so that it functions as an operating system for the external device with the computer, network, system landscape, etc. Thereafter, the initialization process is started automatically and the request to deposit the fingerprint of the user on the fingerprint sensor is displayed. Successful initialization will then be confirmed or prompted to recur.

In order to further increase the protection mechanism of the external device, provision is made to integrate the Mac address of the computer into the external device. In each frame according to the Ethernet II variant, the MAC address of the receiver and the sender is first transmitted in front of the type field and the data. Receiver and transmitter must be part of the Local Area Network (LAN). If a packet is to be sent to another network, it is first sent to a router at the Ethernet level. This analyzes the data on the subordinate layer and then passes the packet on. For this purpose, it generates a new Ethernet frame, if the neighboring network is also an Ethernet. To do this, a router replaces the MAC addresses, d. H. if router R1 is to receive an Ethernet frame and pass it on to router R2, R1 replaces the source address with its own MAC address and the destination address with the MAC address of R2.

To achieve even higher standards, the invention further provides that the IP address is an address in computer networks, such. B. the Internet - based on the Internet Protocol (IP) represents. It is assigned to devices connected to the network. This makes the devices addressable and therefore accessible. The IP address may designate a single recipient or a group of recipients (multicast, broadcast). Conversely, a computer can have multiple IP addresses associated with it.

The IP address is used to transport data from its sender to the intended recipient. Similar to the mailing address on an envelope, data packets are provided with an IP address that uniquely identifies the recipient. Based on this address, the "post offices", the routers, can decide in which direction the parcel should be transported. Unlike postal addresses, IP addresses are not tied to a specific location.

The most popular notation of today's IPv4 addresses consists of four numbers, which can take values from 0 to 255 and are separated by a period, for example, 127.0.0.1. Technically, the address is a 32-digit (IPv4) or 128-digit (IPv6) binary number.

Brief description of the drawings

An embodiment of the invention will be explained in more detail with reference to the drawings. In a schematic representation:

1 a design of the external device according to the invention;

2 the technical structure of the external device 1 ;

3 the data history in the external device 2 ;

4 the essential components of a computer; and

5 a block diagram of the external device;

6 a block diagram of another embodiment of the external device;

7 a block diagram of another embodiment of the external device.

Preferred embodiment of the invention

1 shows a design of the external device according to the invention, denoted by the reference numeral 100 is provided.

The external device 100 has the design of a USB stick and is at one end with a USB plug 11 provided, which is exposed by moving from an opening of the housing 10 projects. The USB plug 11 is suitable for a USB port z. As a computer to be introduced.

The external device 100 also has a biometric 12b in the form of a fingerprint sensor 12 and a proximity sensor 13 on, all or part of the case 10 are integrated. The fingerprint sensor 12 is arranged such that the user of the external device 100 his finger on the scanner surface 12a can lay, so the fingerprint sensor 12 capture the fingerprint and this can be recognized.

2 shows the technical structure of the external device 100 , In addition to the in 1 shown plug 11 has the device 100 the USB drive 15 on, next to the fingerprint sensor 12 and the microprocessor processor 14 to the essential components of the external device 100 belong.

After detecting the fingerprint of the user of the device 100 over the in 1 shown fingerprint sensor 12 the fingerprint is read in and with those on the USB drive 15 previously stored biometric data. Before that, more in 2 components included in the process, namely the processor 14 , the random access memory (RAM) 17 as well as the read-only memory (ROM) 16 By using the external device 100 into the USB interface 23 a computer 24 at a previously on the computer 24 implemented computer program 9 the computer 24 prompt the user for his fingerprint on the fingerprint sensor 12 deposit so that the capture can be done and the fingerprint sensor 12 a digital code to the processor 14 the external device 100 can send, whereupon the memory 17 and the memory will be activated.

The read-only memory 16 and / or the memory 17 the external device 100 now access the USB drive 15 the external device 100 to and compare the biometric data with the fingerprint, which were already stored with the implementation of appropriate software. After this process is completed, the in 4 shown processor 25 of the computer 24 to the read-only memory 26 and the memory 27 of the computer 24 and compares it in memory 27 already stored fingerprint of the user. Next, the in 4 shown processor 25 of the computer 24 an initialization code to the in 2 shown processor 14 the external device 100 back. Only now does the processor produce 14 the external device 100 a log-in code to the processor 25 of the computer 24 , so that the whole system, ie computer 24 and external device 100 , is unlocked.

