WO2017020895A1

WO2017020895A1 - Apparatus and method for securely storing, managing, and providing authentication information

Info

Publication number: WO2017020895A1
Application number: PCT/DE2016/100357
Authority: WO
Inventors: Steffen Norbert; Hendrik Mielke
Original assignee: Steffen Norbert; Hendrik Mielke
Priority date: 2015-08-05
Filing date: 2016-08-04
Publication date: 2017-02-09
Also published as: DE102015112891A1; DE112016003523A5

Abstract

The invention relates to an apparatus (1) and to a method for securely storing, managing, creating, and providing authentication information. The apparatus (1) comprises a connection assembly (2) for communicating with a computer or other electronic devices, an instrument for processing and storing data, and an additional instrument (6) for locally authenticating the user to the apparatus (1) according to the invention. For the target authentication, plain-text information is generated by means of data on the apparatus (1) and the additional instrument (6), and, in the transmission, said information is transferred to the connected electronic device or the computer as a character string in such a way that said information corresponds to the inputs of a user via a human interface device (HID).

Description

Device and method for safe storage, administration and management

Provision of authentication information

The present invention relates to a device and a method for safe

Storage, management and provision of authentication information, the device consisting of at least one hardware component and a

Device for processing and storing data and a

Connection arrangement for communication with a computer or other electronic devices.

The increased presence of the Internet and electronic devices in daily life means that you have to manage and remember a variety of passwords, usernames, account numbers, and other sensitive information. In addition, the different electronic devices and the various providers usually have different requirements and rules for the use of passwords, user names, etc., should be avoided for security reasons, passwords multiple or simple, a pattern following or donkey bridges having passwords use. In addition, the methods of retrieving foreign data are becoming more and more subtle and dangerous, so there is an urgent need to secure your own authentication data better and at the same time easier.

Numerous systems for managing and protecting authentication data are known, most of which are software solutions that include software

Require installation on each individual device of a user and, for example, can not be used for BOOT / HD-PW / hard disk encryption protection. Pure

There are relatively few hardware solutions and they all have the disadvantage that they have only a very limited functionality and security and usually a very specific purpose.

US 2013/0314208 A1 describes a biometric sensor comprising Device for authentication, wherein a portable storage device for electronically storing confidential data is used as a key to pass this data to another device. Aruna.D.Mane et al. Describe in "Locker Security System Using RFID And GSM Technology" May 2013; International Journal of Advanced Engineering & Technology (IJAET); Vol. 6, Issue 2, pp. 973-980; ISSN: 2231-1963 A Locker

Security system using RFID and GSM technologies. The system is intended especially for banks and prevents unauthorized persons from having access to the safe or safe.

US 2005/0061879 A1 describes an access authentication system comprising a data processing device, a storage medium and an RFID tag. The entered authentication data and the key data are transmitted to the RFID tag and then compared with a stored there second record. In case of agreement, the system

Access authentication data generated.

CN 203166952 U and CN 203180939 U describe input devices for passwords related to access to online banking.

The known systems have the deficiency that they have some of the user's for a secure and simple authentication desired features and functions, but their functionality in each case leaves a lot to be desired, since the existing systems are usually highly specialized and often are island solutions that are focused on just one problem and its solution.

Thus, the object of the present invention is to provide a single device and a corresponding method which provide as many as possible or, if possible, all of those required by the respective user

Authentication measures supported. The aim of the invention is thus a bundled and open solution, with much of the authentication tasks done with an identical security standard and method. The necessary features and tasks include, in particular, the possibility of emulating a keyboard, the possibility of being connected to various different devices, the possibility of using even before the start of the operating system, the protection of the login password, the possibility of storage, administration and use from many to almost unlimited numbers of ID data records, the selection of a data set eg via a display, variation and

Possible combinations when using the system, such as User ID + password, password only, with or without TAB or CR / LF, the launch possibility of a program or website prior to identification and authentication, unlimited

Multi-user capability without "sharing" the personal password and an alternative or additional automatic input option of TANs. The object is achieved by a device and a method for secure

Retention, management, creation and deployment of

Authentication information, the device comprising a connection arrangement for communicating with a computer or other electronic devices, means for processing and storing data, and an additional one

Device for the local authentication of the user against the

Device according to the invention and the provision of

Includes decryption information. The additional device is preferably a separate device, wherein the inventive

Device is preferably only ready for use when the additional separate device is in contact with the device or is in the vicinity of the device. The device according to the invention is designed to store data as

To transmit a string to the connected electronic device or the computer, wherein the data is transmitted so that they correspond to the manual inputs of a user via a Human Interface Device (HID), to achieve that the target authentication entity little or no adjustment to the device of the invention needs. This can be done, for example, by emulation a keyboard. The separate additional device advantageously includes NFC technology and communication with the separate additional device is preferably, but not exclusively, based on RFID technology. In this case, the separate additional device, a smartphone, a smartwatch or another, an RFID technology comprehensive device or an electronic

Be an identity card. The authentication information is transmitted to local or indirectly remote authentication authorities according to their requirements.

