EP1676191A1 - Method and device for securing and monitoring protected data - Google Patents
Method and device for securing and monitoring protected data
- Publication number
- EP1676191A1 (application EP04790254A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- data
- protected data
- securing
- monitoring
- accesses
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/316—User authentication by observing the pattern of computer usage, e.g. typical user behaviour
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2101—Auditing as a secondary aspect
Definitions
- the invention relates to a device for securing and monitoring protected
- the invention further relates to a method for securing and monitoring protected data (12) against unauthorized access with a device (10) according to one of the preceding claims, wherein (a) the number of authorization code entries for accessing the protected data (12) is determined within a specific time interval (36) and
- access to the protected data is restricted or prevented if the number of entries within the time interval is greater than the reference value.
- Cryptography is basically understood to be the science of researching and implementing methods for encrypting or decrypting data, in which either the encryption method or (when using more uniform encryption methods) the keywords used are kept secret. By changing, swapping or adding characters according to certain rules, a plaintext is converted into a ciphertext and vice versa.
- Such cryptographic methods are e.g. applicable for the storage of data and data transmission. This is currently the most effective means of data protection to make information that has fallen into the wrong hands worthless.
- the methods of cryptography can also ensure the authenticity of a message and the integrity of a file, whereby the latter, the integrity of a file, means the certainty of receiving a file in an unchanged form.
- the data can only be accessed with a suitable digital code.
- the code can, for example, be stored on a magnetic stripe or a chip of a "check card" and is evaluated by means of a suitable reader for access to the protected data. Only when the code verification was successful can the data be decrypted, in particular with the key code. Then the data can be accessed.
- the key code must be entered using a keyboard. Problems can arise with such facilities in that an unauthorized person can try to crack the key code as often as required. With the key code, he finally has unauthorized access to the protected data and can possibly cause considerable damage.
- the German patent DE 198 39 041 C2 describes a method for identifying and displaying states of an incorrect operation counter.
- the operating error counter is installed on an intelligent data carrier. If a defined number of unsuccessful attempts is made to enter an identification feature, access to the intelligent data carrier is automatically blocked. No adaptation to the user takes place when the identification feature is entered.
- a method is known from European patent application EP 1 209 551 A2 to control access to a computer.
- a password is checked. Access is only permitted if the password is valid. If an incorrect password is entered a certain number of times within a time interval, access is prevented.
- the disadvantage of this method is that the password entry does not adapt to the behavior of users. For example, in the case of older people or children, there is an increasing risk that repeated wrong passwords will be entered within a time interval.
- a PIN is entered for identification on mobile terminals. This identification is compared with the SIM card. If the PIN was correct, the user of the mobile radio terminal is logged into a mobile radio network. From now on he is considered to be authorized in this mobile network.
- hackers are people who try to access protected data for a variety of reasons.
- hackers mostly act with criminal intent, e.g. to access a bank or to carry out industrial espionage or sabotage, or otherwise for purely sporting reasons.
- hackers can now access the protected data or functions without the SIM card. With suitable equipment, he can try to access the protected data via other channels, for example with another mobile terminal and an already authorized SIM card. He does not necessarily need the PIN for this.
- the task of the invention to provide a device which avoids the disadvantages of the prior art and prevents an attack on the protected data by any attempts, but which is oriented to the needs of the users.
- the object is achieved in that, in a device for securing protected data of the type mentioned at the outset, (d) means are provided with which the number of accesses to the protected data and/or functions of the volatile or non-volatile data storage is determined within a certain time interval, independently of the entry of the authorization code.
- the invention is based on the principle of monitoring the number of accesses to the protected data within a time interval. It is assumed in the present invention that an authorized user also makes mistakes when entering the authorization code. The proposed measure prevents an unauthorized person from making any attempts to determine the authorization code.
- the device according to the invention also provides the authorized user with a time window in which he can access the protected data with a certain frequency. This requires that the accesses to the protected data are counted in the time interval.
- the system can be cleverly adapted to the user. Someone who usually makes, for example, five accesses during an access process to the encrypted data will continue to have five accesses within a time interval, since the device adapts to the user.
- the data processing unit contains a clock generator for the work cycle, the time interval being predeterminable by a specific number of clock cycles of the clock generator. This measure can make a device largely independent of external timers, since the number of clock cycles determines a time interval.
- the means for recording the access to the protected data contain a counter which counts the number of accesses within the time interval.
- the meter reading can be used to check whether further access to the protected data is possible or whether all access options are initially blocked.
- a preferred embodiment of the invention results from the fact that means for resetting the counter are provided, which reset the counter to zero upon authorized access. This enables the counter to be reset, for example, after a predefined period of time has elapsed, in order to be able to access the protected data again.
- Data storage is provided on a SIM card.
- Such a device can therefore also be used in a suitable manner, for example in mobile radio terminals or telematics devices.
- mobile terminals and telematics devices advantageously designed as a data processing unit.
- the data processing unit is designed as a computer.
- a preferred embodiment of the invention results from alarm means which generate an alarm signal when a number of unauthorized or incorrect accesses is exceeded. This can be used to signal that unauthorized persons may be tampering with the protected data.
- the number of accesses to the protected data is recorded with a counter within a specific time interval. This measure ensures that the number of accesses is recorded so that an event can occur if a number is exceeded in the time interval.
- Such an event consists in a further preferred embodiment of the method according to the invention for securing and monitoring protected data, namely when access to the protected data is restricted. This happens e.g. if a reference value for the number of accesses to the protected is exceeded
- the counter for counting the number of accesses can be reset when the access is correct. This ensures that after incorrect access
- Different users have their own user profile. It may be that, for example, in the case of mobile terminals, e.g. older people and possibly children have a higher error rate when accessing the protected data. It is therefore an advantageous embodiment if the number of accesses for the restriction can be set and / or adapted to a user.
- An advantageous embodiment of the method according to the invention also results if the number of accesses for the restriction is set and/or adapted to a user over a network, in particular a mobile network. This means that the user does not necessarily have to take his device to a service that adjusts the device to his needs.
- a preferred embodiment of the method according to the invention for securing protected data against unauthorized access results from the fact that a suitable alarm signal is generated when a value for the number of accesses to the protected data is exceeded.
- the alarm signal is advantageously not recognizable for the person accessing the protected data. As a result, the unauthorized person may be caught "red-handed".
- if a value for the number of accesses to the protected data is exceeded, further access to the data is denied within a time interval.
- FIG. 1 shows a schematic diagram of an inventive device for securing and monitoring protected data.
- FIG. 1 shows a schematic diagram of a preferred exemplary embodiment of a device 10 according to the invention for securing and monitoring protected data 12.
- the protected data 12 are located in a data memory 14 of the device 10 and are identified by crossed hatching.
- the data 12 are available in a coded or encrypted form according to a cryptographic process.
- the device 10 is located in a data processing unit that is not explicitly shown, for example a computer or a comparable processor-controlled device, such as mobile radio terminals or telematics devices with conventional standardized interfaces 16, which are designed for data access.
- an authorization code 20 can be entered as a digital key, which is therefore symbolically represented as a key.
- the authorization code 20 is passed to a test unit 22.
- the test unit 22 is in turn in one
- a decryption unit 26 decodes the protected data 12 from the data memory 14 and sends it to an output interface 28.
- the authorization code 26 may under certain circumstances be required in whole or in part for the decryption unit 26 to decrypt the protected data 12.
- a monitor, printer or other computer or storage drive can be provided on the output interface 28 in order to display or save the decrypted data 12.
- the data or authorization code transmission between the individual units 18, 22, 26 or interfaces 16, 28 takes place via a data bus 30.
- the processes in the device 10 are controlled with the aid of a processor 32 (CPU), which is clocked by a clock generator 34.
- the clock generator 34 also serves to define a time measure 36 for the authorization apparatus 23.
- a number of clock cycles of the clock generator 34 that can be set by means of adjusting means 38 forms a time interval.
- a counter 40 counts the attempts to make incorrect entries for the authorization code 20 in order to be able to access the protected data 12. If a predetermined number of accesses for the input by the test unit 22 are determined within a set time interval 36, no further accesses via this interface 16 to the protected data 12 are permitted.
- This reference value for the number of possible accesses is calculated from the previous input attempts in time intervals 36, for example by recording the average number of previous authorization code entries per time interval 36. By using a reference value which is calculated from previous input attempts, greater flexibility for the user is achieved.
- Authorization codes 20 blocked within the time interval 36 for a certain period of time or even completely.
- An alarm signal can also be generated to signal that the number of failed attempts to enter the authorization code has been exceeded
- the counter 40 is reset after a predefined period of time.
- the time period for the access restriction can also be dynamically adjusted to the possible user habits.
- a hacker 100 can attempt to access the protected data 12 via a further interface 102, specifically regardless of the authorization code entry described above.
- In order to decrypt the protected data 12, however, he must know the decryption algorithm 104. To find this out, he will access the protected data 12 via data bus 106.
- the frequency of accesses per time interval 108 is likely to be considerably higher than is the case with an authorized user.
- a control unit 110 is provided to control data.
- the control unit 110 contains a counter 112, which counts the number of accesses to the protected data 12.
- the control unit 110 also contains actuating means 114.
- the actuating means 114 are used to set a time measure 116 for the control unit 110 via the clock generator 34. A number of clock cycles of the clock generator 34, which can be set by means of the actuating means 114, forms a time interval 108. A counter 118 counts the number of accesses to the protected data 12.
- This reference value for the number of possible accesses is calculated from the previous accesses in time intervals 108, for example by recording the average number of previous accesses to the protected data 12 per time interval 108. By using a reference value which is calculated from previous accesses per time interval, greater flexibility for the user is achieved.
- if a test unit 120 determines that the number of accesses to the protected data has increased, an alarm 122 is triggered. If the accesses are below a reference value within a time interval, the counter 112 is reset.
- the "administrator" can also use the "reset function" 42 to reset the counter 112 for accessing the protected data 112. Alternatively, the counter 112 is reset after a predefined period of time has elapsed.
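
The counting scheme described above for control unit 110 (accesses per time interval 108 compared with a reference value averaged from previous intervals, a concealed alarm 122, and counter reset), sketched as an added example that is not part of the patent text. The class name, the floor value, the margin factor, the history length and the choice to keep alarmed intervals out of the average are assumptions of this example.

```python
import math
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class AccessMonitor:
    """Per-interval access counter with a learned reference value."""
    interval_ticks: int           # clock cycles that form one time interval
    floor: int = 5                # assumed reference before any history exists
    margin: float = 1.5           # assumed tolerance over the learned average
    history_len: int = 8          # assumed number of past intervals averaged
    history: list = field(default_factory=list)
    alarms: list = field(default_factory=list)  # silent log, never shown to caller
    count: int = 0
    window: int = 0
    blocked: bool = False

    def reference(self) -> int:
        """Average accesses per previous interval, scaled by the margin."""
        if not self.history:
            return self.floor
        return max(self.floor, math.ceil(mean(self.history) * self.margin))

    def _roll(self, tick: int) -> None:
        """Start a new interval when the tick counter crosses a boundary."""
        window = tick // self.interval_ticks
        if window == self.window:
            return
        # Only intervals that stayed within the reference feed the average,
        # so a burst that raised the alarm cannot raise its own limit.
        if self.count and not self.blocked:
            self.history = (self.history + [self.count])[-self.history_len:]
        self.count, self.blocked, self.window = 0, False, window

    def access(self, tick: int, source: str) -> bool:
        """Count one access to the protected data; return True if it is served."""
        self._roll(tick)
        self.count += 1
        if self.count > self.reference():
            if not self.blocked:              # first excess access in this interval
                self.blocked = True
                self.alarms.append((tick, source, self.count))
            return False                      # restricted until the interval ends
        return True

    def admin_reset(self) -> None:
        """Administrator reset of the counter and the restriction."""
        self.count, self.blocked = 0, False


def replay(monitor, events):
    """Feed (tick, source) events to the monitor; return the served/denied flags."""
    return [monitor.access(tick, source) for tick, source in events]


# Constructed sample: a user making five accesses in each of two intervals,
# then twenty accesses in one interval over a second interface.
USER = [(t, "interface-16") for t in (0, 10, 20, 30, 40, 100, 110, 120, 130, 140)]
BURST = [(200 + i, "interface-102") for i in range(20)]

if __name__ == "__main__":
    m = AccessMonitor(interval_ticks=100)
    print(replay(m, USER), replay(m, BURST), m.alarms, m.reference())
```

Every access is counted whether or not an authorization code was entered, which is what lets the monitor see traffic that bypasses the code check.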
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Social Psychology (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a device (10) for securing and monitoring protected data (12) in a volatile and/or non-volatile data memory (14) of a data processing unit, in order to protect them against unauthorized access, access means (18) allowing the protected data (12) in the data memory (14) to be accessed only by means of an authorization code and/or an authorization key. Means (110) make it possible to record accesses to the protected data (12) independently of the entry of the authorization code. The invention also relates to a method for securing and monitoring protected data (12) in order to protect them against unauthorized access by means of such a device (10).
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10348729.8A DE10348729B4 (de) | 2003-10-16 | 2003-10-16 | Device and method for securing protected data |
PCT/EP2004/011338 WO2005038633A1 (fr) | 2003-10-16 | 2004-10-11 | Method and device for securing and monitoring protected data |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1676191A1 (fr) | 2006-07-05 |
Family
ID=34442144
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP04790254A Ceased EP1676191A1 (fr) | 2003-10-16 | 2004-10-11 | Method and device for securing and monitoring protected data |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1676191A1 (fr) |
CN (1) | CN100483297C (fr) |
DE (1) | DE10348729B4 (fr) |
WO (1) | WO2005038633A1 (fr) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102005030072A1 (de) * | 2005-06-27 | 2007-01-04 | Giesecke & Devrient Gmbh | Method for protecting confidential data |
EP2316180A4 (fr) | 2008-08-11 | 2011-12-28 | Assa Abloy Ab | Secure Wiegand interface communications |
ES2485501T3 (es) | 2008-08-14 | 2014-08-13 | Assa Abloy Ab | RFID reader with embedded attack detection heuristics |
CN101448130B (zh) * | 2008-12-19 | 2013-04-17 | 北京中星微电子有限公司 | Method, system and device for data encryption protection in a monitoring system |
CN202803878U (zh) * | 2011-12-22 | 2013-03-20 | 黄启瑞 | Forming system for sheet metal |
CN103428235B (zh) * | 2012-05-15 | 2018-08-17 | 上海博路信息技术有限公司 | A data exchange system |
US9560523B2 (en) * | 2013-08-23 | 2017-01-31 | General Electric Company | Mobile device authentication |
US10452877B2 (en) | 2016-12-16 | 2019-10-22 | Assa Abloy Ab | Methods to combine and auto-configure wiegand and RS485 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0999490A2 (fr) * | 1998-11-05 | 2000-05-10 | Fujitsu Limited | Security monitoring apparatus based on an access log and corresponding method |
WO2002005098A1 (fr) * | 2000-07-07 | 2002-01-17 | Activesky, Inc. | Secure data storage device |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19839041C2 (de) * | 1998-08-28 | 2003-03-27 | Ibm | Method for identifying and displaying states of an incorrect operation counter |
WO2002014987A2 (fr) | 2000-08-18 | 2002-02-21 | Camelot Information Technologies Ltd. | Adaptive system and architecture for access control |
EP1209551B1 (fr) * | 2000-11-28 | 2013-02-13 | International Business Machines Corporation | System and method for preventing unauthorized access to the resources of a computer system |
-
2003
- 2003-10-16 DE DE10348729.8A patent/DE10348729B4/de not_active Expired - Lifetime
-
2004
- 2004-10-11 EP EP04790254A patent/EP1676191A1/fr not_active Ceased
- 2004-10-11 CN CNB2004800370982A patent/CN100483297C/zh active Active
- 2004-10-11 WO PCT/EP2004/011338 patent/WO2005038633A1/fr active Application Filing
Non-Patent Citations (1)
Title |
---|
See also references of WO2005038633A1 * |
Also Published As
Publication number | Publication date |
---|---|
WO2005038633A1 (fr) | 2005-04-28 |
CN100483297C (zh) | 2009-04-29 |
DE10348729B4 (de) | 2022-06-15 |
DE10348729A1 (de) | 2005-05-19 |
CN1894644A (zh) | 2007-01-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
 | 17P | Request for examination filed | Effective date: 20060509 |
 | AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR |
 | DAX | Request for extension of the european patent (deleted) | |
 | 17Q | First examination report despatched | Effective date: 20061229 |
 | REG | Reference to a national code | Ref country code: DE Ref legal event code: R003 |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED |
 | 18R | Application refused | Effective date: 20121121 |