Individual encryption device with user credential protection mechanism (Machine-translation by Googl

专利摘要:
Device that performs the double function of, on the one hand, protecting the information of a user on his personal computer by encrypting the content of files selected by the user and, on the other hand, communications between it and contacts by means of a credential transformation (login/password). The device has a central microcontroller, which communicates with an FPGA (programmable device) that uses an LFSR and that uses a generation of a seed or a random number that in combination with the serial values of numerical tables to create session keys . The device also has a cryptographic EPROM memory, a USB connector in slave mode for connection to a PC, a socket for microSD memories and another USB connector in master mode to connect a keyboard. The device has an exclusive anti-opening mechanism and means of destruction in case of opening attempt.
公开号:ES2685123A1
申请号:ES201700377
申请日:2017-03-31
公开日:2018-10-05
发明作者:Jesús Damaso ASENSIO ARROYO
申请人:Gruprex S L；Gruprex Sl；
IPC主号:

专利说明:

image 1
image2
image3 DESCRIPTION
Individual encryption device with user credential protection mechanism. Object of the invention
The object of the present invention, as the title establishes, a device that performs the dual function of, on the one hand, protecting the information of a user on his personal computer by encrypting the content of files selected by the user and, on the other On the other hand, the communications between it and contacts of your trust group and also for the identification of people, which can be carried out through a credential transformation (login / password).
This device features the special functional and constructive features that it presents that performs the functions of individual encryption in addition to allowing the protection of credentials (user and password) in the process of accessing a website. In addition, the device has some means of protection in case of theft, unauthorized use or access to it.
It is a symmetric encryption device for individual and personalized use for each user. The device offers two types of symmetric encryption, one of which is proprietary encryption exclusively implemented in hardware, either in a microcontroller or in an FPGA (Field Programmable Gate Array) (programmable device) designed for this fact and on the other hand an encryption standard symmetric such as AES (Advanced Encryption Standard) or IDEA (International Data Encryption Algorithm). Any of the two types of encryption that you want can be used.
The device contains an electronic algorithm that performs mathematical transforms of the credentials entered by the user, that is, the Login / Password of any web or remote environment, preventing a Trojan from reading the keyboard while the user types those credentials. subsequently use them to enter the access area of that user.
The device is also designed to prevent theft from being used by a usurper as if it were the legitimate user. To do this, when the device is connected to the user's PC, a management application that controls the device in “standalone” mode obtains the computer model and the serial number of said application, sending them to the device, which together with its unique number Serially stores that data in a secure memory. In this way, a pairing between the device, the application and the PC is carried out to prevent operation on another computer not belonging to the user. Of course, the user, once the device is acquired and in its first use, enters a key that the device stores in its secure memory so that the user can use the device when entering the previously selected key.
The device is designed to perform a key exchange using an asymmetric key exchange algorithm or by X.509 certification, for example. It is connected to the computer through a USB connection in which it acts as a slave and has another USB input for the control of a keyboard that allows you to enter written data and encrypt them before you arrive at the computer. The device is characterized, in addition to what has already been said, for including an anti-opening mechanism based on a layer that completely envelops it and is formed by a polymer-shaped piezoelectric crystal. In this way, the crystal is connected to the central microcontroller of the device, which contains an algorithm capable of distinguishing between a normal use of the device or an attempt to open by means of the waveforms produced by the piezoelectric crystal.
image4
image5
image6 Background of the invention
There are some approaches to the algorithm used by the device of this invention. Among the most prominent are US2006177065A1 and also US20130142328A1. In the first case, patent US2006177065A1 refers to a system and method for carrying out encryption operations by means of an XOR operation, a numerical table and in which random numbers are generated to form a key with the values of the table. Now, what the algorithm mentioned in that patent does is select a subset of values from the numerical table through a generation of random numbers but it is a linear process. In our case, the algorithm that we use carries out the non-linear generation of keys so that reverse engineering cannot be carried out to try to discover the key or the way of generating the keys linearly. It also does not protect clear text-encrypted text from attacks since in our case, if someone who is not authorized obtains the device and tries to send a message to the device to see the response of the device and thus determine what the encryption key may be, you will not get any response. of the device because said device communicates exclusively with the PC application authorized for it or through the messages sent by another authorized electronic device.
In the second case, US20130142328A1, refers to an encryption system and method that uses single-use keys but are not generated in the same way as in our case.
The above devices have a series of drawbacks that can be improved, such as the fact that if the numerical table used in encryption is compromised by an attacker, all the employing devices of these tables should change the table to a new one. They also lack means of generating encryption keys through a non-linear generation mechanism. Nor do they have means to detect the process of attempts to open the device and also to self-destruct information and even the hardware.
Therefore, it is the object of the present invention to develop a device that overcomes the above inconveniences and also allows to perform the double function on the one hand, an individual encryption and on the other hand have means of protecting user credentials, developing a device as described below and is essentially included in the first claim. Explanation of the invention.
An object of the present invention is an information encryption / decryption device, for individual use, which is designed to protect the information of a user's computer, allowing in addition to encryption / decryption, transform the credentials of a user (login / password ) so that your hardware calculates the real login / password that will be checked on the corresponding server, either of a banking entity or of any kind and that, therefore, invalidates the use of the login / password typed by the user so that A keylogger or Trojan capable of reading the keyboard acquires unusable information if it captures what is pressed by the user.
The device, in this sense and in an exclusive and very characteristic way of this invention, can operate in USB mode through a virtual serial port or through pure USB connection of high performance in the case of encrypting files or communications in real time or , in USB HID mode for the case of credential introduction with an internal digital switch that allows it to operate in the corresponding mode, serial communication through virtual serial port, USB HID or native USB high performance. The reason for this triple communication mechanism is that Internet browsers only accept devices that communicate using HID (Human Interface Device). Therefore, this device can work in all three modes, on the one hand as high-performance USB for sending massive data or as HID for its interaction with Internet browsers and, as a device connected to a virtual serial port.
image7
The device comprises a high-performance central microcontroller, which communicates with an FPGA (programmable device) that contains a symmetric encryption algorithm based on a non-linear encryption that uses a linear feedback shift register LFSR that translates as a shift register with linear feedback and that uses a series of numerical tables to create session keys through the generation of random seeds, that is to say the principle of operation is based on the generation of a seed that is not more than a random number that in combination with the values of a table they generate a session key. The device also has a cryptographic EPROM memory that stores the data indicated by the central microcontroller in encrypted form.
As a connection, the device has a USB connector in slave mode for connection to a PC, a microSD memory socket and another USB connector in master mode to connect a keyboard or a USB memory (pen drive).