In the method itself, a distinction is made between the so-called destination authentication, in which the user is confronted with the destination, e.g. a computer, an operating system, or an application that provides evidence of authenticity. This process is carried out representative of the user of the device according to the invention. In order to ensure that only the authorized person can initiate this process, a further local authentication is preceded by which the user verifies his authenticity with respect to the device according to the invention. This is done for example by means of an electronic card and / or entering a PIN. This process can be supplemented or replaced by testing biometric features. The authentication data include i.a. User names, passwords,

Transaction numbers, one-time passwords, certificates, authentication tokens and / or digital keys. The connection arrangement for communication with a computer or other electronic devices is advantageously designed so that a

Hand input can be omitted even if e.g. the computer is not yet

Operating system, the connection arrangement is a PS / 2 interface, a USB interface, a serial interface, a cable or a Bluetooth or other wireless interface.

The device for processing and storing data is preferably a microcontroller and in a preferred embodiment comprises a keypad and at least one device for status display, which in turn advantageously LEDs and / or a text field or a graphic display. In addition, the includes

A device for processing data, preferably a random number generator, in order, i.a. to generate so-called "strong passwords", which is advantageously a "true random number generator".

The device according to the invention comprises software for setting up, generating and encrypting identity documents and, in a further possible embodiment, a device for querying biometric features. In addition, the device advantageously has a largely platform-independent

Setup tool that allows the user a large number of

Manage authentication records.

The device according to the invention is thus a microcomputer solution, which usernames and passwords but also other credentials, or information from which can be generated, safely stored and managed. Safe, so long and complex passwords are no longer a problem, because the device according to the invention, for example, logs on as a keyboard on the computer, tablet or smartphone and takes over the input of the authentication data. Compared to the well-known password safe software solutions, such as "keepass", the device according to the invention has the advantage that it already works before an operating system was started, and thus, for example, hard disk passwords, hard disk encryption passwords and boot or BlOS In addition, the device is a self-contained system of hardware and software, in which no Trojan can break the encryption and spy on the passwords unnoticed.

At the same time, the device according to the invention has all the advantages of

Software solutions, so that among other things the passwords can be protected with strong cryptographic methods. Since the manual input is omitted, very long and complex passwords can easily be used. In addition, one can for Choose a different password for each login, as there is no need to remember the password. Furthermore, random passwords can be generated, so that with sufficient length of the password cracking of the password is virtually impossible.

The apparatus comprises a management program which makes it possible in a simple manner to provide identity records consisting of program start sequence or URL and further information, such as e.g. a short description as well as user names and secrets for authentication, such as Passwords, create and change. For all cases where the user is asked to choose a new password, a simple password change is possible. The identity records can be saved in a file. In this case, secure encryption advantageously ensures that it can only be read in again in the same device according to the invention. The user can thus store the security without risk in the cloud, on external servers or his smartphone.

At start-up and every time the device has not been used for a certain period of time, the input of a PIN of selectable length is provided. For this purpose, an advantageous embodiment of the device according to the invention provides that the device comprises an input device for selecting an authentication data record and for securely entering PINs and PUKs. Just a few digits offer good protection, because the encapsulated HW & SW solution is a

Try out multiple PINs as well as impossible. Advantageously, a small integrated display is provided, on which it can be seen which ID record was selected. At the press of a button, a login process can then be started in which it is possible to first select which parts of the data record, that is to say, for example, user name and password or only the latter, are transmitted. In many cases, even starting the application or entering a URL can be dispensed with because the device according to the invention can do it with you.

A more comfortable embodiment of the present invention provides a solution which is also suitable for larger companies and / or workplaces for multiple users. It is envisaged that any number of ID records can be stored. In addition to the keypad for PIN entry and record selection, this embodiment includes a reader for non-contact radio memory chips. The records can now be stored individually and securely encrypted for each user. For example, a card, a key ring, a small bracelet or simply an adhesive label can be selected. The push of a button for the transfer of user ID and password is replaced by the fact that the chip is brought close to the vicinity (about 5 cm) of the device according to the invention.

