Dual interface device for access control and a method therefor

US 9,462,470 B2
Filed: 06/19/2014
Issued: 10/04/2016
Est. Priority Date: 04/14/2011
Status: Active Grant

First Claim

Patent Images

1. An access control device having dual interfaces comprising:

a memory having a cryptographic store with entries storing cryptographic information, the cryptographic information including access credentials and cryptographic keys;

a contact-bound interface for communication with a remote system, the contact-bound interface comprising a USB (“

universal serial bus”

) interface;

a contact-less interface for transmitting data derived from the cryptographic information to an access control system;

a cryptographic processor that controls the access control device to;

present, via the contact-bound interface, a USB mass storage device interface having a virtual file system that does not expose free read-and-write access to the memory of the access control device and presents a virtual representation of the cryptographic information in which entries in the cryptographic store are represented as files;

receive, via the contact-bound interface, new cryptographic information in an encrypted file written to the virtual file system, wherein the new cryptographic information is received as blocks of wrapped and/or Authenticated Encryption with Associated Data (AEAD) files;

verify the new cryptographic information received in the encrypted file written to the virtual file system, wherein the verifying comprises;

decrypting the encrypted file using a master key from the cryptographic store to produce a decrypted file; and

verifying a digital signature present in the decrypted file; and

responsive to successful verification of the new cryptographic information, store the new cryptographic information from the decrypted file in one or more entries of the cryptographic store.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a low-cost access control device for identification and authentication in both the “digital” and “physical” worlds by contact-bound respectively contact-less interfaces and where individual users of the device can securely update access control credentials and cryptographic keys from a remote system without the need for any additional hardware or specialized software. The access control credentials and the at least one cryptographic key shall be readable by an access control system via the contact-less interface of the device, thereby enabling or denying the holder of the device access.

30 Citations

View as Search Results

15 Claims

1. An access control device having dual interfaces comprising:
- a memory having a cryptographic store with entries storing cryptographic information, the cryptographic information including access credentials and cryptographic keys;
  
  a contact-bound interface for communication with a remote system, the contact-bound interface comprising a USB (“
  
  universal serial bus”
  
  ) interface;
  
  a contact-less interface for transmitting data derived from the cryptographic information to an access control system;
  
  a cryptographic processor that controls the access control device to;
  
  present, via the contact-bound interface, a USB mass storage device interface having a virtual file system that does not expose free read-and-write access to the memory of the access control device and presents a virtual representation of the cryptographic information in which entries in the cryptographic store are represented as files;
  
  receive, via the contact-bound interface, new cryptographic information in an encrypted file written to the virtual file system, wherein the new cryptographic information is received as blocks of wrapped and/or Authenticated Encryption with Associated Data (AEAD) files;
  
  verify the new cryptographic information received in the encrypted file written to the virtual file system, wherein the verifying comprises;
  
  decrypting the encrypted file using a master key from the cryptographic store to produce a decrypted file; and
  
  verifying a digital signature present in the decrypted file; and
  
  responsive to successful verification of the new cryptographic information, store the new cryptographic information from the decrypted file in one or more entries of the cryptographic store.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The access control device of claim 1 wherein the contact-bound interface comprises a USB type A plug.
  - 3. The access control device of claim 1, wherein verifying the new cryptographic information further comprises:
    - identifying the master key for the access control device stored in the cryptographic store;
      
      identifying a unique identifier of the access control device stored in the cryptographic store; and
      
      using the identified master key and unique identifier to decrypt the encrypted file written to the virtual file system.
  - 4. The access control device of claim 1, wherein the cryptographic processor further controls the access control device to:
    - wrap cryptographic information in the cryptographic store using a unique identifier of the access control device and a master key for the access control device;
      
      represent the wrapped cryptographic information as a wrapped file in the virtual file system; and
      
      transfer the wrapped file to the remote system via the contact-bound interface.
  - 5. The access control device of claim 1, wherein the cryptographic processor further controls the access control device to:
    - receive an interrogation associated with an access control transaction from the access control system via the contact-less interface; and
      
      respond to the interrogation using the cryptographic information stored in the cryptographic store.
  - 6. The access control device of claim 1, wherein each entry in the cryptographic store is represented as a file in the virtual file system.