This connection goes out again 3 showing the data history within the external device 100 shows. The on the fingerprint sensor 12 captured fingerprint is read and the digital code of the Finderprint is over the connection 37 to the processor 14 Posted. From there, be on the connections 38 the working memory 17 and the statistical memory is enabled, which then connects to the USB drive via data lines 15 and access the USB drive 15 Compare already stored by a computer program biometric data of the fingerprint. The working memory 17 provides a corresponding determination via the data line 39 to the computer 24 , The computer 24 in turn provides for a positive comparison of the data over the data line 40 a signal to the processor 14 the external device 100 , whereupon the processor 14 a code over the data line 41 directly to the computer 24 returns. After identification, the computer sends 24 over the data line 40 the release. In the case of a given identity identity, then finally the access to the computer 24 Approved.

How out 2 further indicates the external device 100 In addition, a wireless connection 18 which allows remote programming of the system conditions. The individual components in the external device 100 are via data lines 19 . 20 . 21 . 22 connected with each other.

In addition, how can 4 shows the computer 24 even with other peripherals 29 . 30 . 31 as well as with an input / output 28 be provided. In the 4 shown components of the computer 24 are via data lines 32 . 33 . 34 . 35 . 36 connected with each other.

Preferably, as in 2 set out, to the working memory 17 the fast USB drive 15 as a fast cache (working register), as the processor 14 has a smaller memory. The processor 14 also awards the IP Addresses of the data and bus lines and assigns in this way the planned hierarchy on the program network of the computer 24 the user. Again, the processor attacks 14 to the working memory 17 and the USB drive 15 to. One in the 1 to 4 not shown RFID chip of the external device 100 Also recognizes security areas and captures the users of the external device 100 and preferably already registers the user still to be registered with his biometric data in the program network of the computer 24 ,

The power supply of the external device 100 can, for example, on the in 2 shown serial interface 23 from the computer 24 or come over a battery or cell. In the in 2 shown embodiment of the external device 100 the power supply is provided by a battery backup.

After rebooting and logging in on the computer 24 starts in the external device 100 automatically a previously defined encryption. The encryption takes place via the biometric data comparisons as a first step, for example into the computer program of the computer network, and afterwards over the in 2 shown memory 17 the external device 100 as well as the in 4 shown memory 27 of the computer 24 ,

The external device 100 has a work program that organizes the hierarchies of each user. This hierarchy program is in memory 27 of the computer 24 loaded. This is followed by the external device 100 IP addresses to the system program of the computer 24 , whereupon the program opens and is accessible to the user depending on the hierarchy. The encryption is located both on the external device 100 as well as on the computer 24 , About an appropriate computer program, which is on the computer 24 is implemented, the bus and data lines are controlled.

The emergence of the encryption is designed after the biometric data comparison such that initially the external device 100 an IP address to the computer 24 sends in which the hierarchy program is stored. The hierarchy program automatically resets an IP address. The external device then sends 100 a random number code, the recognized number code being sent to the external device 100 is returned. It then opens the work program a development platform. The first IP address has already sent along the hierarchical level of the user's recorded biometric data, so that the development platform now automatically opens in an approved grid. The data on the development program can not be deleted or downloaded. A program "remove on reboot" remembers these applications for deletion or download and removes or loads the file requests the next time the computer is restarted 24 , but only after approval of a system administrator. Thereafter, the desired file is deleted or desired data on the Internet / Intranet made available to the user. This ensures that the data can not be moved or possibly lost. It should be noted that the encryption can be allowed only if the external device 100 in the interface 23 of the computer 24 located. As a result, the encryption will start automatically after rebooting and logging in only if the external device 100 with the interface 23 of the computer 24 connected is.

