GB2486920A - USB data storage and generation device connected to a host computer as or as an interface to a Human Interface Device - Google Patents

USB data storage and generation device connected to a host computer as or as an interface to a Human Interface Device

Publication number
GB2486920A
Authority
GB
United Kingdom
Prior art keywords
data
computing device
interface
host
usb
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB201022133A
Other versions
GB201022133D0 (en)
Inventor
Daniel Cvrcek
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to GB201022133A priority Critical patent/GB2486920A/en
Publication of GB201022133D0 publication Critical patent/GB201022133D0/en
Priority to GB201108792A priority patent/GB2486925A/en
Publication of GB2486920A publication Critical patent/GB2486920A/en
Withdrawn legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards

Abstract

The device comprises a USB interface 103 that connects to a host computer (201, fig. 2), a permanent memory 102, a microcontroller 101, a configuration, an internal state (208, fig. 2) and a user interface 105, 106. In an embodiment, the device comprises further USB interfaces 104 for connecting Human Interface Devices (HIDs), e.g. a keyboard (202, fig. 2). The device generates data, on command from its user interface or via a USB interface, using a random number generator and the device's internal state. On command from its user interface or from a connected HID, the device sends the internally stored/generated data to the host. The device inspects communications from connected HIDs for commands defined in its configuration and processes the commands accordingly or blocks communication between the HIDs and the host. The host can communicate directly with connected HIDs and the device may itself communicate as a HID with the host. Preferably the user interface comprises buttons 105 and LEDs 106 and the device communicates via an additional interface 107 with an external computing device to store, display or process data. The device finds application in user authentication and identification, e.g. as a hardware security token.

Description

Title: USB Data Manipulation and Management Device
Background
Information technology requires users to remember large amounts of information like passwords, usernames, user identifiers, access codes, and others. Many of these pieces of information are used for authentication and identification purposes, and although there have been numerous attempts to implement other authentication mechanisms (based on biometric information or ownership of physical tokens), knowledge-based authentication is still used in most applications.
The main drawback of requesting users to remember a piece of information is that it has to be easy to remember. However, easy-to-remember information is also easy to guess and as such insufficiently secure for authentication. The more complicated the information is, the more difficult it is to remember. When people start forgetting their secrets (e.g., passwords), mechanisms for resetting forgotten secrets need to be implemented, which increases management cost and also weakens the security of the authentication.
Statement of Invention
The difficulty of using passwords is their low security on one hand and high cost for implementing password policies and for password resetting on the other hand.
One of the main problems with biometric and token-based authentication approaches as described earlier is a need for specific software and/or hardware extensions of user computers and also changes to communication and computational infrastructures used by these computers.
To overcome this, the present invention proposes a hardware USB device that looks from the USB communication's point of view as a USB keyboard or other suitable human interface device (HID) so that it does not require any changes to the host computers' configuration nor any changes to relevant infrastructures.
The USB device connects to a host computer and generates and stores pieces of information for users and sends a selected piece of information (password) to the host computer when required. The device allows users to use a large number of data items as required by information systems.
Advantages
Preferably the device looks like a USB human interface device (HID) from the USB communication's point of view when connected to the host computer.
Preferably, the device connects between a host computer and one or more HIDs and listens, forwards, and/or manipulates communication from HID(s) to the computer according to its internal configuration.
Preferably, the device has its own user interface allowing users to send commands to the device, and allowing the device to signal its internal state to users.
Preferably, the device uses smartcards and other computing and data storage elements directly connected to it in such a way that no changes to the computer are needed for those additional elements to send data to the host computer.
Preferably, the device implements cloning; an operation that copies the content of one instance of the device to another instance of the device.
Preferably, the device implements partial copying of the content of one instance of the device to another instance of the device.
Preferably, the device sends to the host computer commands launching applications on the computer for the purpose of displaying messages for users from the device.
Preferably, the device accepts messages from the host computer that change its internal state and/or initiate its functions.
Preferably, the device is protected by PIN with a limited number of incorrect attempts.
Without the PIN, the device will not send stored data to the host computer.
Introduction to Drawings
An example of the invention will now be described by referring to the accompanying drawings:
Figure 1/4 shows the internal structure of the device.
Figure 2/4 shows the device connected to a host computer and a keyboard and an example of communication from the keyboard to the host computer.
Figure 3/4 shows enrolment of the device with a remote server using a data diversification algorithm.
Figure 4/4 shows use of the device with a data diversification algorithm for authentication to a remote user.
Detailed Description
A high-level internal structure of the device is shown in figure 1/4. The device contains a microcontroller that connects to all other elements of the device. There are USB interfaces (103) and (104). Interface (103) allows connecting a host computer to the device, interface (104) allows connecting HIDs (human interface devices) to the device.
The microcontroller is connected to a permanent memory (102) that can be part of the same electronic component as the microcontroller. Element (105) represents buttons that users use to send commands to the microcontroller. The microcontroller signals its internal state and responses to users via LED(s) (106). An additional computing component connects to the microcontroller (101) via another interface (107). This additional computing component can be, e.g., a smart card storing data for the microcontroller or even performing specific computational tasks.
Use of the device is shown in the example depicted in figure 2/4. The device (200) is connected to a host computer (201) and a USB keyboard (202) with USB cables. The device (200) is powered from one of its USB interfaces. When the device gets powered, it boots up and initialises.
The device initialisation includes USB enumeration of the keyboard (202) and itself so that the keyboard can start sending and/or receiving data to/from the host computer (201) via the device (200) as well as the device (200) itself.
Data coming from the keyboard (206) is used to update an internal state of the device (208). When the user presses a button (204), the device expects a PIN (205) to be received from the keyboard (202). If the PIN is correct, the device unlocks its permanent memory so that data stored therein can be used for communication to the host computer (201).
Each data packet from the keyboard (206) is inspected for pre-defined values. If such a value is found, the device (200) processes the data according to its internal configuration. Other data is forwarded to the host computer (201).
The device uses its light emitting diodes (LED) (203) or other visual interface to signal its actual state and other information for the user.
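The PIN gate and packet inspection described for figure 2/4, modelled on symbolic key names rather than USB reports (an added example, not part of the patent text). The trigger key, the ENTER terminator, the limit of three attempts and the choice to withhold PIN keystrokes from the host are assumptions.

```python
import hmac

MAX_PIN_ATTEMPTS = 3  # assumption: the page only says "a limited number"


class HidFilter:
    """Sits between a keyboard and the host and decides what the host sees."""

    def __init__(self, pin, stored_data, trigger="F13"):
        self._pin = pin                # PIN (205), constructed value in the test
        self._stored = stored_data     # data held in permanent memory
        self._trigger = trigger        # hypothetical pre-defined command value
        self.unlocked = False
        self.attempts_left = MAX_PIN_ATTEMPTS
        self._pin_buffer = None        # a list while a PIN is being captured

    def press_button(self):
        """Button (204): start expecting a PIN unless the device is locked out."""
        if not self.unlocked and self.attempts_left > 0:
            self._pin_buffer = []

    def on_key(self, key):
        """Handle one key event; return the keys forwarded to the host."""
        if self._pin_buffer is not None:
            # PIN capture: keystrokes are consumed and never reach the host.
            if key != "ENTER":
                self._pin_buffer.append(key)
                return []
            entered = "".join(self._pin_buffer)
            self._pin_buffer = None
            # Constant-time comparison of the entered PIN.
            if hmac.compare_digest(entered.encode(), self._pin.encode()):
                self.unlocked = True
                self.attempts_left = MAX_PIN_ATTEMPTS
            else:
                self.attempts_left -= 1
            return []
        if key == self._trigger:
            # Pre-defined value found: processed by the device, not forwarded.
            return list(self._stored) if self.unlocked else []
        return [key]                   # all other data goes to the host

    def type_keys(self, keys):
        """Feed a sequence of key events and collect what the host received."""
        seen = []
        for key in keys:
            seen.extend(self.on_key(key))
        return seen
```

Once `attempts_left` reaches zero, `press_button()` no longer starts a PIN capture, so the stored data stays unavailable to the host.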
Figure 3/4 shows an example of the steps when a user enrols with a remote server and provides data for future authentication. Step one shows that the device (300) keeps updating its internal state (310). Data (311) coming from a connected keyboard or other HID device (301) is used for these updates.
When the user connects to a remote server (305) and the server requests user enrolment (step two), the enrolment process and generation of a password (312) starts. In step three, the user presses a button (302) on the device. This action tells the device that a permanent secret is required.
The device, in step four, reads from its memory or generates a permanent secret (313) that is also used for subsequent enrolment requests. The device generates a diversification string (314). The diversification string is unique for the given enrolment request and it is also sufficiently long so that it cannot be found by trying random values. Concatenation of values (313) and (314) is used as an input to a one-way function (303) (e.g., a cryptographic hash function SHA-1) to produce the password (312).
In step five, all three values (312), (313), and (314) are sent from the device (300) to the host computer (304). The host computer, in step six, checks the password (312) is correctly computed and deletes the permanent string (313).
The last step, step seven, of the enrolment process is sending of the diversification string (314) and the password (312) to the remote server (305) that stores them for future authentications of the user. The host computer deletes the diversification string (314) and the password (312).
Figure 4/4 shows an example of user authentication to a remote server (405) using a diversification algorithm. The first step is for the user to initiate authentication to a remote server (405). The remote server (405) will send a user's diversification string (414) to the host computer (404).
Step two represents a user's confirmation of the authentication by pressing a button (402) on the device (400).
Once the authentication request is confirmed, the device sends the permanent string (413) to the host computer (403) in step three.
Step four is computation of an authentication string (password) (412) by the host computer using a one-way function (403), the permanent string (413) received from the device and the unique diversification string (414). The resulting string (415) is the required password. In step five, the host computer (404) sends this password to the remote server (405) as a user's authentication password (412). The host computer (404) deletes all strings it received and computed: (412), (413), and (414). The remote server (405) simply compares the received string (412) with the value held locally since the user's enrolment.
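The enrolment (figure 3/4) and authentication (figure 4/4) exchanges above, as an added example that is not part of the patent text. Class and function names and the 32-byte secret and 16-byte diversification string lengths are assumptions; SHA-1 is used only because the description names it as its example one-way function.

```python
import hashlib
import hmac
import secrets


def derive_password(permanent_secret: bytes, diversification: bytes) -> str:
    """Password (312) = one-way function (303) over (313) || (314)."""
    return hashlib.sha1(permanent_secret + diversification).hexdigest()


class Device:
    def __init__(self):
        # Permanent secret (313); fixed length keeps the concatenation unambiguous.
        self.permanent_secret = secrets.token_bytes(32)

    def enrol(self):
        """Figure 3 steps four and five: return (312), (313), (314) to the host."""
        diversification = secrets.token_bytes(16)      # unique per enrolment
        password = derive_password(self.permanent_secret, diversification)
        return password, self.permanent_secret, diversification

    def release_secret(self):
        """Figure 4 step three: sent only after the user presses the button."""
        return self.permanent_secret


class Server:
    def __init__(self):
        self.records = {}              # user -> (diversification, password)

    def enrol(self, user, diversification, password):
        self.records[user] = (diversification, password)

    def challenge(self, user):
        return self.records[user][0]   # figure 4 step one: send (414)

    def verify(self, user, password):
        # Compare with the value held since enrolment, in constant time.
        return hmac.compare_digest(self.records[user][1], password)


def host_enrol(device, server, user):
    password, secret, diversification = device.enrol()
    # Step six: the host checks that the password was computed correctly.
    if not hmac.compare_digest(password, derive_password(secret, diversification)):
        raise ValueError("password does not match secret and diversification")
    del secret                         # the host drops the permanent string
    server.enrol(user, diversification, password)   # step seven


def host_authenticate(device, server, user):
    diversification = server.challenge(user)
    secret = device.release_secret()
    password = derive_password(secret, diversification)   # step four
    del secret
    return server.verify(user, password)                  # step five
```

Because each record holds a different diversification string, the password stored at one server does not verify at another, while the permanent secret (313) is the value the host handles on every authentication.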

Claims (8)

I claim:

  1. A USB data generation and storage device comprising: one USB interface that connects to a host computing device, one or more USB interfaces for connecting human interface devices (HID) to the device, a permanent memory, a user interface, a configuration, an internal state, and a microcontroller that processes communication between USB interfaces, and:
     a. forwards data between connected HIDs and the host computing device so that the host computing device can directly communicate with HIDs;
     b. sends internally stored data to the host computing device on a command from its user interface or from a connected HID;
     c. blocks communication from the connected HIDs to the host computing device according to its configuration;
     d. generates, on a command from its user interface or from one of its USB interfaces, data with a random number generator, an algorithm, and its internal state;
     e. inspects communication from the connected HIDs for commands defined in its configuration and processes the commands according to its configuration.
  2. A device according to Claim 1 that communicates with and/or uses an additional external computing device to store data and/or show data and/or process data.
  3. A device according to Claim 1 that stores a secret data or algorithm shared with another computing device (Verifier) allowing it to synchronise its operation with the Verifier.
  4. A device according to Claim 1 that stores a secret or algorithm shared by a group of these devices and used for their communication and/or use of another computing device (Server).
  5. A device according to Claim 1 without USB interfaces for connecting HIDs that communicates with the host computing device as if it were an HID.
  6. A device according to Claim 5 that communicates with and/or uses an additional external computing device to store data and/or show data and/or process data.
  7. A device according to Claim 5 that stores a secret data or algorithm shared with another computing device (Verifier) allowing it to synchronise its operation with the Verifier.
  8. A device according to Claim 5 that stores a secret or algorithm shared by a group of these devices and used for their communication and/or use of another computing device (Server).
GB201022133A 2010-12-31 2010-12-31 USB data storage and generation device connected to a host computer as or as an interface to a Human Interface Device Withdrawn GB2486920A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB201022133A GB2486920A (en) 2010-12-31 2010-12-31 USB data storage and generation device connected to a host computer as or as an interface to a Human Interface Device
GB201108792A GB2486925A (en) 2010-12-31 2011-05-25 USB data storage and generation device mimics entry of password to host computer from human interface device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB201022133A GB2486920A (en) 2010-12-31 2010-12-31 USB data storage and generation device connected to a host computer as or as an interface to a Human Interface Device

Publications (2)

Publication Number Publication Date
GB201022133D0 GB201022133D0 (en) 2011-02-02
GB2486920A true GB2486920A (en) 2012-07-04

Family

ID=43599137

Family Applications (2)

Application Number Title Priority Date Filing Date
GB201022133A Withdrawn GB2486920A (en) 2010-12-31 2010-12-31 USB data storage and generation device connected to a host computer as or as an interface to a Human Interface Device
GB201108792A Withdrawn GB2486925A (en) 2010-12-31 2011-05-25 USB data storage and generation device mimics entry of password to host computer from human interface device

Family Applications After (1)

Application Number Title Priority Date Filing Date
GB201108792A Withdrawn GB2486925A (en) 2010-12-31 2011-05-25 USB data storage and generation device mimics entry of password to host computer from human interface device

Country Status (1)

Country Link
GB (2) GB2486920A (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103455747A (en) * 2013-06-20 2013-12-18 珠海亿联图灵信息技术有限公司 USB interface token terminal and communication method thereof with host

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001096990A2 (en) * 2000-06-15 2001-12-20 Rainbow Technologies, B.V. Usb-compliant personal key using a smartcard processor and a smartcard reader emulator
WO2002056154A2 (en) * 2001-01-16 2002-07-18 Rainbow Technologies B V Usb securing device with keypad
GB2434228A (en) * 2006-01-05 2007-07-18 Thomas Steven Hulbert A portable, computer-peripheral apparatus including a universal serial bus (usb) connector
US20080263363A1 (en) * 2007-01-22 2008-10-23 Spyrus, Inc. Portable Data Encryption Device with Configurable Security Functionality and Method for File Encryption
US20080263364A1 (en) * 2007-04-20 2008-10-23 Dundas Alan H System and method for providing access to a computer resource
US20090193511A1 (en) * 2008-01-30 2009-07-30 Vasco Data Security, Inc. Two-factor usb authentication token
WO2010072735A1 (en) * 2008-12-24 2010-07-01 Gemalto Sa Portable security device protecting against keystroke loggers
EP2251812A1 (en) * 2009-05-10 2010-11-17 Mario Guido Finetti Transaction verification USB token

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4964075A (en) * 1987-05-08 1990-10-16 A. J. Weiner, Inc. Software and hardware independent auxiliary user programmable intelligent keyboard
US7454783B2 (en) * 2003-08-08 2008-11-18 Metapass, Inc. System, method, and apparatus for automatic login
WO2006128295A1 (en) * 2005-06-01 2006-12-07 Russell Warren Device for transmission of stored password information through a standard computer input interface

Also Published As

Publication number Publication date
GB201108792D0 (en) 2011-07-06
GB2486925A (en) 2012-07-04
GB201022133D0 (en) 2011-02-02

Similar Documents

Publication Publication Date Title
US10542430B2 (en) Quorum-based secure authentication
ES2953529T3 (en) Multi-user strong authentication token
US11706199B2 (en) Electronic device and method for generating attestation certificate based on fused key
US7921455B2 (en) Token device that generates and displays one-time passwords and that couples to a computer for inputting or receiving data for generating and outputting one-time passwords and other functions
US20190354970A1 (en) Cryptographic transaction signing devices and methods therefor
JP5589608B2 (en) Biometric authentication device and biometric authentication program
US20140230019A1 (en) Authentication to a first device using a second device
KR20180048429A (en) Method for authenticating a user by means of a non-secure terminal
US9706401B2 (en) User-authentication-based approval of a first device via communication with a second device
JP6775626B2 (en) Multi-function authentication device and its operation method
CN105279410A (en) User Authentication Retry with a Biometric Sensing Device
JP2022508773A (en) Biocrypt Digital Wallet
KR101905294B1 (en) Methods and apparatus for using keys conveyed via physical contact
JP2013174955A (en) Information processor for which input of information for releasing security is requested and login method
GB2486920A (en) USB data storage and generation device connected to a host computer as or as an interface to a Human Interface Device
US20230053891A1 (en) Electronic device for generating mnemonic phrase of private key and operation method in the electronic device
JP7021790B2 (en) Providing access to structured stored data
KR101930319B1 (en) Method and apparatus for certifing of users in virtual reality devices by biometric
US20190370441A1 (en) Secure re-enrollment of biometric templates using functional encryption
US10223516B2 (en) Login with linked wearable device
US9692751B1 (en) User actuated release of a secret through an audio jack to authenticate the user
KR20180048423A (en) Method for securing a transaction performed from a non-secure terminal
KR20180048424A (en) Method for authenticating a user by means of a non-secure terminal
CN113468565A (en) Intelligent door lock control method and system
WO2024009603A1 (en) Avatar generation device and avatar usage permission device

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)