US 20070208949A1 (19) United States (12) Patent Application Publication (10) Pub. No.: US 2007/0208949 A1 Lu et al. (43) Pub. Date: Sep. 6, 2007

(54) INFORMATION SECURITY DEVICE OF Publication Classification UNIVERSAL SERAL HUMAN (51) Int. Cl. INTERFACE DEVICE CLASS AND DATA H04LK LM00 (2006.01) TRANSMISSION METHOD FOR SAME (52) U.S. Cl...... 713/186 (75) Inventors: Zhou Lu, Beijing (CN); (57) ABSTRACT Huazhang Yu, Beijing (CN) The present invention relates to an information security device of Universal Serial Bus (USB) Human Interface Correspondence Address: Device (HID) class and the data transmission method for the Richard L. Wood same. With a master chip that has a built-in HID descriptor and a USB interface chip connected to the master chip, the 22nd Floor, 120 South Riverside Plaza device of the present invention itself may be designed to be Chicago, IL 60606-3945 compact and easy to use, and provide powerful functions. With the USB HID interface, the device user does not need (73) Assignee: Feitian Technologies, Co., Ltd, to install a driver and the user can use the device anywhere Beijing (CN) and anytime. And the user does not need to manage the driver whose version updates constantly, consider the com patibility of various product drivers, face the risk caused by (21) Appl. No.: 111534,991 the driver when running OS, and worry about the pollution to the system resulted from the installation and uninstalla (22) Filed: Sep. 25, 2006 tion of the driver. CPU, SCM or smart card chip used as the master chip ensures that the security of identity authentica Foreign Application Priority Data tion is reliable. Moreover, the security of identity authenti (30) cation device can be further improved by adding biometric Jan. 27, 2006 (CN) ...... 20061OOOO2400.1 identification module and/or the like.

101 <1 Initialization > i 102 erform two-factor - ... | authentication

File management encryption/d 3. mow tion

a Y Operation '

---. ends Patent Application Publication Sep. 6, 2007 Sheet 1 of 2 US 2007/0208949 A1

: t Ol < Initialization ) - 102 erform tWO-factor - --. authentication--- --

106 ------*/Ose service o Service - 108 re Operation - denied --- ends FIG. 1

Initialization -> - - - - 202 re-PKI auth.- - -

non Use the services offered by f

device l 206

Date R/W Algorithm------Data - download encryption'd --- ecryption

v-uum Y----,- 2094U. (Use serviceby app offered / Service ends Patent Application Publication Sep. 6, 2007 Sheet 2 of 2 US 2007/0208949 A1

301

CPU orchip smart card r —

FIG. 3 401

USB HID host -

chip

------m-www.m-rm-mm-mm

USB HID------host 1 - 501 4N or w ------m - a ------SO2 - -- N4-, -i-m-- -t |- sni 4.Y - Y - u-1504 Other master chip - - - - Y - -- 505 Sensor - US 2007/0208949 A1 Sep. 6, 2007