For business purposes, the device according to the invention is preferably designed as a "family version", whereby all chips which have been set up on one of the family boxes (box = device according to the invention) can also be used on all other boxes within the family as an important additional protection is preferably provided to block the possibility of using foreign chips.

The above more convenient embodiment of the present invention is also advantageously set up for cloud identity management. Thus, providers of cloud services can provide the user with personalized access to theirs

Simply send services by chip. Via download of QR codes, the management program of the device according to the invention can program existing chips, so that even the waiting for the postal route can be dispensed with.

In addition to the two abovementioned embodiments of the invention

In addition, the device may be customized to the device, with the possible extension being the use of biometric features, such as e.g. a fingerprint instead of or in addition to entering a PIN for the local

Authentication be provided. It is also conceivable to connect with existing or newly created locking systems, so that the same chip can be used for both physical and IT access control. Conversely, the

Device according to the invention are also modified so that they directly into a Locking system can be integrated. Whether an integration with an existing solution is economically feasible in individual cases, of course, must be checked and depends heavily on the details of the existing solution. Also conceivable is the installation in existing USB or Bluetooth keyboards or a

Combination solution with these.

An advantageous additional application of the present invention is the use as a TAN generator, wherein the tipping of the TAN is omitted and the TAN is transmitted instead, for example via a USB interface. Also in this case, the TAN generator logs on as a keyboard on the computer, tablet or smartphone, for which usually no additional software is needed.

The present invention is based on the idea of providing a device consisting of one or more hardware components and the associated software, which makes the conventional entity authentication significantly safer, easier to execute and the many identities and information that are usually required today

associated credentials (Credentials) makes controllable and manageable. The entity to be authenticated is normally a human, but the device also allows for the protection of other entities, e.g. Software programs etc.

The apparatus of the present invention significantly improves upon conventional devices having a similar purpose through the use of the USB HID interface to emulate a keyboard on and over existing computers and other electronic devices. The communication can be done via (USB) plug or cable directly or via wireless remote connections, such as "Bluetooth", so it is no longer necessary to enter credentials by hand or to copy them by software, in contrast to conventional devices with similar The purpose is usually to provide minimal or no intervention in the systems to be protected, and the device also allows for the administration and simple entry of credentials before the protection to be protected

Computer system has loaded an operating system (so-called pre boot authentication), which makes it significantly different from conventional systems.

The device according to the invention stores, delivers and / or generates

Credentials, such as Passwords, TANs (transaction numbers),

One-time passwords, authentication tokens, private or symmetric cryptographic keys, personal identification numbers (PINs) or answers to test questions. Thus, the device allows the "knowledge" (knowledge of all secrets to

Credential) by a selectable combination of "ownership" (e.g., an RFID PICC), "property" (e.g., a biometric feature such as a

Fingerprint) and simpler "knowledge" (equal to a PIN) If PIN protection is chosen, this is compared to conventional pure software

Devices with a similar purpose are far more secure because a potential attacker can not use software to attack, and by doing so, and by additional

Measures such as blocking after a certain number of failed attempts, the effort for an attack (with the same PIN length) orders orders of magnitude more difficult. In the end, adequate protection is built up even with a 4- or 6-digit PIN, which is not the case with pure software solutions. Therefore, an additional use of the device according to the invention in the protection of conventional software devices with a similar purpose ("cascading use").

The apparatus of the invention preferably employs modern, recognized and pertinent cryptographic methods to protect the credentials from unauthorized copying and use. In contrast to pure software devices with a similar purpose, attacks aiming to discover the keys needed to accomplish orders of magnitude are more difficult and expensive because a potential attacker can not gain access to memory without being extremely expensive and time consuming

Technologically complex physical analysis of the device. In addition, such attacks are easily noticed by anyone, which is not the case with conventional pure software devices. The device advantageously contains a random number generator for different applications, which fulfills the requirements for the pertinent quality of the random numbers and with whose help it is also possible to generate random credentials. This option is an advantageous alternative to entering

Credentials through a management program.

The device, even in its simplest embodiment, allows storage of a product-series-dependent set of identification records. A built-in numeric keypad is used to enter a PIN at startup. This input must be repeated after an adjustable time without use. Furthermore, an identification data record is selected via the keypad. As far as the device contains its own display, an identifier of the record is displayed. By pressing a special key, this data set, or parts of it, will be sent via the USB, HID (keyboard) interface, after the previously

Proof of Entitlement was decrypted with the short-term generated key. The key is immediately deleted (overwritten). The care

(Setting up, deleting and changing) the records via a supplied

Computer program and the serial (USB) interface can be carried out by the user at any time. Embodiments are possible, which additionally or instead of the PIN unlock the use of other methods, in particular on the query biometric features.

