Electronic signing methods, systems, and apparatus

US 9,495,546 B2
Filed: 12/18/2014
Issued: 11/15/2016
Est. Priority Date: 12/31/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a communication interface configured to physically locally connect the apparatus to a host computer; and

a data processing component adapted to provide a cryptographic processing result generated by cryptographically combining a cryptographic secret key with first input data;

wherebythe apparatus is adapted to present itself to said host computer, when it is connected to said host computer by the communication interface, as a mass storage device that an application on the host computer can access through a standard mass storage access mechanism for exchanging files;

the apparatus is adapted to generate an output file and the communication interface is adapted to return the output file to said host computer over said communication interface whereby said output file comprises the cryptographic processing result, and said host computer obtains said output file by reading said output file from the apparatus over said communication interface through a mechanism for reading files of said standard mass storage access mechanism; and

the apparatus is further adapted to generate a one-time password whereby said one-time password is comprised in said result of said cryptographically combining of said cryptographic secret key with said first input data and whereby said first input data comprises a dynamic variable; and

(1) whereby the apparatus further comprises a clock and said dynamic variable is based on a time value provided by the clock;

or(2) whereby the apparatus further comprises a first memory component to store a second variable and the apparatus is further adapted to determine a value of said dynamic variable as a function of said stored second variable and to update and store the value of the second variable when the value of the second variable has been used for said combining.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus, and systems for generating digital signatures are disclosed. An apparatus may present itself to a host computer as a mass storage device to provide cryptographic processing results through a standard mass storage access mechanism for exchanging files.

Citations

33 Claims

1. An apparatus comprising:
- a communication interface configured to physically locally connect the apparatus to a host computer; and
  
  a data processing component adapted to provide a cryptographic processing result generated by cryptographically combining a cryptographic secret key with first input data;
  
  wherebythe apparatus is adapted to present itself to said host computer, when it is connected to said host computer by the communication interface, as a mass storage device that an application on the host computer can access through a standard mass storage access mechanism for exchanging files;
  
  the apparatus is adapted to generate an output file and the communication interface is adapted to return the output file to said host computer over said communication interface whereby said output file comprises the cryptographic processing result, and said host computer obtains said output file by reading said output file from the apparatus over said communication interface through a mechanism for reading files of said standard mass storage access mechanism; and
  
  the apparatus is further adapted to generate a one-time password whereby said one-time password is comprised in said result of said cryptographically combining of said cryptographic secret key with said first input data and whereby said first input data comprises a dynamic variable; and
  
  (1) whereby the apparatus further comprises a clock and said dynamic variable is based on a time value provided by the clock;
  
  or(2) whereby the apparatus further comprises a first memory component to store a second variable and the apparatus is further adapted to determine a value of said dynamic variable as a function of said stored second variable and to update and store the value of the second variable when the value of the second variable has been used for said combining.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The apparatus of claim 1 wherein said communication interface comprises a Universal Serial Bus (USB) interface and wherein the apparatus is further adapted to present itself to said host computer, when said apparatus is connected to said host computer, as a USB device of a USB Mass Storage Device class.
  - 3. The apparatus of claim 1 further comprising:
    - a second memory component adapted to store said cryptographic secret key;
      
      wherein said data processing component is adapted to perform cryptographic calculations with said cryptographic secret key;
      
      whereby said cryptographically combining said cryptographic secret key with said first input data comprises said data processing component performing said cryptographic calculations.
  - 4. The apparatus of claim 1 further comprising:
    - a second communication interface for receiving and exchanging commands and responses with an external removable key storage device, said key storage device comprising a key storage device memory component adapted to store said cryptographic secret key and a key storage device data processing component adapted to perform cryptographic calculations with said cryptographic secret key;
      