INFORMATION SECURITY DEVICE OF class, comprising a master chip with a built-in HID descrip UNIVERSAL SERAL BUS HUMAN tor, and a USB interface module connected to the master INTERFACE DEVICE CLASS AND DATA chip. TRANSMISSION METHOD FOR SAME 0008. The information security device may comprise an additional authentication module, which is an intelligent FIELD OF THE INVENTION authentication module including a biometric identification module or a card reader module. 0001. The present invention relates to an information The USB interface module may be built in the master chip, security device of Universal Serial Bus (USB) Human or be a USB HID interface chip separated from the master Interface Device (HID) class and the data transmission chip. method for the same. 0009. The master chip may be a microprocessor or smart card chip, comprising a (CPU), a BACKGROUND OF THE INVENTION Microcontroller Unit (MCU), or a Single Chip Micyoco 0002. With the popularity of the Internet and the rise of (SCM). e-business and e-government, more and more people begin 0010. A data transmission method for the information to try online transactions. Meanwhile, more and more per security device, comprising the steps of Sonal privacy and business secrets information is transmitted 0011 1) the host recognizing the information security over the network. However, the malicious threats, such as device; virus, hacker, and phishing fraud, bring a great challenge to 0012. 2) the host sending control commands to the the security of online transactions. Endless network crimes device; lead to a trust crisis to the identity on network. We have to 0013 3) the device resolving and processing the control focus on the problems on how to prove “who am I?’ and commands after receiving them; how to prevent identify thefts again. It is urgent to safeguard 0014. 4) the device responding to the application and identify authentication/recognition which is the primary returning the execution results. problem in network security. The major identify authenti 0015 The control commands are transmitted through cation/recognition methods used in computer and network HID instructions between the host and the information systems are username?password, ID card, dynamic password security device. 0016. The control commands may include PIN authenti and USB Key (Token). cation, signature authentication, data downloading, file 0003 Username?password is the commonest and sim access, privilege management and/or read/write operation. plest method for identity authentication, but the password is 0017. The control commands may be transmitted in the easy to be doped out by other people. In addition, the form of cipher text after being encrypted. password is static data and is transmitted through computer 0018. The HID instructions may include Set Report and memory and network during authentication, So it is easy to Get Report commands. be captured by Trojan or listener on network. Therefore, its 0019. The algorithm used to encrypt the control com not a good method for identity authentication. mands is RSA, DES, 3DES, HMAC-MD5 or TEA, or the 0004 ID card authentication prevents user identity from combination of some of them. being counterfeited as ID card cannot be duplicated. But the 0020. The advantages of the present invention compared data read from ID card is also static and it is easy to be with existing technologies are: the information security captured by memory scan or network listening. The security device itself may be designed to be compact and easy to use, problems persist. and provide powerful functions. With the USB HID inter 0005. Dynamic password is a technology that allows user face, the device user does not need to install a driver and the password to change with time or the number of uses, and the user can use the device anywhere and anytime. And the user password can be used only once. Since each password must does not need to manage the driver whose version updates be generated by dynamic token and the private hardware of constantly, consider the compatibility of various product dynamic token is held only by valid user, the user identity drivers, face the risk caused by the driver when running OS, can be authenticated through password verification. But if and worry about the pollution to the system resulted from the the time or the number of uses between the client and the installation and uninstallation of the driver. CPU, SCM or server is not synchronized properly, a valid user probably Smart card chip used as the master chip ensures that the could not log in. And the user is required to enter a long security of identity authentication is reliable. Moreover, the string of ruleless password using keyboard each time the security of identity authentication device can be further user logs in, once there is a typo, the user must enter the improved by adding biometric identification module and/or password again. Obviously, it is not easy to use. the like.

SUMMARY OF THE INVENTION BRIEF DESCRIPTION OF THE DRAWINGS 0006. The present invention overcomes above defects 0021. The present invention may be further understood and provides a simple and secure information security from the following description in conjunction with the device of the Universal Serial Bus (USB) Human Interface appended drawings. In the drawings: Device (HID) class, which is integrated with the features and 0022 FIG. 1 is a control flow diagram of the first advantages of both USB Key (Token) and HID devices, and embodiment of the present invention; the data transmission method for the device. 0023 FIG. 2 is a control flow diagram of the second 0007. The solution of the present invention to the tech embodiment of the present invention; nical problems is: an information security device of Uni 0024 FIG. 3 is a hardware structure diagram of the first versal Serial Bus (USB) Human Interface Device (HID) embodiment of the present invention; US 2007/0208949 A1 Sep. 6, 2007

