WO2011090432A1 - Portable memory device with authentication and authentication method and system - Google Patents


Info

Publication number
WO2011090432A1
Authority
WO
WIPO (PCT)
Prior art keywords
code
unique code
encryption
module
memory device
Prior art date
Application number
PCT/SG2010/000013
Other languages
French (fr)
Inventor
Joon Yong Wayne Tan
Original Assignee
T-Data Systems (S) Pte Ltd
Priority date
2010-01-19
Filing date
2010-01-19
Publication date
2011-07-28
Application filed by T-Data Systems (S) Pte Ltd
Priority to PCT/SG2010/000013
Publication of WO2011090432A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN


Abstract

A method to secure an authentication process for a portable memory device operatively connected to a host computer is disclosed. The method includes an encryption module of the portable memory device generating a unique code and sending it to a login software module of the host computer. The login software module encrypts the unique code and sends the encrypted unique code and a password to the encryption module. The encryption module decrypts the encrypted code to obtain the code for validation, and authenticates the password. A corresponding system and a portable memory device are also disclosed.

Description

Portable Memory Device with Authentication and Authentication Method and System
Technical Field
This invention relates to a portable memory device with authentication and an authentication method and system; and relates particularly, though not exclusively, to such a device, method and system to secure an authentication process.
Definitions
Throughout this specification a reference to encryption and its grammatical equivalents is to be taken as including a reference to hashing and its grammatical equivalents; and vice versa.
Background
When using a portable memory device able to be used with a host computer by a USB connection, authentication of the user may be required when secure data is involved.
Security of the authentication process may be required if there is a possibility of "sniffing" of the password and/or a replay attack.
Summary
According to a first exemplary aspect there is provided a method to secure an authentication process for a portable memory device operatively connected to a host computer. The method includes an encryption module of the portable memory device generating a unique code and sending it to a login software module of the host computer. The login software module encrypts the unique code and sends the encrypted unique code and a password to the encryption module. The encryption module decrypts the encrypted code to obtain the code for validation, and authenticates the password.
According to a second aspect there is provided a system to secure an authentication process for a portable memory device operatively connectable to a host computer. The portable memory device comprises an encryption module and the host computer comprises a login software module. The encryption module is configured to generate a unique code and send it to the login software module. The login software module is configured to encrypt the unique code and send the encrypted unique code and a password to the encryption module. The encryption module is further configured to decrypt the encrypted code to obtain the code for validation, and to authenticate the password.
According to a third aspect there is provided a portable memory device configured to be operatively connected to a host computer. The portable memory device comprises an encryption module configured to generate a unique code and send the unique code to a login software module of the host computer. The encryption module is further configured to receive from the login software module an encryption of the unique code and a password, and to decrypt the encrypted code to obtain the code for validation, and also to authenticate the password.
For all aspects the password may be encrypted or hashed by the login software module before being sent to the encryption module. The encryption or hashing of the password may be by use of the code or a derivative of the code. The login software module may establish a secure communication channel between the login software module and the encryption module before the encryption module generates the unique code. All communication between the login software module and the encryption module may be over the secure communication channel. The unique code may be selected from: a number, a series of letters, a series of numbers, characters, or any combination of them. The unique code may be used for the one communication session. A different unique code may be generated for each communication session. Encryption may comprise hashing and decryption may comprise unhashing.
Brief Description of the Drawings
In order that the invention may be fully understood and readily put into practical effect there shall now be described by way of non-limitative example only exemplary embodiments, the description being with reference to the accompanying illustrative drawings. In the drawings:
Figure 1 is a schematic view of an exemplary system of a portable memory device connectable to a host apparatus to enable authentication of a user;
Figure 2 is a block diagram illustrating the exemplary portable memory device and a part of the host apparatus of Figure 1;
Figure 3 is a flow chart for the operation of the exemplary embodiment of Figures 1 and 2; and
Figure 4 is a flow chart illustrating an additional process to that of Figure 3.
Detailed Description of the Exemplary Embodiments
To refer to Figures 1 and 2 there is shown a host computer 100 to which is operatively connectable a portable memory device 200. The host computer 100 may be of any suitable form such as, for example, desktop computer, personal computer, laptop computer, notebook computer, server, tablet computer, personal digital assistant, digital diary, or mobile/cellular telephone.
The connection of the portable memory device 200 with the host computer 100 may be direct or indirect. If direct it may be by the USB connector 208 of the portable memory device 200 engaging with a USB port 108 of the host computer 100. If indirect, it may be by any suitable wireless connection such as Bluetooth or WiFi; or by use of a cable (not shown).
The portable memory device 200 has the USB connector 208 and a USB interface 212 operatively connected to a controller 204. A memory module 202 is also operatively connected to the controller 204. The memory module 202 may, for example, be a flash memory module. However, it may be of any suitable form of non-volatile memory.
Also operatively connected to, or integral with, the controller 204 is a firmware module 206. Also operatively connected to, or integral with, the controller 204 is an encryption module 210.
The operation is shown in Figures 3 and 4. When the portable memory device 200 is operatively connected with host computer 100 (301), a login software module 110 in the host computer 100 establishes a secure channel 300 with the encryption module 210 of the portable memory device 200 (302). This may be by any suitable and known secure channel communication system. The secure channel 300 provides a first level of protection against "sniffing" of the password over the communication channel, and thus against the possibility of a replay attack, as all communication between the login software module 110 and the encryption module 210 is over the secure communications channel 300.
To further secure the user authentication process a one-time password challenge is used. For this the encryption module 210 generates a unique challenge code (303). The code may be a number, a series of letters, a series of numbers, characters, or any combination of them. The code is used for the one communication session. A different code is generated for each communication session. The code is sent by the encryption module 210 to the login software module 110 of the host computer 100 over the secure communications channel 300. Upon receiving the code the login software module 110 encrypts or hashes the code to obtain an encrypted or hashed code (304). The login software module 110 of the host computer 100 uses the secure communication channel 300 to send the encrypted or hashed code and the password of a user of the host computer 100 to the encryption module 210 (305).
When the encryption module 210 receives the encrypted or hashed code and the password, it decrypts or unhashes the encrypted or hashed code to obtain the code to thus provide validation (306), and authenticates the password (307). This prevents a replay attack. If the validation is not successful (i.e. the code after decryption or unhashing is not the same as the code before encryption) and/or if the password is not authenticated, the secure communication channel 300 is closed and the session ends.
Figure 4 shows a variation where following (304) the login software module 110 also hashes or encrypts the password (405) with the code or a derivative of the code. The hashed or encrypted password is then sent with the encrypted or hashed code to the encryption module 210 over the secure channel 300 (406). The encryption module 210 then decrypts the code and the password (407), validates the code and authenticates the password (409). This provides an additional layer of protection against a replay attack. Whilst the foregoing description has described exemplary embodiments, it will be understood by those skilled in the technology concerned that many variations in details of design, construction and/or operation may be made without departing from the present invention.
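The challenge-response flow of Figures 3 and 4 (and of the Summary above), worked through as an added example; this is not code from the patent or from the applicant. The patent leaves the "encryption or hashing" primitive and the secure channel 300 unspecified, so the example assumes a symmetric key shared by the two modules, models the host's encryption of the code and the device's "decryption to obtain the code for validation" as an HMAC-SHA256 tag that the device recomputes and compares, keeps a SHA-256 verifier of the password on the device instead of the password itself, and leaves out the secure channel, which the patent delegates to any known mechanism. The class and function names (EncryptionModule, LoginModule, SHARED_KEY, run_session, replay_rejected) and the sample password are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumption (not in the patent): a symmetric key shared by the login software
# module and the encryption module, provisioned out of band. Constructed value.
SHARED_KEY = b"example-shared-key-not-for-production"


def password_verifier(password: bytes) -> bytes:
    """Value the device stores in place of the plaintext password (assumption)."""
    return hashlib.sha256(password).digest()


class EncryptionModule:
    """Device side: the encryption module 210 of Figures 2 to 4."""

    def __init__(self, verifier: bytes, key: bytes = SHARED_KEY):
        self._key = key
        self._verifier = verifier
        self._code = None        # challenge code of the current session
        self._used = set()       # codes already consumed, so none is accepted twice

    def generate_code(self) -> bytes:
        # (303) a fresh unique code, valid for this one session only
        self._code = secrets.token_bytes(16)
        return self._code

    def validate(self, enc_code: bytes, pw_proof: bytes, bound: bool) -> bool:
        """(306)/(307), or (407)/(409) when the password proof is keyed by the code.

        The session ends on return whether or not validation succeeds, as the
        description requires for a failed check.
        """
        code, self._code = self._code, None
        if code is None or code in self._used:
            return False
        self._used.add(code)
        # "Decrypting to obtain the code" is modelled as recomputing the keyed hash
        # of the issued code and comparing it with what the host sent.
        expected_code = hmac.new(self._key, code, hashlib.sha256).digest()
        if bound:
            # Figure 4: the password proof must have been derived with this code
            expected_pw = hmac.new(code, self._verifier, hashlib.sha256).digest()
        else:
            expected_pw = self._verifier
        code_ok = hmac.compare_digest(expected_code, enc_code)
        pw_ok = hmac.compare_digest(expected_pw, pw_proof)
        return code_ok and pw_ok


class LoginModule:
    """Host side: the login software module 110."""

    def __init__(self, key: bytes = SHARED_KEY):
        self._key = key

    def respond(self, code: bytes, password: bytes, bound: bool):
        enc_code = hmac.new(self._key, code, hashlib.sha256).digest()  # (304)
        verifier = password_verifier(password)
        if bound:
            # (405) Figure 4: hash the password with the session code
            pw_proof = hmac.new(code, verifier, hashlib.sha256).digest()
        else:
            pw_proof = verifier
        return enc_code, pw_proof                                      # (305)/(406)


def run_session(device: EncryptionModule, host: LoginModule,
                password: bytes, bound: bool = False) -> bool:
    """One login attempt: (303) -> (304)/(405) -> (305)/(406) -> validation."""
    code = device.generate_code()
    enc_code, pw_proof = host.respond(code, password, bound)
    return device.validate(enc_code, pw_proof, bound)


def replay_rejected(bound: bool = False) -> bool:
    """Capture one session's messages and resubmit them in the next session."""
    device = EncryptionModule(password_verifier(b"correct horse"))
    host = LoginModule()
    code = device.generate_code()
    captured = host.respond(code, b"correct horse", bound)
    if not device.validate(*captured, bound):   # the genuine login succeeds
        return False
    device.generate_code()                       # new session, new code
    return not device.validate(*captured, bound) # captured pair is now useless


if __name__ == "__main__":
    dev = EncryptionModule(password_verifier(b"correct horse"))
    print(run_session(dev, LoginModule(), b"correct horse"))        # True
    print(run_session(dev, LoginModule(), b"wrong", bound=True))    # False
    print(replay_rejected(), replay_rejected(bound=True))           # True True
```

The bound flag switches between the Figure 3 flow, where the password verifier travels unchanged, and the Figure 4 variation, where the password proof is keyed by the session code. replay_rejected shows what the per-session code buys the device: a captured (encrypted code, password proof) pair fails against the next session because the device has already issued a different code, and in the bound case the password proof itself no longer matches either. Comparisons use hmac.compare_digest so that validation time does not depend on where the first mismatching byte lies.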

Claims

The Claims:
1. A method to secure an authentication process for a portable memory device operatively connected to a host computer, the method comprising:
an encryption module of the portable memory device generating a unique code and sending it to a login software module of the host computer;
the login software module encrypts the unique code and sends the encrypted unique code and a password to the encryption module;
the encryption module decrypts the encrypted code to obtain the code for validation; and
the encryption module authenticates the password.
2. A method as claimed in claim 1, wherein the password is encrypted or hashed by the login software module before being sent to the encryption module.
3. A method as claimed in claim 2, wherein the encryption or hashing of the password is by use of the code or a derivative of the code.
4. A method as claimed in any one of claims 1 to 3, wherein the login software module establishes a secure communication channel between the login software module and the encryption module before the encryption module generates the unique code.
5. A method as claimed in claim 4, wherein all communication between the login software module and the encryption module is over the secure communication channel.
6. A method as claimed in any one of claims 1 to 5, wherein the unique code is selected from the group consisting of: a number, a series of letters, a series of numbers, characters, or any combination of them.
7. A method as claimed in any one of claims 1 to 6, wherein the unique code is used for the one communication session.
8. A method as claimed in any one of claims 1 to 7, wherein a different unique code is generated for each communication session.
9. A method as claimed in any one of claims 1 to 8, wherein encryption comprises hashing, and decryption comprises unhashing.
10. A system to secure an authentication process for a portable memory device operatively connectable to a host computer, the portable memory device comprising an encryption module and the host computer comprising a login software module; the encryption module being configured to generate a unique code and send it to the login software module; the login software module being configured to encrypt the unique code and send the encrypted unique code and a password to the encryption module; the encryption module being configured to decrypt the encrypted code to obtain the code for validation and to authenticate the password.
11. A system as claimed in claim 10, wherein the login software module is configured to encrypt the password or obtain a hash of the password before being sent to the encryption module.
12. A system as claimed in claim 11, wherein the encryption or hashing of the password is by use of the code or a derivative of the code.
13. A system as claimed in any one of claims 10 to 12, wherein the login software module is configured to establish a secure communication channel between the login software module and the encryption module before the encryption module generates the unique code.
14. A system as claimed in claim 13, wherein all communication between the login software module and the encryption module is over the secure communication channel.
15. A system as claimed in any one of claims 10 to 14, wherein the unique code is selected from the group consisting of: a number, a series of letters, a series of numbers, characters, or any combination of them.
16. A system as claimed in any one of claims 10 to 15, wherein the unique code is used for the one communication session.
17. A system as claimed in any one of claims 10 to 16, wherein a different unique code is generated for each communication session.
18. A system as claimed in any one of claims 10 to 17, wherein encryption comprises hashing, and decryption comprises unhashing.
19. A portable memory device configured to be operatively connected to a host computer, the portable memory device comprising:
an encryption module configured to generate a unique code and send the unique code to a login software module of the host computer;
the encryption module being further configured to receive from the login software module an encryption of the unique code and a password, and to decrypt the encrypted code to obtain the code for validation and also to authenticate the password.
20. A portable memory device as claimed in claim 19, wherein the unique code is selected from the group consisting of: a number, a series of letters, a series of numbers, characters, or any combination of them.
21. A portable memory device as claimed in claim 19 or claim 20, wherein the unique code is used for the one communication session.
22. A portable memory device as claimed in any one of claims 19 to 21, wherein a different unique code is generated for each communication session.
23. A portable memory device as claimed in any one of claims 19 to 22, wherein encryption comprises hashing, and decryption comprises unhashing.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/SG2010/000013 WO2011090432A1 (en) 2010-01-19 2010-01-19 Portable memory device with authentication and authentication method and system


Publications (1)

Publication Number Publication Date
WO2011090432A1 true WO2011090432A1 (en) 2011-07-28

Family

ID=44307068


Country Status (1)

Country Link
WO (1) WO2011090432A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106817671A (en) * 2017-02-14 2017-06-09 腾讯科技(深圳)有限公司 A kind of networked information sharing method, first terminal and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050250473A1 (en) * 2004-05-04 2005-11-10 Research In Motion Limited Challenge response system and method
US7139915B2 (en) * 1998-10-26 2006-11-21 Microsoft Corporation Method and apparatus for authenticating an open system application to a portable IC device
US20090193511A1 (en) * 2008-01-30 2009-07-30 Vasco Data Security, Inc. Two-factor usb authentication token



Similar Documents

Publication Publication Date Title
US9455830B2 (en) Method for securing credentials in a remote repository
CN109923830B (en) System and method for configuring wireless network access device
EP2314090B1 (en) Portable device association
CN103152366B (en) Obtain the method for terminal authorization, terminal and server
US8099761B2 (en) Protocol for device to station association
WO2015180691A1 (en) Key agreement method and device for verification information
KR101239297B1 (en) System for protecting information and method thereof
WO2015192670A1 (en) User identity authentication method, terminal and service terminal
US20110159848A1 (en) Methods and apparatus for provisioning devices with secrets
US9445269B2 (en) Terminal identity verification and service authentication method, system and terminal
US20100250796A1 (en) Establishing a Secure Channel between a Server and a Portable Device
CN109361508B (en) Data transmission method, electronic device and computer readable storage medium
JP2012530311A5 (en)
US8397281B2 (en) Service assisted secret provisioning
US11196721B2 (en) Systems and methods for establishing a secure communication channel between an information handling system and a docking station
WO2014180198A1 (en) Access method, system, and device of terminal, and computer storage medium
US9313185B1 (en) Systems and methods for authenticating devices
CN101621794A (en) Method for realizing safe authentication of wireless application service system
WO2010023506A1 (en) Methods, apparatuses, computer program products, and systems for providing secure pairing and association for wireless devices
KR100668446B1 (en) Safe --method for transferring digital certificate
CA2813765C (en) A method for securing credentials in a remote repository
CN102404337A (en) Data encryption method and device
US9654455B2 (en) Communication system, communication device, key management apparatus, and communication method
CN108199851B (en) Data secure transmission method, device and system
EP3149883B1 (en) Management of cryptographic keys

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10844084; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10844084; Country of ref document: EP; Kind code of ref document: A1)