      whereby said cryptographically combining said cryptographic secret key with said first input data comprises said key storage device data processing component performing said cryptographic calculations with said cryptographic secret key.
  - 5. The apparatus of claim 4 whereby said second communication interface comprises an International Organization for Standardization (ISO) 7816 compatible smart card interface and said commands and responses comprise smart card commands and responses, and whereby said key storage device comprises a smart card.
  - 6. The apparatus of claim 1 further comprising a user input interface for a user of said apparatus to indicate an approval, whereby the apparatus is adapted to capture by said user input interface said approval by the user and whereby at least one of said cryptographically combining of the secret key with the first data or said returning of the output file comprising the result of said cryptographically combining is conditional on the apparatus obtaining said approval.
  - 7. The apparatus of claim 1 wherein said cryptographic secret key comprises a symmetric secret key that is shared with an application and whereby said cryptographically combining said cryptographic secret key with said first input data comprises performing on said first input data a symmetric cryptographic algorithm parameterized with said symmetric secret key.
  - 8. The apparatus of claim 1 wherein said cryptographic secret key comprises a secret private key of an asymmetric public-private key pair and whereby said cryptographically combining said cryptographic secret key with said first input data comprises performing on said first input data an asymmetric cryptographic algorithm parameterized with said secret private key.
  - 9. The apparatus of claim 8 further adapted to make available to said host computer a public key file that comprises a public key of said public-private key pair and whereby said host computer obtains said public key file by reading the public key file from the apparatus over said communication interface through said mechanism for reading files.
  - 10. The apparatus of claim 8 further adapted to make available to said host computer a certificate file that comprises one or more certificates associated with said public-private key pair and whereby said host computer obtains said certificate file by reading the certificate file from the apparatus over said communication interface through said mechanism for reading files.
  - 11. The apparatus of claim 1 further comprising a user input interface for a user of said apparatus to provide to said apparatus at least one of a PIN value or a password value;
    - said apparatus further adapted to obtain from said user the at least one of said PIN value or said password value by said user input interface and to verify whether the at least one of said PIN value or said password value is correct;
      
      whereby said cryptographically combining of the secret key with the first data or said returning of the output file comprising the result of said cryptographically combining is conditional on the at least one of said PIN value or said password value provided by the user being correct.
  - 12. The apparatus of claim 11 further adapted to store a reference value wherein said verifying of the at least one of said obtained PIN value or said obtained password value comprises said apparatus comparing the at least one of said obtained PIN value or said obtained password value with said reference value.
  - 13. The apparatus of claim 11 further comprising a second communication interface for receiving and exchanging commands and responses with an external removable device wherein said verifying of the at least one of said obtained PIN value or said obtained password value comprises:
    - said apparatus communicating to said external removable device over said second communication interface at east one of a PIN representing value or a password representing value that represents the at least one of said obtained PIN value or said obtained password value for the external removable device to verify; and
      
      said apparatus receiving from said external removable device over said second communication interface the result of said verification by the external removable device of said at least one of a PIN representing value or a password representing value.
  - 14. The apparatus of claim 1 further comprising a biometric sensor to capture a biometric measurement of a user of said apparatus;
    - said apparatus further adapted to obtain said biometric measurement from said user by said biometric sensor and to verify whether said biometric measurement is correct;
      
      whereby at least one of said cryptographically combining of the secret key with the first data or said returning of the output file comprising the result of said cryptographically combining is conditional on said obtained biometric measurement being correct.
  - 15. The apparatus of claim 14 further adapted to store biometric reference data wherein said verifying of said obtained biometric measurement comprises said apparatus comparing said obtained biometric measurement with said biometric reference data.
  - 16. The apparatus of claim 14 further comprising a second communication interface for receiving and exchanging commands and responses with an external removable device wherein said verifying of said obtained biometric measurement comprises:
    - said apparatus communicating, to said external removable device over said second communication interface said biometric measurement for the external removable device to verify; and
      
      said apparatus receiving from said external removable device over said second communication interface the result of said verification by the external removable device of said biometric measurement.

17. A method for obtaining a digital signature over an electronic input file for use with an apparatus comprising a communication interface configured to physically locally connect the apparatus to a host computer, a user output interface for presenting outputs to a user of said apparatus, and a user input interface for capturing inputs from said user,whereby the apparatus is adapted:
- to present itself to said host computer, when the apparatus is connected to said host computer, as a mass storage device that an application on the host computer can access through a standard mass storage access mechanism for reading and saving files;
  
  to receive said input file from said host computer over said communication interface;
  
  to recognize a format of at least one of a plurality of possible file type formats of said input file;
  
  to read said at least some contents of said input file;
  
  to present said at least some contents to said user by said user output interface;
  
  to capture from said user by said user input interface at least one of an approval or a rejection by said user of said at least some contents presented to the user;
  
  to generate said digital signature over said input file by applying to said input file a digital signature algorithm that is parameterized by a secret signature key;
  
  to generate and return an output file to said host computer over said communication interface whereby said output file comprises said digital signature over said input file;
  
  whereby at least one of the generation of said digital signature or the generation and return of said output file comprising said digital signature is conditional on the apparatus obtaining said approval;
  
  the method comprising the steps of;
  
  making at said host computer a connection with said apparatus;
  
  sending at said host computer said input file to the apparatus over said communication interface by saving the input file to the mass storage device presented by the apparatus using a method for saving files of said standard mass storage access mechanism;
  
  obtaining at said host computer said output file from the apparatus over said communication interface by reading the output file using a method for reading files of said standard mass storage access mechanism;
  
  retrieving said digital signature from said output file.
- View Dependent Claims (18)
- - 18. The method of claim 17 wherein said communication interface comprises a Universal Serial Bus (USB) interface and wherein said apparatus is further adapted to present itself to said host computer, when said apparatus is connected to said host computer, as a USB device of the USB Mass Storage Device class.