In an advantageous embodiment, the device includes a display and an RFID reader in addition to the keypad. In this case, the first identifi cation data sets, the number of which is configuration-dependent, stored in the device and other records on the RFID PICCs. This serves to manage system-dependent data records, such as those containing boot, hard disk or hard disk encryption passwords, of personal data records, such as those containing user login data, separately under the control of the respective owner or delegate to be able to. Also the system dependent records are usable only if the entity, identified and over a selectable combination of PIN and PICC is released. Even if the PICC were completely compromised, this would not lead to the detection of the credentials, as this would necessarily require access to the device and possibly (if so selected) knowledge of the PIN. PICCs can be locked and unlocked at any time using a master PICC. Executions, which additionally or instead of the PIN the

Unlocking usage via other methods, in particular the query of biometric features, are possible.

The device in the design as a TAN generator works similar to the conventional (hardware) devices of this type, but with the difference that no keyboard input on a display must be read and entered by hand, but the transmission by USB HID (keyboard) he follows.

Embodiments which additionally or instead of the PIN for the local

Authentication involving the use of other methods, in particular the query of biometric features, are also possible here. In addition, of course, combinations with the previously mentioned embodiments are also possible, with one or all of the aforementioned embodiments also being incorporated into existing USB HID devices, such as e.g. Remote keyboards, Bluetooth keyboards, computer mice or joysticks can be installed or integrated.

A further advantageous embodiment of the present invention offers providers of network services the ability to send their users RFID PICCs, which allow easy, fast personalized access to their services. Alternatively, the device may be encoded or scanned on a computer by means of a supplied program, such as e.g. Read QR codes. An activation and personalization procedure at the first application ensures that stolen goods in transit or, in particular, in the case of

Encodings Copied Cloud Ident records can not be used. In this case, the identity record also contains the information to automatically invoke and / or enter programs and / or "URLs" as much as possible. In the device according to the invention is a separate device that decrypts encrypted stored passwords of the user after successful authentication of the user and then transmitted as plain text, for example via the USB port of the computer or other electronic device.

In the following, the device according to the invention and the method are additionally explained in detail with reference to figures and a flowchart. 1 shows a perspective view of an example of a device together with an RFID tag. FIGS. 2 to 6 contain flowcharts in which the method sequence is systematically reproduced.

1 shows a perspective view of an advantageous embodiment of an inventive device 1 for safe storage, management,

Creation and provision of authentication information, the device 1 comprising a USB port 2 as a connection arrangement for communication with a computer or other electronic devices. In addition, the device 1 has a display 3 for status display, a keypad 4 and, an RFID antenna 5 for reading and writing radio memory chips. At the same time, FIG. 1 shows as an additional device 6 an RFID tag which is responsible for the local authentication of the user to the device 1 and the provision of

Decryption information and destination information for data is provided. As can be seen from Figures 2 to 6, is in the inventive

Method for secure storage, management, creation and provision of authentication requirements, a corresponding device, the one

Connection arrangement 2 for communication with a computer or other electronic devices and a device for processing and storing data, in a first step with the computer or the other

connected to electronic devices. This must be done depending on the operating system if necessary, install a suitable driver for the target device beforehand. In a further step, the authentication information is then selected. After the selection of the authentication data set, a separate additional device 6 is preferably used for the local authentication of the user with respect to

According to the invention and the provision of decryption and destination information for data brought into contact with the device 1 or in the vicinity of the device 1. Clear text information is generated by means of data on the device 1 and the additional device 6, which are then transmitted, the data being transmitted as a character string to the connected electronic device or the computer in such a way that they can be input by a user

Human Interface Device (HID), which then performs the destination authentication.

To figure 2 it should be noted that the start sequence is run through each time the device is activated again. It decides whether the device is brand new and has to be initialized first, or whether it is immediately ready for use. If the

Initialization has already taken place, the device expects a PIN entry and an associated PICC. If this communication is not offered, a renewed authentication is expected after a steadily increasing time delay. If the combination of PIN and PICC is accepted, the program continues with the main routine. The initialization sequence shown in parallel is executed when the device is first started or explicitly called. Here, a so-called master key is generated. Thereafter, it is forwarded to another routine for creating the user.