7. A method for secure communication with an access control device, comprising:
- storing cryptographic information in entries of a cryptographic store, the cryptographic information including access credentials and cryptographic keys;
  
  presenting, via a contact-bound interface comprising a USB (“
  
  universal serial bus”
  
  ) interface, a USB mass storage device interface having a virtual file system that does not expose free read-and-write access to the memory of the access control device and presents a virtual representation of the cryptographic information in which entries in the cryptographic store are represented as files;
  
  receiving, via the contact-bound interface, new cryptographic information in an encrypted file written to the virtual file system, wherein the new cryptographic information is received as blocks of wrapped and/or Authenticated Encryption with Associated Data (AEAD) files;
  
  verifying the new cryptographic information received in the encrypted file written to the virtual file system, wherein the verifying comprises;
  
  decrypting the encrypted file using a master key from the cryptographic store to produce a decrypted file; and
  
  verifying a digital signature present in the decrypted file;
  
  responsive to successful verification of the new cryptographic information, storing the new cryptographic information from the decrypted file in one or more entries of the cryptographic store; and
  
  transmitting, via a contact-less interface, data derived from the cryptographic information to an access control system.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein the contact-bound interface comprises a USB type A plug.
  - 9. The method of claim 7, wherein verifying the new cryptographic information further comprises:
    - identifying the master key for the access control device stored in the cryptographic store;
      
      identifying a unique identifier of the access control device stored in the cryptographic store; and
      
      using the identified master key and unique identifier to decrypt the encrypted file written to the virtual file system.
  - 10. The method of claim 7, further comprising:
    - wrapping cryptographic information in the cryptographic store using a unique identifier of the access control device and a master key for the access control device;
      
      representing the wrapped cryptographic information as a wrapped file in the virtual file system; and
      
      transferring the wrapped file to a remote system via the contact-bound interface.
  - 11. The method of claim 7, further comprising:
    - receiving an interrogation associated with an access control transaction from the access control system via the contact-less interface; and
      
      responding to the interrogation using the cryptographic information stored in the cryptographic store.

12. A non-transitory computer-readable medium storing computer program code executable to perform steps comprising:
- storing cryptographic information in entries of a cryptographic store, the cryptographic information including access credentials and cryptographic keys;
  
  presenting, via a contact-bound interface comprising a USB (“
  
  universal serial bus”
  
  ) interface, a USB mass storage device interface having a virtual file system that does not expose free read-and-write access to the memory of the access control device and presents a virtual representation of the cryptographic information in which entries in the cryptographic store are represented as files;
  
  receiving, via the contact-bound interface, new cryptographic information in an encrypted file written to the virtual file system, wherein the new cryptographic information is received as blocks of wrapped and/or Authenticated Encryption with Associated Data (AEAD) files;
  
  verifying the new cryptographic information received in the encrypted file written to the virtual file system, wherein the verifying comprises;
  
  decrypting the encrypted file using a master key from the cryptographic store to produce a decrypted file; and
  
  verifying a digital signature present in the decrypted file;
  
  responsive to successful verification of the new cryptographic information, storing the new cryptographic information from the decrypted file in one or more entries of the cryptographic store; and
  
  transmitting, via a contact-less interface, data derived from the cryptographic information to an access control system.
- View Dependent Claims (13, 14, 15)
- - 13. The medium of claim 12, wherein verifying the new cryptographic information further comprises:
    - identifying the master key for the access control device stored in the cryptographic store;
      
      identifying a unique identifier of the access control device stored in the cryptographic store; and
      
      using the identified master key and unique identifier to decrypt the encrypted file written to the virtual file system.
  - 14. The medium of claim 12, wherein the computer program code is further executable to perform steps comprising:
    - wrapping cryptographic information in the cryptographic store using a unique identifier of the access control device and a master key for the access control device;
      
      representing the wrapped cryptographic information as a wrapped file in the virtual file system; and
      
      transferring the wrapped file to a remote system via the contact-bound interface.
  - 15. The medium of claim 12, wherein the computer program code is further executable to perform steps comprising:
    - receiving an interrogation associated with an access control transaction from the access control system via the contact-less interface; and
      
      responding to the interrogation using the cryptographic information stored in the cryptographic store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Yubico AB
Original Assignee
Yubico, Inc. (Yubico AB)
Inventors
Ehrensvrd, Jakob
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Khan, Sher A

Application Number

US14/309,055
Publication Number

US 20140304509A1
Time in Patent Office

838 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/35   communicating wirelessly

G06F 21/572   Secure firmware programming...

G06F 2213/0038   System on Chip

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2143   Clearing memory, e.g. to pr...

G07C 9/00817   where the code of the lock ...

G07C 9/28   the pass enabling tracking ...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 9/32   including means for verifyi...

H04W 12/03   Protecting confidentiality,...

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

H04W 12/08   Access security

H04W 12/47   using near field communicat...

Dual interface device for access control and a method therefor

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Dual interface device for access control and a method therefor

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others