19. A system for generating a digital signature over an electronic input file comprising:
- a host computer comprisinga data processing component for running software applications,a connection mechanism for removably connecting at least one external peripheral device to the host computersaid host computer adapted to;
  
  support a class of mass storage devices;
  
  recognize devices that are connected to said host computer through said connection mechanism as belonging to said class of mass storage devices if said devices advertise themselves as belonging to said class when they are connected to said host computer;
  
  support a standard mass storage access mechanism for reading and saving files to mass storage devices connected to the host computer through said connection mechanism and recognized by the host computer as belonging to said class of mass storage devices;
  
  offer said software applications a first method of said standard mass storage access mechanism to read files from said mass storage devices and a second method of said standard mass storage access mechanism to save files to said mass storage devices;
  
  the system further comprising;
  
  a signature apparatus comprising a communication interface configured to physically locally connect the signature apparatus to said host computer by said connection mechanism, a user output interface for presenting outputs to a user of said apparatus, and a user input interface for capturing inputs from said user, whereby said signature apparatus is adapted;
  
  to present itself to said host computer, when the signature apparatus is connected to said host computer, as belonging to said class of mass storage;
  
  to receive said input file from said host computer over said communication interface;
  
  to recognize a format of at least one of a plurality of possible file type formats of said input file;
  
  to read at least some contents of said input file;
  
  to present said at least some contents to said user by said user output interface;
  
  to capture from said user by said user input interface at least one of an approval or a rejection by said user of said at least some contents presented to the user;
  
  to generate said digital signature over said input file by, applying to said input file a digital signature algorithm that is parameterized by a secret signature key;
  
  to generate and return an output file to said host computer over said communication interface whereby said output file comprises said digital signature over said input file, whereby at least one of said generation of said digital signature or said generation and return of said output file comprising said digital signature is conditional on the apparatus obtaining said approval; and
  
  whereby;
  
  said signature apparatus is connected to said host computer through said communication interface and said connection mechanism; and
  
  said host computer is running a signature application adapted to;
  
  send said input file to the signature apparatus over said communication interface by saving the input file to the apparatus using said second method of said standard mass storage access mechanism for saving files;
  
  obtain at said host computer said output file from the signature apparatus over said communication interface by reading the output file using said first method of said standard mass storage access mechanism.
- View Dependent Claims (20)
- - 20. The system of claim 19 wherein said communication interface comprises a Universal Serial Bus (USB) interface and wherein said apparatus is further adapted to present itself to said host computer, when said apparatus is connected to said host computer, as a USB device of a USB Mass Storage Device class.

21. An apparatus comprising:
- a communication interface configured to physically locally connect the apparatus to a host computer; and
  
  a data processing component adapted to provide a cryptographic processing result generated by cryptographically combining a cryptographic secret key with first input data;
  
  wherebythe apparatus is adapted to present itself to said host computer, when it is connected to said host computer by the communication interface, as a mass storage device that an application on the host computer can access through a standard mass storage access mechanism for exchanging files; and
  
  the apparatus is adapted to generate an output file and the communication interface is adapted to return the output file to said host computer over said communication interface whereby said output file comprises the cryptographic processing result, and said host computer obtains said output file by reading said output file from the apparatus over said communication interface through a host computer mechanism for reading files of said standard mass storage access mechanism; and
  
  whereby the apparatus is further adapted to generate a digital signature over at least some contents of an input file whereby;
  
  said communication interface is further adapted to receive said input file from said host computer whereby said host computer sends the input file to the apparatus over said communication interface by saving the input file to the mass storage device presented by the apparatus through a host computer mechanism for saving files of said standard mass storage access mechanism;
  
  said first input data are based on a value that represents said at least some contents of the input file; and
  
  said digital signature is comprised in said result of said cryptographically combining of said cryptographic secret key with said first input data; and
  
  the apparatus further comprising a user output interface for presenting outputs to a user of said apparatus and a user input interface for capturing inputs from said user;
  
  the apparatus further adapted to;
  
  recognize a format of at least one of a plurality of possible file type formats of said input file;
  
