WO2018017019A1 - Personal security device and method - Google Patents

Personal security device and method

Info

Publication number
WO2018017019A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
security device
module
security module
transferred
Application number
PCT/SG2017/050364
Other languages
English (en)
Inventor
Hsiong Ke Desmond HSU
Original Assignee
Fast And Safe Technology Private Limited
Application filed by Fast And Safe Technology Private Limited

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits

Definitions

  • the present invention relates broadly to a system, device and method, for example in the field of information technology (IT) security and electronic security.
  • Computing products like personal computers, tablet computers, and smart phones may have different security features due to the installation of different IT security application software.
  • This security software requires some sort of security elements like cryptographic keys and/or passwords.
  • these cryptographic keys and/or passwords could be generated within the embedded processor of the computing product.
  • these security elements will be stored inside the computing product for different IT security applications according to requirement.
  • the IT security application could be for data encryption, for example with the AES (Advanced Encryption Standard) algorithm, which uses a symmetric cryptographic key.
  • the encrypted data may be stored inside or outside the computing products.
  • the IT security application could also be for an authentication process, for example with the RSA (Rivest-Shamir-Adleman) algorithm, which uses asymmetric cryptographic keys for authentication by using the computing product or another computing product.
  • the security elements are generated and managed not by the user, but by outside parties - the computing product manufacturers or security software developers. This requires the user's trust in the involvement of external parties in the user's security process. This may potentially compromise security.
  • the security elements are self-managed, i.e. generated, stored inside the computing product and managed by the user themselves.
  • these security elements may not be recoverable if the product storing them is lost or damaged, and this will lead to a permanent loss, for example, of the encrypted data.
  • Example embodiments of the present invention seek to address one or more of the above problems.
  • a method of providing a security functionality on computing products comprising the steps of initializing a first security module on a dedicated security device, the initialized first security module comprising a first security element such as a first set of one or more cryptographic keys and a first verification element such as a first password; generating and storing a second security module on the security device, the second security module comprising a second security element such as a second set of one or more cryptographic keys and a second verification element such as a second password; providing a first IT security application for a first computing product, wherein the first IT security application requires the first or second security elements to operate; coupling the security device to the first computing product for enabling data communication between the first or second security modules and the first IT security application; and providing the first or second security elements to the first IT security application subject to verifying a user input using the first or second verification elements respectively.
  • a dedicated security device for cooperating with IT security applications on computing products, the security device comprising an initialized first security module comprising a first security element such as a first set of one or more cryptographic keys and a first verification element such as a first password; a second security module, the second security module comprising a second security element such as a second set of one or more cryptographic keys and a second verification element such as a second password; and an interface for coupling the security device to a first computing product for enabling data communication between the first or second security modules and a first IT security application for the first computing product for providing the first or second security elements to the first IT security application; wherein the security device is configured for providing the first or second security elements to the first IT security application subject to verifying a user input using the first or second verification elements respectively.
  • a computing product functioning as a security device proxy for the security device of the second aspect, the computing product comprising the transferred second security module comprising the second security element and the second verification element; an interface for coupling the computing product to a further computing product for enabling data communication between the transferred second security module and an IT security application for the further computing product, wherein the IT security application requires the second security element of the transferred second security module to operate; and wherein the computing product is configured for providing the second security element of the transferred second security module to the IT security application subject to verifying a user input using the second verification element of the transferred second security module.
  • Fig. 1 shows a high level schematic block diagram illustrating components internal to the dedicated security hardware, Security Device, according to an example embodiment.
  • Fig. 2 shows a high level schematic block diagram illustrating the security module, SM generated and stored inside the re-writable nonvolatile memory of the Security Device, according to an example embodiment.
  • Fig. 3a shows a high level schematic block diagram illustrating the equipment setup for the Security Device initial set-up, Master SM generating processing, according to an example embodiment.
  • Fig. 3b shows a flowchart illustrating the initial set-up process of the Security Device, including the generation of the Master SM, according to an example embodiment.
  • Fig. 4a shows a high level schematic block diagram illustrating the equipment setup for the process of generating the Secondary SM, according to an example embodiment.
  • Fig. 4b shows a flowchart illustrating the process of generating the Secondary SM, according to an example embodiment.
  • Fig. 5a shows a high level schematic block diagram illustrating the setup for the IT security applications running in the computing products, CP(s) that require security modules, SM(s) from the Security Device, according to an example embodiment.
  • Fig. 5b shows a flowchart illustrating the operation of IT security applications in the CP, while requiring the presence and interaction of the Master Security Module from the Security Device, according to an example embodiment.
  • Fig. 6a shows a high level schematic block diagram illustrating the equipment setup for the process to change the Name and Password of the SM which is stored inside the Security Device, according to an example embodiment.
  • Fig. 6b shows a flowchart illustrating the process to change the Name and Password of the SM which is stored inside the Security Device, according to an example embodiment.
  • Fig. 7a shows a high-level schematic block diagram illustrating the equipment setup for the process to reset the Password of the SM inside the Security Device, according to an example embodiment.
  • Fig. 7b shows a flowchart illustrating the process to reset the Password of the SM inside the Security Device, according to an example embodiment.
  • Fig. 8a shows a high level schematic block diagram illustrating the equipment setup for the process of deleting the SM inside the Security Device, according to an example embodiment.
  • Fig. 8b shows a flowchart illustrating the process to delete the SM inside the Security Device, according to an example embodiment.
  • Fig. 9a shows a high level schematic block diagram illustrating the equipment setup for the process of transferring SM from the Security Device to CP, according to an example embodiment.
  • Fig. 9b shows a flowchart illustrating the SM transfer process from the Security Device to CP, according to an example embodiment.
  • Fig. 10a shows a high level schematic block diagram illustrating the setup for the process of changing Name and Password of the SM inside the CP, according to an example embodiment.
  • Fig. 10b shows a flowchart illustrating the process that changes the Name and Password of the SM inside the CP, according to an example embodiment.
  • Fig. 11a shows a high level schematic block diagram illustrating the setup for the process of running an IT security application in a CP, which calls the SM stored inside another CP-P, according to an example embodiment.
  • Fig. 11b shows a flowchart illustrating the process of running an IT security application in a CP, which calls the SM stored inside another CP-P, according to an example embodiment.
  • Fig. 12a shows a high level schematic block diagram illustrating the setup for the process in which an IT security application calls the SM transferred and stored inside the same CP-P, according to an example embodiment.
  • Fig. 12b shows a flowchart illustrating the running of IT security applications on the CP-P which call the SM that has been transferred and stored inside the same CP-P, according to an example embodiment.
  • Fig. 13a shows a high level schematic block diagram illustrating the equipment setup for the password reset processing of the SM inside the CP-P, according to an example embodiment.
  • Fig. 13b shows a flowchart illustrating the process to reset the Password of the SM inside the CP-P, according to an example embodiment.
  • Fig. 14a shows a high level schematic block diagram illustrating the setup for the process of deleting of SM inside a CP, according to an example embodiment.
  • Fig. 14b shows a flowchart illustrating the process that deletes the SM inside the CP, according to an example embodiment.
  • Figure 15 shows a flow chart illustrating a method of providing a security functionality on computing products.
  • a specially designed, dedicated Security Device may replace password access control.
  • the Security Device can generate and store multiple sets of security elements or security modules for different IT security applications.
  • the security modules stored inside the security device can be transferred to different computing products for example, the personal computer, laptop computer, tablet computer, smart phone etc.
  • the same security module can be transferred to multiple computing products for shared security control or for security recovery when the original product storing the security module is lost or damaged.
  • Multiple security modules may also be transferred to the same computing product for different IT security applications.
  • Security Device 100: a specially-designed, dedicated security hardware which generates and stores Security Modules.
  • Security Module (SM) 2000, 2001, ...: a module including a Name, a Password, a Counter and a set of one or more security elements, for example but not limited to Cryptographic Keys. Different SMs are required for different IT security applications.
  • Security Module Name (SMnm): a data field used to identify the SM.
  • Security Module Password (SMpw): the data field may contain data representing the password as in the example embodiments described below, or any other form of verification element such as pattern recognition, location recognition or a biometric element including but not limited to fingerprint, face recognition, voice recognition or typing stroke recognition etc.
  • Security Module Counter (SMct): a small positive integer used to control the number of consecutive failed password retries. The counter value decreases by 1 for each consecutive incorrect password input and the SM 2000, 2001, ... will be disabled when the counter value reaches zero. However, the Counter will be reset to the original value when a correct password input is detected.
  • Security Module Cryptographic Key: a random secret key used for security functions like data encryption and decryption under a symmetric key algorithm or authentication under an asymmetric key algorithm, or any other form of security element such as a randomly generated password or Hash keys generated for example but not limited to password protection etc.
  • Master Security Module (MSM) 2000: the first SM set up by the user during the initialization of the Security Device.
  • Mpw: the Device access Password.
  • Mct: the allowed number of consecutive failed password attempts, which can be chosen by a user or be a default set by the manufacturer.
  • Master Cryptographic Key(s) (Mck): set of one or more keys user-generated by the True Random Number Generator (TRNG) of Security Device 100.
  • Secondary Security Module (S2SM) 2001, 2002, ...: an SM, other than the MSM 2000, generated by the Security Device 100 for different applications.
  • S2nm: Secondary Name linking an application with the required S2SM, e.g. S2nm 2101.
  • S2pw: the password of a S2SM, e.g. S2pw 2201, which can be the same as the Mpw 2200.
  • S2ct: the counter of a S2SM, e.g. S2ct 2301, which can be the same as the Mct 2300.
  • Secondary Cryptographic Key (S2ck): set of one or more keys user-generated by the TRNG of Security Device 100.
  • IT security application, e.g. 1002, 5002: applications include, but are not limited to, for example storage data protection, data exchange protection, Cloud Computing access control and Cloud data protection, Software as a Service (SaaS applications), payment authentication, password management, login access control, message protection, email protection and voice protection etc.
  • Computing Products (CP) 1000, 5000: machines which contain at least one built-in central processing unit (CPU) and a built-in memory; for example, a desktop computer, laptop computer, tablet computer, smart phone or a smart watch. Applications software can be installed and run inside the CP 1000, 5000.
  • Computing Product Proxy (CP-P) 1000: a CP storing S2SM e.g. 2001 transferred from Security Device 100, acting as a proxy for the Security Device 100.
  • Security Module Interface Manager (SMIM) 1001, 5001: a specially designed software, installed inside the CP 1000, 5000 to manage the S2SM e.g. 2001 and control the interface between the S2SM e.g. 2001 and applications.
  • Security Module Configuration Tool (SMCT) 3000: a machine used to configure the SM inside the Security Device 100. It can be any computing machine such as a desktop computer, a laptop computer, a tablet computer or a smart-phone. It may also be a specially designed machine that includes a built-in processor or a virtual computer in a computing Cloud. It could also be an embedded processor of the Security Device 100, in which case the Security Device 100 can configure itself.
  • Security Module Configuration Manager (SMCM) 3001: a specially designed software, installed inside the SMCT 3000, to configure (generate, store, change or delete) the SM inside the Security Device 100.
  • SMTT 9000: a machine used to transfer the S2SM e.g. 2001 from the Security Device 100 to a CP 1000. It can be any computing machine such as a desktop computer, a laptop computer, a tablet computer or a smart-phone. It may also be a specially designed machine that includes a built-in processor or a virtual computer in a computing Cloud. It could also be an embedded processor of the Security Device 100, such that the Security Device 100 can be connected directly to the CP 1000.
  • Security Module Transportation Manager (SMTM) 9001: a specially designed software, installed inside the SMTT 9000, to control the transfer of the S2SM e.g. 2001 from the Security Device 100 to a CP 1000.
  • Software Installation: the above software may be separately installed, e.g. from a CD-ROM or from the Security Device 100 or through the internet, or may be provided as SaaS.
  • Communication Link: an electrical communication means which includes, but is not limited to, any communication module or media such as radio frequency (RF) channels, WiFi, Bluetooth, NFC or any wired connection.
  • Password Verification Process: as part of the numerous user authentication processes described in the text below, users are asked for the passwords in order to verify their rights to use the various Security Modules. It is understood that these authentication processes mentioned below are broadly similar.
  • When a user requests an SM transaction or operation, he is requested by the software security manager to enter his password. His password is then checked for correctness. When the entered password is correct, his request will be approved and the requested operation will proceed. If the password entered is incorrect, retries will be allowed. Up to N consecutive retries will be allowed. N is the initial integer set in the counter (SMct, Mct, or S2ct). Each consecutive incorrect entry will decrement the counter value by 1.
  • This retry process is repeated until the value of the counter reaches 0 or a successful password entry is made.
  • If the counter reaches 0, the password verification will be aborted and all further requests will be disabled. If a successful password entry is made, the counter value will be reset to N.
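The Password Verification Process above, together with the gated generation of a Secondary SM and the release of its keys, sketched as an added example (not code from the patent or its applicant). The class and method names, the PBKDF2 password verifier and the decrement-before-compare ordering are assumptions of this sketch; `secrets` stands in for the TRNG 110, and wrapping of the keys at rest is left out.

```python
"""Constructed model of the SM retry counter and password-gated key release."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption: the page names no password-hashing scheme


class WrongPassword(Exception):
    """A failed attempt while retries remain."""


class ModuleDisabled(Exception):
    """The counter has reached 0; every further request is refused."""


@dataclass
class SecurityModule:
    name: str        # SMnm
    salt: bytes
    verifier: bytes  # salted hash standing in for the stored SMpw
    limit: int       # N, the initial counter value
    counter: int     # SMct, consecutive failures still allowed
    keys: bytes      # security element (Mck / S2ck)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SecurityDevice:
    def __init__(self) -> None:
        self.modules = {}  # name -> SecurityModule

    def _store(self, name: str, password: str, limit: int) -> SecurityModule:
        if limit < 1:
            raise ValueError("counter must be a small positive integer")
        salt = secrets.token_bytes(16)
        keys = secrets.token_bytes(32)  # stand-in for keys from the TRNG 110
        sm = SecurityModule(name, salt, _hash(password, salt), limit, limit, keys)
        self.modules[name] = sm
        return sm

    def init_master(self, name: str, password: str, limit: int = 3) -> SecurityModule:
        """Initial set-up: create the MSM on an empty device."""
        if self.modules:
            raise RuntimeError("device already initialized")
        return self._store(name, password, limit)

    def verify(self, name: str, password: str) -> None:
        """Password Verification Process for one SM."""
        sm = self.modules[name]
        if sm.counter == 0:
            raise ModuleDisabled(name)
        # Spend the attempt before comparing, so that interrupting the check
        # (for example by cutting power) cannot yield a free guess.
        sm.counter -= 1
        if not hmac.compare_digest(_hash(password, sm.salt), sm.verifier):
            if sm.counter == 0:
                raise ModuleDisabled(name)
            raise WrongPassword(f"{sm.counter} attempt(s) left for {name}")
        sm.counter = sm.limit  # a correct entry resets the counter to N

    def add_secondary(self, master_name: str, master_password: str, name: str,
                      password: str, limit: Optional[int] = None) -> SecurityModule:
        """Generate an S2SM; allowed only after the Master password verifies."""
        self.verify(master_name, master_password)
        if limit is None:  # S2ct may simply reuse the Master counter value
            limit = self.modules[master_name].limit
        return self._store(name, password, limit)

    def release_keys(self, name: str, password: str) -> bytes:
        """Hand the security element to an application after verification."""
        self.verify(name, password)
        return self.modules[name].keys
```

Each SM carries its own counter, so exhausting the retries of one Secondary SM leaves the Master SM and the other modules usable.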
  • the present specification also discloses apparatus for performing the operations of the methods.
  • Such apparatus may be specially constructed for the required purposes, or may comprise a general purpose computer or other device selectively activated or reconfigured by a computer program stored in the computer.
  • the algorithms and displays presented herein are not inherently related to any particular computer or other apparatus.
  • Various general purpose machines may be used with programs in accordance with the teachings herein.
  • the construction of more specialized apparatus to perform the required method steps may be appropriate.
  • the structure of a conventional general purpose computer will appear from the description below.
  • These general computers may include computers in a distributed computing network and computers in a computing Cloud.
  • the present specification also implicitly discloses the algorithm of a computer program, in that it would be apparent to the person skilled in the art that the individual steps of the method described herein may be put into effect by computer code.
  • the computer program is not intended to be limited to any particular programming language and implementation thereof. It will be appreciated that a variety of programming languages and coding thereof may be used to implement the teachings of the disclosure contained herein.
  • the computer program is not intended to be limited to any particular control flow. There are many other variants of the computer program, which can use different control flows without departing from the spirit or scope of the invention.
  • Such a computer program may be stored on any computer readable medium.
  • the computer readable medium may include storage devices such as magnetic or optical disks, memory chips, or other storage devices suitable for interfacing with a general purpose computer.
  • the computer readable medium may also include a hard-wired medium such as exemplified in the internet system, or wireless medium (for example wi-fi, bluetooth device and the mobile telephone system).
  • the computer program when loaded and executed on such a general-purpose computer effectively results in an apparatus that implements the steps of the preferred method.
  • the invention may also be implemented as hardware modules. More particularly, in the hardware sense, a module is a functional hardware unit designed for use with other components or modules. For example, a module may be implemented using discrete electronic components, or it can form a portion of an entire electronic circuit such as an application specific integrated circuit (ASIC). Numerous other possibilities exist. Those skilled in the art will appreciate that the system can also be implemented as a combination of hardware and software modules.
  • Fig. 1 shows a high-level schematic block diagram illustrating a Security Device 100 according to an example embodiment.
  • the Security Device 100 is a specially-designed, dedicated security hardware which generates and stores Security Modules.
  • the Security Device 100 contains a random number generator, for example a True Random Number Generator (TRNG) 110, Re-writable Nonvolatile Memory 120, an Embedded Controller (EC) 130 and an Interface 140, according to this example embodiment.
  • Each Security Module includes a Name (Mnm 2100, S2nm 2101, 210n), a Password (Mpw 2200, S2pw 2201, 220n), a Counter (Mct 2300, S2ct 2301, 230n) and Cryptographic Key(s) (Mck 2400, S2ck 2401, 240n).
  • the Names are used to identify the respective Security Module.
  • the Passwords are used to control user access to the respective Security Modules.
  • the Counters are used to control the number of consecutive failed password retries.
  • the Cryptographic Keys are random secret keys as described in the Definitions section above, according to this example embodiment.
  • Fig. 3a shows a high-level schematic block diagram illustrating the equipment setup for the Security Device initialization.
  • a Security Module Configuration Tool (SMCT) 3000 is connected with the Security Device 100 using communication link 3100, according to an example embodiment.
  • the communication link (CL) 3100 represents the media through which data is communicated between the Security Device 100 and the SMCT 3000.
  • the communication link 3100 described in the Definition section above, includes, but is not limited to, any communication module or media such as radio frequency (RF) channels, WiFi, Bluetooth, NFC or any wired connection.
  • the Security Device 100 and the SMCT 3000 are described in the Definitions section above.
  • the SMCT 3000 contains a Security Module Configuration Manager (SMCM) 3001, which may be separately installed, e.g. from a CD-ROM or from the Security Device 100 or through the internet, according to an example embodiment.
  • Fig. 3b shows a flowchart illustrating the initial set-up process including the generation of the Master Security Module (MSM) 2000, according to an example embodiment.
  • a user connects his Security Device 100 to the SMCT 3000 and starts the SMCM 3001.
  • the user requests to generate the MSM 2000 in step 3101.
  • the SMCM 3001 will then ask the user to input the Master Name (Mnm) 2100 (Figure 2) and Master Password (Mpw) 2200 (Figure 2) in step 3102.
  • the SMCM 3001 then processes step 3103 where the set of one or more cryptographic keys (Mck) 2400 is generated by the TRNG 110 (Figure 1) and stored inside the memory 120 (Figure 1) together with the Mnm 2100, Mpw 2200 and Mct 2300, as the MSM 2000 (Figure 2), according to an example embodiment.
  • the password and the set of one or more cryptographic keys are stored in encrypted form.
  • S2SM New Key and Secondary Security Module
  • Fig. 4a shows a high-level schematic block diagram illustrating the equipment setup for the generation of the Secondary Security Module (S2SM) 2001.
  • the SMCT 3000 is connected with the Security Device 100 using communication link (CL) 3100 (as described in the Definitions section above), according to an example embodiment.
  • the SMCT 3000 is installed with a SMCM 3001 (as described in the Definitions: software installation section above).
  • Fig. 4b shows a flowchart illustrating the process of generating the S2SM 2001, according to an example embodiment.
  • a user connects his Security Device 100 to the SMCT 3000 and starts SMCM 3001.
  • User requests to generate the S2SM 2001 in step 4101.
  • the SMCM 3001 asks the user to input the Master Name (Mnm) 2100 and/or Master Password (Mpw) 2200 in step 4102.
  • the SMCM 3001 checks the correctness of the Mnm 2100 and/or Mpw 2200 in step 4103 against the data stored in the Security Device 100 according to the Password Verification Process described above. If the password is incorrect, the operation is halted in step 4104.
  • In step 4105, the user is asked to input a Name (S2nm) 2101 and a Password (S2pw) 2201 for the S2SM 2001.
  • a set of one or more new cryptographic keys 2401 is generated by the TRNG 110 (Figure 1) and this is stored inside the memory 120 (Figure 1) together with the S2nm 2101, S2pw 2201 and S2ct 2301, as the S2SM 2001.
  • the Secondary counter S2ct 2301 could be the same as the Master counter Mct 2300 or a new number input by the user, according to an example embodiment.
  • Fig. 5a shows a high level schematic block diagram illustrating the equipment setup for the operation of IT security applications running in the CP 5000, which calls the MSM 2000 or S2SM 2001/200n from the Security Device 100.
  • the CP 5000 is installed with a SMIM 5001 and an IT security application 5002 or an IT security application 5002 is provided for the CP
  • the software installation is described in the Definitions section, and includes provision of the IT security application via SaaS.
  • the IT security application 5002 is not installed on the CP 5000 itself, but resides in a Cloud- or web-server (not shown).
  • the CP 5000 and the Security Device 100 are connected via communication link (CL) 5100 (as described in the Definitions section above), according to an example embodiment.
  • Fig. 5b shows a flowchart illustrating the operation of IT security applications in the CP 5000, while requiring the presence and interaction of the MSM 2000 or S2SM 2001/200n from the Security Device 100.
  • a SMIM 5001 is installed in the CP 5000 (as described in the Definitions: software installation section above) at step 5101.
  • the user then installs an IT security application 5002 to the same CP 5000 or an IT security application 5002 is provided for the CP 5000 via SaaS (as described in the Definitions: software installation section above) at step 5102, according to an example embodiment.
  • the user may run the IT security application 5002 that requires security elements from the MSM 2000 or S2SM 2001/200n inside Security Device 100 in step 5103.
  • the SMIM 5001 checks for the presence of the Security Device 100 in step 5104.
  • the presence of the Security Device 100 may be checked/determined based on, by way of example and not limitation, the SMIM 5001 sending a signal which, by pre-arrangement, is recognized by the Security Device 100 through for example the USB ports and/or the Bluetooth channels.
  • the pre-arranged signal is received/recognized by the Security Device 100, it sends a pre-arranged reply to the SMIM
  • the Security Device 100 or communication between the ⁇ security application provided for the CP 5000 via SaaS and the MSM 2000 or S2SM 2001/200n in the Security Device 100 though the SMIM 5001 on the CP 5000, is established. If the Security Device 100 is not present, the operation is aborted in step 5105. If the Security Device 100 is present, the process continues to step 5106 where the SMIM 5001 requires the user to input the Mnm 2100 and/or Mpw 2200 or S2SMnm 210n and/or S2SMpw 220n. The SMIM 5001 then checks for the correctness of the password in step 5107 against the data stored in the Security Device 100 according to the Password Verification Process described above.
  • in step 5108, the Security Device 100 provides the required element(s) of MSM 2000 or S2SM 2001/200n (e.g. cryptographic keys) for the IT security application 5002 on CP 5000 to operate, or for the IT security application 5002 provided via SaaS to operate, according to example embodiments.
  • Fig. 6a shows a high-level schematic block diagram illustrating the equipment setup for the process of changing Name and/or Password of the security module inside the Security Device 100.
  • the SMCT 3000 is connected to the Security Device 100 using communication link (CL) 3100 (as described in the Definitions section above), according to an example embodiment.
  • the SMCT 3000 is installed with a SMCM 3001 (as described in the Definitions: software installation section above).
  • Fig. 6b shows a flowchart illustrating the process to change the Mnm and/or Mpw of the MSM 2000 or the S2nm and/or S2pw of S2SM 2001/200n inside the Security Device 100.
  • the user chooses to change the Mnm and/or Mpw or S2nm and/or S2pw at step 6101.
  • SMCM 3001 asks the user to input the current Mnm and/or Mpw or S2nm and/or S2pw in step 6102, and the SMCM 3001 then checks the correctness of the password in step 6103 against the data stored in the Security Device 100 according to the Password Verification Process described above. If the password is incorrect, the operation is halted in step 6104.
  • in step 6105, a new Mnm and/or Mpw or S2nm and/or S2pw is entered by the user and then stored in the Security Device 100, replacing the old Mnm and/or Mpw or S2nm and/or S2pw, according to an example embodiment.
  • Fig. 7a shows a high-level schematic block diagram illustrating the equipment setup for the process of resetting the password of the S2SM 2001 inside the Security Device 100.
  • the SMCT 3000 is connected to the Security Device 100 using communication link (CL) 3100 (as described in the Definitions section above), according to an example embodiment.
  • the SMCT 3000 is installed with a SMCM 3001 (as described in the Definitions: software installation section above).
  • Fig. 7b shows a flowchart illustrating the process to reset the Password of the S2SM 2001 inside the Security Device 100.
  • the user chooses to reset password at step 7101.
  • SMCM 3001 then asks the user to input the Master Name, Mnm 2100 and/or Master Password, Mpw 2200 in step 7102.
  • SMCM 3001 then checks the correctness of the Mpw in step 7103 against the data stored in the Security Device 100 according to the Password Verification Process described above. If the password is incorrect, the operation is halted in step 7104. If the password is correct, the process continues to step 7105 where a new S2pw 2201 is entered by the user and then stored; or a default Password is installed, according to an example embodiment.
  • Fig. 8a shows a high-level schematic block diagram illustrating the equipment setup for the process of deleting the security module inside the Security Device 100.
  • a SMCT 3000 is connected to the Security Device 100 using communication link (CL) 3100 (as described in the Definitions section above), according to an example embodiment.
  • the SMCT 3000 is installed with a SMCM 3001 (as described in the Definitions: software installation section above).
  • Fig. 8b shows a flowchart illustrating the process to delete the S2SM 2001 inside the Security Device 100.
  • the user chooses to delete S2SM 2001 at step 8101.
  • SMCM 3001 then asks the user to input the Mnm 2100 and/or Mpw 2200 in step 8102.
  • SMCM 3001 then checks the correctness of the Mpw in step 8103 against the data stored in the Security Device 100 according to the Password Verification Process described above. If the password is incorrect, the operation is halted in step 8104. If the password is correct, the process continues to step 8105 where S2SM 2001 is deleted from the Device, according to an example embodiment.
  • any Secondary Security Module may be deleted subject to verifying the Secondary Password of the relevant Secondary Security Module.
  • Fig. 9a shows a high level schematic block diagram illustrating the equipment setup for the transfer process of S2SM 2001 from the Security Device 100 to CP 1000.
  • the user presents the Security Device 100 together with the CP 1000 to a Security Module Transportation Tool (SMTT) 9000.
  • the CP 1000 and the Security Device 100 may be connected to the SMTT 9000 via respective communication links (CL) 1900 and 9100 (as described in the Definitions section above).
  • the Security Device 100 and the CP 1000 may be simultaneously connected to the SMTT 9000, or may be connected in sequence, for example where only one communication interface for connecting to the SMTT 9000 may be available.
  • the SMTT 9000 is installed with a SMTM 9001 (as described in the Definitions: software installation section above), according to an example embodiment.
  • Fig. 9b shows a flowchart illustrating the S2SM 2001 transfer process from the Security Device 100 to CP 1000.
  • the user starts the SMTM 9001 and chooses to transfer the S2SM 2001 from the Security Device 100 to a CP 1000 at step 9101.
  • the SMTM 9001 then asks the user to input the Mnm 2100 and/or Mpw 2200 in step 9102.
  • SMTM 9001 checks the correctness of the Mpw in step 9103 against the data stored in the Security Device 100 according to the Password Verification Process described above. If the password is incorrect, the operation is halted in step 9104.
  • in step 9105, the SMTM 9001 installs the SMIM 1001 to the CP 1000.
  • Security Device 100 encrypts the SM 2001 at step 9106.
  • the encrypted SM 2001 is sent to the CP 1000, for example via the SMTM 9001, at step 9107.
  • the SMIM 1001 of CP 1000 decrypts the SM 2001 received from the Security Device 100.
  • the SM 2001 is then stored in the CP 1000 at step 9108. Accordingly, the CP 1000 is now converted into a CP Proxy (CP-P) that is matched to, i.e. associated with, the Security Device 100, according to an example embodiment.
  • any Secondary Security Module may be transferred from the security device to CP subject to verifying the Secondary Password of the relevant Secondary Security Module.
  • S2SM may be needed for different IT security applications, which can advantageously result in a single password being "automatically" applicable to different IT security applications, thus reducing cumbersome setting of the password(s) for each of the different IT security applications.
  • Fig. 10a shows a high level schematic block diagram illustrating a CP-P 1000 containing security module S2SM 2001 and installed with SMIM 1001 (as described in the Definitions: software installation section above), according to an example embodiment.
  • Fig. 10b shows a flowchart illustrating the process that changes the Name S2nm and/or Password S2pw of the S2SM 2001 inside the CP 1000.
  • the user starts the SMIM 1001 and chooses to change the S2nm and/or S2pw at step 10101.
  • the SMIM 1001 then asks the user to input the current S2nm and/or S2pw of S2SM 2001 in step 10102.
  • the SMIM 1001 checks the correctness of the password in step 10103 according to the Password Verification Process described above. If the password is incorrect, the operation is halted in step 10104. If the password is correct, the process continues to step 10105 where new S2nm 2101 and/or S2pw 2201 is input and stored, according to an example embodiment.
  • any transferred Secondary Security Module may be changed subject to verifying the Master Password with the security device 100 connected, similar to what will be described below in relation to resetting the password of a transferred Secondary Security Module.
  • Fig. 11a shows a high level schematic block diagram illustrating a CP 5000 connected with the CP-P 1000 via communication link (CL) 1500 (as described in the Definitions section above).
  • the CP-P 1000 is installed with a SMIM 1001 and the CP 5000 is installed with a SMIM 5001 and IT security application 5002.
  • the IT security application 5002 is provided for the CP 5000 via SaaS.
  • the S2SM 2001 has been transferred from the Security Device 100 (Figure 1) and stored inside the CP-P 1000, according to an example embodiment.
  • Fig. 11b shows a flowchart illustrating the process of an IT security application 5002 in CP 5000, which calls S2SM 2001 stored inside CP-P 1000 as part of its operation.
  • a user installs the SMIM 5001 in the CP 5000 (as described in the Definitions: software installation section above) at step 11101.
  • the user then installs the IT security application 5002 in the CP 5000 or the IT security application 5002 is provided for the CP 5000 via SaaS (as described in the Definitions: software installation section above) at step 11102, according to an example embodiment.
  • the user then runs the IT security application 5002, which requires items from S2SM 2001 stored inside CP-P 1000 in step 11103.
  • the SMIM 5001 checks for the presence of the CP-P 1000 in step 11104.
  • the presence of the CP-P 1000 may be checked/determined based on, by way of example and not limitation, the SMIM 5001 of CP 5000 sending a signal which, by pre-arrangement, is recognized by the SMIM 1001 of CP-P 1000 through for example the USB ports and/or the Bluetooth channels.
  • When the pre-arranged signal is received/recognized by the CP-P 1000, it sends a pre-arranged reply to the SMIM 5001 and then to the IT security application 5002, and thus communication between the IT security application 5002 in the CP 5000 and the S2SM 2001 in the CP-P 1000, or communication between the IT security application 5002 provided for the CP 5000 via SaaS and the S2SM 2001 in the CP-P 1000, is established. If the CP-P 1000 is not present, the operation is aborted in step 11105. If the CP-P 1000 is present, the process continues to step 11106 where the SMIM 5001 requires the user to input the S2nm 2101 and/or S2pw 2201.
  • the SMIM 5001/1001 then checks for the correctness of the password in step 11107 against the data stored in the CP-P 1000 according to the Password Verification Process described above. If the password is incorrect, the operation will be halted in step 11108. If the password is correct, the process continues to step 11109 where the required security element(s) from S2SM 2001 are sent to CP 5000 securely, according to an example embodiment.
  • Fig. 12a shows a high level schematic block diagram illustrating the setup of a CP-P 1000 that has been installed with SMIM 1001 and IT security applications 1002 or an IT security application 1002 is provided for the CP-P 1000 via SaaS (as described in the Definitions: software installation section above), according to an example embodiment.
  • the security module S2SM 2001 has been transferred from the Security Device 100 (Figure 1) and stored inside CP-P 1000.
  • Fig. 12b shows a flowchart illustrating the process where the IT security application 1002 on the CP-P 1000 or provided for the CP-P 1000 via SaaS calls the S2SM 2001 during its operation.
  • the user installs the IT security application 1002 or the IT security application 1002 is provided for the CP-P 1000 via SaaS (as described in the Definitions: software installation section above) at step 12101, according to an example embodiment.
  • the user then runs the IT security application 1002, which requires items from the S2SM 2001 in step 12102.
  • the SMIM 1001 requires the user to input the S2nm 2101 and/or S2pw 2201 of the S2SM 2001 in step 12103.
  • the SMIM 1001 checks the correctness of the password in step 12104 according to the Password Verification Process described above. If the password is incorrect, the operation is halted in step 12105. If the password is correct, the process continues to step 12106 where the required security element(s) of S2SM 2001 are sent as an input to the IT security application 1002, according to an example embodiment.
  • the Security Device 100 can advantageously be used for authentication processing prior to resetting the password of S2SM 2001 on the CP-P 1000 if the user has forgotten the original password of the S2SM 2001, in an example embodiment.
  • Fig. 13a shows a high level schematic block diagram illustrating the equipment setup for the password reset processing of the S2SM 2001 of CP-P 1000 which is installed with SMIM 1001.
  • the user presents the Security Device 100 together with the CP-P 1000 to a SMTT 9000.
  • the CP 1000 and the Security Device 100 are connected to the SMTT 9000 via respective communication links 1900 and 9100 (as described in the Definitions section above).
  • the Security Device 100 and the CP-P 1000 may be simultaneously connected to the SMTT 9000, or may be connected in sequence, for example where only one communication interface for connecting to the SMTT 9000 may be available.
  • a SMTM 9001 is installed on the SMTT 9000 (as described in the Definitions: software installation section above), according to an example embodiment.
  • Fig. 13b shows a flowchart illustrating the process to reset the Password, S2pw of the S2SM 2001 inside the CP-P 1000, in the case where the user has forgotten his S2pw. It is assumed that both Security Device 100 and CP-P 1000 are connected to SMTT 9000. The user chooses to reset password at step 13101.
  • SMTM 9001 requires the user to enter the Master Name Mnm and/or Master Password Mpw for the Security Device 100 in step 13102.
  • SMTM 9001 checks the correctness of the password entered in step 13103 against the data stored in the Security Device 100 according to the Password Verification Process described above. If the password is incorrect, the operation is halted in step 13104. If the password is correct the process continues to step 13105 where Security Device 100 encrypts its S2SM 2001, and sends the encrypted S2SM 2001 to the CP-P 1000 in step 13106. The SMIM 1001 then decrypts the encrypted S2SM 2001 received from the Security Device 100, to check the SM 2001 at step 13107. If the received S2SM 2001 "matches" the S2SM 2001 stored in the CP-P 1000, then the match between the Security Device 100 and the transferred secondary security module S2SM 2001 is successfully established in this example embodiment.
  • a new password, S2pw is entered by the user and then stored on both CP-P 1000 and Security Device 100, or a default Password is installed in step 13108. If there is no match, the Password reset is aborted in step 13109, according to an example embodiment.
  • the CP-P 1000 can perform encryption of its S2SM 2001 and send the encrypted S2SM 2001 to the Security Device 100 for decryption and checking of the match.
  • the final result i.e. that the match is checked, can advantageously be the same in such an alternative embodiment.
  • Fig. 14a shows a high level schematic block diagram illustrating the setup for the SM deleting process of a CP-P 1000 containing S2SM 2001 and installed with SMIM 1001 (as described in the software installation section above), according to an example embodiment.
  • Fig. 14b shows a flowchart illustrating the process to delete the S2SM 2001 inside the CP-P 1000.
  • the user chooses to delete the S2SM 2001 at step 14101.
  • the SMIM 1001 asks the user to input the current S2nm and S2pw of S2SM 2001 in step 14102.
  • the SMIM 1001 then checks the correctness of the password in step 14103 according to the Password Verification Process described above. If the password is incorrect, the operation is halted in step 14104. If the password is correct, the process continues to step 14105 where the S2SM 2001 is deleted, according to an example embodiment. It is noted that alternatively, any transferred Secondary Security Module may be deleted subject to verifying the Master password with the security device connected, similar to what has been described above in relation to resetting the password of a transferred Secondary Security Module.
  • the Mpw of the MSM 2000 in the Security Device 100 may be reset by making use of an authentication device as described in WO/2014/185865, without involvement of a third party, with and without verification of a specific authentication password. All of the additional advantages of the method and system described in WO/2014/185865 can also be exploited in conjunction with the Security Device 100 of example embodiments of the present invention.
  • the Master Security Module and any Secondary Module can be transferred from the Security Device 100 to another, uninitialized Security Device, subject to verifying the Master Password. This may involve connecting the Security Device 100 and the other, uninitialized Security Device to the SMTT 9000. This can be useful, for example, for creating a "spare" Security Device.
  • Figure 15 shows a flow chart 15000 illustrating a method of providing a security functionality on computing products, the method comprising the steps of (15002) initializing a first security module on a dedicated security device, the initialized first security module comprising a first security element such as a first set of one or more cryptographic keys and a first verification element such as a first password; (15004) generating and storing a second security module on the security device, the second security module comprising a second security element such as a second set of one or more cryptographic keys and a second verification element such as a second password; (15006) providing a first IT security application for a first computing product, wherein the first IT security application requires the first or second security elements to operate; (15008) coupling the security device to the first computing product for enabling data communication between the first or second security modules and the first IT security application; and (15010) providing the first or second security elements to the first IT security application subject to verifying a user input using the first or second verification elements respectively.
  • the first IT security application may require the first security element to operate, and the method may further comprise providing a second IT security application for the first computing product or on a second computing product, wherein the second IT security application requires the second security element to operate; coupling the security device to the first or second computing products for enabling data communication between the second security module and the second IT security application; and providing the second security element to the second IT security application subject to verifying a user input using the second verification element.
  • the method may further comprise changing the first verification element subject to verifying a user input using the first verification element; and/or changing the second verification element subject to verifying a user input using the second or the first verification elements.
  • the method may further comprise resetting the second verification element subject to verifying a user input using the first verification element; and/or deleting of the second security module from the security device subject to verifying a user input using the first verification element.
  • the method may further comprise transferring the second security module from the security device to the first or second computing products subject to verifying a user input using the first verification element.
  • the method may further comprise changing the second verification element of the transferred second security module subject to verifying a user input using the second verification element of the transferred second security module or the first verification element of the first security module; and/or deleting the transferred second security module subject to verifying a user input using the second verification element of the transferred second security module or the first verification element of the first security module.
  • the method may further comprise coupling the first or second computing product to a third computing product for enabling data communication between the transferred second security module and a third IT security application for the third computing product, the third IT security application requiring the second security element to operate; and providing the second security element of the transferred second security module to the third IT security application subject to verifying a user input using the second verification element of the transferred second security module.
  • the method may further comprise providing the second security element of the transferred second security module on the first or second computing products to the second IT security application on the same of the first or second computing products subject to verifying a user input using the second verification element of the transferred second security module.
  • the method may further comprise resetting the second verification element of the transferred second security module subject to verifying a user input using the first verification element of the first security module on the security device, and subject to verifying a match between the transferred second security module and the security device.
  • Transferring the second security module may comprise coupling the security device and the first or second computing product to a transportation tool; and/or wherein resetting the second verification element of the transferred second security module may comprise coupling the security device and the first or second computing product to the transportation tool.
  • Initializing the first security module on the security device may comprise coupling the security device to a configuration tool; and/or generating and storing the second security module on the security device may comprise coupling the security device to the configuration tool; and/or changing of the first verification element of the first security module on the security device may comprise coupling the security device to the configuration tool; and/or changing of the second verification element of the second security module on the security device may comprise coupling the security device to the configuration tool; and/or resetting of the second verification element of the second security module on the security device may comprise coupling the security device to the configuration tool; and/or deleting of the second security module from the security device may comprise coupling the security device to the configuration tool.
  • the method may comprise generating and storing two or more different second security modules.
  • the method may comprise transferring two or more of the different second security modules from the security device to the same or different computing products.
  • the first, second, and/or third IT security applications for the respective computing products may be installed on the respective computing product or may be provided for the respective computing product via Software as a Service.
  • the first IT security application may require the first security element to operate, and the security device may be further configured for coupling the security device to the first or a second computing product for enabling data communication between the second security module and a second IT security application on the first or second computing products, wherein the second IT security application requires the second security element to operate; and providing the second security element to the second IT security application subject to verifying a user input using the second verification element.
  • the interface may be for coupling to a configuration tool and the security device may be configured for initializing the first security module; and/or changing of the first verification element subject to verifying a user input using the first verification element.
  • the interface may be for coupling to a configuration tool and the security device is configured for generating and storing the second security module on the security device; and/or changing the second verification element subject to verifying a user input using the second or the first verification elements; and/or resetting the second verification element subject to verifying a user input using the first verification element, and/or deleting the second security module from the security device subject to verifying a user input using the first verification element.
  • the interface may be for coupling to a transportation tool and the security device may be configured for transferring the second security module from the security device to the first or second computing products subject to verifying a user input using the first verification element; and/or resetting the second verification element of the transferred second security module subject to verifying a user input using the first verification element of the first security module of the security device, and subject to verifying a match between the transferred second security module and the security device.
  • the security device may comprise two or more different second security modules.
  • the security device may be configured for transferring two or more of the different second security modules from the security device to the same or different computing products.
  • the first and/or second IT security applications for the respective computing products may be installed on the respective computing product or may be provided for the respective computing product via Software as a Service.
  • a computing product functioning as a security device proxy for the security device
  • the computing product comprising the transferred second security module comprising the second security element and the second verification element; an interface for coupling the computing product to a further computing product for enabling data communication between the transferred second security module and an IT security application for the further computing product, wherein the IT security application requires the second security element of the transferred second security module to operate; and wherein the computing product is configured for providing the second security element of the transferred second security module to the IT security application subject to verifying a user input using the second verification element of the transferred second security module.
  • the computing product may further comprise a further IT security application; and wherein the computing product is configured for providing the second security element of the transferred second security module to the further IT security application on the same computing product subject to verifying a user input using the second verification element of the transferred second security module.
  • the computing product may be configured for changing the second verification element of the transferred second security module subject to verifying a user input using the second verification element of the transferred second security module or the first verification element of the first security module; and/or deleting the transferred second security module from the computing product subject to verifying a user input using the second verification element of the transferred second security module or the first verification element of the first security module.
  • the interface may be for coupling to the transportation tool and the computing product may be configured for resetting the second verification element of the transferred second security module subject to verifying a user input using the first verification element of the first security module of the security device, and subject to verifying a match between the transferred second security module and the security device; and/or transferring the second security module from the security device to the computing product.
  • the IT security application and/or the further IT security application may be installed on the computing product or may be provided for the computing product via Software as a Service.
  • a method and apparatus for generating and storing Security Modules inside a specially designed security hardware device (Security Device).
  • the Security Module can replace the software-generated security elements that are required by different IT security applications on different Computing Products.
  • the Security Module can be transferred from the dedicated Security Device to be stored in different Computing Devices. Then:
  • Example embodiments of the present invention can have the following advantageous characteristics:
  • the dedicated Security Device i.e. hardware is the security control, while e.g. a password is merely used for proving a user is the hardware owner, to prevent illegal usage of the hardware.
  • the Computing Product on which the Security Device Proxy is implemented is the major part of the security control, while e.g. a password is merely used for proving a user is the owner of the Computing Product on which the Security Device Proxy is implemented, to prevent illegal usage of the Security Device Proxy.
  • security control can be recovered from the Security Device if the Security Device Proxy is lost or damaged, which existing software solutions cannot provide.
  • the Security Device or the Security Device Proxy by itself is not a security product because it has no IT security application within itself. However it works with and supports different IT security applications by providing them the different security element(s) or security module which they require.
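An added example, not code from the patent: the authorization rules of Figs. 6b to 9b (which password gates which operation on the Security Device) and the match-gated reset of Fig. 13b, modelled in Python. The PBKDF2 verifier, all class and function names, and treating a "match" as equality of key material are assumptions; the transport encryption of steps 13105 to 13107 is left out.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace


class AuthError(Exception):
    """A verification element or a module match check failed."""


def _verifier(password: str, salt: bytes) -> bytes:
    # Assumption: verification elements are stored as salted PBKDF2 hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class SecurityModule:
    name: str
    key: bytes       # security element (e.g. cryptographic key)
    salt: bytes
    pw_hash: bytes   # verification element (e.g. password), stored hashed

    @classmethod
    def create(cls, name: str, password: str) -> "SecurityModule":
        salt = os.urandom(16)
        return cls(name, os.urandom(32), salt, _verifier(password, salt))

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _verifier(password, self.salt))

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _verifier(password, self.salt)

    def release_key(self, password: str) -> bytes:
        # Steps 5106-5108 and 12103-12106: the element is released only
        # after the module's own password has been verified.
        if not self.verify(password):
            raise AuthError(f"password rejected for {self.name}")
        return self.key


class SecurityDevice:
    def __init__(self, master_password: str):
        self.msm = SecurityModule.create("MSM", master_password)
        self.s2sm = {}

    def require_master(self, mpw: str) -> None:
        if not self.msm.verify(mpw):
            raise AuthError("master password rejected")

    def add_secondary(self, name: str, s2pw: str) -> None:
        # Generation is described elsewhere on the page; not gated in this model.
        self.s2sm[name] = SecurityModule.create(name, s2pw)

    def change_secondary_password(self, name: str, current: str, new: str) -> None:
        # Fig. 6b: the current S2pw authorizes its own replacement.
        if not self.s2sm[name].verify(current):
            raise AuthError("current password rejected")
        self.s2sm[name].set_password(new)

    def reset_secondary_password(self, name: str, mpw: str, new: str) -> None:
        self.require_master(mpw)              # Fig. 7b: Mpw authorizes a reset
        self.s2sm[name].set_password(new)

    def delete_secondary(self, name: str, mpw: str) -> None:
        self.require_master(mpw)              # Fig. 8b: Mpw authorizes deletion
        del self.s2sm[name]

    def transfer_secondary(self, name: str, mpw: str) -> SecurityModule:
        self.require_master(mpw)              # Fig. 9b: Mpw authorizes transfer
        return replace(self.s2sm[name])       # independent copy held by the CP-P


def reset_transferred_password(device, proxy_copy, mpw, new_password):
    """Fig. 13b: reset S2pw on a CP-P with the Security Device connected."""
    device.require_master(mpw)                                # steps 13102-13104
    original = device.s2sm.get(proxy_copy.name)
    if original is None or not hmac.compare_digest(original.key, proxy_copy.key):
        raise AuthError("transferred module does not match")  # step 13109
    original.set_password(new_password)                       # step 13108: stored
    proxy_copy.salt, proxy_copy.pw_hash = original.salt, original.pw_hash  # on both


def demo() -> dict:
    # All passwords below are constructed sample values.
    dev = SecurityDevice("constructed-master-pw")
    dev.add_secondary("mail", "constructed-s2-pw")
    proxy = dev.transfer_secondary("mail", "constructed-master-pw")
    key = proxy.release_key("constructed-s2-pw")
    reset_transferred_password(dev, proxy, "constructed-master-pw", "new-s2-pw")
    stranger = SecurityModule.create("mail", "x")   # same name, different key
    try:
        reset_transferred_password(dev, stranger, "constructed-master-pw", "y")
        mismatch_blocked = False
    except AuthError:
        mismatch_blocked = True
    return {
        "key_unchanged": proxy.release_key("new-s2-pw") == key,
        "old_password_dead": not proxy.verify("constructed-s2-pw"),
        "device_in_sync": dev.s2sm["mail"].verify("new-s2-pw"),
        "mismatch_blocked": mismatch_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The reset replaces only the verification element: the key released after the reset is the one released before it, so applications that depend on that key keep working.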

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method of providing a security functionality on a computing product, a dedicated security device for cooperating with an IT security application on a computing product, and a computing device functioning as a proxy for the dedicated security device. The method comprises the following steps: initializing a first security module on a dedicated security device, the initialized first security module comprising a first security element such as a first set of one or more cryptographic keys and a first verification element such as a first password; generating and storing a second security module on the security device, the second security module comprising a second security element such as a second set of one or more cryptographic keys and a second verification element such as a second password; providing a first IT security application for a first computing product, wherein the first IT security application requires the first or second security element to operate; coupling the security device to the first computing product for enabling data communication between the first or second security module and the first IT security application; and providing the first or second security element to the first IT security application subject to verifying a user input using the first or second verification element respectively.
PCT/SG2017/050364 2016-07-20 2017-07-20 Personal security device and method WO2018017019A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SG10201605978RA SG10201605978RA (en) 2016-07-20 2016-07-20 Personal security device and method
SG10201605978R 2016-07-20

Publications (1)

Publication Number Publication Date
WO2018017019A1 true WO2018017019A1 (fr) 2018-01-25

Family

ID=59409750

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2017/050364 WO2018017019A1 (fr) 2016-07-20 2017-07-20 Personal security device and method

Country Status (2)

Country Link
SG (1) SG10201605978RA (fr)
WO (1) WO2018017019A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3090152A1 (fr) * 2018-12-17 2020-06-19 Orange Resetting an application secret by means of the terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1710725A2 (fr) * 2005-04-06 2006-10-11 Actividentity Inc. Secure digital identity sharing arrangement
EP2469441A1 (fr) * 2010-12-21 2012-06-27 Research In Motion Limited Hardware-strengthened passwords
US8707452B1 (en) * 2008-04-14 2014-04-22 Avaya Inc. Secure data management device
WO2014185865A1 (fr) 2013-05-16 2014-11-20 Fast And Safe Technology Private Limited Self-authentication device and method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1710725A2 (fr) * 2005-04-06 2006-10-11 Actividentity Inc. Secure digital identity sharing arrangement
US8707452B1 (en) * 2008-04-14 2014-04-22 Avaya Inc. Secure data management device
EP2469441A1 (fr) * 2010-12-21 2012-06-27 Research In Motion Limited Hardware-strengthened passwords
WO2014185865A1 (fr) 2013-05-16 2014-11-20 Fast And Safe Technology Private Limited Self-authentication device and method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3090152A1 (fr) * 2018-12-17 2020-06-19 Orange Resetting an application secret by means of the terminal
WO2020128215A1 (fr) * 2018-12-17 2020-06-25 Orange Resetting an application secret by means of the terminal

Also Published As

Publication number Publication date
SG10201605978RA (en) 2018-02-27

Similar Documents

Publication Publication Date Title
JP7043701B2 (ja) Systems and methods for initially establishing and periodically confirming trust in a software application
US20210344669A1 (en) Secure authorization systems and methods
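CN107431924B (zh) Device theft protection associating a device identifier and a user identifier
EP4081921B1 (fr) Contactless card personal identification system
CN112771826A (zh) Application login method, application login device and mobile terminal
CN113711211A (zh) First-factor contactless card authentication system and method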
US20150310427A1 (en) Method, apparatus, and system for generating transaction-signing one-time password
US20130159699A1 (en) Password Recovery Service
JP6476167B2 (ja) Self-authentication device and self-authentication method
US20160048460A1 (en) Remote load and update card emulation support
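EP3206329B1 (fr) Security check method, device, terminal and server
CN103984904A (zh) Method and device for preventing the lock-screen password of a mobile terminal from being cracked
EP3937040B1 (fr) Systems and methods for securing login access
CN115605867A (zh) Enabling communication between applications in a mobile operating system
KR102071438B1 (ko) Payment authentication method and apparatus for a mobile terminal, and mobile terminal
CN108092764B (zh) Password management method, equipment, and device with storage function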
US20110154436A1 (en) Provider Management Methods and Systems for a Portable Device Running Android Platform
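CN106685945B (zh) Service request processing method, service handling number verification method, and terminal thereof
KR20130031435A (ko) Method and apparatus for generating and managing encryption keys of a portable terminal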
US9871890B2 (en) Network authentication method using a card device
US10313132B2 (en) Method and system for importing and exporting configurations
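WO2018017019A1 (fr) Personal security device and method
KR20240024112A (ko) System and method for contactless card communication and multi-device key pair cryptographic authentication
CN114631109A (zh) System and method for cross-coupling risk analysis and one-time password
KR101296402B1 (ko) Method for registering a mobile OTP device using an encrypted seed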

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17745212

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 16/05/2019)

122 Ep: pct application non-entry in european phase

Ref document number: 17745212

Country of ref document: EP

Kind code of ref document: A1