EP1756697A2 - Module de securite amovible (Removable security module) - Google Patents
- Publication number: EP1756697A2 (application EP05766401A)
- Authority: EP (European Patent Office)
- Prior art keywords: security module; removable; module according; host system; authentication means
- Prior art date
- Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications (CPC; all entries sit under G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING)
- G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    - G06F21/31 User authentication
      - G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    - G06F21/44 Program or device authentication
      - G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
  - G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    - G06F21/55 Detecting local intrusion or implementing counter-measures
      - G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    - G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
      - G06F21/575 Secure boot
  - G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    - G06F21/82 Protecting input, output or interconnection devices
      - G06F21/84 Protecting input, output or interconnection devices: output devices, e.g. displays or monitors
- G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    - G06F2221/2105 Dual mode as a secondary aspect
    - G06F2221/2129 Authenticate client device independently of the user
Definitions
- The invention relates to a removable security module for electrical connection to a host system.
- The invention lies generally in the field of data security and secure computing.
- TPM: Trusted Platform Module
- TCG: Trusted Computing Group
- A TPM, in the form of a microcontroller, is permanently installed on the motherboard of a computer and typically holds certificates used to establish a defined security level for operating the computer in a trusted environment.
- The secure system provides certificates that are verified during processes and system operations, particularly during the boot process of hardware and software components.
- The global architecture of a secure computer platform is outlined in the "TCG Specification Architecture Overview", revision 1.2 of 28 April 2004.
- US 2002/0087877 A1 describes a security system for booting the BIOS and a method for securely authenticating a user of a platform during a two-stage BIOS boot process.
- In that document a combined second key is generated on the basis of a first key derived from user authentication in a first boot stage. It is also known from the document to generate a second key from a first key that comes from a token (such as a SmartCard) presented by the user, the process then continuing on the basis of the combined key, which contains a secret element under the user's control.
- EP-A-1 085 396 describes a computer system comprising several physical components and software components that form the typical system platform of a computer, such as the CPU, main memory, monitor, modem, operating system and the like.
- That system includes the platform described above, which communicates with a secure monitoring component.
- The secure system platform creates various security levels depending on the operating state of the computer and of the elements operating under the defined platform.
- The secure computer component tracks the security levels reached according to a set of integrity metrics and, for example, permits selected user data entry only once trustworthiness has been established.
- The object of the invention is to increase the security of computers and of related security-relevant data transfers in a simple and flexible manner.
- This object is achieved by a removable security module having the features of claim 1.
- Such a module makes it possible to retrofit computer systems originally delivered without a built-in security device with the functionality of a secure platform module, in particular a TPM. It also makes it possible to use one TPM with several host systems.
- The object is also achieved by a removable security module having the features of claim 4.
- With such a security module, the security of a host system that already has a permanently installed security component, such as a TPM, can be increased further.
- A higher security level can be built up through policies and procedures specified by the removable security module.
- Figure 1 shows a removable security module according to the invention with partly optional components;
- Figure 2 shows the architecture of a host system with a removable security module according to the invention in a first application;
- Figure 3 shows the architecture of a security module according to the invention;
- Figures 4a, 4b and 4c show the architecture of a host system with a removable security module according to the invention in different variants of a second application;
- Figure 5 schematically shows a locking mechanism for a removable security module according to the invention.
- Figure 1 schematically shows a removable security module 10 according to the invention for electrical connection to a host system, in the PCMCIA ExpressCard format, with a DM-HS chip 12 and, as additional components, a SIM card 14, a flash memory card 16 and a signalling means 18.
- The removable security module 10 can also have another suitable physical format; for example, it can be designed as a USB token or the like.
- The host system 20 has, in a known manner, a secure platform module in the form of a TPM 22 as defined by the industry standards body Trusted Computing Group (TCG).
- The TPM 22 represents a (first) authentication means.
- A removable security module 10 according to the invention is accommodated in a slot of the host system 20.
- The security module 10 communicates with the host system 20 via two independent serial interface connections: an SMBus connection (first interface connection) with low bandwidth and a USB connection (second interface connection) with high bandwidth.
- The two connections can also be carried over a single physical interface; in that case they are distinguished by the protocols used.
- The removable security module 10 comprises a second authentication means and provides extended authentication by means of certificates stored in the security module 10.
- The second authentication means is implemented as a SAM 24 (Secure Authentication Means), which is either embedded in the removable security module 10 or removable from it.
- A protocol is provided according to which a first security level (security policy) is set up first, after which, in a second step, a defined second security level (with a further security policy) can be established via the second interface connection.
- The first interface connection is used mainly to establish the authentication means 24 of the security module 10 as part of the security component or of a secure monitoring system in a separate, secure installation process, to bind the component semi-permanently to the security requirements of the system for an ordinary boot process, and to establish a security policy that supplements and/or "overrides" the security policy previously established by the TPM 22 (first authentication means).
- The signalling means 18, which may comprise one or more LEDs and/or a buzzer, reports the successful establishment of a given security level.
- A secure display on corresponding output components of the host system 20 can also be made reliable by the second authentication means 24 in conjunction with the signalling means 18.
- Data processing operations that require user interaction and authorisation (import and export of secured data to and from the computer platform) are performed over the second interface connection, which operates at a higher transmission rate than the first interface connection.
- The removable security module 10 can establish a security level higher than that provided by the security component (TPM 22) built into the computer.
- The two different types of communication interface can in general be used for different purposes and for applications that require lower or higher transmission rates; both are used to provide security levels when a dedicated communication connection is established.
- A communication control gate element 26 decides whether or not a connection is established, in accordance with the security policy specified by one of the two security components (authentication means 22, 24).
- The security policy is built up from operations and defined operating states that can be reached after mutual authentication of the first and second authentication means 22, 24.
- The communication control gate 26 is operated in accordance with these operating states.
- The removable security module 10 serves as a security gate for data transmission from or to the host system 20, in particular with regard to a flash memory card 16 used as a storage medium.
- This goes beyond a security level enforced by an embedded, unchangeable system component (for example a permanently installed TPM 22): data are transferred into and out of the host system 20 solely in dependence on the security level created by the removable security module 10.
- The removable security module 10 can thus act as an adapter for a removable flash memory card 16.
- The security module 10 controls the reading and writing of data from or to the portable flash memory 16 in accordance with a security policy that may depend on the type of data to be transferred to and from the host system 20.
- The invention also extends to a wireless communication port that can be built into the removable security module 10.
- Through it, the security module 10 interacts with an external network and/or with the host system 20.
- Where the security level required in the network is higher than that of the host system 20, communication of the host system 20 with the network may be blocked because of the host system's insufficient security.
- With the help of the removable security module 10, however, sufficient security can be established after successful authentication, and network communication can then be enabled.
- The authentication means 24 of the removable security module 10 can provide various certificates for authentication to secured systems (for example the TPM, flash data, network connections, remote applications) and can require authentication before routing data through the security module 10.
- The operating system of the host system 20 (or at least essential components of it) is loaded directly from a portable storage medium.
- The storage medium is preferably a flash memory card 16 that can be inserted into the removable security module 10.
- The removable security module 10 provides the interface for the flash memory card 16 so that the data can be transmitted to the host system 20. With this embodiment, different stages of
- A monitoring device is thus created that communicates with the host CPU, using its own capabilities, during the boot process.
- The security levels created for individual system components are displayed to the user.
- The root keys are integral to the removable security module.
- A secure platform module provided by the removable security module 10 "acts" between an internal bus interface (internal interface) and an external peripheral interface (external interface), which may have a lower bandwidth.
- The security transition originates from the authentication means 24 (SAM) of the removable security module 10, is transferred to the TPM and then creates security levels for the platform according to the platform components and peripherals controlled by the TPM.
- The security module 10 thus provides a removable (portable) security component of the host system 20.
- Such a flexible architecture favours the connection of different certificate authorities, so that defined security levels can be worked with across national borders. In an advantageous embodiment of the invention this is achieved by a CA bridge function integrated into a SAM 24, for cases in which a transferable security chain requires the accreditation of CAs for the establishment of a predetermined secure platform.
- Exchanging removable security modules 10, together with the associated encrypted storage media 16, makes the components portable, so that a user can switch from one computer platform to another without needing an online connection before exporting or moving data from one platform to the other.
- The removable security module 10 contains either essential components of a TPM or a complete TPM.
- Possible architectures of a host system 20 in which a TPM is not permanently installed but is at least partly provided by the removable security module 10 are shown in Figures 4a, 4b and 4c.
- An internal high-speed bus connection, such as is specified for the PCI Express bus and by the PCMCIA ExpressCard standard, connects the host CPU 28 to the TPM 30 contained in the removable security module 10.
- All software code executed in the TPM 30 is stored in a memory area 32 for Trusted Building Blocks (TBB) that only the TPM 30 can access.
- TBB: Trusted Building Blocks
- The serial PCI Express bus, as defined in the PCMCIA ExpressCard standard, allows a direct connection to the removable security module 10.
- The host CPU 28 has high-speed program access and performs critical boot and operating-system loading processes by direct memory addressing of RAM or ROM located in the removable security module 10 (see Figures 4b and 4c).
- The invention provides an electromechanical locking mechanism for the removable security module 10.
- The locking mechanism prevents the security module 10 from being removed, and thus prevents possible manipulation before, during or after a given security level is or was set up.
- The locking mechanism has a locking status indicator 34 and adds further levels of security in terms of tamper resistance and tamper evidence. This can extend to the entire computer platform once the removable security module 10 is locked to the host system 20 in accordance with the system implementation.
- The locking mechanism can, for example, be activated as soon as booting and loading of the operating system have been completed at a given security level.
- The security module 10 offers a PIN entry facility.
- A correct PIN entry can, for example, be a prerequisite for sending a certified confirmation message to the first authentication means 22 (of the host system 20) during mutual authentication. Otherwise, according to a security policy specified by the removable security module 10, PIN entry via a component of the host system 20 is permitted only when the TPM 22 is activated. In the case of the electromechanical locking mechanism, provision can be made for it to be released once a PIN entry has been checked by the second authentication means 24 and a corresponding status message has been sent from the security module 10 to the first authentication means 22.
- The security module 10 is resistant to corruption, since as a hardware device it cannot easily be reprogrammed.
- The invention supports the physical security and integrity of sensitive components of the host system 20.
- System stability (software and operating system) against uncontrolled or unexpected removal of important system components is improved.
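The two-step protocol, the gate 26, the data-type policy for the flash card 16 and the PIN-released lock described above, modelled as an added example (not code from the patent or its applicant). The patent authenticates TPM 22 and SAM 24 mutually with certificates; to run offline with the standard library only, the model stands in a pre-provisioned shared secret with HMAC-SHA256 challenge-response, which is an assumption, not the patent's mechanism. The policy table entries, the PIN handling (salted PBKDF2) and all class and function names are likewise assumptions.

```python
"""Model of the two-step security-level protocol of EP1756697A2.

Added example; not code from the patent or its applicant. The patent
authenticates the host TPM (22) and the module's SAM (24) mutually with
certificates. To run offline with the standard library only, this model
substitutes a pre-provisioned shared secret and HMAC-SHA256 challenge-response
for the certificate exchange (an assumption, not the patent's mechanism).
The channel split (SMBus for policy set-up, USB for bulk data), the two
security levels, the communication control gate 26, the flash-card policy
keyed by data type and the PIN-released lock follow the description; the
policy table entries, PIN handling and all names are assumptions.
"""
import hashlib
import hmac
import os
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    LEVEL1 = 1  # module's policy installed over the low-bandwidth channel (SMBus)
    LEVEL2 = 2  # extended level, reachable only after mutual authentication


class Authenticator:
    """One authentication means (TPM 22 or SAM 24) holding a provisioned secret."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self._secret = secret

    def challenge(self) -> bytes:
        return os.urandom(16)

    def respond(self, nonce: bytes) -> bytes:
        # Bind the response to the responder's identity so a challenge cannot be reflected.
        return hmac.new(self._secret, self.name.encode() + nonce, hashlib.sha256).digest()

    def verify(self, peer_name: str, nonce: bytes, response: bytes) -> bool:
        expected = hmac.new(self._secret, peer_name.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def mutual_authenticate(tpm: Authenticator, sam: Authenticator) -> bool:
    """Both sides challenge each other; true only if both checks pass (G06F21/445)."""
    n_tpm = tpm.challenge()
    sam_ok = tpm.verify(sam.name, n_tpm, sam.respond(n_tpm))
    n_sam = sam.challenge()
    tpm_ok = sam.verify(tpm.name, n_sam, tpm.respond(n_sam))
    return sam_ok and tpm_ok


class SecurityModule:
    """Removable module 10: SAM 24, gate 26, PIN check and electromechanical lock."""

    # Assumed policy: (channel, operation) -> minimum level. Anything absent is denied.
    POLICY = {
        ("smbus", "establish_policy"): Level.NONE,
        ("usb", "import_data"): Level.LEVEL2,
        ("usb", "export_data"): Level.LEVEL2,
        ("usb", "flash_read:public"): Level.LEVEL1,
        ("usb", "flash_read:confidential"): Level.LEVEL2,
        ("usb", "flash_write:confidential"): Level.LEVEL2,
        ("wireless", "network"): Level.LEVEL2,
    }

    def __init__(self, sam: Authenticator, pin: str) -> None:
        self.sam = sam
        self.level = Level.NONE
        self.locked = False
        self.status_messages: list = []  # messages the module sends to the TPM 22
        self._salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin, self._salt)

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

    def establish(self, tpm: Authenticator) -> Level:
        """Step 1 over SMBus installs the module's policy (level 1); step 2 needs
        mutual authentication of 22 and 24, reaches level 2 and engages the lock."""
        if self.gate("smbus", "establish_policy"):
            self.level = Level.LEVEL1
        if self.level >= Level.LEVEL1 and mutual_authenticate(tpm, self.sam):
            self.level = Level.LEVEL2
            self.locked = True
        return self.level

    def gate(self, channel: str, operation: str) -> bool:
        """Communication control gate 26: permit only what the current level allows."""
        required = self.POLICY.get((channel, operation))
        return required is not None and self.level >= required

    def release_lock(self, pin: str) -> bool:
        """The lock is released only after the SAM has checked the PIN and a status
        message has been sent to the TPM 22."""
        if not hmac.compare_digest(self._hash_pin(pin, self._salt), self._pin_hash):
            self.status_messages.append("pin_rejected")
            return False
        self.status_messages.append("pin_verified")
        self.locked = False
        return True


if __name__ == "__main__":
    secret = os.urandom(32)  # provisioned into both 22 and 24 (constructed input)
    tpm, sam = Authenticator("TPM22", secret), Authenticator("SAM24", secret)
    module = SecurityModule(sam, pin="4711")
    print("level:", module.establish(tpm).name, "locked:", module.locked)
    print("export over USB:", module.gate("usb", "export_data"))
    rogue = SecurityModule(Authenticator("SAM24", os.urandom(32)), pin="0000")
    print("rogue level:", rogue.establish(tpm).name, "export:", rogue.gate("usb", "export_data"))
```

A module whose SAM does not hold the provisioned secret gets no further than level 1: public flash reads stay allowed, but bulk import/export, confidential flash access and the network path are refused by the gate, and the lock never engages. Identity binding in the response is the detail worth keeping when the HMAC stand-in is replaced with real certificates: each side must sign the other's nonce together with its own identity, or a peer can reflect the challenge back.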
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Details Of Connecting Devices For Male And Female Coupling (AREA)
Abstract
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102004027686 | 2004-06-07 | ||
PCT/EP2005/006111 WO2005122055A2 (fr) | 2004-06-07 | 2005-06-07 | Module de securite amovible |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1756697A2 true EP1756697A2 (fr) | 2007-02-28 |
Family
ID=34972712
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP05766401A Withdrawn EP1756697A2 (fr) | 2004-06-07 | 2005-06-07 | Module de securite amovible |
Country Status (2)
Country | Link |
---|---|
EP (1) | EP1756697A2 (fr) |
WO (1) | WO2005122055A2 (fr) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2911743B1 (fr) * | 2007-01-23 | 2009-04-24 | Ncryptone Sa | Dispositif portable d'authentification. |
US10320571B2 (en) | 2016-09-23 | 2019-06-11 | Microsoft Technology Licensing, Llc | Techniques for authenticating devices using a trusted platform module device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0440158B1 (fr) * | 1990-01-30 | 1997-09-10 | Kabushiki Kaisha Toshiba | Système d'authentification mutuel |
- 2005-06-07: WO PCT/EP2005/006111 (WO2005122055A2, fr), active, Application Filing
- 2005-06-07: EP EP05766401A (EP1756697A2, fr), not active, Withdrawn
Non-Patent Citations (1)
Title |
---|
See references of WO2005122055A3 * |
Also Published As
Publication number | Publication date |
---|---|
WO2005122055A2 (fr) | 2005-12-22 |
WO2005122055A3 (fr) | 2006-04-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE69717063T2 (de) | | Method and system for secure data processing (original title: Verfahren und System zur sicheren Datenverarbeitung) |
DE102009013384B4 (de) | | System and method for providing a secure application fragmentation environment (original title: System und Verfahren zur Bereitstellung einer sicheren Anwendungsfragmentierungsumgebung) |
EP3437012B1 (fr) | | Method, processor and apparatus for verifying the integrity of user data (original title: Procédé, processeur et appareil pour vérifier l'intégrité de données d'utilisateurs) |
EP2602738A2 (fr) | | Device for protecting security mechanisms against malicious attack (original title: Dispositif de protection des mécanismes de sécurité contre la malveillance) |
DE102015209108A1 (de) | | Method and decision gateway for authorising a function of an embedded control unit (original title: Verfahren und Entscheidungsgateway zum Autorisieren einer Funktion eines eingebetteten Steuergerätes) |
DE112008003862T5 (de) | | System and method for delivering a system management command (original title: System und Verfahren zum Liefern eines Systemverwaltungsbefehls) |
WO2011051128A1 (fr) | | Method for operating a tachograph, and corresponding tachograph (original title: Procédé permettant de faire fonctionner un tachographe, et tachographe correspondant) |
EP1999521B1 (fr) | | Field device (original title: Appareil de terrain) |
DE60317024T2 (de) | | Method for setting the configuration information of a storage device (original title: Methode zum Setzen der Konfigurationsinformationen eines Speichergerätes) |
DE102005014352A1 (de) | | Method and control device for controlling a computer's access to user data (original title: Verfahren und Steuervorrichtung zur Steuerung eines Zugriffs eines Computers auf Nutzdaten) |
EP3563209B1 (fr) | | Overall device comprising an authentication device, and authentication method (original title: Dispositif global comprenant un dispositif d'authentification et procédé d'authentification) |
EP2510475A1 (fr) | | Hardware device (original title: Dispositif matériel) |
DE102015202215A1 (de) | | Device and method for operating the device securely (original title: Vorrichtung und Verfahren zum sicheren Betreiben der Vorrichtung) |
DE102007051440B4 (de) | | Method and device for enabling software in a motor vehicle (original title: Verfahren und Vorrichtung zur Freischaltung von Software in einem Kraftfahrzeug) |
EP1756697A2 (fr) | | Removable security module (original title: Module de securite amovible) |
DE602004011965T2 (de) | | Method and circuit for identifying and/or verifying hardware and/or software of a device and of a data carrier working with the device (original title: Verfahren und Schaltung zum Identifizieren und/oder Verifizieren von Hardware und/oder Software eines Geräts und eines mit dem Gerät arbeitenden Datenträgers) |
EP2080144B1 (fr) | | Method for unlocking a smart card (original title: Procédé pour la libération d'une carte à puce) |
EP2038805B1 (fr) | | Method for delegating privileges to a lower-privileged instance by a higher-privileged instance (original title: Procédé de délégation de privilèges à une instance privilégiée inférieure par une instance privilégiée supérieure) |
EP2169579B1 (fr) | | Method and device for accessing a machine-readable document (original title: Procédé et dispositif d'accès à un document lisible sur machine) |
EP1912184A2 (fr) | | Device and method for generating data (original title: Dispositif et procédé destinés à la production de données) |
DE10020562C1 (de) | | Method for correcting an error occurring in a data processing unit (original title: Verfahren zum Beheben eines in einer Datenverarbeitungseinheit auftretenden Fehlers) |
WO2021228581A1 (fr) | | Generation of a container instance with a hardware-bound licence verification method (original title: Génération d'une instance de conteneur avec un procédé de vérification de licence lié à un matériel) |
EP2850553B1 (fr) | | Electronic access protection system, method for operating a computer system, smart card and firmware component (original title: Système de protection d'accès électronique, procédé d'exploitation d'un système informatique, carte à puce et composant à microprogramme) |
WO2020207779A1 (fr) | | Security device and method for monitoring a device's access to a security device (original title: Dispositif de sécurité et procédé pour la surveillance d'un accès d'un appareil à un dispositif de sécurité) |
WO2018103883A1 (fr) | | Secure storage assembly (original title: Ensemble de stockage sécurisé) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Original code: 0009012 |
| 2007-01-08 | 17P | Request for examination filed | |
| | AK | Designated contracting states | Kind code of ref document: A2; designated state(s): DE ES FR GB IT |
| | RIN1 | Information on inventor provided before grant (corrected) | Inventor names: NEIFER, WOLFGANG; GENEVOIS, CHRISTOPHE |
| | DAX | Request for extension of the European patent (deleted) | |
| | RBV | Designated contracting states (corrected) | Designated state(s): DE ES FR GB IT |
| 2008-12-17 | 17Q | First examination report despatched | |
| | STAA | Information on the status of an EP patent application or granted EP patent | Status: the application is deemed to be withdrawn |
| 2009-01-03 | 18D | Application deemed to be withdrawn | |