  read said at least some contents of said input file;
  
  present said at least some contents to said user by said user output interface; and
  
  capture from said user by said user input interface at least one of an approval or a rejection by said user of said at least some contents presented to the user;
  
  whereby said cryptographically combining of the secret key with the first data or said returning of the output file comprising the result of said cryptographically combining is conditional on the apparatus obtaining said approval.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 22. The apparatus of claim 21 wherein said at least some contents of said input file comprise the entire input file.
  - 23. The apparatus of claim 21 wherein said communication interface comprises a Universal Serial Bus (USB) interface and wherein the apparatus is further adapted to present itself to said host computer, when said apparatus is connected to said host computer, as a USB device of a USB Mass Storage Device class.
  - 24. The apparatus of claim 21 further comprising:
    - a memory component adapted to store said cryptographic secret key;
      
      wherein said data processing component is adapted to perform cryptographic calculations with said cryptographic secret key;
      
      whereby said cryptographically combining said cryptographic secret key with said first input data comprises said data processing component performing said cryptographic calculations.
  - 25. The apparatus of claim 21 further comprising:
    - a second communication interface for receiving and exchanging commands and responses with an external removable key storage device, said key storage device comprising a key storage device memory component adapted to store said cryptographic secret key and a key storage device data processing component adapted to perform cryptographic calculations with said cryptographic secret key;
      
      whereby said cryptographically combining said cryptographic secret key with said first input data comprises said key storage device data processing component performing said cryptographic calculations with said cryptographic secret key.
  - 26. The apparatus of claim 25 whereby said second communication interface comprises an International Organization for Standardization (ISO) 7816 compatible smart card interface and said commands and responses comprise smart card commands and responses, and whereby said key storage device comprises a smart card.
  - 27. The apparatus of claim 21 wherein said cryptographic secret key comprises a secret private key of an asymmetric public-private key pair and whereby said cryptographically combining said cryptographic secret key with said first input data comprises performing on said first input data an asymmetric cryptographic algorithm parameterized with said secret private key.
  - 28. The apparatus of claim 27 further adapted to make available to said host computer a public key file that comprises a public key of said public-private key pair and whereby said host computer obtains said public key file by reading the public key file from the apparatus over said communication interface through said host computer mechanism for reading files.
  - 29. The apparatus of claim 27 further adapted to make available to said host computer a certificate file that comprises one or more certificates associated with said public-private key pair and whereby said host computer obtains said certificate file by reading the certificate file from the apparatus over said communication interface through said host computer mechanism for reading files.
  - 30. The apparatus of claim 21 further adapted to obtain from said user at least one of said PIN value or said password value by said user input interface and to verify whether the at least one of said PIN value or said password value is correct;
    - whereby said cryptographically combining of the secret key with the first data or said returning of the output file comprising the result of said cryptographically combining is conditional on the at least one of said PIN value or said password value provided by the user being correct.
  - 31. The apparatus of claim 30 further adapted to store a reference value wherein said verifying of the at least one of said obtained PIN value or said obtained password value comprises said apparatus comparing the at least one of said obtained PIN value or said obtained password value with said reference value.
  - 32. The apparatus of claim 30 further comprising a second communication interface for receiving and exchanging commands and responses with an external removable device wherein said verifying of the at least one of said obtained PIN value or said obtained password value comprises:
    - said apparatus communicating to said external removable device over said second communication interface at least one of a PIN representing value or a password representing value that represents the at least one of said obtained PIN value or said obtained password value for the external removable device to verify; and
      
      said apparatus receiving from said external removable device over said second communication interface the result of said verification by the external removable device of said at least one of a PIN representing value or a password representing value.
  - 33. The apparatus of claim 21, further comprising a biometric sensor to capture a biometric measurement of a user of said apparatus;
    - said apparatus further adapted to obtain said biometric measurement from said user by, said biometric sensor and to verify, whether said biometric measurement is correct;
      
      whereby at least one of said cryptographically, combining of the secret key with the first data or said returning of the output file comprising the result of said cryptographically combining is conditional on said obtained biometric measurement being correct.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Onespan North America Incorporated (OneSpan, Inc.)
Original Assignee
Vasco Data Security Incorporated (OneSpan, Inc.)
Inventors
Marien, Dirk
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US14/575,068
Publication Number

US 20150186658A1
Time in Patent Office

698 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/067   using one-time keys cryptog...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 9/006   involving public key infras...

H04L 9/3228   One-time or temporary data,...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Electronic signing methods, systems, and apparatus

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic signing methods, systems, and apparatus

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links