0025 FIG. 4 is a hardware structure diagram of the command. This request can be PIN authentication, signature second embodiment of the present invention; authentication, data downloading, file access, privilege man 0026 FIG. 5 is a hardware structure diagram of the third agement or read/write. embodiment of the present invention. 0037 3. The device resolves and processes the command. 0038. After receiving Set Report command from the DETAILED DESCRIPTION OF THE host, the information security device resolves the command EMBODIMENTS according to the data resolving protocol defined previously and performs appropriate security operations, such as con 0027. As a more and more widely used PC interconnec ducting PIN authentication and signature authentication, tion protocol, USB makes the connection between periph downloading necessary data to the specified location, read erals and computer more effective and convenient. This kind ing/writing/modifying/adding/deleting files according to file of interface applies to many devices. It is quick, Supports for access privilege, or changing operation privileges on files. plug and play and hot Swap, and can be connected to up to 127 devices at one time. It can solve such problems as 0039 4. The device responds to the application. resource conflict, interrupt request and direct data channel. 0040. When finishing the specified operation, or making Accordingly, more and more developers try to apply this a new request to the application, the device sends related kind of standard interface to their products. data Such as execution results to the application in response 0028. It is so convenient that the user does not need to to the request of the application. install a driver for a HID device for Windows 98 SE or 0041. The identity authentication system based on USB higher. The user can use the device anywhere and anytime, Key has two major application schemas: the authentication without installing a driver when using a PC . And schema based on challenge/response and the authentication the user does not need to manage the driver whose version schema based on Public Key Infrastructure (PKI). updates constantly, consider the compatibility of various 0042. For the identity authentication technology of the product drivers, face the risk caused by the driver when authentication schema based on challenge/response, the running OS, and worry about the pollution to the system application process will be described below. resulted from the installation and uninstallation of the driver. All these will benefit the primary users who are not very The First Embodiment sophisticated to PCs. 0029. The identity authentication based on USB Key is a 0043 Referring to FIG. 1, the application performs the convenient and secure identity authentication technology initialization process, as shown in Step 101. When it is emerged in recent years. It employs a strong two-factor required to authenticate user identity on network, perform authentication mode that combines software with hardware two-factor authentication, as shown in Step 102. Once the and uses one-time pad technology, obtaining high security weak factor (PIN) authentication is passed, the device will without the cost of usability. receive random numbers and encrypt them with defined 0030 The present invention integrates the features and algorithm(s), then return the results to the terminal which advantages of USB Key with those of HID devices, and will therefore confirm the results. applies driver-free USB Key to identity identification in 0044. After the two-factor authentication finishes, the network security area. The present invention will be further application judges whether the authentication is successful, understood from the following description. as shown in Step 103. The application side can provide the 0031. The driver-free USB Key thereof is a hardware service, as shown in Step 106, or deny the service, as shown device that has a USB HID interface. Referring to FIG.3, the in Step 108. Additionally, it can also perform file manage information security device 302 has a high performance ment, as shown in Step 104, or other data operation, as built-in SCM or smart card chip 303. It is connected to the shown in Step 105, on the information security device. host 301 via a built-in USB interface. The SCM or Smart Finally, the operation is completed, as shown in Step 107. card chip 303 can store user keys or digital certificates. The 0045. During the application process of the present user identity is authenticated with the encryption algorithms embodiment, key calculation is run on the hardware of the built in USB Key. The SCM or smart card chip has built-in information security device and the server respectively. It . The hardware supports RSA, DES, 3DES does not appear in client memory, or on network. Because and TEA algorithms. the algorithm HMAC-MD5 is not reversible, which means that you can get the calculation result if you know the key 0032. RSA keys and random numbers are generated by and the random number used in the calculation, but you the hardware. The firmware supports downloads of 3" party cannot get the key if you know the random number and the algorithms. According to the above mentioned structure, calculation result. So the key is secured, and the user identity data transmission is processed as follows: is secured thereby. 0033 1. The host recognizes the device. 0034. The host establishes connection to the information security device 302 by enumerating a USB HID device, and The Second Embodiment then gets HID class and report descriptor and sets up 0046 Referring to FIG. 4, the information security device communication with the information security device finally. 402 contains a high performance CPU chip 404 and is The host reads the file system of the information security connected to the host via a USB interface chip 403 which is device and gets related information. used to resolve the USB communication protocol. The 0035 2. The host sends a command to the device. algorithm HMAC-MD5 is implemented and the random 0036 When receiving an authentication request from the numbers are generated by the high performance CPU chip in user, the host sends authentication data to the device using combination with the USB interface chip. The firmware an HID-specific request, Set-Report control transmission Supports 3-level file access and privilege management. US 2007/0208949 A1 Sep. 6, 2007

