KR101214899B1 - USB Security Device and Security Method thereof - Google Patents

Abstract

USS security device and its security method are presented. The present invention is to directly mount the encryption module using a smart card in the USB security device for the security of data stored in the USB security device, and to encrypt the data stored, decrypted and output the data from the loss or hacking of the USB security device To protect the user's password, and when the USB security device is connected, the password can be checked to prevent others from operating the USB security device even if it is lost.

Description

USB Security Device and Security Method

The present invention relates to a data security device that can securely store data on a storage medium. Specifically, after the USB security device is connected to a PC for the first time, the password stored in the USB security device is verified and other functions of the USB security device operate. Done. USS security device and its security method that can prevent USB device data from being hacked by encrypting and storing the data of PC in memory inside USB security device and decrypting and outputting encrypted data when reading data from USB device It is about.

In general, if the USB memory device requires security, the data encryption module is stored in the PC to encrypt the data on the PC and then transferred to the USB memory device for use, or by installing the microcomputer (MCU) inside the USB device through the firmware inside the microcomputer. The data is encrypted and stored.

Data encryption methods of the USB memory device include DES (Data Encryption Standard), AES (Advanced Encryption Standard), SEED, and RSA Public Key Cryptosystem.

This prior art technique is shown in FIG. Conventionally, the method using the software of the PC is embedded in the software module 10 itself or the RAM 20 of the PC in which the software module is operated, the kit value for encryption and decryption is easily exposed to hacking. In addition, in the method using the microcomputer, the firmware of the microcomputer performs the encryption / decryption function, but the kit value may be exposed by the known hacking method of the microcomputer itself.

 Also, these USB data devices can be used even if you are not.

The present invention to solve this problem is to embed a smart card equipped with an encryption module in the USB device that people can generally carry in order to prevent the use and the hacking of others in the encryption and decryption of data, the key generation of the module It is an object of the present invention to provide a USB security apparatus and a security method capable of encrypting or decrypting and storing data with a key generated by a function.

In order to achieve the above object, the USB security apparatus of the present invention includes a smart card unit that encrypts and outputs received data or decrypts and outputs the received encrypted data, and receives and stores data encrypted by the smart card. Receives data input from the memory unit and the external device configured to output the data to the smart card, and transmits and stores the encrypted data received from the smart card to the memory, and stores the encrypted data stored in the memory The device may be configured to include a device controller for receiving and transmitting the decrypted data to the smart card, transmitting the decrypted data to the external device, and controlling the smart card according to a verification result of the password stored in the smart card.

Since the device controller stores the password in the smart card unit and matches the password input from the external device, the device controller activates the other functions of the smart card unit and can use the activated function to encrypt and decrypt data in the memory unit. Others can't use the USB security device, and if you forget it, you won't lose data stored in the memory.

In addition, the security method of the USB security apparatus for encrypting, storing, decrypting and outputting data of the external device of the present invention for achieving the above object (a) transmitting the input data of the external device to the smart card unit, (b Generating a key by a key generation module mounted on the smart card, (c) encrypting by the generated key, (d) storing the encrypted data in a memory, (e) ) Decrypting the encrypted data stored in the memory in the smart card unit and (f) transmitting the decrypted data to an external device.

The step (a) further includes a step of activating the USB security device when the password inputted from the external device is compared with the password stored in the smart card unit.

As described above, according to the USB security device and the security method of the present invention, the encryption module is directly mounted in the smart card of the USB device, and the data can be completely protected from hacking by encrypting, storing, decrypting and outputting the data. ,

In addition, by using a password verification method, the USB security device cannot be used by others, and there is no risk of data being stolen if lost.

1 is a view illustrating a USB security device with a built-in encryption module of the prior art,
2 is a block diagram of a USB security device of the present invention,
3 is a flow chart for changing the password embedded in the USB security device of the present invention;
And,
4 is a flowchart illustrating a method of transmitting / receiving data with an external device by the USB security device of the present invention.

