IT202100008723A1 - SYSTEM FOR THE SECURITY MANAGEMENT OF DIGITAL DOCUMENTS - Google Patents

Description

SYSTEM FOR THE SECURITY MANAGEMENT OF DIGITAL DOCUMENTS

Technical sector

The present invention generally refers to the sector of systems for the automated management of digital documents.

The invention provides a method, a device and in general a configured system for the secure and privacy-respecting management of digital documents by digital signature.

Does the general purpose device include one or more? smartcard readers, an integrated circuit that incorporates certificates in mode? embedded, such as chips or smartcards. These chips or smartcards containing the certificates are physically welded into the integrated circuit. Said device ? connected to a computer, or to a set of computers ? clusters ? that contribute to the provision of the digital signature service, centralized and remote management, the possibility? to carry out an automatic digital signature process in succession of digital documents by a proprietary user, the possibility? to delegate and authorize in mode? traced the entire digital signature path, the management of authentication keys in compliance with security, the conservation of documents in compliance with privacy and the verification of certificates and signed files. The device is not able only to sign, but has the ability? processing and allows you to implement verticalized workflows on specific or general applications (perhaps programmable from a graphical interface). In this way it becomes a unit? autonomous processing by processing various information, in fact (this allows you to manage the information by authenticating them in the most confidential way possible, as there is no need to access third-party services, and in addition everything is done within the same device without necessarily having network communications.

State of art

To solve the above problems, devices called hardware secure module have been devised, a physical computing device that secures and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication, and other cryptographic functions. These are professional type devices, generally used in servers.

Application US2014/158764 provides a smart card reader configured to transmit a power signal and send commands to a smart card in accordance with with the ISO 7816 standard.

The question ?US2013/262918? proposes an apparatus for the management of anomalies comprising a master system coupled to at least one slave, the master apparatus comprises a controller to monitor the status of the slave in such a way as to signal when? necessary to intervene to reset the hardware and return to normal operations.

Application EP1967951 claims a circuit for detecting failures on the Universal Serial Bus line; US2005/081114 relates to a method and system for analyzing errors in a data memory comprising periodically executing a query to determine whether errors have occurred in the memory, retrieving and storing the memory address in which ? once the error has been verified, check the number of times the error occurs and compare with a threshold, increase the frequency of the query and incrementally increase the threshold according to the number of errors; US2014112339 comprises an apparatus comprising a physical layer coupled to a serial line placing it in a blocking state (BLS - Blocking Link State) in order to monitor bandwidth consumption and EP2362295 claims a method for restarting a subsystem when it is detected an exception on signaling request by the subsystem.

The object of the present invention generally relates to a method, a device, a system for managing digital documents in security and with respect for privacy by means of a qualified signature. DESCRIPTION

As used herein, except where the context requires otherwise, the term "comprises" and variations of the term, such as "comprising", "comprises" and "including", are not intended to exclude additional additives, components, integers or steps.

In one embodiment of the present invention, ? a device for managing digital documents by digital signature is provided, comprising at least one microcontroller configured with at least one data communication port, a plurality of of qualified signature readers to whom ? associated with a remote controlled logic switch for each reader. The logic switches associated with each reader may include electronic devices such as transistors, logic gates of the nand type, and, diodes, operational amplifiers, etc., suitably associated with the microcontroller.

The device ? made of general purpose components; the data communication port can? include a USB-type port or in general a GPIO. The remote controlled switch can? be of the wired or wireless type, capable of performing a reset through the government of the power supply means of the device itself or of one or more? readers simultaneously. Among the qualified signature readers, readers for smartcards or USB devices or bluetooth or wifi type ports can be included. The microcontroller can? be a PIC type integrated circuit.

In one embodiment of the device, this comprises at least one storage memory, which contains the digital documents stored in an encrypted manner by means of a digital signature. The memory chip and the PIC are encapsulated inside a stack of PCBs (Print Circuit Board) to protect against unwanted external access also through the use of chemical substances such as thermosetting two-component epoxy resins, polyurethanes, polybutadienes, modified silicone resins. In another form? symmetric encryption is expected. Basically it is a password manager contained in the memory of an embedded chip type, PIC16 ? why? inaccessible ? which is unlocked by entering a pin from a keypad connected to it. Why? a software/hardware of the device pu? access the decryption passwords of the files in the chip using the appropriate commands. Only after the chip is unlocked manually or with another procedure can you? access information.