The device has an internal digital switch that allows it to operate in normal high-performance USB HID or USB mode, through a virtual communications port, for example.
The device has an exclusive anti-opening mechanism based on a piezoelectric polymer that surrounds the entire device and is controlled by the central microcontroller. Thus, in normal use mode, the piezoelectric mechanism emits electric waves that are very different from those that involve attempts to open the device. The device, at that time and through the central controller, activates a high-voltage mechanism that destroys the central microcontroller and makes the device unusable by also eliminating the useful information that was in that device.
A software application is installed on the user's computer to manage the device. The first time the device is connected to the PC through the application, it asks the user to enter a password. Once the key has been entered, it is stored in the cryptographic memory of the device for later use. Other information that is stored in this memory is an application code, unique information of the PC where the application is installed and in which the device is connected. Thus, if the device is to be installed on another PC later, the application will be installed on that PC, the device will request the access key (in this case by way of verification) to the user and again, the device will obtain data from the application and the current PC, which will be stored in your cryptographic memory. Thus, if at any time, the device is stolen or the user loses it and someone tries to use it, the device will know that a new application is on a new PC, and if the third attempt to enter the password is it is not correct, then the high-voltage electronic self-destruct mechanism is activated. If possible, the same PC application will send an alert message to the corresponding control center indicating the device (serial number) that has suffered an attempted theft or attempted unauthorized access.
Unless otherwise indicated, all technical and scientific elements used herein have the meaning normally understood by a person skilled in the art to which this invention pertains. In the practice of the present invention procedures and materials similar or equivalent to those described herein can be used.
image8
image9
image10
Throughout the description and the claims the word "comprises" and its variants are not intended to exclude other technical characteristics, additives, components or steps. For those skilled in the art, other objects, advantages and features of the invention will be derived partly from the description and partly from the practice of the invention. Brief description of the drawings
To complement the description that is being made and in order to help a better understanding of the characteristics of the invention, according to a preferred example of practical implementation thereof, a set of drawings is attached as an integral part of said description. where, for illustrative and non-limiting purposes, the following has been represented.
Figure 1 shows a representation of the different components of the device.
Figure 2 shows a scheme of the system connected to a PC and the global information exchange.
Figure 3 shows a scheme of the device in USB HID mode for the transformation of credentials electronically.
Figure 4 shows the appearance of the anti-opening mechanism and the electronic destruction circuit. Preferred Embodiment of the Invention
In view of the figures, a preferred embodiment of the proposed invention is described below.
In figure 1 you can see the different electronic elements of the device. The device comprises:
- A high performance central microcontroller (1), containing a plurality of tables.
- An FPGA (programmable device) (2) communicated with the central microcontroller (1), where the FPGA (2) contains a symmetric encryption algorithm based on a non-linear encryption that uses a linear feedback shift register (LFSR) that translates as shift register with linear feedback and that uses the generation of a seed or a random number that in combination with the values of a series of numerical tables to create session keys.
- A cryptographic EPROM memory (3) that stores the data indicated by the central microcontroller (1) in encrypted form.
- An anti-opening mechanism (4) in connection with the central microcontroller (1).
- A first slave USB connector (5) for connection to a personal computer.
- A second USB connector (6) master for keyboard.
- An anti-opening mechanism that in a possible embodiment is based on a piezoelectric polymer (7) that surrounds the entire device and is controlled by the central microcontroller.
- A socket for a micro SD memory (8).
image11
image12
image13
In figure 2 we can see the device object of the invention (10) connected to a PC
(9) and the data flow between application and device, among which we find:
- A first pairing process (11).
- A second pairing process (12).
- A third process of sending (13) files for storage in micro SD memory.
- A fourth process (14) of transforming user credentials.
A preferred embodiment of the invention occurs when the device acts as an intelligent encryption / decryption machine using the symmetric encryption algorithm based on non-linear key generation. The central microcontroller (1) of the device contains tables of 1024 bytes each as a minimum size and 8192 bytes each as a maximum size. Through these numerical tables (understood as one-dimensional vectors) the device is able to select the encryption key while encrypting each byte of information. This is done through a nonlinear generation algorithm based on LFSR. The device can randomly select the table to use. Once the table is selected, a random seed is selected through the hardware random number generator that includes the central microcontroller and also after measuring the time spent between the device connection and the arrival of the first encryption command. This mechanism is exclusive to the electronic device. Thus, the 16-bit seed is formed by the combination of both random numbers, a mechanism also exclusive to this device. Once the random seed has been calculated, through a sequence generated by the LFSR, data is obtained from the table and it is precisely this data that is used for XOR encryption with the byte corresponding to the plain text.
To avoid attacks typical of these XOR mechanisms, such as attack by plain text-encrypted text, the device cannot communicate with anything except with the application installed and previously paired with the user's computer.
When the device has encrypted the flat message, it is returned to the application of the PC that sends it to its destination, usually another PC with another device of this invention. However, between the way there is usually a server that acts as an element of trust between the devices and that allows to control the management of these devices and their users. The communication flow on the USB bus can also be secured to avoid a listening process.
Figure 3 shows the credential protection process by means of the device object of the invention. When in accessing a web page of a server (19) we are asked for the login and password, through the keyboard (20) the credentials are sent (15) to the encryption device (10) in which it is produced the transformation (16) of the credentials, then sending (17) the credentials transformed to the PC (9) and from it to the web server (19) via the internet (18).
In a preferred embodiment of the invention, when a user accesses a web page requesting their credentials in Login / Password mode, the user enters said parameters. The web browser interacts with the device (10) in USB HID mode (electronically selected) and the latter proceeds to carry out a mathematical transformation as a function of time using the same non-linear generation algorithm. In this specific case, the serial number (unique worldwide) of the device and through which a seed is generated is selected, selecting those corresponding values in the key table path. A secure hash function is finally carried out and that is the data that will be sent to the server (19) of the web page, which will verify the data in its database to give access to the
image14
image15
image16
5 user to web services, whether online banking or other type of web. In this way, keylogger attacks are avoided, but also video recording of the user's screen, screenlogger, etc.
In figure 4 the anti-opening mechanism comprising the piezoelectric polymer 10 (7) connected to the central microcontroller (1) can be seen through an input port
(21) through which the signals from the piezoelectric polymer (7) are analyzed, counting on the microcontroller (1) with an output port (22) for activation towards a mosfet (23) fed from a battery (24).
15 Sufficiently described the nature of the present invention, as well as the manner of putting it into practice, it is stated that, within its essentiality, it may be implemented in other embodiments that differ in detail from that indicated by way of for example, and to which it will also achieve the protection that is sought, provided that it does not alter, change or modify its fundamental principle.
twenty

权利要求:
Claims (4)
[1]
image 1
image2
image3
1. Individual encryption device with user credential protection mechanism characterized in that it comprises:
- A central microcontroller (1) that contains a plurality of tables.
- An FPGA (programmable device) (2) communicated with the central microcontroller (1), where the FPGA (2) contains a symmetric encryption algorithm based on a non-linear encryption that uses a linear feedback shift register (LFSR) that translates as register of displacement with linear feedback and that uses the generation of a seed or a random number that in combination with the values of a series of numerical tables to create session keys.
- A cryptographic EPROM memory (3) that stores the data indicated by the central microcontroller (1) in encrypted form.
- An anti-opening mechanism (4) in connection with the central microcontroller (1) and which is based on a piezoelectric polymer (7) that surrounds the entire device and is controlled by the central microcontroller.
- A first slave USB connector (5) for connection to a personal computer.
- A second USB connector (6) master for keyboard.
- An anti-opening mechanism
- A socket for a micro SD memory (8).
[2]
2.  Individual encryption device with user credential protection mechanism according to claim 1 characterized in that the central microcontroller (1) of the device contains tables of 1024 bytes each as a minimum size and 8192 bytes each as a maximum size.
[3]
3.  Individual encryption device with user credential protection mechanism according to any of the preceding claims characterized in that it additionally comprises symmetric encryption such as AES (Advanced Encryption Standard) or IDEA (International Data Encryption Algorithm).
[4]
Four.  Individual encryption device with user credential protection mechanism according to any of the preceding claims characterized in that the device can operate in USB mode through a virtual serial port or through a high performance native USB connection in the case of encrypting files or Real-time communications or, in USB HID mode in the case of credential introduction, with an internal digital switch that allows it to operate in the corresponding mode, serial communication through virtual serial port, in USB HID mode or native USB high perfomance.
8