It is to be understood that the words or words used in the present specification and claims are not to be construed in a conventional or dictionary sense and that the inventor can properly define the concept of a term in order to describe its invention in the best possible way And should be construed in light of the meanings and concepts consistent with the technical idea of the present invention.

Throughout the specification, when a part is said to "include" a certain component, it means that it can further include other components, without excluding other components unless specifically stated otherwise. Also, the terms " part, "" module," and " module "in the specification mean units for processing at least one function or operation and can be implemented by hardware or software or a combination of hardware and software .

Hereinafter, an embodiment of the present invention will be described with reference to the drawings.

2 is a configuration diagram of a USB security device according to an embodiment of the present invention, as shown in the USB (Universal Serial Bus) security device 100 of the present invention is input or output the data display In order to operate in conjunction with the PC 200, the memory unit 120 for storing encrypted data, the smart card unit 130 for encryption and decryption, and the device controller 110 for data interface control between components It is configured to include.

The memory unit 120 is configured as an SD memory (Serial Data Memory) or a flash memory (Flash Memory) to receive, store and output encrypted data, and is divided into a general memory area 122 and a secure memory area 124. Can lose.

In the general memory area 122, a simple program for activating the secure memory area 124 is stored. When the program is executed, a screen for inputting a password is displayed on the PC 200 and compared with the password stored in the smart card unit 130 and the input password. It can be used on a PC like normal memory and can also read and write data in the memory.

In addition, a screen for changing the password is stored, and the password can be configured to be changed if it is determined that the password has been exposed.

Since the password input screen and the change screen can be configured with a simple UI (User Interface), detailed description thereof will be omitted.

The secured memory area 124 is an area in which encrypted data is stored, and the stored data is stored after being encrypted through the smart card unit 130, and the stored data is decrypted by the smart card unit 130 and then externally stored. It is transmitted to the PC 200 which is a device.

The smart card unit 130 is configured to provide encrypted data to the memory unit 120, receive the encrypted data, decrypt it and output it again, and activate the secure memory area 124 to use the USB security device 100. It is configured to store a password for enabling.

To this end, the smart card unit 130 uses a user authentication unit 131 with a built-in password, an application unit 132 for executing an encryption algorithm, a key generator 134 for generating an encryption key, and an encryption key. And an encryption / decryption unit 133 for encrypting and decrypting data.

The user authentication unit 131 is configured to perform user authentication, password authentication of credit cards and electronic money, and the like, and is particularly configured to store a password for activating the secure memory area 124.

The application unit 132 is configured to generate a key by an encryption module mounted therein, encrypt the data input from the PC 200 through the device controller 110, and store the stored data in the memory unit 120. When outputting, the encrypted data stored in the memory unit 120 is loaded and decrypted using the device controller 110 as a path, and then transmitted to the device controller 110 to be outputted to the PC 200.

The encryption algorithm installed in the application unit 132 includes 128-bit block encryption algorithm (SEED), a national standard, DES (Data Encryption Standard), AES (Advanced Encryption Standard), ARIA, and RSA (Rivest Shamir Adleman). Algorithms such as encryption are installed, and these algorithms can be selectively supported, and since the keys are generated and stored by the encryption algorithm on their own, there is no risk of losing the key or being hacked into the encryption algorithm. By the generated encryption algorithm and key generation, it is possible to ensure the security of the data input and output to the USB security device 100 and the PC (200).

DES, ARIA, and SEED are symmetric key secret key ciphers with the same encryption and decryption keys, and RSA is an asymmetric key public key cipher with different encryption and decryption keys.

The key generation unit 134 generates a key to be decrypted by an algorithm performed by the application unit 132 so as to be used to generate a key value for decrypting the file, and generates the data received by the decryption unit 133. Configured to encrypt or decrypt.

After the authentication of the user through the first password check in the control unit, the smart card unit 130 can be operated only when the execution result is successful.

The device controller 110 drives the system to encrypt and store the input data by communicating with the PC 200 which is an external device, and decrypts and outputs the stored data, and at the same time, the USB security device 100 is mounted on the PC 200. When the password input screen is displayed on the PC 200 and through this, the USB security device 100 is configured to be activated.

To this end, the device controller 110 uses a USB interface 112 for USB communication with the PC 200, a smart card interface 114 for interfacing with the smart card unit 130, and a data interface with the memory unit 120. Memory interface 116, a USB interface 112, a smart card interface 114, and a controller 118 for controlling the memory interface 116. Communication can be made by the 7816.

Specifically, when the USB security device 100 of the present invention is mounted on the PC 200, the controller 118 executes a program for activating the secure memory area 124 stored in the general memory 122. Control to display the screen on the PC 200 and compares the password input from the PC 200 and the password stored in the user authentication unit 131 of the smart card unit 130 after verification and matching secure memory area 124 ) To control the use of existing memory.

Thereafter, the key generation unit 134 executes an encryption program to encrypt the data input with the automatically generated key in the encryption unit 133 and the encrypted data is secured through the smart card interface 114 and the memory interface 116. To be stored in the memory area 124. In addition, even when the encrypted data stored in the secure memory area 124 is to be output, the key generation unit 134 generates a key for decryption by decrypting the data through the memory interface 116 and the smart card interface 114. After the output to the PC 200 through the USB interface 112 is to ensure the security of the data input and output to the PC 200 and the USB security device 100.

The key value generated by the key generation unit 134 is modified and stored through the unique ID recorded at the time of manufacturing the smart card. This series of processes takes place only within the smart card.

The key generation unit 134 operates to delete all existing data stored in the memory unit 120 when a new key is generated. In other words, when decrypting the encrypted data, the key value is different so that the data cannot be recovered before the encryption.

On the other hand, if the encryption and decryption is performed in this way to perform the PIN authentication or password authentication of the credit card, the key value is never leaked to the outside, so it is possible to maintain secure security.

In addition, encrypting and decrypting data may be able to encrypt and decrypt only some data that may be impossible when attempting to restore data through hacking to improve processing speed.

The device controller 110, the memory unit 120, and the smart card unit 130 may be integrated into a USB token.

Hereinafter, with reference to the drawings will be described a security method of the USB security device of the present invention composed of such a device.

3 is a flow chart for changing the password embedded in the security device of the present invention, when the USB security device 100 is mounted on the PC 200, the device controller 110 is a general memory 122 of the memory unit 120 The administrator program, which is a program for activating the secure memory area 124 stored therein, is executed to display a password input screen on the PC 200 as an external device (S310).

In operation S310, an initial password is input on the input screen of the password displayed on the PC 200 (S311).

The initial password refers to a password that is set up so that the user can change the password of the USB security device at the factory.

In step S312, it is determined whether the input password and the initial setting number stored in the smart card unit 130 match, and if it matches to display a password change screen (S313).

When the password is changed in step S313, the device controller 110 stores the changed password in the user authentication unit 131 of the smart card unit 130 (S314).

This step is intended to prevent users from writing or viewing data stored in memory if they forget their password. In other words, if someone learns the same effect. In addition, all functions that can be used after password verification is disabled are also disabled.

Thereafter, in step S315, a key for encrypting and decrypting data stored and read in the memory unit 120 is generated. At this time, all keys related to an encryption function supported by the smart card unit 130 are automatically generated by the key generation unit 134. Is generated. This may be determined through an application program embedded in the application unit 132. For example, a 16-byte random key for DES, AES, and ARIA is automatically generated, depending on the algorithm associated with 128 or 256 bytes or more for RSA. The generated key value is modified and stored through the unique ID recorded at the time of manufacturing the smart card. This series of processes is made only in the smart card unit 130. That is, since no data is displayed to the outside, the user may not know what the key value is generated by the kit value, and the key values stored for each USB security device 100 are all differently generated to generate another USB security device 100. Even if connected, memory contents cannot be read or written. For reference, this function is basically possible only if the password verification step is done in the previous step.

As described above, a data transmission / reception method between the PC 200 and the USB security device 100 after the encryption / decryption key is generated will be described with reference to the drawings.