In one embodiment of the device, it comprises a plurality of of anti-burglary sensors associated with the microcontroller designed to signal activity? of a fraudulent nature due to unwanted physical access to the internal elements of the device, such as the storage memory and the PIC. Among the sensors can be included, temperature sensor, vibration sensor, brightness sensor, etc. It is considered that in case of break-in the memory is physically detached from the chip by disconnecting the power supply (VCC or D+ and D-) of the memory soldered on the PCB, thus making it inaccessible from the outside.

In one embodiment of the device, this comprises a display which allows to visualize the various operations in progress; said display can? be associated in whole or in part with a numeric keypad for entering a PIN code associated with a qualified signature. Among the displays can be included those capacitive touch called touch, non-interactive LCD type displays, etc. AND? It is also possible to access remotely via bluetooth or wifi having the encrypted channel. In another form with the PIN ? It is possible to unlock a keyring that contains all the pins of all the smartcards and the various passwords.

According to another embodiment of the device, there can be more? such as USB ports constituting a HUB, characterized by the fact that each port? individually powered, with telematic control also remotely through the host. In particular, the device pu? be controlled via USB, serial or other network protocols, including wireless, run one or more? switch between ports, enable / disable one or more? doors also in mode? programmable, automatic and timed (for example, a specific door switches on and/or off at a specific time of a specific day, or after entering a specific PIN, so that access to that token can only be done under certain conditions.The unlocking of a token can be done both locally and remotely, carry out reset operations in case of errors and possibly memorize and archive them in a memory, even external, such as a USB key or sent via the network Maintenance operations could be protected by an authentication system, for example via a pin code. Optionally, the hub can be powered by a battery, which can optionally be integrated into the device itself. The battery can be charged using the normal mains electricity or through a solar panel.The battery itself can be incorporated in the resin casting, so that it cannot be detached from the device.

The device includes a 16x2 LCD screen, pu? be of any size and type; the main board, an alphanumeric keypad. The keypad can be custom or commercial, for example those with membranes.

The main board? connected to the other two parts by means of flexible cables (in another implementation the board can be incorporated in a box which also contains the keypad. The box and the keypad will be protected by anti-burglary resin so as to make it impossible to access the memory and the connections between board and keyboard). shall I? have a terminal block input for connection to a processor. This link will provide preferably an emulation usb/rs-232 and/or gpio and/or modbus and sar? the control and data exchange channel between the main board and the computer.

The device ? able to implement a set of commands, PRT, followed by a string. The goal of the card ? to manage access to a flash memory present on the same pcb and to the memory contained in the PIC16/PIC18 or other type of chip used. Access is guaranteed thanks to a PIN, or password or other type of token, even cryptographic. If you don't have the PIN or the card blocks access to the flash memory? inhibited by a transistor. The PCB can include a USB HUB and/or an FTDI usb/rs232 and a PIC18F, a battery to power the PIC18F in case it is not powered by USB (the device is off), a transistor, a Flash Memory, PIC PINs connected to switches. Said switch is used to observe and verify if the device ? been tampered with or is about to be tampered with. When the device is moved away from its original position the switch opens. ? an anti-burglary technique, as well as anti-vibration and other sensors. If the switch is opened, the PIC alarms and no longer responds? at the commands. In this case it will be It can be unlocked with a hidden command and with an additional password (ADMIN UNLOCK).

The PCB includes a PIC18F, controlled via a usb2/rs232 interface or other type of technology/protocol, for example gpio and ? connected to the HUB. The PCB accepts commands such as UNLOCK [PIN] FLASH MEMORY, LOCK, RESET [ADMIN PIN], ADMIN UNLOCK [ADMIN PIN] - RESET DA UNBLOCK, CHANGE PIN [OLD PIN] [NEW PIN] - MANAGEMENT PIN, UNLOCK PIN [ PUK] [NEW PIN], etc.

The usb hub? connected to the computer via a terminal block. The transistor controls the power line (optionally also D+ and D-) of the flash memory (FLASH MEMORY -> TRANSISTOR -> USB HUB). In the event of a block or lock, the line must be disconnected and does not allow the operation of the flash memory.

The PIC must also handle 4 pairs of switches. These will be connected to switches. When a switch opens the PIC18F must go into mode? block why? this is equivalent to an attempt to physically break into the device. For example the opening of a door of the box).

If you get the PIN wrong for more? 3 times the PIC18F must go to block.

The flash memory communicates directly through the usb HUB the only control of the PIC18F must be on the power supply.

The PIC18F must memorize N passwords, or PINs of arbitrary length (even 256 characters) and allow them to be recovered, deleted or modified. These operations can be done if the PIC NOT ? in bulk and if you have a PIN. Optionally to change password/PIN ? necessary of a generic administration PIN/password and/or of the single PIC/password.

The PIC18F must allow writing on an LCD screen (16x2) using the appropriate commands.

The PCB must be equipped with a battery (an additional external battery may also be provided). This battery powers the PIC if the main power source is disconnected. This battery preferably does not power the flash memory (this is to save energy as much as possible and keep the PIC or similar alive longer, in order to increase its defensive power towards the device). If the switches are opened, even when the PIC ? battery powered, the PIC must go into lockout. The ideal would be for the PCB to be made on a multilayer and the traces to be hidden in an intermediate layer, so as not to give direct access to the traces or with a pile of PCBs which totally or partially enclose the chips and the solders (from above and from below).

On the PCB can be present pi? flash memory (these can be connected to a single USB port - muxate/demuxate or to multiple usb ports). Depending on the entered PIN, one or more? smartcard. Can you? assign a different security level to each smartcard. Why? can? be specified that a PIN is required for a smartcard or enter a PIN sequence in order to be able to activate it.

The device can be equipped with an alphanumeric keypad for manual entry of a password or pin to unlock the device itself. In this way the password will not be stored locally but sar? managed elsewhere by the user. The device communicates error messages or information via any display.

The device contains in the main chip (which has technology similar to smartcards for legal signature) smartcard passwords and pins. The internal memory of the device is encrypted with one of these passwords. Why? if the device goes into block will not provide? this password (which can? be long even hundreds of characters...) in addition to physically isolating the memory that ? contained on the card.

With the unlocking of the device, PINs for smartcard readers (and decryption passwords) will also be available. Why? smartcards cannot be used if the device is not ? unlocked. Likewise you will not be able to access the memory. No password ? stored in areas not protected in hardware mode.

Instead of the keypad, or in addition as a second authentication factor, pu? a fingerprint reader can also be used. The device unlocks if it recognizes one of the stored fingerprints.

The communication protocol between the computer and the device pu? be encrypted. In the device there may also be more? memories for data redundancy.

Among the alarm sensors present in the device we can include not only switches (which are used to indicate whether the package containing this device has been opened), but also an accelerometer (to make it understand if someone tries to shake it or slam something against it or if is using a drill for example), one or more? temperature sensors to let him know if someone is trying to dissolve the resin and / or volumetric or pressure sensors.

The device ? equipped with an internal battery that allows it to work even if the computer ? deactivated. This why? a possible attacker will try? to disassemble the device to get the information with the computer off, most likely. In this case the battery will allow? to identify the attempted burglary and the device will go? in block.

When the main power is off more the device will have to? enter the locked state.

Inside the device, under the walls there may be accelerometer sensors so that if the walls are tampered with or if the device is shaken for more, the after n seconds the device goes to block.

In the device there may be more? memoirs, to which ? You can log in with different pins. Why? according to the pin that you put will activate more? password and/or memory logs.

The device can be configured to block automatically after N seconds. In this way if the owner leaves it open after N seconds it goes into protection by itself. The protection can affect both memory and the password manager. If there are more memories can be managed more? different timeouts and pu? manage different timeouts between memories and password manager.

The device crashes after N incorrect commands. If there are errors in the commands sent after N commands, the device stops.

Could there also be a mode? of total concealment. That is? in the event that the device contains very sensitive information in the event of an attack on the device this through one or more? transistor can completely isolate himself from the world, without giving the possibility? more to access the command terminal (as well as the memories). Can this be done? get by interrupting the connection between the usb hub that ? present in the card and the calculator.

The commands sent to the device can be encrypted with a symmetric key (perhaps contained on another hardware token) or signed with a certificate (perhaps contained on a hardware token, perhaps a TPM contained on the motherboard). Will the device accept? only commands signed by that token.

The device will have to have a command to set its identifier (for instance, like the MAC address for network cards) and one to extract this ID. To set this id you need the super administrator password (which only the manufacturer will have).

The device allow the backup of the data contained in the pic and in the flash memory. These will be downloaded via the web interface or downloaded for example to a USB mass storage device, preferably in encrypted form. Can the encryption take place either by means of one of the smartcards of said device or by means of a password entered by the user.

Can encryption be performed by a processor inside the card or externally from the computer to which ? connected the device.

In a card you can have more? pic that handle the same memory card. Through a MUX the tracks are diverted towards a PIC or towards the other if a damage to a PIC is found.

It being understood that in a device you could have more? of these devices that go into software and/or hardware redundancy.

The device can contain a removable MICROSD-type memory for less sensitive data that cannot be lost if the chip breaks, but also a backup on a USB pendrive or other mass memory.

These can be encrypted with a password held in the PIC but which is also known to the owner of the data.

In an embodiment of the present invention comprising a workflow module where the management and processing of the documents/information takes place, an encryption module where the files or information coming from the workflow are authenticated, a module for the management of sensitive data where certificates, private cryptographic keys, PINs or passwords are stored, characterized by having an energy supply means control module and a timing system - hardware or software - connected to, or included in, said control module, configured to automatically detect malfunctions or blockages of the signature process, which in response to a command signal, said control module inhibits the operation of the power supply means of said encryption module, interrupting the power supply and subsequently automatically reintroducing the ?Power supply by means of a switch.

The encryption module comprises at least one microcontroller configured with at least one data communication port, a plurality of hardware devices suitable for digital signature in which each device? associated with a specific switch.

The sensitive data management module ? a memory composed of an embedded type chip associated in whole or in part with a local or remote device dedicated to the insertion of one or more? secret codes for unlocking said memory and by an archive memory whose supply means are controlled by said chip.

The switch can be controlled remotely via network or wireless and that said switch can? be a transistor or nand type logic gate or and type logic gate or diode or op amp,

Can the digital documents contained in the archive memory be encrypted with asymmetric encryption systems and the private key of this encryption system? stored in a hardware device or with symmetric encryption systems where the secret key of the symmetric encryption system ? stored in said form for the management of sensitive data.

Unlocking the memory includes an additional authentication factor. The microcontroller and/or the embedded type chip are encapsulated inside a stack of PCBs (Print Circuit Board) by means of resin so as to hide the traces and not allow direct access to said integrated circuits.

In the embedded chip ? contains a Keyring in which the PINs of the signing hardware devices and the encryption keys are stored.

Furthermore, the system includes a plurality of anti-burglary sensors associated with the microcontroller designed to signal activity? of a fraudulent nature due to unwanted physical access to the internal elements of said modules and by a battery which powers the embedded chip to maintain power even in the event of break-in.

In the event of a fraudulent access attempt either through burglary or through a data breach, the microcontroller is configured in such a way as to inhibit the read and write commands of the embedded chip and of the storage memory.

In one embodiment of the present invention, ? a system is provided comprising a device of the present invention set forth above, associated with a processor or electronic calculator, configured for the management of digital documents by means of a qualified signature by a proprietary user.

The reader device included in the system of the invention ? therefore configured for interaction with an electronic computer, for example equipped with a dedicated driver for its management or connected via network to the same. Furthermore, the system, in whole or in part, by means of the associated device of the present invention, comprises a control module for the energy supply means of the reader and a timing system - hardware or software - connected to, or including in, said control module, configured to automatically detect malfunctions or blockages of the signature process. The system of the invention ? configured in such a way that when the timing system detects a malfunction or block or error of the returned signature or if no value is returned during the process of signing a document, it automatically sends a command signal to the control module. When an operation requires much more? time than expected you can? detect on the basis of an exit status of the signature operation with error, or on the basis of a signature which, following the post-signature verification, is incorrect or null (null information is returned). Once a threshold of N wrong signatures has been exceeded, the device is reset. The control module, in response to the command signal, ? configured to inhibit the operation of the power supply means by interrupting the current supply and then automatically re-introducing the current supply to the reader, preferably in a timed manner Once the current ? fed back to the reader, the processor automatically resumes the process of signing the document, that is? make a new attempt to sign it. Preferably, the maximum number of attempts can? be predetermined, if you exceed the N attempts the token pu? go to block and maybe it is replaced by a token ?spare? which preferably has the same data, such as referring to the same tax code. These characteristics of the system allow you to maintain continuity? of? activity? digital signature, to be able to digitally sign documents in a stable and continuous way, without requiring the active intervention of a user.

AND? possible to predict that after the current ? been restored, carry out a test on a file and then verify it to see if the functionality? ? been restored. In case of N failures of this test then you can? restart. The restart procedure can? also be performed spontaneously during breaks, even at regular intervals. In the same way it is possible to execute probes with timed signature/verification in moments of non-use in order to always have an eye on the situation. In case of breakage or malfunction of the token, the user is warned so as not to block it when it will have? then materially need the token.