类似技术:

---

公开号 | 公开日 | 专利标题

---

ES2403233T3|2013-05-16|Method for authenticating access to a chip protected by a test device

---

CN101542496B|2012-09-05|Authentication with physical unclonable functions

---

TWI604335B|2017-11-01|Apparatus and method for processing authentication information

---

JP4848039B2|2011-12-28|Memory system with multipurpose content control

---

US9043610B2|2015-05-26|Systems and methods for data security

---

ES2731775T3|2019-11-19|Data encryption system and procedures

---

JP4857284B2|2012-01-18|Control structure generation system for multi-purpose content control

---

JP2008524753A5|2010-04-30|

---

JP2008524758A5|2011-11-10|

---

CN107908574A|2018-04-13|The method for security protection of solid-state disk data storage

---

Choi et al.2012|Design of security enhanced TPM chip against invasive physical attacks

---

US20190347445A1|2019-11-14|Security data generation based upon software unreadable registers

---

ES2685123B1|2019-07-18|Individual encryption device with user credential protection mechanism

---

JP6246516B2|2017-12-13|Information processing system

---

US10956560B1|2021-03-23|System and method for improving the security of stored passwords for an organization

---

Istyaq2016|A New approach of Graphical Password with Integration of Audio Signature Combination of Recall and recognition

---

ArockiamȦ et al.2014|Security framework to ensure the confidentiality of outsourced data in public cloud storage

---

CN213814673U|2021-07-27|Multi-security-level storage access device based on user fingerprint identification

---

WO2017182679A1|2017-10-26|Computer-implemented method for generating passwords and computer program products of same

---

CN213780963U|2021-07-23|High-safety storage access device based on user iris recognition

---

Alhalabi et al.2014|Universal physical access control system

---

KR101247521B1|2013-04-03|Security apparatus for mobile device

---

TWI728355B|2021-05-21|Password-protected data storage device and control method for non-volatile memory

---

Anton et al.2018|Linux Unified Key Setup |-The Good, the Bad, the Ugly

---

CN213876726U|2021-08-03|Multi-security-level storage access device based on user face recognition

同族专利:

---

公开号 | 公开日

---

ES2685123B1|2019-07-18|

引用文献:

---

公开号 | 申请日 | 公开日 | 申请人 | 专利标题

---

WO1991005306A1|1989-10-03|1991-04-18|University Of Technology, Sydney|Electro-active cradle circuits for the detection of access or penetration|

---

US20090220083A1|2008-02-28|2009-09-03|Schneider James P|Stream cipher using multiplication over a finite field of even characteristic|

---

EP2852089A1|2013-09-22|2015-03-25|Winbond Electronics Corp.|Data protecting apparatus and method thereof|

---

法律状态:
2018-10-05| BA2A| Patent application published|Ref document number: 2685123 Country of ref document: ES Kind code of ref document: A1 Effective date: 20181005 |

---

2019-07-18| FG2A| Definitive protection|Ref document number: 2685123 Country of ref document: ES Kind code of ref document: B1 Effective date: 20190718 |

---

2020-01-09| FA2A| Application withdrawn|Effective date: 20200102 |

优先权:

---

申请号 | 申请日 | 专利标题

---

ES201700377A|ES2685123B1|2017-03-31|2017-03-31|Individual encryption device with user credential protection mechanism|ES201700377A| ES2685123B1|2017-03-31|2017-03-31|Individual encryption device with user credential protection mechanism|