5 shows a block diagram of the external device 100 , At the in 5 The blocks shown are functional modules which do not necessarily have to correspond to separate physical modules. A single functional module could be implemented in the external device by multiple physical assemblies. Furthermore, it would be possible to implement multiple functional modules with a single physical device. As a central control of the external device 100 serves a processor 14 , The processor 14 Controls the data and program flow within the external device 100 and has corresponding interfaces to the individual functional units. A microprogram running on the processor controls the functionality of the external device 100 as well as the communication with the connected computer 24 or the network. This can be done by the processor 14 non-volatile memory, e.g. ROM or Flash, as well as volatile memory, e.g. SRAM. The fingerprint sensor 12 is used to capture the fingerprint, the processor 14 the captured fingerprint with the fingerprint features displayed on a Flash device 44 deposited, compares. To generate a globally unique identification ID (identification code), the ID identification unit is used 42 , Another flash component 45 essentially includes user data of one or more users of the external device 100 , Different data regarding the user or the user behavior can be stored on this module. For example, it is possible to store desktop data such as screen wallpapers, icons for faster access to frequently used programs, and links to user-specific data in that memory. This can be done after successful identification of the user with the computer 24 or computer network of the user work with a familiar desktop environment and save any changes for later registration. Via a USB driver block 46 These are data from the flash through a multiplexer 48 to the USB interface 50 Transfer this to a connected computer 24 to convey. Another USB driver block 47 is used to transfer the data through the processor 14 , Furthermore, the external device looks 100 a radio module 49 ago, which via a wireless transmission technology, for. B. Bluetooth or WLAN, via the radio interface 51 with other devices, eg. As computer, computer network, network router or other receivers communicates. For power supply during longer, mains-free use, serves a power supply unit 43 , The power supply unit 43 is preferably realized by one or more batteries. Alternatively, the power supply could 43 also z. B. have battery cells. Through the power supply unit 43 becomes the external device 100 , in particular the internal real-time clock (not shown in the figure), during the mains-free use supplied with voltage. Under power-free use here is the use of the external device 100 via the wireless interface 51 as well as the non-use of the external device understood. During USB operation, ie while using the external device 100 via the USB interface 50 , the external device is preferably from the computer 24 energized. It is provided that the internal voltage source, for. B. Battery, while using the USB interface is reloaded. The internal power supply unit 43 can be inside the external device 100 as well as in a cap of the external device 100 be arranged. As a cap z. As a common cap of a USB stick conceivable. This cap would be a battery to power the external device 100 during the network-free use. During operation of the external device 100 via the USB interface 50 For example, the cap could be suitably connected to the external device for the purpose of charging the batteries. Other possible functional blocks such. B. an RFID chip, a proximity sensor or a temperature sensor are in 5 not shown.

6 shows a block diagram of another embodiment of the external device 100 , Also with the in 6 The blocks shown are functional modules which do not necessarily have to correspond to separate physical modules. A single functional module could be in the external device 100 be realized by multiple physical assemblies. Furthermore, it would also be possible here to implement several functional modules with a single physical module. As a central control of the external device 100 serves the processor 52 , which is preferably in the form of a DSP processor. The processor 52 Controls the data and program flow within the external device 100 and has corresponding interfaces to the individual functional units, which also here as a flash module 53 and RAM module 54 available. The power supply is a power supply unit 42 , By means of the fingerprint sensor 12 the fingerprint is detected. Contrary to in 5 , shown embodiment of the invention, however, for storing the fingerprint and to uniquely identify a user of the flash module 44 and the ID identifying unit 42 (ID chip) through the crypto chip 55 replaced.

As part of the in 6 In the embodiment shown, the crypto chip is replaced by two separate storage media provided for internal data synchronization 55 , The finger pressure sensor 12 is thus in essential to the invention on the processor 52 for communication with the crypto chip 55 integrated and can so the real finger as well as the ID of the user or additional user data directly into the Kryptochip 55 write. The verification is done clearly via the processor 52 to the crypto chip 55 , The cryptochip 55 can also be implemented as a SIM card and from the outside into the external device 100 be insertable. the interface 56 of the processor 52 to the crypto chip 55 is as ISO 7816 Interface trained and thus meets international standard.

The processor 52 can another ISO 7816 interface 57 to have further functional units and thus the external device 100 to expand more functional units. As further functional features come, as from 7 indicates a USB HUB 58 , another USB storage medium 60 as well as a memory controller 59 , which regulates the data flow in question. The authorization for storage on the USB storage medium 60 is only about the processor 52 and with the user data for authorizing the hierarchy in the system. The USB storage medium 60 can be run as an SD card or expanded with an SD card. All functions of the USB storage media are previously on the SIM card or the crypto chip 55 authorized or prohibited according to the user's security level.

