Authentication stick

10735409 · 2020-08-04

Abstract

A communication adapter for authentication of a user includes a receiving unit for receiving encrypted credentials, a decryption unit for decrypting the encrypted credentials and an output unit for outputting the decrypted credentials to a terminal device.

Claims

1. A communication adapter for authentication of a user, the communication adapter comprising: a receiving unit comprising a radio link interface for receiving encrypted credentials; a decryption unit comprising a processor for decrypting the encrypted credentials; an output unit comprising a keyboard signal interface for outputting the decrypted credentials to a terminal device; wherein the keyboard signal interface of the output unit can be connected to an interface on the terminal device and wherein the interface on the terminal device is suitable for inputting keyboard signals; wherein the radio link interface of the receiving unit is configured to receive the encrypted credentials from a mobile input device; wherein the mobile input device is configured to output the encrypted credentials to the radio link interface of the receiving unit via a radio link; wherein the processor of the decryption unit is configured to decrypt the encrypted credentials by means of a second password; wherein the second password is dependent on an application for which the user authenticates himself/herself; wherein the second password is dependent on the user who wants to authenticate himself/herself; or wherein the communication adapter being configured to generate the second password in an automated manner.

2. The communication adapter as claimed in claim 1, wherein the keyboard signal interface of the output unit is configured to output the decrypted credentials in a format of a standard keyboard.

3. The communication adapter as claimed in claim 1, wherein the decrypted credentials comprise a first password.

4. The communication adapter as claimed in claim 1, the communication adapter being configured to store the second password within a memory.

5. The communication adapter as claimed in claim 1, the communication adapter being configured to receive the second password via an additional input unit.

6. A system for authentication of a user on a terminal device, comprising: a communication adapter for authentication of the user, said communication adapter comprising: a receiving unit comprising a radio link interface for receiving encrypted credentials; a decryption unit comprising a processor for decrypting the encrypted credentials; an output unit comprising a keyboard signal interface for outputting the decrypted credentials to a terminal device; wherein the keyboard signal interface of the output unit can be connected to an interface on the terminal device and wherein the interface on the terminal device is suitable for inputting keyboard signals; wherein the radio link interface of the receiving unit is configured to receive the encrypted credentials from a mobile input device; wherein the mobile input device is configured to output the encrypted credentials to the radio link interface of the receiving unit via a radio link; the mobile input device configured to store encrypted credentials from a user and to output same to the radio link interface of the receiving unit of the communication adapter; and the terminal device configured to receive the decrypted credentials from the keyboard signal interface of the output unit; wherein the processor of the decryption unit is configured to decrypt the encrypted credentials by means of a second password; wherein the second password is dependent on an application for which the user authenticates himself/herself; wherein the second password is dependent on the user who wants to authenticate himself/herself; or wherein the communication adapter being configured to generate the second password in an automated manner.

7. The system as claimed in claim 6, wherein the mobile input device is configured to generate first passwords or second passwords in an automated manner.

8. A method for authentication of a user, the method comprising: receiving encrypted credentials from a mobile input device via a radio link; decrypting the encrypted credentials; outputting the decrypted credentials to a terminal device via an interface, suited for inputting keyboard signals, on the terminal device; decrypting the encrypted credentials by means of a second password; wherein the second password is dependent on an application for which the user authenticates himself/herself; wherein the second password is dependent on the user who wants to authenticate himself/herself; or wherein the second password is generated in an automated manner.

9. A non-transitory digital storage medium having a computer program stored thereon to perform the method for authentication of a user, said method comprising: receiving encrypted credentials from a mobile input device via a radio link; decrypting the encrypted credentials; outputting the decrypted credentials to a terminal device via an interface, suited for inputting keyboard signals, on the terminal device, decrypting the encrypted credentials by means of a second password; wherein the second password is dependent on an application for which the user authenticates himself/herself; wherein the second password is dependent on the user who wants to authenticate himself/herself; or wherein the second password is generated in an automated manner; when said computer program is run by a computer.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) Embodiments of the present invention will be detailed subsequently referring to the appended drawings, in which:

(2) FIG. 1 shows a schematic representation of an embodiment of a communication adapter;

(3) FIG. 2 shows a schematic representation of a system for authentication of a user on a terminal device;

(4) FIG. 3 shows an embodiment of a communication adapter;

(5) FIG. 4 shows an input mask for access data on a terminal device.

DETAILED DESCRIPTION OF THE INVENTION

(6) In the subsequent description of the embodiments of the invention, elements which are identical or equivalent will be provided with identical reference numerals in the figures, so that their descriptions are interchangeable in the different embodiments.

(7) FIG. 1 shows a schematic representation of an embodiment of a communication adapter 10 for authentication of a user. Authentication may be understood to mean a user's contribution by means of which evidence of an alleged property of an entity is provided. Subsequently, said authentication is confirmed in an authenticated manner, for example by a server. The user may be a person or a group of persons. However, it is also possible for a device or an apparatus to be authenticated by the communication adapter 10. As a result of the authentication, the user is subsequently enabled to perform applications, i.e. the user is granted access rights, for example, to specific data, programs, documents or areas.

(8) The communication adapter 10 includes a receiving unit 12 for receiving encrypted credentials 26. Credentials usually include an identity such as a user name or an account name as well as a password by means of which the identity is verified. Passwords are an agreed sequence of characters by means of which an identity can be confirmed. In addition, encrypted credentials 26 may include digital keys or certificates.

(9) The receiving unit 12 includes an interface of the communication adapter 10. The encrypted credentials 26 may be received as a bitstream by the receiving unit 12. The bitstream may comprise encoding such as an ASCII code, for example, for transmitting a character set to the receiving unit 12. Transmission of the bitstream may be effected in a wired manner, for example via an electrical cable or an optical waveguide. Advantageously, transmission of the encrypted credentials 26 to the receiving unit 12 is effected over an air route, for example by means of a radio signal or infrared data transmission. Transmission over an air route has the advantage that no additional openings, where humidity and/or pollution may enter, need to be provided on a housing of the communication adapter 10. In addition, cable connections involve the risk of mechanically insufficient electrical connections, as a result of which electrical signals are insufficiently transmitted. Moreover, a radio link requires no additional hardware such as a suitable cable comprising plugs, for example.

(10) In a transmission of the encrypted credentials 26 by means of a radio signal, the receiving unit 12 may include a transmitter and a receiver for the radio signal. Transmission of the encrypted credentials 26 is effected by suitable means, e.g., for short-haul data transmission between devices via radio or infrared technology. In accordance with embodiments, transmission of the encrypted credentials 26 is effected via a WPAN (Wireless Personal Area Network). Examples of a WPAN are Bluetooth, ZigBee or FIR-IrDA.

(11) The communication adapter 10 further comprises a decryption unit 14 for decrypting the encrypted credentials 26. The decryption unit 14 includes a processor, for example, which decrypts the encrypted credentials 26.

(12) In accordance with embodiments, the decrypted credentials 28.sub.1 include a first password, a user name, digital keys or certificates. The decryption unit 14 is configured to decrypt the encrypted credentials 26 by means of the second password. Passwords are frequently employed for authenticating persons or devices. Following authentication, the authenticated person may be enabled to use specific data, programs, documents or accesses. Instead of or in addition to a password, biometric data such as fingerprints or iris scans may also be used as a first or second password, for example. Moreover, it is possible, for example, to use a long-lived secret such as, e.g., name of the first pet or mother's birthdate or entire sentences or acronyms as the first or the second password.

(13) The communication adapter 10 may be configured to store the second password within a memory. The memory forwards the second password to the processor, which uses it to decrypt the encrypted credentials 26. In accordance with embodiments, the communication adapter 10 is configured to receive the second password via an additional input unit. An additional input unit may be, e.g., a keyboard or a keypad for entering the second password. The additional input unit may be connected to the communication adapter 10 via an additional interface. As additional interfaces one may also use the interfaces described above in connection with the receiving unit 12. For example, the second password may be input into the decryption unit 14 via a keyboard additionally connected via Bluetooth. This has the advantage that the second password is not stored within the communication adapter 10 and thus cannot be read out by unauthorized persons and/or attackers, e.g. if the communication adapter 10 is stolen.

(14) In accordance with embodiments, the second password is dependent on an application for which the user authenticates himself/herself. By using different second passwords for different applications, one prevents that, should decrypted credentials 28.sub.1 of one application become known, the second password can be found out from them and, consequently, the encrypted credentials 26 of further applications can be decrypted by unauthorized persons. In this context, the different second passwords may either be stored within the communication adapter 10 or be entered via the additional interface.

(15) The second password may also depend on a user who wants to authenticate himself/herself. By means of a second password, which is dependent on the user, the level of protection against unauthorized access is also increased. Utilization of different second passwords renders it impossible for any of the users to decrypt the encrypted credentials 26 of other users by means of one's own second password and to thus obtain the credentials of other users.

(16) The communication adapter 10 may be configured to generate the second password in an automated manner. By means of software, for example, a password may be generated in an automated manner with the aid of a random number generator. Passwords generated in an automated manner have the advantage that, unlike long-lived secrets in particular, they are not related to the user and are therefore difficult to guess even for a well-informed attacker. In addition, with automatically generated passwords it is possible to generate long passwords of advantageously more than 64 characters, particularly advantageously more than 256 characters, which otherwise would have to be awkwardly generated by a user via keyboard entry.
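To make paragraphs (12) to (16) concrete, the following is an added example; it is not code from the patent or from any of the products it cites. It turns the long-lived second password into a decryption key that depends on both the application and the user, as (14) and (15) describe, generates a second password automatically as in (16), and shows that credentials encrypted for one application or user cannot be decrypted with the key of another. Everything in it is assumed: the key-derivation parameters, the label strings, the constructed sample credentials and the dependency-free cipher (an HMAC-SHA256 keystream in counter mode with encrypt-then-MAC, chosen only so the example runs with the Python standard library; a real adapter would use a standard authenticated cipher such as AES-GCM).

```python
"""Per-application, per-user decryption keys derived from a long-lived
"second password" (paragraphs 12 to 16 of the patent).

Constructed example, not the patent's code. Assumptions: PBKDF2_ROUNDS,
the "adapter-v1" salt label, the sample credentials, and the HMAC-based
cipher below (use a real AEAD such as AES-GCM in a product).
"""
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption: cost tuned for the adapter's processor


def generate_second_password(length: int = 64) -> str:
    """Automated second-password generation (16): random, unrelated to the
    user, and longer than a person would comfortably type."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_key(second_password: str, app_id: str, user_id: str) -> bytes:
    """Bind the key to the application (14) and the user (15): the second
    password is the secret, (app_id, user_id) goes into the salt, so every
    combination yields an unrelated 64-byte key (32 for encryption, 32 for MAC)."""
    salt = b"adapter-v1|" + app_id.encode() + b"|" + user_id.encode()
    return hashlib.pbkdf2_hmac("sha256", second_password.encode(), salt,
                               PBKDF2_ROUNDS, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in keystream (demo only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_credentials(key: bytes, plaintext: bytes) -> bytes:
    """Mobile input device side: returns nonce || ciphertext || tag."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_credentials(key: bytes, blob: bytes) -> Optional[bytes]:
    """Communication adapter side. Returns None when the tag does not verify,
    i.e. when a wrong second password, application or user key is used."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Encrypt one credential pair for (mail.example, alice) and try to open it
    with the right key and with keys of another app, another user, another secret."""
    second_pw = generate_second_password()
    creds = b"alice\tS3cret-Pass!"  # constructed user name + first password
    key_mail = derive_key(second_pw, "mail.example", "alice")
    blob = encrypt_credentials(key_mail, creds)
    return {
        "right_key": decrypt_credentials(key_mail, blob),
        "other_app": decrypt_credentials(derive_key(second_pw, "vpn.example", "alice"), blob),
        "other_user": decrypt_credentials(derive_key(second_pw, "mail.example", "bob"), blob),
        "other_secret": decrypt_credentials(derive_key(generate_second_password(), "mail.example", "alice"), blob),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Because the tag is checked before anything is decrypted, a wrong key yields a clean refusal rather than garbage keystrokes sent to the terminal device; the same check is what stops a leaked decrypted credential of one application from being turned into a working key for another.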

(17) The communication adapter 10 further includes an output unit 16 for outputting the decrypted credentials 28.sub.2 to a terminal device. What is referred to as a terminal device is a device where the decrypted credentials 28.sub.2 are to be entered. The terminal device may be a computer or a server, for example.

(18) In embodiments of the communication adapter 10, the output unit 16 is configured with an interface suitable for outputting keyboard signals, it being possible to connect said interface to an interface, which is suitable for inputting keyboard signals, of the terminal device. Interfaces suitable for inputting keyboard signals are PS/2 interfaces or USB interfaces, for example. In accordance with embodiments, the output unit 16 is configured to output the credentials in a format of a standard keyboard. By outputting the credentials in the format of a standard keyboard, the communication adapter 10 may be connected to a terminal of the terminal device which is provided for keyboard entry. Via the interface on the terminal device, which is suitable for inputting keyboard signals, the output unit 16 of the communication adapter 10 may simulate entry of the decrypted credentials 28.sub.2, for example of a password, on the part of a user on the mobile input device.

(19) In accordance with embodiments, the communication adapter 10 is configured to receive the second password from the terminal device. The interface of the output unit 16 of the communication adapter 10 is configured, in embodiments, not only for transmitting data but also for receiving data. Reception of the second password from the terminal device on the part of the communication adapter 10 also has the advantage that the second password is not stored within the communication adapter 10 and thus cannot be read out by unauthorized persons in case the communication adapter 10 is stolen.

(20) FIG. 2 shows an embodiment of a system 18 for authentication of a user 20 on a terminal device 22. The system 18 includes a communication adapter 10 and a mobile input device 24 configured to store encrypted credentials 26 of a user 20 and to output same to the receiving unit 12 of the communication adapter 10. The system 18 further includes a terminal device 22 configured to receive the decrypted credentials 28.sub.2 from the output unit. A mobile input device 24, or a mobile terminal device, is a device which may be used by a user 20 for entering and/or storing encrypted credentials 26.

(21) A mobile input device 24 may be a smartphone, a tablet PC or a laptop, for example. Mobile input devices 24 in most cases are personal devices of a user. On account of the personal connection between the user 20 and the mobile input device 24, it is rendered more difficult for an attacker or a fraudster to gain access to the encrypted credentials 26 stored within the mobile input device 24. In addition, mobile input devices 24 such as smartphones, for example, are often carried around permanently by the user 20. This offers good protection against access on the part of a fraudster. Loss of the mobile input device 24 is also noticed by the user 20 within a narrow timeframe, as a result of which, e.g., accesses to applications can be permanently blocked. Said carrying around of the mobile input device 24 additionally has the advantage that the mobile input device 24 is available to the user 20 at any time for entering encrypted credentials 26 into a communication adapter 10.

(22) Additionally, mobile input devices 24 comprise memories which in most cases are sufficiently large for storing a plurality of pairs consisting of encrypted passwords and user names. The encrypted passwords and user names may be stored as encrypted credentials 26. Moreover, mobile input devices 24 in most cases have different communication interfaces by means of which they can exchange data with other devices.

(23) In accordance with embodiments, the mobile input device 24 has a program code (software) operated thereon which controls exchange of the encrypted credentials 26 between the mobile input device 24 and the communication adapter 10. The software may include additional functions such as encryption of the credentials, generation of first and second passwords, controlling or monitoring of the communication between the communication adapter 10 and the terminal device 22, as well as storing of the encrypted credentials 26. The software may be operated on a smartphone as an app (mobile app, application), for example.

(24) Embodiments of the mobile input device 24, or the mobile terminal device, in combination with a communication adapter 10 are used for solving the problem of administering and entering safe passwords. For this purpose, the user 20 stores his/her pairs of user names and encrypted passwords on the mobile input device 24 (mobile terminal device) and has them sent to a different device (terminal device 22) for authentication purposes if need be. Once the user 20 has selected a password, said password will also be sent to the communication adapter 10 in an encrypted manner. Thus, the password of the user 20 does not appear in plain text on the mobile input device 24 (mobile terminal device) at any time.

(25) In a particularly well-protected area, the communication adapter 10 may have a long-lived secret of the user 20 stored thereon. Only the combination of an encrypted password (encrypted credentials 26) and said long-lived secret (second password) renders decryption possible. Following decryption, the password, which now appears in plain text on the communication adapter 10 (decrypted credentials 28.sub.1), is processed further. To this end, the data (decrypted credentials 28.sub.1) is converted by the communication adapter 10 to the format of a standard keyboard and then sent to the terminal device 22 as decrypted credentials 28.sub.2. The format for transmitting keyboard information may be specified by the PC System Design Guide (see, e.g., reference [9] for IBM compatible devices).

(26) The process of authenticating a user 20 (login) by means of the new method will be described below in an embodiment:

(27) 1. The terminal device 22 (device) prompts a user to log in.

(28) 2. The user 20 selects the suitable (encrypted) credentials 26 in his/her mobile input device 24 (mobile terminal device).

(29) 3. The user 20 plugs his/her communication adapter 10 into the terminal device 22 (device).

(30) 4. The communication adapter 10 passes itself off as a standard keyboard toward the terminal device 22 (device).

(31) 5. The user 20 prompts his/her mobile input device 24 (mobile terminal device) to transmit the encrypted credentials 26.

(32) 6. The mobile input device 24 transmits the encrypted credentials 26 (data) to the communication adapter 10.

(33) 7. The communication adapter 10 decrypts the credentials 28.sub.1 with the aid of the stored second password (long-lived secret).

(34) 8. The communication adapter 10 converts the decrypted credentials 28.sub.1 so that they conform to the format of a standard keyboard.

(35) 9. The communication adapter 10 transmits the converted decrypted credentials 28.sub.2 (data) to the terminal device 22 (device).

(36) 10. Login is completed. The user 20 removes his/her communication adapter 10 from the terminal device 22 (device).

(37) FIG. 3 shows an embodiment of a communication adapter 10. The communication adapter 10 includes a USB interface 34 by means of which the communication adapter 10 may be connected to the terminal device. The communication adapter 10 further includes a receiving unit 12 configured by a Bluetooth interface 36, for example. The Bluetooth interface 36 is advantageously arranged in that part of the communication adapter 10 which is located opposite the USB interface 34.

(38) FIG. 4 shows an embodiment of a mask 32 for entering credentials on a terminal device. The credentials may include a user name and a password. By using the communication adapter, which simulates a keyboard entry, the mobile input device and the communication adapter may fill in the input mask 32 in an automated manner.
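The conversion in steps 8 and 9 above, and the automated filling of the input mask 32 of FIG. 4, can be illustrated with the following added example; it is not the patent's code and does not come from any product the patent cites. It renders the decrypted credentials as USB HID boot-protocol keyboard reports, the "format of a standard keyboard" a USB host accepts. Assumed: a US keyboard layout on the terminal device, the constructed sample credentials, and the function names; the usage IDs and the 8-byte report layout follow the USB HID Usage Tables for the keyboard/keypad page.

```python
"""Decrypted credentials -> USB HID boot keyboard reports (steps 8 and 9).

Constructed example, not the patent's code. Assumes the terminal device
uses a US layout; KEYMAP and the report layout follow the USB HID Usage
Tables (keyboard/keypad page). The sample credentials are made up.
"""
from typing import Dict, List, Tuple

LEFT_SHIFT = 0x02      # bit in the modifier byte for Left Shift
RELEASE = bytes(8)     # all-zero report: every key released

# character -> (modifier byte, usage id) for a US keyboard
KEYMAP: Dict[str, Tuple[int, int]] = {}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[c] = (0, 0x04 + i)                 # 'a' = 0x04 ... 'z' = 0x1D
    KEYMAP[c.upper()] = (LEFT_SHIFT, 0x04 + i)
for i, c in enumerate("1234567890"):
    KEYMAP[c] = (0, 0x1E + i)                 # '1' = 0x1E ... '0' = 0x27
for shifted, digit in zip("!@#$%^&*()", "1234567890"):
    KEYMAP[shifted] = (LEFT_SHIFT, KEYMAP[digit][1])
for plain, shifted, usage in [("-", "_", 0x2D), ("=", "+", 0x2E), ("[", "{", 0x2F),
                              ("]", "}", 0x30), ("\\", "|", 0x31), (";", ":", 0x33),
                              ("'", '"', 0x34), ("`", "~", 0x35), (",", "<", 0x36),
                              (".", ">", 0x37), ("/", "?", 0x38)]:
    KEYMAP[plain] = (0, usage)
    KEYMAP[shifted] = (LEFT_SHIFT, usage)
KEYMAP["\n"] = (0, 0x28)   # Enter
KEYMAP["\t"] = (0, 0x2B)   # Tab
KEYMAP[" "] = (0, 0x2C)    # Space


def key_report(modifier: int, usage: int) -> bytes:
    """8-byte boot keyboard report: modifiers, reserved byte, up to six keys."""
    return bytes([modifier, 0, usage, 0, 0, 0, 0, 0])


def to_keyboard_reports(text: str) -> List[bytes]:
    """One press report followed by one release report per character, so that
    repeated characters ("ss") arrive as two distinct keystrokes and the host
    never sees a key held long enough to auto-repeat."""
    reports: List[bytes] = []
    for ch in text:
        if ch not in KEYMAP:
            raise ValueError(f"character {ch!r} has no key on the assumed US layout")
        modifier, usage = KEYMAP[ch]
        reports.append(key_report(modifier, usage))
        reports.append(RELEASE)
    return reports


def fill_input_mask(user_name: str, password: str) -> List[bytes]:
    """Fill the mask of FIG. 4: user name, Tab to the password field,
    password, Enter to submit the form."""
    return to_keyboard_reports(user_name + "\t" + password + "\n")


if __name__ == "__main__":
    for report in fill_input_mask("alice", "S3cret-Pass!"):  # constructed values
        print(report.hex())
```

The check a practitioner wants here is the layout assumption: the adapter only emits usage IDs, and the terminal device's operating system maps them to characters according to its configured layout, so on a German layout "z" and "y" swap and most punctuation lands on other keys. The adapter therefore has to know (or let the user select) the terminal's layout, and any character outside the map should be refused, as above, rather than silently typed as something else.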

(39) In accordance with embodiments it is also possible to store encrypted credentials e.g. on a desktop PC as the mobile input device and to send the encrypted credentials, e.g. via a Bluetooth interface of the desktop PC, to the receiving unit of the communication adapter. The communication adapter decrypts the encrypted credentials. Moreover, the communication adapter is connected, e.g., to a USB interface of the desktop PC. The communication adapter returns the decrypted credentials at its output unit to the desktop PC as the terminal device. In the embodiment described, the mobile input device is identical with the terminal device. The communication adapter serves to decrypt the encrypted credentials, decryption of the credentials being possible for a user only by means of the corresponding hardware of the communication adapter.

(40) In accordance with embodiments, the hardware of the communication adapter contains an algorithm for decrypting the encrypted credentials. By implementing the decryption algorithm directly into the hardware of the communication adapter, readout of the algorithm by attackers may be prevented.

(41) In known methods, the user may manually enter his/her data on a keyboard or may install software on the terminal device itself. In accordance with present embodiments, this is not necessary. For communication, a specific adapter (communication adapter) is used which behaves like a standard keyboard toward the terminal device (device). Thus, no modifications on the terminal device (device) are required (e.g. installation of additional drivers or software), and compatibility with commercial PCs is ensured.

(42) In embodiments, the communication adapter enables receiving encrypted data from a mobile input device (mobile terminal device), decrypting same on the communication adapter (adapter) itself, and subsequently forwarding same in the format of a keyboard.

(43) Even though some aspects have been described within the context of a device, it is understood that said aspects also represent a description of the corresponding method, so that a block or a structural component of a device is also to be understood as a corresponding method step or as a feature of a method step. By analogy therewith, aspects that have been described within the context of or as a method step also represent a description of a corresponding block or detail or feature of a corresponding device. Some or all of the method steps may be performed while using a hardware device, such as a microprocessor, a programmable computer or an electronic circuit. In some embodiments, some or several of the most important method steps may be performed by such a device.

(44) Depending on specific implementation requirements, embodiments of the invention may be implemented in hardware or in software. Implementation may be effected while using a digital storage medium, for example a floppy disc, a DVD, a Blu-ray disc, a CD, a ROM, a PROM, an EPROM, an EEPROM or a FLASH memory, a hard disc or any other magnetic or optical memory which has electronically readable control signals stored thereon which may cooperate, or actually do cooperate, with a programmable computer system such that the respective method is performed. This is why the digital storage medium may be computer-readable.

(45) Some embodiments in accordance with the invention thus comprise a data carrier which comprises electronically readable control signals that are capable of cooperating with a programmable computer system such that any of the methods described herein is performed.

(46) Generally, embodiments of the present invention may be implemented as a computer program product having a program code, the program code being effective to perform any of the methods when the computer program product runs on a computer.

(47) The program code may also be stored on a machine-readable carrier, for example.

(48) Other embodiments include the computer program for performing any of the methods described herein, said computer program being stored on a machine-readable carrier.

(49) In other words, an embodiment of the inventive method thus is a computer program which has a program code for performing any of the methods described herein, when the computer program runs on a computer. The data carrier, the digital storage medium, or the recorded medium are typically tangible, or non-volatile.

(50) A further embodiment of the inventive methods thus is a data carrier (or a digital storage medium or a computer-readable medium) on which the computer program for performing any of the methods described herein is recorded.

(51) A further embodiment of the inventive method thus is a data stream or a sequence of signals representing the computer program for performing any of the methods described herein. The data stream or the sequence of signals may be configured, for example, to be transferred via a data communication link, for example via the internet.

(52) A further embodiment includes a processing means, for example a computer or a programmable logic device, configured or adapted to perform any of the methods described herein.

(53) A further embodiment includes a computer on which the computer program for performing any of the methods described herein is installed.

(54) A further embodiment in accordance with the invention includes a device or a system configured to transmit a computer program for performing at least one of the methods described herein to a receiver. The transmission may be electronic or optical, for example. The receiver may be a computer, a mobile device, a memory device or a similar device, for example. The device or the system may include a file server for transmitting the computer program to the receiver, for example.

(55) In some embodiments, a programmable logic device (for example a field-programmable gate array, an FPGA) may be used for performing some or all of the functionalities of the methods described herein. In some embodiments, a field-programmable gate array may cooperate with a microprocessor to perform any of the methods described herein. Generally, the methods are performed, in some embodiments, by any hardware device. Said hardware device may be any universally applicable hardware such as a computer processor (CPU), or may be a hardware specific to the method, such as an ASIC.

(56) While this invention has been described in terms of several embodiments, there are alterations, permutations, and equivalents which fall within the scope of this invention. It should also be noted that there are many alternative ways of implementing the methods and compositions of the present invention. It is therefore intended that the following appended claims be interpreted as including all such alterations, permutations and equivalents as fall within the true spirit and scope of the present invention.

REFERENCES

(57) [1] https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2011/Passwortsicherheit_27012011.html

(58) [2] 1Password; https://agilebits.com/onepassword

(59) [3] KeePass; http://keepass.info/

(60) [4] LastPass; https://lastpass.com/

(61) [5] Password Safe 7; http://www.passwordsafe.de/support/features/uebersicht-version-7.html

(62) [6] http://mobilevaults.com/mobilevaults-features

(63) [7] http://myidkey.com/using-myidkey/

(64) [8] http://inputstick.com/

(65) [9] Intel Corporation and Microsoft Corporation, PC99 System Design Guide, 1999.