The system includes an encryption module, where the files or information in general sent by the workflow or safe are authenticated, a workflow engine where the management and processing of documents/information takes place, a data security module, in this part deals with storing information including specific areas for storing PINs, passwords. In particular, PINs / passwords are stored in a system that has the same level of security as a smartcard cio? the internal memory of a PIC18F.

In one embodiment of the system, ? further envisaged is the sending of a communication or message, for example via e-mail, SMS or Telegram, or other alarm to the owner user when there is a malfunction or blockage of the activity? of affixing the digital signature. Furthermore, according to a further aspect, a trace of the occurrence of this malfunction or blockage? stored in a first database, preferably contained in the security module or sent to monitoring systems, for example, such as scada.

In one embodiment of the system, signed files can be stored in a different queue, db table or even filesystem directories: one for input files, ie? the files received from another user, and one for the output files, cio? the files to be sent to another user. This queue guarantees the perfect decoupling between the reception of information and its processing. Meanwhile, this allows you to manage very high load volumes, to manage security at a level prior to processing ? That ? the one that takes more? resources and ? the most criticism of the process - why? to discard any unlawful or erroneous requests before getting to the heart of the system. This allows you to manage the scheduling of tasks and the management of resources necessary for processing in an optimal way. Furthermore, according to an even further aspect of the implementation of the system, ? It is possible to provide external software programs or applications, including those of third parties, for example for the management of digital documents, in such a way as to facilitate the user?s interaction with the system, for example a CRM application which, for example, allows the sending of invoices, to receive invoices and notifications from the Public Administration, but also to manage customers, orders, sales campaigns, appointments, etc. In the case of connection via network, protocols such as modbus, snmp can be used but also called web services, REST, GET or POST, HTTP and in any case any network protocol that allows you to query or interact with a server application, to query the computer on the status of a door or set the status of a door. In this case can also be present a web interface management of the hub, where you can? manage user access configuration. Furthermore, can be included tracking system (logging) of all the operations carried out, as well as? integrate a storage memory, such as sd or micro sd, into the new device to record and keep the logs.

A further embodiment of the system comprising an anomaly detection module stored in a memory which detects a status anomaly on the differential transmission line of the bus, an error detection module stored in a memory which detects a message and /o error state of the user?s application process, by a time detection module stored in the memory which detects a time signal at the expiration of a predetermined counter preferably configurable, by a threshold detection module stored in a memory which detects a value predetermined threshold preferably configurable, by a comparison and confirmation module stored in the memory which compares and confirms that the duration of the status anomaly on the differential transmission line of the bus and/or that the duration of the message and/or error status of the user?s application process persist/are for a time greater than the predetermined counter and/or that the frequency of occurrence of the anomaly/and of the status on the differential transmission line of the bus and/or that the frequency of occurrence of message/ i and/or error state(s) of the user?s application process is/are not greater than or equal to the predetermined configurable error threshold value, by a reset module stored in the memory that performs a reset action, at least one processor which executes - the anomaly detection module, the error detection module, the time detection module, the threshold detection module, the comparison and confirmation module, the reset module - from at least one communication port that connects the system and the peripheral.

Another form of the present invention is a method, implemented by the device associated with the processor, which a) detects the time duration and frequency of occurrence of a state anomaly on the differential transmission line of the bus, and/or detects the time duration and frequency of? occurrence of error message(s) and/or state(s) of the user's application process; b) detects a time signal upon expiry of a predetermined, preferably configurable counter; c) detects a predetermined, preferably configurable, error threshold value; d) compares and confirms that the duration of the status anomaly on the differential transmission line of the bus and/or that the duration of the message and/or error status of the user's application process persists for a time greater than the counter predetermined and/or that the frequency of occurrence of anomaly/and of the state on the differential transmission line of the bus and/or that the frequency of occurrence of message/s and/or state/s of error of the user's application process is /no higher(s) or equal(s) to the predetermined error threshold value; then e) the device performs a reset action. Once the peripheral ? powered again, the computer automatically resumes the user process. If after the first reset the user application does not restart correctly, the method is repeated for a preferably configurable number of attempts. Preferably, after ten consecutive failed reset attempts, a notification ? sent to the user, for example containing the fault message.

Optionally ? It is possible to integrate in the steps of this method as a reset action also the restart of the application and/or of the processor both in the event of an error message and/or state of the user application and/or both in the event of an anomaly on the transmission and/or even after a predetermined number of failed resets.