4 is a flowchart illustrating a method of transmitting and receiving data with an external device by the USB security device of the present invention. When the USB security device 100 is connected to the PC 200 (S320), the device controller 110 is an example. For example, receiving a fingerprint recognition and verification results from the fingerprint recognition unit, etc., if the result is a failure, and if successful, secure memory area 124 stored in the general memory 122 of the memory unit 120 next By executing a program for activating the display the password input screen on the PC 200 as an external device and receives the password input (S321).

If the input password and the password stored in the smart card unit 130 is determined to match (S322) if the USB security device 100 is activated to operate like a normal USB memory and the USB security device ( In step S323, it is determined whether to store the data.

If it is determined in step S323 to save the data to the USB security device 100, the device controller 110 controls to encrypt the data transmitted from the PC 200 in the smart card unit 130 to store in the memory unit 120 do.

On the other hand, if it is determined that the data stored in the memory unit 120 is a process of reading the data stored in the step S323 (S326), and if it is determined that the data is read the encrypted stored in the memory unit 120 The devices are operated to read data, decrypt the data in the smart card unit 130, and output the data to the PC 200.

If it is determined in step S326 that the data is not read, it is determined whether the user has finished (S325), and if not, the data transmission and reception between the USB security device 100 and the PC 200 is repeated from step S322 again. Waiting to be done.

While the invention has been described in detail with respect to the embodiments described, it will be apparent to those skilled in the art that various modifications and variations are possible within the spirit of the invention, and such modifications and variations belong to the appended claims.

110: device controller 120: memory unit
130: smart card unit

Claims (5)

delete Encrypts and decrypts data using a user authentication unit 131 with a built-in password, an application unit 132 for executing an encryption algorithm, a key generation unit 134 for generating an encryption key, and an encryption key. A smart card unit 130 including an encryption / decryption unit 133 to encrypt and output the received data or to decrypt and output the received encrypted data;
A program is divided into a general memory 122 area and a secure memory 124 area, and a program for displaying a screen for inputting a password on the external device 200 by activating the secure memory area is stored in the general memory area and encrypted by the smart card. A memory unit 120 configured to receive data, store the data in the secure memory area, and output the received data;
And when the password is input to the password input screen displayed on the external device 200 to perform a user authentication compared to the password stored in the user authentication unit and receives the data input from the external device to transmit to the smart card 130 and the The encrypted data received from the smart card is transmitted to and stored in the memory 120, and the encrypted data stored in the memory is received and transmitted to the smart card to be decrypted, and the decrypted data is stored in the external device 200. USS secure device comprising a device controller (110) for controlling to transmit to.
In the security method of the USB security device that encrypts, stores, decrypts and outputs data of an external device,
The security method of the USB security device,
(a) When the USB device is mounted on the external device 200, the device controller 110 executes a program for activating the secure memory area 124 stored in the general memory 122 of the memory unit 120. Displaying a password input screen on an external device;
(b) authenticating by entering a password on the password input screen;
(c) the device controller transmitting input data of the external device to a smart card unit;
(d) generating a key by an encryption algorithm mounted on the smart card unit;
(e) encrypting data received by the generated key;
(f) allowing the device controller to receive encrypted data from the smart card unit, to transmit the data to the memory unit, and to store the encrypted data;
(g) The device controller executes a program stored in the general memory 122 area of the memory unit 120 while the USB security device is connected to the external device to activate the secure memory 124 area to provide a password to the external device 200. Displaying an input screen and receiving a password;
(h) determining whether the password inputted to the external device matches the password stored in the smart card unit 130;
(i) checking whether the device controller reads the data stored in the memory unit if the passwords match;
(j) when the stored data is read, receiving, by the smart card unit, encrypted data stored in the memory unit through a device controller and decrypting the encrypted data;
And (k) transmitting the data decrypted by the smart card unit to an external device through a device controller.
The method of claim 3,
Step (b) is
And comparing the password inputted from the external device with the password stored in the smart card unit and activating the USB security device.
delete

Images