DE102006049814A1 - Auxiliary variable producing and storing method, involves determining block position of each of data blocks for each of characters of secret combination, and storing determined block positions in memory as auxiliary variables - Google Patents

Abstract

The method involves calculating a pseudo-random signal sequence in dependence of an entered main password (MPW). Data blocks of definite length are extracted from the signal sequence, where the data blocks are assigned characters of an alphabet (A) by coding of the alphabet. The extracted data blocks are compared with characters (gi) of a secret combination (g) e.g. transaction number, under consideration of the coding. A block position (bpi) of each data block is determined for each character of the secret combination. The block positions are stored in a memory (4) as auxiliary variables. Independent claims are also included for the following: (1) a method for recovering a secret combination from an auxiliary variable and a main password (2) a program technical device for implementing a method for producing and storing an auxiliary variable and a method for recovering a secret combination from an auxiliary variable and a main password.

Description

The The present invention relates to a method for automatic generation and storing auxiliary quantities that each associated with an application-specific secret combination are, depending from a master password and the respective secret combination, as well a method for recovering a secret combination from so generated Auxiliary sizes and the corresponding main password. The invention further relates one to carry at least one of these methods program-technically established Contraption.

The The invention particularly relates to a method and a corresponding one Device for the secure and user-friendly storage of authentication data such as passwords, Personal Identification numbers (PINs) or transaction numbers (TANs). These are personal secrets with which Users prove the authenticity of their claimed identity. passwords are usually used together with an identifier - often referred to as a login - identifying the user, where the login name may be publicly known, the password is kept secret. Passwords are strings, which can consist of letters, numbers and special characters. at a PIN is a message issued to a user Multi-digit combination of numbers, often together with Authentication token is used for user authentication, such as ec-cards or credit cards is the case. TANs are usually multi-digit combinations of numbers, which in addition to PIN or password can be entered, the user from the List of TANs issued to him on each transaction a new and previously unused TAN must choose, since each TAN only is accepted once. The order to use the TANs are given either by the order of TANs in the list, like this is issued to the users, or the TANs are indexed - as with the so-called iTAN method - and the user uses exactly the same TAN in a transaction, to which he from the opposite side by indication of the respective index was asked.

It shows in many places that users access restricted devices, applications and services in practice by the requirements of a deal with a variety of secret combinations needed in everyday life, the for a use of restricted devices, applications and services needed become overwhelmed are.

There are now a number of approaches and solutions that aim to assist users in dealing with their secret combinations (passwords, PINs, TANs). In this context, for example, technical solutions have been developed in which application-specific secret combinations are generated and / or stored. Access to the stored secrets is usually also controlled by means of a central secret or by means of biometric methods. In some approaches, the secret combinations are stored in encrypted form in a persistent memory of the terminal, as is the case for a variety of password management programs (eg password storage in web browsers). A patented method for centrally storing application-specific passwords and password-protected access is provided in US 6,006,333 A described. In the pamphlets EP 1 591 867 A2 and DE 199 38 001 A1 Inventions are described in which secrets access protected, eg encrypted, stored in portable storage. All encrypted secret combination storage methods have the property that an attacker with access to the encrypted secret combinations can test main passwords and then use the decryption results to verify that he has the correct master password. This is possible, for example, if the secret combination was encrypted with redundancy. An encryption of plain texts with redundancy is present, for example, if not all theoretically conceivable combinations of encryptable plain text occur in practice in plain text. This means that, based on a given encryption result, a tested key can be discarded if the decryption results obtained therewith contain those characters or character combinations which in practice do not appear as plain-text characters or as combinations of plain-text characters. An example of this is the encryption of ASCII-coded secret combinations. If an encrypted secret combination supplies a result which contains non-writable ASCII characters when a main password is entered, then it can be assumed that the main password tested was incorrect. The same applies to decryption attempts with an encrypted PIN, in which the result is a character combination which does not consist exclusively of digits; in this case it would also be immediately apparent that the wrong master password was entered.