In particular, in one embodiment of the method, ? possible to integrate in the steps of the said method, preferably in modality? configurable, different reset actions and/or the combination of different reset actions or in case of confirmation of one or more? anomalies on the bus and/or one or more? error messages and/or states the reset action could include one or the combination of the following steps a1) the request for logical reset to the peripheral, piloting the differential transmission line of the bus; a2) restarting the user application process; a3) hardware reset which consists in interrupting the power supply, preferably in a timed manner, between the peripheral and the computer by specifically intervening in the power supply means of the peripheral itself; a4) restarting the computer. Why? in this particular embodiment of the present invention, ? is it possible to configure the choice of one or more? of said steps a1), a2), a3), a4) to be performed, the chronological sequence for more? of these steps, the number of attempts for one or more? of said steps to be performed according to the predetermined chronological sequence, the number of repetitions of the reset action including the number of attempts for one or more? of said chosen steps, to be performed according to the predetermined chronological sequence.

In one embodiment of the method, object of the present invention, the reset action can understand different ways reset and/or the combination of reset or - the hardware reset, which consists in interrupting the power supply, preferably in a timed manner, between the peripheral and the computer by intervening specifically in the electrical power supply means of the peripheral itself, preliminarily inhibiting the operation of the electric power supply means through the switch, in order to interrupt the flow of current between the peripheral and the computer, then re-allow the current flow between the peripheral and the computer by reintroducing the electric power supply means of the peripheral itself through the switch - and/or the request for logical reset to the peripheral, piloting the differential transmission line of the bus and/or the restart of the user application process - and/or the restart of the computer. In said embodiment of the method the reset action can? be configurable or ? is it possible to choose one or more? types of reset to be performed and/or the chronological sequence of execution for one or more? types of reset chosen and/or the number of attempts for one or more? types of reset chosen according to the predetermined chronological sequence and/or the number of repetitions of the method itself, in case of restart failure of the system process (where by system process we mean the whole system or the hardware-software combination made up of the peripheral general purpose, the user?s application process, the new device, the new method and the processor), re-executing said reset action configured or including the number of attempts for one or more? reset types chosen to be performed according to the predetermined chronological sequence.

These characteristics of the method and of the device make it possible to maintain continuity? of? activity? of user processes in a stable and continuous way, without requiring the active intervention of a user.

In another embodiment of the method we will have that the device interposed between the peripheral and the computer a) detects the time duration and the occurrence frequency of an anomaly in the state on the differential transmission line of the bus, generally indicated with D+ and D- verifying that the state J or K persists for a number of consecutive 1 bits higher than six (6) and/or that the voltage on the differential line D+ and D- is (D-) ? (D+) <= 200mV and/or that the voltage on the differential line D+ and D- is (D+) ? (D-)<= 200mV and/or that the voltage on the differential line D+ and D- is (D-) <= 2V and/or that the voltage on the differential line D+ and D- is (D+) <= 2V; b) detects the time duration and frequency of occurrence of error message/s and/or state/s of the user's application process; c) detects a predetermined, preferably configurable, error threshold value; d) detects a time signal at the expiration of a predetermined counter, preferably configurable; e) compares and confirms that the duration of the status anomaly on the differential transmission line of the bus and/or that the duration of the message and/or error status of the user's application process persists for a time greater than the counter predetermined and/or that the frequency of occurrence of anomaly/and of the state on the differential transmission line of the bus and/or that the frequency of occurrence of message/s and/or state/s of error of the user's application process is /no higher/s or equal/s to the predetermined error threshold value such that f) the reset action comprising one or more? mode? action and/or the combination of reset possibly and/or preferably said configured reset action.

In another embodiment we will have that the method ? implemented by at least a portion of a processor comprising at least one processor, characterized by) detecting the time duration and occurrence frequency of a status anomaly on the differential transmission line of the bus, generally indicated by D+ and D, - and /or detect the time duration and the frequency of occurrence of a message/s and/or error state/s of the user's application process; b) detecting a time signal upon expiry of a predetermined, preferably configurable, counter; c) detecting a predetermined, preferably configurable, error threshold value; d) compare and confirm that the duration of the status anomaly on the differential transmission line of the bus and/or that the duration of the message and/or error status of the user's application process persists for a time greater than the counter predetermined and/or that the frequency of occurrence of anomaly/and of the state on the differential transmission line of the bus and/or that the frequency of occurrence of message/s and/or state/s of error of the user's application process is /no higher(s) or equal(s) to the predetermined error threshold value; e) perform the reset action including one or more? mode? action and/or the combination of reset possibly and/or preferably said configured reset action.