FIG. 3 shows the main routine. The device expects inputs and can branch into various subroutines or subroutines depending on this. For this, the user activity is monitored as a function of time. The following options are given for this:

- When a certain period of inactivity has passed, the program jumps

back to start and expects an authentication. - If a valid signal is received via a PICC, the current authentication data record, eg the first combination of login information and password is transmitted (C).

- If a special key (up, down, ok) is pressed, (D) becomes a

corresponding other record is selected or other .Actions performed, such. the deletion or setting of "flags" which control the (later output of fields of the data record.) In the case of "DEL" the last (non-action) input is deleted The subprograms shown in FIG

Transfer routine for an I D / password combination depending on a valid PICC (C), on the other hand, the subroutine for processing various functions for interpreting key inputs (D). The latter routine has more branching possibilities. These enable, on the one hand, the processing of the safety information directly on the device (F) and, on the other hand, the activation of the serial interface to the input device (E).

Figure 5 shows the subroutines for processing the security combinations on the device (F) and the subroutine for establishing connection with the PC.

In FIG. 6, the subroutine for creating a new or

Re-initializing an existing user PICC shown.

Claims

claims

1. Device (1) for safe storage, management, creation and

Provision of authentication information, including

a connection arrangement (2) for communication with a computer or other electronic devices,

a device for the processing and storage of data and

an additional device (6) for the local authentication of the

User on the device (1) and the provision of

Decryption information and destination information for data, characterized in that

the device (1) is arranged to transmit data as a character string to the connected electronic device or computer, the data being transmitted in such a way that they correspond to the inputs of a user via a Human Interface Device (HID), the

Authentication information to local or indirect remote

Authentication instances are transmitted. 2. Apparatus according to claim 1,

characterized in that

the additional device (6) is a separate device, wherein the

Device (1) is only ready for use when the separate additional device (6) is in contact with the device (1) or is in the vicinity of the device (1).

3. Apparatus according to claim 1 or 2,

characterized in that

the separate additional device (6) comprises an NFC technology and communicates with the separate additional device on the RFID

Technology based. Device according to one of claims 1 to 3,

characterized in that

the separate additional device (6) is a smartphone, a smartwatch or another device comprising an RFID technology.

Device according to one of claims 1 to 3,

characterized in that

the separate additional device (6) is an electronic identity card or a smartcard.

Device according to one of claims 1 to 5,

characterized in that

the authentication information user names, passwords,

Transaction numbers, one-time passwords, authentication tokens, certificates and / or digital keys.

Device according to one of claims 1 to 6,

characterized in that

the connection arrangement (2) is designed for communication with a computer or other electronic devices so that an input can be omitted manually even if the computer or the other

electronic devices have not yet loaded an operating system.

Device according to one of claims 1 to 7,

characterized in that

the connection arrangement (2) for communication with a computer or other electronic devices is a PS / 2 interface, a USB interface (2), a serial interface, a cable, a Bluetooth interface or any other wireless interface.

9. Device according to one of claims 1 to 8,

characterized in that

the device for processing and storing data

Microcontroller or a microprocessor with separate memory is.

10. Device according to one of claims 1 to 9,

characterized in that

the device comprises an input device (4) for selecting a

Authentication record and safe entry of PINs and PUKs includes.

11. Device according to one of claims 1 to 10,

characterized in that

the input device comprises a keypad (4).

12. Device according to one of claims 1 to 11,

characterized in that

the device comprises at least one device for status display (3).

13. Device according to claim 12,

characterized in that

the at least one device for status display (3) comprises LEDs.

14. The device according to claim 12,

characterized in that

the status display device (3) comprises a text field or a graphic display.

15. Device according to one of claims 1 to 14,

characterized in that the means for processing data comprises a random number generator for generating &"strongpasswords".

Device according to one of claims 1 to 15,

characterized in that

the device (1) comprises external software for managing and securing credentials.

Device according to one of claims 1 to 16,

characterized in that

the device (1) comprises a device for querying biometric features.

Safe Storage, Administration, Creation, and Management

Providing authentication information, wherein

- A device (1) having a connection arrangement (2) for

Communication with a computer or other electronic devices and a means for processing and storing data, in a first step is connected to the computer or other electronic devices,

in a second step, the authentication information is selected and

is authenticated in a further step via an additional device (6) for the local authentication of the user to the device (1), after which authentication data as a string to the

connected electronic device or the computer so that they correspond to the inputs of a user via a Human Interface Device (HID).