If an attacker succeeds in accessing secret ciphers generated by the current state of the art, then he can test out main passwords until he obtains a result which exclusively contains the required characters or acceptable character combinations contains. Depending on the redundancy of the plaintext, the probability can be very high that such a positively tested main password is actually the correct password. Such attacks are in practice favored by a user choosing a weak master password, which is common to many users.

One A method based on which a user on a mobile terminal such as a cell phone or a PDA the required secret combinations like passwords, PINs or TANs available stand is helpful in itself. The user is thereby freed to remember all secret combinations and only has to a single secret combination, namely a so-called main password notice. However, since mobile devices Often lost or stolen, it is desirable that appropriate information as possible be stored safely. That means that unauthorized third parties too when accessing the terminal should not be able to access the secret combinations, i. that she ideally should not be able to decide whether the main password entered is the correct one Main password is. The aim of with the present invention proposed method is that an attacker, otherwise as in comparable methods of the prior art, by the testing of main passwords - also at potentially weakly chosen Main passwords - based of results obtained using the corresponding main password for secret combinations can not distinguish whether the tested main password is correct is or not.

Of the The present invention is therefore based on the object, a method and to develop a corresponding device with which Save information so that this information a variety of secret combinations, especially for a Access to restricted access devices needed can be recover and spend with the help of a single main password leave without a third party to this information or the device would have access, could identify the main password or the secret combinations. With The invention is further a method and a corresponding device be proposed with which the secret combinations by means of of the main password can be recovered from the stored information can.

These The object is achieved by a method having the features of claim 1 and a method with the features of claim 16 and by a device with the features of claim 21. Advantageous embodiments and further developments of the invention will become apparent with the features the dependent claims.

• – Berechnen einer pseudozufälligen Signalfolge in Abhängigkeit von dem eingegebenen Hauptpasswort,
• – Extrahieren von Datenblöcken bestimmter Länge aus der pseudozufälligen Signalfolge, wobei die Datenblöcke durch eine Kodierung eines Alphabets, aus dem die Geheimkombination gebildet ist, jeweils einem Zeichen aus diesem Alphabet zugeordnet sind,
• – Vergleichen der extrahierten Datenblöcke mit Zeichen aus der Geheimkombination unter Berücksichtigung dieser Kodierung,
• – Bestimmen einer Blockposition – eine Position des jeweiligen Datenblocks in der pseudozufälligen Signalfolge definierend – jeweils eines der Datenblöcke für jedes Zeichen aus der Geheimkombination, so dass dieser Datenblock durch die Kodierung diesem Zeichen zugeordnet ist, und
• – Speichern der so bestimmten Blockpositionen in einem Speicher.

The proposed method for the automatic generation and storage of auxiliary variables assigned in each case to an application-specific secret combination as a function of a main password and the respective secret combination which allows a reconstruction of the corresponding secret combination with the help of the main password from the auxiliary variables assigned to this secret combination thus comprises the steps:

• Calculating a pseudo-random signal sequence as a function of the input main password,
• Extracting data blocks of a specific length from the pseudorandom signal sequence, wherein the data blocks are each assigned to a character from this alphabet by coding an alphabet from which the secret combination is formed;
• Comparing the extracted data blocks with characters from the secret combination taking into account this coding,
• Determining a block position - defining a position of the respective data block in the pseudo-random signal sequence - each one of the data blocks for each character from the secret combination, so that this data block is assigned by the coding that character, and
• - Save the block positions determined in a memory.

typically, while the auxiliary sizes are dependent also of at least one further, preferably application-specific, Input size formed, being the pseudorandom one Signal sequence in addition dependent on is calculated by this at least one other input size.

• – nach Eingabe des Hauptpassworts zumindest ein Teil der pseudozufälligen Signalfolge wie bei dem Verfahren zum Erzeugen der Hilfsgrößen berechnet wird,
• – der durch die diesem Zeichen zugeordnete Blockposition definierte Datenblock aus der pseudozufälligen Signalfolge extrahiert wird,
• – dieser Datenblock gemäß der Kodierung des Alphabets, aus dem die Geheimkombination gebildet ist, einem Zeichen zugeordnet wird, wobei das gleiche Alphabet verwendet wird, welches auch bei der Erzeugung der Hilfsgrößen für die Geheimkombination verwendet wurde, und
• – dieses Zeichen ausgegeben wird.