In another embodiment of the method we will have that said method implemented by at least a portion of a processor comprising at least one processor a) detects the time duration and the frequency of occurrence of an anomaly in the state on the differential transmission line of the bus , generally indicated with D+ and D-, verifying either that the J or K state persists for a number of consecutive 1 bits greater than six (6) and/or that the voltage on the differential line D+ or D- is (D-) ? (D+) <= 200mV and/or that the voltage on the differential line D+ and D- is (D+) ? (D-) <= 200mV and/or that the voltage on the differential line D+ and D- is (D-) <= 2V and/or that the voltage on the differential line D+ and D- is (D+) <= 2V; b) detects the time duration and frequency of occurrence of error message/s and/or state/s of the user's application process; c) detects a time signal upon expiry of a predetermined, preferably configurable, counter; d) detecting a predetermined, preferably configurable, error threshold value; e) compares and confirms that the duration of the status anomaly on the differential transmission line of the bus and/or that the duration of the message and/or error status of the user's application process persists for a time greater than the counter predetermined and/or that the frequency of occurrence of anomaly/and of the state on the differential transmission line of the bus and/or that the frequency of occurrence of message/s and/or state/s of error of the user's application process is /no higher/s or equal/s to the predetermined error threshold value such that f) the reset action comprising one or more? mode? action and/or the combination of reset possibly and/or preferably said configured reset action.

In another embodiment of the method, this comprises: 1) deactivating the VCC voltage by one or more? USB device by means of one or more? logic switches, such as transistors, associated with said device; 2) the switching on of said transistors, one by one, I wait for the device to be ready, in this way we can see which smartcard? connected to that transistor, and to which software slot (for example pcsc slot) ? connected and which is the usb device; 3) the creation of a unique association TRANSISTOR => (USB DEVICE, SLOT, SMART CARD); 4) the association for each transistor/smartcard the pin, taking it from the memory which; 5) the creation of an array in said memory with all the references of the key contained in the smartcard, transistor, tax code contained in the S/C, serial code of the S/C and all the other references present, etc. Furthermore, in the event of a fault of the signature, you go to see which is the transistor in function of the smartcard used, and more? precisely in the case of pcsc of which slot. Again, when you want to sign you will go? to search in the vector of the keys/smartcard the key that corresponds to the search criteria (for example the tax code) and you will use? this sought. Again, in the event of a further fault, you will see? in the same structure the number of the transistor and you will? a door reset. Said reset of the door must also provide for waiting for the device to become operational again, and optionally it can? do a verification test to see if the S/C or the token in general ? working. When is a smartcard removed from the system ? able to detect it and put in mode? disabling the token/transistor/slot; while when it is inserted, all the signature operations are stopped, all the devices are scanned so as to associate a token and a transistor for each bus. Another procedure? that of turning off all the readers and turning them on again one by one. In this way you have the usb devices one at a time, the readers/tokens and the certificates and make the relative associations. In particular, when you turn on the first transistor you will have? the first reader/token/certificate and usb peripheral, the reference associative vector is written and the next transistor is passed. For every ignition? It is possible to perform a test signature, performing a reset or alert in case of blockage. In another mode? includes recognition of which port ? Once the smart/card has been inserted, the check is performed and then the information is placed in the inventory

In one embodiment of the method, the PINs are stored in the above storage device, including all protection mechanisms. The code and any other sensitive data are stored in the internal memory of the protected device. Sensitive software is also stored in this section so that it cannot be tampered with.

Optionally, a smartcard is supplied with each device or the device allows a password to be displayed on the display. With these methods? It is possible to store encrypted data on a cloud or on a USB stick, controlling everything from the keyboard and screen. In another variant, the hardware protection device can? be a simple encrypted file that the user "unlocks" at boot of the device, but that can? lock/unlock even with the device turned on.

In one embodiment of the method, the association of the device comprises the procedure by difference, i.e. the readers initially present are memorized, all the transistors are deactivated and it is seen as the transistors/vcc are activated which USB devices are added. this can? be done either with special libraries or with navigation, for example under linux, of the "sys" file system or similar.

In this way you can analyze if the device produces errors (physical or protocol, or of another nature) and if necessary proceed to a reset if these are present or exceed a certain threshold.

