WO1999035553A1 - Cryptographic token - Google Patents

Info

Publication number
WO1999035553A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
host computer
decryption
data
cryptographic
Application number
PCT/GB1999/000079
Other languages
French (fr)
Inventor
Nicholas Benedict Van Someren
Original Assignee
Ncipher Corporation Limited
Application filed by Ncipher Corporation Limited
Priority to AU19787/99A (AU1978799A)
Publication of WO1999035553A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/86 Secure or tamper-resistant housings
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35 User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007 Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Storage Device Security (AREA)

Abstract

A data encryption/decryption device (20) for a host computer (10) has an encryption/decryption module (22) which is hard wired with an infrared interface (24) capable of communicating with an infrared interface (14) at the host computer (10). The device (20) is for encrypting/decrypting data received from the computer (10) and transmitting it back to the computer (10), all via the infrared wireless communication link. The device (20) is in the form of a 'credit card' sized token.

Description

Cryptographic Token
The present invention relates to cryptographic tokens, and particularly to cryptographic tokens used in conjunction with computer systems.
A cryptographic token is a device which is operative to carry out a cryptographic operation using secret data embedded in the token. Such a device can be used for authentication, the provision of a digital signature, or general encryption and decryption operations. It can be useful in financial and commercial transactions, which increasingly are controlled by computer, requiring some form of reliable authentication of the user to ensure that transactions are properly authorised.
In known systems, cryptographic tokens are used in conjunction with a host computer which has its own cryptographic capability and which is able to carry out some form of interpretation of the information provided by the token.
Cryptographic tokens may have to be placed in a slot in a host computer. On entry into the slot, conductive pads on the card engage with complementary contacts in the slot, so as to provide a direct physical contact. Although such an arrangement is technically satisfactory, it requires the user to perform the steps of inserting the card into the slot, waiting for processing of the card to cease, and removing the card from the slot. A user may wish to perform a number of operations using the token and, for convenience, may leave the token inside the slot until all of the operations are completed. At the end of use of the system, the user may forget to remove the token from the slot, rendering the system open to unauthorised use by a third party. Furthermore, the added steps involved in such a procedure may lead to the procedure being considered too inconvenient for efficient operation of the host system. That may lead to the operator of the host system ignoring the use of the token.
According to the first aspect of the invention, there is provided a data encryption/decryption device for a host computer comprising encryption/decryption means for performing encryption/decryption operations on data to be used by the host computer and communication means for wireless communications with the host computer, wherein data from the host computer for encryption/decryption is received via the communication means and encrypted/decrypted by the encryption/decryption means, and the encrypted/decrypted data is transmitted back to the host computer via the communication means.
The device according to the invention is particularly advantageous, in that it provides a host system with external cryptographic processing, that is to say, the host system does not need or may not have its own cryptographic capability. Thus, any host system, such as a standard PC, so long as it is capable of establishing a communications link with the device, can take advantage of its cryptographic processing. For example, the host system can rely upon the device for encryption of data which it wishes to send securely through an insecure network or it can rely on the device to decrypt encrypted data which it has received through a network. In either case, no further interpretation of the data needs to be carried out by the host system. What is more, all the cryptographic processing is done within the device, which is where the cryptographic information or keys are stored. Using the keys where they are stored is of benefit because having to move the keys around with the data, as in the case of prior art systems, means increased opportunity for interception and deciphering.
By use of the device according to the invention, no physical connection is necessary, and so no slot need be provided in the host computer. Accordingly, the user of the system in accordance with the invention is less likely to leave the system unattended in an insecure state.
Further aspects and advantages of the invention will now be described, with reference to the drawing in which:
Figure 1 is a schematic view of a cryptographic security system in accordance with a preferred and specific embodiment of the invention.
A host computer 10, such as an IBM compatible personal computer with no cryptographic capability, has a central processor 12 and is provided with an integrated infra-red interface 14, adapted to establish an infra-red communications link with an external device.
The interface 14 is hard-wired 16 with the central processor 12, and can be implemented physically by a card inserted into one of the bays commonly provided inside a personal computer for cards such as modems, graphics cards or the like, or encapsulated in a package the same dimensions as a standard disk drive, for insertion in a bay provided for additional disk drives in the host computer 10. Alternatively, the interface can be implemented directly on the motherboard normally provided in a personal computer. Preferably, the package in which the interface 14 is provided is tamper evident and/or access resistant.
A personal security token 20 comprises an encryption/decryption module 22, which in use is operative to perform one or more encryption/decryption operations, and an integrated infrared interface 24 compatible with the interface 14 of the host computer 10. The interface 24 is hard-wired 26 with the encryption/decryption module 22. The interfaces 14, 24 are operative to establish a wireless communications link 30 between the host computer 10 and the personal security token 20. The encryption/decryption module 22 is operative to encrypt un-encrypted data received from the host computer 10 on the wireless communications link or to decrypt encrypted data received from the host computer 10. In either instance, the encryption/decryption is performed using at least one key stored within the encryption/decryption module 22. After having been processed by the encryption/decryption module 22, the encrypted/decrypted data is transmitted to the host computer 10 on the wireless communication link 30, and the data is used by the host computer 10, for example, for onward transmission to another host or to update/modify software stored in the host computer.
The encryption/decryption operations performed by the encryption/decryption module 22 are preferably performed in conjunction with software or hardware embedded in the host computer 10. Preferably, the personal security token 20 is in the form of a "credit card" size piece of plastics material, but it may also be embodied on a badge, pendant or a signet-type ring. It may be attached to the person with a flexible member such as a lanyard.
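
The exchange between host computer 10 and token 20 described above, modelled as an added example (not code from the patent or from the applicant). The opcodes, status bytes, class names and the HMAC-based stand-in cipher are assumptions made here; the description specifies no wire format or algorithm.

```python
import hashlib
import hmac
import os

# Constructed framing for this example; the patent defines no wire format.
OP_ENCRYPT, OP_DECRYPT = 0x01, 0x02
ST_OK, ST_ERR = b"\x00", b"\x01"


class Token:
    """Models token 20: the key is created and used only inside module 22."""

    def __init__(self):
        self._key = os.urandom(32)
        # Separate subkeys for confidentiality and integrity.
        self._enc = hmac.new(self._key, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(self._key, b"mac", hashlib.sha256).digest()

    def _xor_stream(self, nonce, data):
        # Stand-in cipher (HMAC-SHA256 in counter mode) so the example needs
        # only the standard library; a real token would use a vetted AEAD.
        stream, counter = b"", 0
        while len(stream) < len(data):
            block = nonce + counter.to_bytes(4, "big")
            stream += hmac.new(self._enc, block, hashlib.sha256).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def handle(self, frame):
        """Process one request frame from the link and return one reply frame."""
        if not frame:
            return ST_ERR
        op, body = frame[0], frame[1:]
        if op == OP_ENCRYPT:
            nonce = os.urandom(16)
            ct = self._xor_stream(nonce, body)
            tag = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
            return ST_OK + nonce + ct + tag
        if op == OP_DECRYPT and len(body) >= 48:
            nonce, ct, tag = body[:16], body[16:-32], body[-32:]
            want = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
            if hmac.compare_digest(tag, want):
                return ST_OK + self._xor_stream(nonce, ct)
        return ST_ERR  # unknown opcode, short frame or failed integrity check


class Link:
    """Models wireless link 30 and records every frame in both directions."""

    def __init__(self, token):
        self._token = token
        self.transcript = []

    def exchange(self, frame):
        self.transcript.append(frame)
        reply = self._token.handle(frame)
        self.transcript.append(reply)
        return reply


class Host:
    """Models host 10: no cryptographic capability, it only frames requests."""

    def __init__(self, link):
        self._link = link

    def _call(self, op, data):
        reply = self._link.exchange(bytes([op]) + data)
        if reply[:1] != ST_OK:
            raise ValueError("token rejected the request")
        return reply[1:]

    def encrypt(self, data):
        return self._call(OP_ENCRYPT, data)

    def decrypt(self, data):
        return self._call(OP_DECRYPT, data)


def frames_containing(link, needle):
    """Count the recorded link frames that contain the given byte string."""
    return sum(1 for frame in link.transcript if needle in frame)
```

The transcript shows what the link carries: the key never appears in any frame, while the un-encrypted data does cross the link on its way to and from the token, as the description states.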

Claims

1. A data encryption/decryption device for a host computer comprising encryption/decryption means for performing encryption/decryption operations on data to be used by the host computer and communications means for wireless communication with the host computer, wherein data from the host computer for encryption/decryption is received via the communication means and encrypted/decrypted by the encryption/decryption means, and the encrypted/decrypted data is transmitted back to the host computer via the communication means.
2. A device according to claim 1 wherein the host computer has no cryptographic capability.
3. A device according to claim 1 or claim 2 wherein at least one key for the encryption/decryption of data is stored within the encryption/decryption means.
4. A device according to any of claims 1 to 3 wherein the communication means comprises an infra-red interface capable of communicating with an infra-red interface at the host computer.
5. A device according to any of claims 1 to 4 which comprises a piece of plastics material, a badge, a pendant or a signet-type ring.
6. A device according to claim 5 which is attached to a user by means of a flexible member.
PCT/GB1999/000079 1998-01-10 1999-01-11 Cryptographic token WO1999035553A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU19787/99A AU1978799A (en) 1998-01-10 1999-01-11 Cryptographic token

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB9800443.5 1998-01-10
GB9800443A GB9800443D0 (en) 1998-01-10 1998-01-10 Cryptographic token

Publications (1)

Publication Number Publication Date
WO1999035553A1 (en) 1999-07-15

Family

ID=10825052

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB1999/000079 WO1999035553A1 (en) 1998-01-10 1999-01-11 Cryptographic token

Country Status (3)

Country Link
AU (1) AU1978799A (en)
GB (1) GB9800443D0 (en)
WO (1) WO1999035553A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10140544A1 (en) * 2001-08-17 2003-03-06 Deutsche Telekom Ag Mobile telecommunications unit has security chip in removable battery
DE102004056635A1 (en) * 2004-11-23 2006-05-24 MICON Verein zur Förderung der Mobilität im Internet und in Kommunikationsnetzen e.V. Software distribution method for e.g. communication application, involves executing code on distribution medium, where execution takes place over input/output module, if communication with host computer and user is necessary
US8165299B2 (en) 2000-08-15 2012-04-24 Telefonaktiebolaget Lm Ericsson (Publ) Network authentication

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2181582A (en) * 1985-10-11 1987-04-23 Victor Campbell Blackwell Personal identification device
GB2204971A (en) * 1987-05-19 1988-11-23 Gen Electric Co Plc Transportable security system
WO1993009621A1 (en) * 1991-10-31 1993-05-13 Kwang Sil Lee Electronic identification system having remote automatic response capability and automatic identification method thereof
WO1996034333A1 (en) * 1995-04-26 1996-10-31 Interval Research Corporation Context sensitive universal interface device

Also Published As

Publication number Publication date
AU1978799A (en) 1999-07-26
GB9800443D0 (en) 1998-03-04

Similar Documents

Publication Publication Date Title
JP4703791B2 (en) Data re-encryption apparatus and method
US5623637A (en) Encrypted data storage card including smartcard integrated circuit for storing an access password and encryption keys
US5949881A (en) Apparatus and method for cryptographic companion imprinting
US7103782B1 (en) Secure memory and processing system having laser-scribed encryption key
EP1866873B1 (en) Method, system, personal security device and computer program product for cryptographically secured biometric authentication
CN101196855B (en) Mobile encrypted memory device and cipher text storage area data encrypting and deciphering processing method
US7861015B2 (en) USB apparatus and control method therein
US20010039620A1 (en) Method for protecting a memory card, and a memory card
US20090049307A1 (en) System and Method for Providing a Multifunction Computer Security USB Token Device
US7136995B1 (en) Cryptographic device
US6371376B1 (en) PCMCIA card with secure smart card reader
EP1253503A3 (en) Protection of software against use without permit
JP2003506921A (en) Adapter having protection function and computer protection system using the same
WO2006027723A1 (en) Portable storage device and method for exchanging data
US20050182934A1 (en) Method and apparatus for providing secure communications between a computer and a smart card chip
WO2013123453A1 (en) Data storage devices, systems, and methods
CN101364187A (en) Double operating system computer against worms
KR20010073358A (en) Secret key security device with USB port
US7805611B1 (en) Method for secure communication from chip card and system for performing the same
JP2008015744A (en) Information storage device
CN107864133A (en) Wireless authentication secret mobile storage device and encryption authentication method
US20040034768A1 (en) Data encryption device based on protocol analyse
WO2000017758A1 (en) Secure data entry peripheral device
EP1286242A1 (en) System and method for protected data input of security data
WO1999035553A1 (en) Cryptographic token

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: KR

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase