GB2486920A - USB data storage and generation device connected to a host computer as or as an interface to a Human Interface Device - Google Patents
- Publication number: GB2486920A
- Authority: GB (United Kingdom)
- Prior art keywords: data, computing device, interface, host, usb
- Prior art date
- Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
Abstract
The device comprises a USB interface 103 that connects to a host computer (201, fig. 2), a permanent memory 102, a microcontroller 101, a configuration, an internal state (208, fig. 2) and a user interface 105, 106. In an embodiment, the device comprises further USB interfaces 104 for connecting Human Interface Devices (HIDs), e.g. a keyboard (202, fig. 2). The device generates data, on command from its user interface or via a USB interface, using a random number generator and the device's internal state. On command from its user interface or from a connected HID, the device sends the internally stored/generated data to the host. The device inspects communications from connected HIDs for commands defined in its configuration and processes the commands accordingly or blocks communication between the HIDs and the host. The host can communicate directly with connected HIDs and the device may itself communicate as a HID with the host. Preferably the user interface comprises buttons 105 and LEDs 106 and the device communicates via an additional interface 107 with an external computing device to store, display or process data. The device finds application in user authentication and identification, e.g. as a hardware security token.
Description
Title: USB Data Manipulation and Management Device
Background
Information technology requires users to remember large amounts of information such as passwords, usernames, user identifiers, access codes, and others. Many of these pieces of information are used for authentication and identification purposes, and although there have been numerous attempts to implement other authentication mechanisms (based on biometric information or on ownership of physical tokens), knowledge-based authentication is still used in most applications.
The main drawback of requiring users to remember a piece of information is that it has to be easy to remember. However, easy-to-remember information is also easy to guess and as such is insufficiently secure for authentication. The more complicated the information is, the more difficult it is to remember. When people start forgetting their secrets (e.g., passwords), mechanisms for resetting forgotten secrets need to be implemented; these increase management cost and also weaken the security of the authentication.
Statement of Invention
The difficulty of using passwords is their low security on the one hand and the high cost of implementing password policies and password resetting on the other hand.
One of the main problems with the biometric and token-based authentication approaches described earlier is the need for specific software and/or hardware extensions of user computers, and also for changes to the communication and computational infrastructures used by these computers.
To overcome this, the present invention proposes a hardware USB device that appears, from the USB communication's point of view, as a USB keyboard or other suitable human interface device (HID), so that it requires neither changes to the host computers' configuration nor changes to the relevant infrastructures.
The USB device connects to a host computer, generates and stores pieces of information for users, and sends a selected piece of information (a password) to the host computer when required. The device allows users to use as many data items as the information systems require.
Advantages
Preferably, the device looks like a USB human interface device (HID) from the USB communication's point of view when connected to the host computer.
Preferably, the device connects between a host computer and one or more HIDs and listens to, forwards, and/or manipulates communication from the HID(s) to the computer according to its internal configuration.
Preferably, the device has its own user interface allowing users to send commands to the device, and allowing the device to signal its internal state to users.
Preferably, the device uses smartcards and other computing and data storage elements directly connected to it in such a way that no changes to the computer are needed for those additional elements to send data to the host computer.
Preferably, the device implements cloning: an operation that copies the content of one instance of the device to another instance of the device.
Preferably, the device implements partial copying of the content of one instance of the device to another instance of the device.
Preferably, the device sends to the host computer commands launching applications on the computer for the purpose of displaying messages for users from the device.
Preferably, the device accepts messages from the host computer that change its internal state and/or initiate its functions.
Preferably, the device is protected by a PIN with a limited number of incorrect attempts.
Without the PIN, the device will not send stored data to the host computer.
Introduction to Drawings
An example of the invention will now be described by referring to the accompanying drawings:
Figure 1/4 shows the internal structure of the device.
Figure 2/4 shows the device connected to a host computer and a keyboard and an example of communication from the keyboard to the host computer.
Figure 3/4 shows enrolment of the device with a remote server using a data diversification algorithm.
Figure 4/4 shows use of the device with a data diversification algorithm for authentication to a remote user.
Detailed Description
A high-level internal structure of the device is shown in figure 1/4. The device contains a microcontroller that connects to all other elements of the device. There are USB interfaces (103) and (104). Interface (103) allows connecting a host computer to the device; interface (104) allows connecting HIDs (human interface devices) to the device.
The microcontroller is connected to a permanent memory (102) that can be part of the same electronic component as the microcontroller. Element (105) represents buttons that users use to send commands to the microcontroller. The microcontroller signals its internal state and responses to users via LED(s) (106). An additional computing component connects to the microcontroller (101) via another interface (107). This additional computing component can be, e.g., a smart card storing data for the microcontroller or even performing specific computational tasks.
Use of the device is shown in the example depicted in figure 2/4. The device (200) is connected to a host computer (201) and a USB keyboard (202) with USB cables. The device (200) is powered from one of its USB interfaces. When the device is powered, it boots up and initialises.
The device initialisation includes USB enumeration of the keyboard (202) and itself so that the keyboard can start sending and/or receiving data to/from the host computer (201) via the device (200) as well as the device (200) itself.
Data coming from the keyboard (206) is used to update an internal state of the device (208). When the user presses a button (204), the device expects a PIN (205) to be received from the keyboard (202). If the PIN is correct, the device unlocks its permanent memory so that data stored therein can be used for communication to the host computer (201).
Each data packet from the keyboard (206) is inspected for pre-defined values. If such a value is found, the device (200) processes the data according to its internal configuration. Other data is forwarded to the host computer (201).
The device uses its light emitting diodes (LED) (203) or other visual interface to signal its actual state and other information for the user.
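The keyboard-in-the-middle behaviour of figure 2/4 (state updates from keyboard data, PIN entry after a button press, the attempt limit, command inspection, forwarding) as an added Python model; this is example code, not the patent's own, and the "##" command prefix, the three-attempt budget and the SHA-256 PIN verifier are assumptions the page does not specify.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed for this example: the page says commands are "defined in its
# configuration" but gives no literal, so the prefix and the limit are assumptions.
COMMAND_PREFIX = b"##"
MAX_PIN_ATTEMPTS = 3  # "protected by a PIN with a limited number of incorrect attempts"


@dataclass
class HidFilterDevice:
    """Model of device (200): sits between keyboard (202) and host (201)."""
    pin_hash: bytes                    # PIN verifier kept in permanent memory (assumed SHA-256)
    stored_data: bytes                 # data released to the host only when unlocked
    state: bytes = field(default_factory=lambda: os.urandom(32))  # internal state (208)
    unlocked: bool = False
    expecting_pin: bool = False
    failed_attempts: int = 0
    pin_buffer: bytearray = field(default_factory=bytearray)
    to_host: list = field(default_factory=list)   # packets the host actually receives

    @classmethod
    def with_pin(cls, pin: bytes, stored_data: bytes) -> "HidFilterDevice":
        """Personalise a device: only a hash of the PIN is stored, never the PIN itself."""
        return cls(pin_hash=hashlib.sha256(pin).digest(), stored_data=stored_data)

    def press_button(self) -> None:
        """Button (204): from now on the device expects a PIN (205) from the keyboard."""
        if self.failed_attempts < MAX_PIN_ATTEMPTS:   # refuse once the attempt budget is spent
            self.expecting_pin = True
            self.pin_buffer.clear()

    def keyboard_input(self, packet: bytes) -> None:
        """One packet (206) from the keyboard: update state, then block, process or forward."""
        # Every packet is folded into the internal state used later for data generation.
        self.state = hashlib.sha256(self.state + packet).digest()

        if self.expecting_pin:
            # PIN digits are consumed by the device and never reach the host.
            if packet != b"\n":
                self.pin_buffer.extend(packet)
                return
            self.expecting_pin = False
            candidate = hashlib.sha256(bytes(self.pin_buffer)).digest()
            if hmac.compare_digest(candidate, self.pin_hash):
                self.unlocked = True          # permanent memory may now be used
                self.failed_attempts = 0
            else:
                self.failed_attempts += 1
            self.pin_buffer.clear()
            return

        if packet.startswith(COMMAND_PREFIX):
            # Pre-defined value found: process according to configuration, do not forward.
            if packet == COMMAND_PREFIX + b"send" and self.unlocked:
                self.to_host.append(self.stored_data)
            return

        self.to_host.append(packet)   # ordinary keystrokes are forwarded unchanged
```

A wrong PIN leaves the device locked and a "send" command then yields nothing to the host; after three failures the button no longer opens PIN entry.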
Figure 3/4 shows an example of the steps when a user enrols with a remote server and provides data for future authentication. Step one shows that the device (300) keeps updating its internal state (310). Data (311) coming from a connected keyboard or other HID device (301) is used for these updates.
When the user connects to a remote server (305) and the server requests user enrolment (step two), the enrolment process and the generation of a password (312) start. In step three, the user presses a button (302) on the device. This action tells the device that a permanent secret is required.
The device, in step four, reads from its memory or generates a permanent secret (313) that is also used for subsequent enrolment requests. The device generates a diversification string (314). The diversification string is unique for the given enrolment request and is also sufficiently long that it cannot be found by trying random values. The concatenation of values (313) and (314) is used as the input to a one-way function (303) (e.g., the cryptographic hash function SHA-1) to produce the password (312).
In step five, all three values (312), (313), and (314) are sent from the device (300) to the host computer (304). The host computer, in step six, checks the password (312) is correctly computed and deletes the permanent string (313).
The last step, step seven, of the enrolment process is sending of the diversification string (314) and the password (312) to the remote server (305) that stores them for future authentications of the user. The host computer deletes the diversification string (314) and the password (312).
Figure 4/4 shows an example of user authentication to a remote server (405) using a diversification algorithm. The first step is for the user to initiate authentication to a remote server (405). The remote server (405) will send a user's diversification string (414) to the host computer (404).
Step two represents a user's confirmation of the authentication by pressing a button (402) on the device (400).
Once the authentication request is confirmed, the device sends the permanent string (413) to the host computer (403) in step three.
Step four is the computation of an authentication string (password) (412) by the host computer using a one-way function (403), the permanent string (413) received from the device and the unique diversification string (414). The resulting string (415) is the required password. In step five, the host computer (404) sends this password to the remote server (405) as the user's authentication password (412). The host computer (404) deletes all strings it received and computed: (412), (413), and (414). The remote server (405) simply compares the received string (412) with the value held locally since the user's enrolment.
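The enrolment of figure 3/4 and the authentication of figure 4/4, carried through in Python as an added example (not code from the patent). It uses SHA-1 because that is the one-way function the description names, and assumes a 16-byte random diversification string; the same device is enrolled with two servers to show that each server ends up holding a different password and never the permanent secret.

```python
import hashlib
import hmac
import os


def one_way_function(permanent: bytes, diversification: bytes) -> bytes:
    """Block (303)/(403): H(permanent || diversification), with H = SHA-1 as named in the description."""
    return hashlib.sha1(permanent + diversification).digest()


class Device:
    """Token (300)/(400): keeps the permanent secret (313)/(413) in its permanent memory."""

    def __init__(self, permanent_secret: bytes):
        self._permanent = permanent_secret

    def enrol(self, button_pressed: bool):
        """Steps three to five of figure 3/4: returns (password, permanent secret, diversification)."""
        if not button_pressed:
            raise PermissionError("enrolment requires button (302) to be pressed on the device")
        diversification = os.urandom(16)  # (314): fresh per enrolment, too long to guess (assumed length)
        password = one_way_function(self._permanent, diversification)  # (312)
        return password, self._permanent, diversification

    def authenticate(self, button_pressed: bool) -> bytes:
        """Steps two and three of figure 4/4: release the permanent string (413) to the host."""
        if not button_pressed:
            raise PermissionError("authentication requires button (402) to be pressed on the device")
        return self._permanent


class Server:
    """Remote server (305)/(405): stores (diversification, password) per user, never the permanent secret."""

    def __init__(self):
        self._users = {}

    def store_enrolment(self, user: str, diversification: bytes, password: bytes) -> None:
        self._users[user] = (diversification, password)

    def diversification_for(self, user: str) -> bytes:
        return self._users[user][0]

    def verify(self, user: str, password: bytes) -> bool:
        return hmac.compare_digest(self._users[user][1], password)


def host_enrol(device: Device, server: Server, user: str) -> bool:
    """Host (304), steps five to seven: check (312), forward (314) and (312), keep nothing."""
    password, permanent, diversification = device.enrol(button_pressed=True)
    if not hmac.compare_digest(one_way_function(permanent, diversification), password):
        return False                      # step six: password was not correctly computed
    server.store_enrolment(user, diversification, password)  # step seven
    return True                           # the host retains none of (312), (313), (314)


def host_authenticate(device: Device, server: Server, user: str) -> bool:
    """Host (404): fetch (414) from the server, obtain (413) from the device, compute and submit (412)."""
    diversification = server.diversification_for(user)       # step one
    permanent = device.authenticate(button_pressed=True)     # steps two and three
    password = one_way_function(permanent, diversification)  # step four
    return server.verify(user, password)                     # step five: server compares
```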
Claims (8)
I claim:
- 1. A USB data generation and storage device comprising: one USB interface that connects to a host computing device, one or more USB interfaces for connecting human interface devices (HID) to the device, a permanent memory, a user interface, a configuration, an internal state, and a microcontroller that processes communication between USB interfaces, and:
  - a. forwards data between connected HIDs and the host computing device so that the host computing device can directly communicate with HIDs;
  - b. sends internally stored data to the host computing device on a command from its user interface or from a connected HID;
  - c. blocks communication from the connected HIDs to the host computing device according to its configuration;
  - d. generates, on a command from its user interface or from one of its USB interfaces, data with a random number generator, an algorithm, and its internal state;
  - e. inspects communication from the connected HIDs for commands defined in its configuration and processes the commands according to its configuration.
- 2. A device according to Claim 1 that communicates with and/or uses an additional external computing device to store data and/or show data and/or process data.
- 3. A device according to Claim 1 that stores a secret data or algorithm shared with another computing device (Verifier) allowing it to synchronise its operation with the Verifier.
- 4. A device according to Claim 1 that stores a secret or algorithm shared by a group of these devices and used for their communication and/or use of another computing device (Server).
- 5. A device according to Claim 1 without USB interfaces for connecting HIDs that communicates with the host computing device as if it were a HID.
- 6. A device according to Claim 5 that communicates with and/or uses an additional external computing device to store data and/or show data and/or process data.
- 7. A device according to Claim 5 that stores a secret data or algorithm shared with another computing device (Verifier) allowing it to synchronise its operation with the Verifier.
- 8. A device according to Claim 5 that stores a secret or algorithm shared by a group of these devices and used for their communication and/or use of another computing device (Server).
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB201022133A GB2486920A (en) | 2010-12-31 | 2010-12-31 | USB data storage and generation device connected to a host computer as or as an interface to a Human Interface Device |
GB201108792A GB2486925A (en) | 2010-12-31 | 2011-05-25 | USB data storage and generation device mimics entry of password to host computer from human interface device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB201022133A GB2486920A (en) | 2010-12-31 | 2010-12-31 | USB data storage and generation device connected to a host computer as or as an interface to a Human Interface Device |
Publications (2)
Publication Number | Publication Date |
---|---|
GB201022133D0 GB201022133D0 (en) | 2011-02-02 |
GB2486920A true GB2486920A (en) | 2012-07-04 |
Family
ID=43599137
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB201022133A Withdrawn GB2486920A (en) | 2010-12-31 | 2010-12-31 | USB data storage and generation device connected to a host computer as or as an interface to a Human Interface Device |
GB201108792A Withdrawn GB2486925A (en) | 2010-12-31 | 2011-05-25 | USB data storage and generation device mimics entry of password to host computer from human interface device |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB201108792A Withdrawn GB2486925A (en) | 2010-12-31 | 2011-05-25 | USB data storage and generation device mimics entry of password to host computer from human interface device |
Country Status (1)
Country | Link |
---|---|
GB (2) | GB2486920A (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103455747A (en) * | 2013-06-20 | 2013-12-18 | 珠海亿联图灵信息技术有限公司 | USB interface token terminal and communication method thereof with host |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001096990A2 (en) * | 2000-06-15 | 2001-12-20 | Rainbow Technologies, B.V. | Usb-compliant personal key using a smartcard processor and a smartcard reader emulator |
WO2002056154A2 (en) * | 2001-01-16 | 2002-07-18 | Rainbow Technologies B V | Usb securing device with keypad |
GB2434228A (en) * | 2006-01-05 | 2007-07-18 | Thomas Steven Hulbert | A portable, computer-peripheral apparatus including a universal serial bus (usb) connector |
US20080263363A1 (en) * | 2007-01-22 | 2008-10-23 | Spyrus, Inc. | Portable Data Encryption Device with Configurable Security Functionality and Method for File Encryption |
US20080263364A1 (en) * | 2007-04-20 | 2008-10-23 | Dundas Alan H | System and method for providing access to a computer resource |
US20090193511A1 (en) * | 2008-01-30 | 2009-07-30 | Vasco Data Security, Inc. | Two-factor usb authentication token |
WO2010072735A1 (en) * | 2008-12-24 | 2010-07-01 | Gemalto Sa | Portable security device protecting against keystroke loggers |
EP2251812A1 (en) * | 2009-05-10 | 2010-11-17 | Mario Guido Finetti | Transaction verification USB token |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4964075A (en) * | 1987-05-08 | 1990-10-16 | A. J. Weiner, Inc. | Software and hardware independent auxiliary user programmable intelligent keyboard |
US7454783B2 (en) * | 2003-08-08 | 2008-11-18 | Metapass, Inc. | System, method, and apparatus for automatic login |
WO2006128295A1 (en) * | 2005-06-01 | 2006-12-07 | Russell Warren | Device for transmission of stored password information through a standard computer input interface |
- 2010-12-31 GB GB201022133A patent/GB2486920A/en not_active Withdrawn
- 2011-05-25 GB GB201108792A patent/GB2486925A/en not_active Withdrawn
Also Published As
Publication number | Publication date |
---|---|
GB201108792D0 (en) | 2011-07-06 |
GB2486925A (en) | 2012-07-04 |
GB201022133D0 (en) | 2011-02-02 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WAP | Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1) | |