When a device (here we mean the token, smartcard reader or even the application. Because the application can be made up of various tasks that each preside over a reader, therefore for N readers the application performs various tasks, each one managing a reader/token. In this way the possibility of generalized error is reduced, it is reset, the signing operations are blocked. If there is a reader in the device that has the same characteristics, for example the same tax code, it is possible to pass to this, or the signing operations are postponed For the operations in progress, if the block occurs during a signing, they are rescheduled, so that as soon as the device is operational again they can be re-executed.

The storage module of the PIC18F/16F includes a sub-system having a mass memory in which passwords, hashes, encrypted or protected file information are stored. Basically, they are used as password managers (by taking advantage of their protected internal memory. This allows you to achieve data security. For example, if you encrypt files in AES and the passwords are stored in the internal memory of a chip that locks with a pin physically inserted the files are safe As well as if you store the hashes of some critical parts of the system in the chip, you can find out if the system has been compromised since the memory of the soc (system in chip) is difficult to tamper with allows to contain basic information from which the others can then be accessed in a secure way.

How will it be? Appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method, device or use thereof, or a computer program product. Accordingly, aspects of the present invention may take the form of an all-hardware embodiment, an all-software embodiment (including firmware, resident software, microcode, etc.), or an embodiment that combines both software and hardware aspects at which can you? generally referred to herein as "circuit", "module", or "system". Additionally, aspects of the present invention may take the form of a computer program product incorporated into one or more programs. computer-readable media on which ? incorporated program code that can be used by computers. Can? be used any combination of one or more? computer readable media. Can computer-readable media be a computer-readable signal carrier or a computer-readable storage carrier. A computer-readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, device, device, or any suitable combination of the foregoing. The computer program code for performing operations for aspects of the present invention can be written in any combination of one or more? programming languages, including an object-oriented programming language such as Java?, Smalltalk?, C+ or similar, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code can run entirely on your computer, partially on your computer, as a stand-alone software package, partly on your computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer can? be connected to your computer over any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection can? be made to an external computer (for example, over the Internet using an Internet service provider).

Claims (10)

1. A system for managing digital documents using a digital signature, including a workflow module where the management and processing of documents/information takes place, an encryption module where files or information coming from the workflow are authenticated, a module for the management of sensitive data where certificates, cryptographic keys, PINs or passwords and other access credentials are stored, characterized by having an energy supply means control module and a timing system - hardware or software - connected to , or included in said control module, configured to automatically detect malfunctions or blockages of the signature process, which in response to a command signal, said control module inhibits the operation of the power supply means of said encryption module, interrupting the power supply and then automatically reintroducing the power supply by means of a switch. 2. The system according to claim 1, characterized in that the encryption module comprises at least one microcontroller configured with at least one data communication port, a plurality of hardware devices suitable for digital signature in which each device? associated with a specific switch. 3. The system according to claim 1, characterized by the fact that the sensitive data management module ? a memory composed of an embedded type chip associated in whole or in part with a local or remote device dedicated to the insertion of one or more? secret codes for unlocking this memory and from one or more? storage memory whose supply means are controlled by said chip. 4. The system according to claim 1, characterized by the fact that the switch can? be controlled remotely via network or wireless and that said switch can? be a transistor or nand-type logic gate or and-type logic gate or diode or op amp 5. The system according to claim 3, characterized in that the digital documents contained in the filing memory can be encrypted with asymmetric encryption systems and the private key of said encryption system? stored in a hardware device or with symmetric encryption systems where the secret key of the symmetric encryption system ? stored in said form for the management of sensitive data. 6. The system according to claim 3, characterized in that the unlocking of the memory comprises one or more? authentication factors. 7. The system according to claims 2 and/or 3, characterized in that the microcontroller and/or the chip of the embedded type are encapsulated inside a pile of PCBs (Print Circuit Board) by means of resin so as to hide the traces and not allow direct access to said integrated circuits. 8. The system according to the preceding claims, characterized by the fact that in the embedded chip ? contains a Keyring in which the PINs of the signature hardware devices, the encryption keys, the certificates and the access credentials are stored. 9. The system according to the preceding claims, characterized in that it includes a plurality? of anti-burglary sensors associated with the microcontroller designed to signal activity? of a fraudulent nature due to the unwanted physical access to the internal elements of the said modules and by one or more? batteries incorporated in the resin casting that power the embedded chip to maintain power even in the event of a break-in. 10. The system referred to in the previous claims, characterized by the fact that in the event of a fraudulent access attempt either through theft or through a data breach, the microcontroller ? configured in such a way as to inhibit the read and write commands of the embedded chip and of the storage memory.