0047 According to the above structure and the authen to the high performance CPU 503 referred in the 2" tication schema based on PKI System, the application pro embodiment. The biometric identification module comprises cess of the present invention is described in details below. a sensor 505 for extracting biometric information and a 0.048 PKI authentication is a unified technical frame control chip 504 for converting the information into control work used to provide data encryption and digital signature signals that can be recognized by CPU. The control chip 504 services in the public network environment using the public is connected between the CPU 503 and the sensor 505. key encryption technology of modem cryptography. Therefore, a biometric identification feature is added to the 0049. As the authentication technology based on Certifi device, the security of the authentication is further increased. cate Authority (CA) is getting completed, identity authen Alternatively, a reader module for example can be employed tication and data encryption are embodied using a digital for the same purpose. certificate in the present embodiment. The digital certificate 0057 The information security device of USB HID class is issued by an authoritative and just 3" party authority (i.e. and the data transmission method for the information Secu a CA Center). The encryption technology based on the rity device provided by the present invention are described digital certificate enables the encryption and decryption, in details above. It will be appreciated by those of ordinary digital signature and signature verification of the informa skill in the art that the invention can be embodied in other tion transmitted on the network, assures the confidentiality specific forms without departing from the spirit or essential and integrity of the information, the authenticity of the character thereof. The presently disclosed embodiments are identities of transaction entities and the incontestability of therefore considered in all respects to be illustrative and not signature information, and therefore maintains the security restrictive. The scope of the invention is indicated by the of network applications. appended claims rather than the foregoing description, and 0050 First, perform the initialization operation, as shown all changes which come within the meaning and range of in Step 201. When the server needs to authenticate the user's equivalents thereof are intended to be embraced therein. identity, it performs PKI authentication, as shown in Step 202. The device encrypts the received data with a private 1. An information security device of Universal Serial Bus key, and returns the result to the terminal. After receiving the (USB) Human Interface Device (HID) class, wherein com encryption result, the server decrypts it to verify if the prising authentication data is correct. a master chip with a built-in HID descriptor; and 0051. After PKI authentication finishes, whether the a USB interface module connected to the master chip. authentication is successful will be judged, as shown in Step 2. The information security device of Universal Serial Bus 203. If it fails, the service will be denied, as shown in Step (USB) Human Interface Device (HID) class according to 208. Otherwise, use the service offered by the application, as claim 1, wherein further comprising an authentication mod shown in Step 210. Moreover, the services, such as data ule which is an intelligent authentication module comprising reading/writing, as shown in Step 207, algorithm download a biometric identification module or a card reading module. ing, as shown in Step 206, and data encryption/decryption, 3. The information security device of Universal Serial Bus as shown in Step 205, can be offered and used by the present (USB) Human Interface Device (HID) class according to embodiment, as shown in Step 204. Then go to the end, as claim 1, wherein the USB interface module is built into the shown in Step 209. master chip or is a USB HID interface chip separated from 0052. In the present embodiment, each user has a private the master chip. key held only by himself to decrypt and sign, meanwhile, the 4. The information security device of Universal Serial Bus user also has a public key which is open to the public to (USB) Human Interface Device (HID) class according to encrypt and verify the signature. When sending a confiden claim 2, wherein the USB interface module is built into the tial document, the sender encrypts the data using the public master chip or is a USB HID interface chip separated from key of the receiver, and the receiver decrypts the data with the master chip. his private key. Thereby, the information can be forwarded 5. The information security device of Universal Serial Bus to the destination correctly and safely. Even if the informa (USB) Human Interface Device (HID) class according to tion is captured by a 3" party, it can not be decrypted claim 1, wherein the master chip is a microprocessor or without the private key. It is guaranteed that the encryption Smart card chip, comprising a Central Processing Unit process is an irreversible process by digital means, i.e. to (CPU), a Microcontroller Unit (MCU), or a Single Chip decrypt the data, the private key is a must. Micyoco (SCM). 0053. The user can also process the information using the 6. The information security device of Universal Serial Bus private key of his own. Since the private key is held only by (USB) Human Interface Device (HID) class according to the foregoing user, a document that cannot be generated by claim 2, wherein the master chip is a microprocessor or others will be produced, and then a digital signature comes Smart card chip, comprising a Central Processing Unit up. Using the digital signature can ensure that: (CPU), a Microcontroller Unit (MCU), or a Single Chip 0054 1) the information is signed and sent by the signer Micyoco (SCM). himself, and the signer cannot deny or is difficult to deny its 7. A data transmission method for the information security signature; and device according to claim 1, wherein comprising the steps 0055 2) the information has not been modified from it is of: signed until it is received, and the signed document is the 1) the host recognizing the information security device; authentic document. 2) the host sending control commands to the device; 3) the device resolving and processing the control com The Third Embodiment mands after receiving them; 0056 Referring to FIG. 5, the information security device 4) the device responding to the application and returning 502 comprises a biometric identification module in addition the execution results; and the control commands are US 2007/0208949 A1 Sep. 6, 2007

transmitted through HID instructions between the host 11. The data transmission method for the information and the information security device. security device according to claim 8, wherein the HID 8. The data transmission method for the information instructions include Set Report and Get Report commands. security device according to claim 7, wherein the control 12. The data transmission method for the information commands include PIN authentication, signature authenti cation, data downloading, file access, privilege management security device according to claim 9, wherein the HID and/or read/write operation. instructions include Set Report and Get Report commands. 9. The data transmission method for the information 13. The data transmission method for the information security device according to claim 7, wherein the control security device according to claim 9, wherein the algorithm commands are transmitted in the form of cipher text after used to encrypt the control commands is RSA, DES, 3DES, being encrypted. HMAC-MD5 or TEA, or the combination of some of them. 10. The data transmission method for the information security device according to claim 7, wherein the HID instructions include Set Report and Get Report commands.