LIST OF REFERENCE NUMBERS

100

external device

9

computer program

10

casing

11

USB plug

12

fingerprint sensor

12a

scanner area

12b

biometric agent

13

Proximity sensor

14

processor

15

USB drive

16

Only memory

17

random access memory

18

Wi-Fi connection

19

data line

20

data line

21

data line

22

data line

23

interface

24

computer

24a

computer program

25

processor

26

Only memory

27

random access memory

28

Input / Output

29

peripheral

30

peripheral

31

peripheral

32

data line

33

data line

34

data line

35

data line

36

data line

37

connection

38

connection

39

data line

40

data line

41

data line

42

ID identifying unit

43

Power supply unit

44

memory chip

45

memory chip

46

USB driver block

47

USB driver block

48

multiplexer

49

radio module

50

USB-IF

51

Radio IF

52

processor

53

Flash module

54

RAM module

55

cryptochip

56

interface

57

interface

58

USB HUB

59

memory controller

60

USB storage device

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• DE 102009007345 A1 [0005, 0005]

Cited non-patent literature

• Standard ISO / IEC 14908 [0020]
• ISO 7816 [0060]
• ISO 7816 [0061]

Claims (25)

External device ( 100 ) with at least one memory which is connected to a computer via a serial bus system ( 24 ) or computer network, characterized in that it comprises a processor ( 14 ) and a USB drive ( 15 ) and a biometric ( 12b ) for identifying a person, wherein processor ( 14 ), USB drive ( 15 ) and biometric means ( 12b ) are coupled together. External device ( 100 ) with at least one memory which is connected to a computer via a serial bus system ( 24 ) or computer network, characterized in that it comprises a processor ( 52 ) as well as a cryptochip ( 55 ) and a biometric ( 12b ) for identifying a person, wherein the processor ( 52 ), biometric means ( 12b ) and cryptochip ( 55 ) are coupled together. Device according to claim 1 or 2, characterized in that the means ( 12b ) a fingerprint sensor ( 12 ). Device according to one of claims 1 to 3, characterized in that it comprises a chip. Apparatus according to claim 4, characterized in that the chip is an RFID chip. Device according to one of the preceding claims, characterized in that it comprises means for temperature detection. Device according to one of the preceding claims, characterized in that it is provided with a USB plug ( 11 ) is provided. Device according to one of the preceding claims, characterized in that it has Internet access. Apparatus according to claim 8, characterized in that the access is a WLAN access ( 18 ). Device according to one of the preceding claims, characterized in that it comprises a proximity sensor ( 13 ) having. Device according to one of the preceding claims, characterized in that it comprises at least one memory in the form of a working memory ( 17 ) and / or read-only memory ( 16 ) having. Device according to one of the preceding claims, characterized in that it is provided with a housing ( 10 ) is provided. Device according to one of the preceding claims, characterized in that it has the design of a USB stick. Device according to one of the preceding claims, characterized in that the external device ( 100 ) an ID identification unit ( 42 ) having. Device according to one of the preceding claims, characterized in that the external device ( 100 ) a radio interface ( 51 ), in particular a WLAN and / or a Bluetooth interface. Device according to one of the preceding claims, characterized in that the external device ( 100 ) a power supply unit ( 43 ) having. Device according to one of the preceding claims, characterized in that user data, preferably desktop data, of one or more users in the external device ( 100 ) are stored. Device according to one of claims 2 to 17, characterized in that the crypto chip ( 55 ) is executed as a crypto card and from the outside into the device ( 100 ) is insertable. Device according to one of claims 2 to 17, characterized in that the crypto card is designed as a SIM card. Device according to one of the preceding claims, characterized in that it comprises a USB memory module ( 60 ) having Device according to claim 20, characterized in that the USB memory device ( 60 ) is associated with an SD card. Device according to one of the preceding claims, characterized in that it comprises an LED sensor. Device according to one of the preceding claims, characterized in that it comprises an RFID transmitter and / or a transponder. Device according to one of the preceding claims, characterized in that it is connectable to a cloud (cloud computing). Device according to one of claims 2 to 24, characterized in that it comprises a USB drive.

Images