The corresponding method for recovering a secret combination of auxiliary quantities generated by a method as described above and the corresponding master password provides that each character of the secret combination is determined by

• After the input of the main password at least a part of the pseudo-random signal sequence is calculated as in the method for generating the auxiliary quantities,
• The data block defined by the block position assigned to this character is extracted from the pseudo-random signal sequence,
• - This data block is assigned to a character according to the coding of the alphabet from which the secret combination is formed, using the same alphabet, which is also used in the generation of the auxiliary quantities for the Ge homecombination was used, and
• - this character is output.

The The auxiliary variables assigned to the respective secret combination can thereby advantageously be read directly from the memory. input is used to calculate the pseudo-random signal sequence or the Part of the pseudorandom Signal sequence typically also the at least one other input size, the depending on the input size and each after execution of the procedure manually entered or also from the memory can be read. Typed by hand is typically both in the method for generating and storing the auxiliary quantities as also in the process of recovering the secret combination one serving as an input Application identification.

The Both proposed methods allow one user multiple Services and / or devices with one provided for safety reasons Restricted Area each requiring an entry of a secret combination, in an advantageous way, with the main password just a secret to have to remember with the help of which he can calculate any needed secret combination at any time can, without having access to it stored in memory Auxiliary sizes one Give any third party any indication of any of the secret combinations could.

at It can do this named application-specific secret combinations For example, PINs, TANs or passwords that are used for a Access to a technical device or for one certain application of such a device may be required.

The pseudorandom Signal sequence may in preferred embodiments of the invention as a checksum or as Message Authentication Code (MAC) of a dependent from the at least one input size and possibly also a count defined text are formed, this checksum or this MAC depending generated by the main password.

Of the The term "alphabet" is quite general here for one Amount of characters - possibly also or even exclusively Containing digits - used, from those - under consideration any password rules - the each secret combination is to form. So the alphabet contains all those characters that are theoretically in the secret combination may be included. Any conceivable assignment of a data block from the pseudo-random signal sequence is thereby said length a character from the alphabet assigned to a redundancy-free Assignment of main passwords, To obtain secret combinations and auxiliary sizes. Further, every element is to represent each secret combination from the alphabet of at least one possible assignment of a data block said length assigned. Usually becomes the pseudorandom one Signal sequence is a sequence of binary Be signals, so any binary combination said length is associated with exactly one character from the alphabet. The comparison the extracted data blocks with A character from the secret combination can happen by first doing this Data block according to the coding of the alphabet a coding value, so a sign from this Alphabet, and then this encoding value with the Characters from the secret combination is compared or by first all potential Codings of a character can be determined from the secret combination and then tested whether the assignment of the data block is one of these codings of the character from the secret combination corresponds.

Of the The term "block position" is quite general understood as a position indication, from which results, where the respective Data block in the pseudo-random Signal sequence can be found. Typically, the data blocks are off one of their length corresponding sequence of consecutive characters from the signal sequence so that every possible Block position can be given by only one number.

Different as the auxiliary sizes, the be stored in the memory for recovery of the Secret combinations available The main password and the secret combinations are typical only temporarily in a working memory or should at least after a certain time automatically deleted become. To form the pseudo-random signal sequence can next the entered main password and other input variables also used such sizes which are implicitly defined by the respective secret combination are. In question comes for it For example, an index indicating where the character, for the to calculate an auxiliary size is, in the respective secret combination stands.

A preferred embodiment of the proposed method provides that the pseudo-random signal sequence is calculated by generating a key from the input main password by means of a key derivation function and then encrypting a character string formed as a function of the at least one further input variable with this key. For security reasons, the key derivation function should be such that each digit of the key is dependent on the occupation of each location of the main password, the key derivation Preferably, further function should be suitable, regardless of a length of the main password to form a key of predetermined length. Such key derivation functions are known per se. Of course, however, the pseudo-random signal sequence can also be formed in another way, for example by hashing a character string formed from the at least one input variable and the main password. Conversely, embodiments of the invention in which at least two of the further input variables are concatenated to form a character string, possibly with separators between the individual input variables, and the character string thus formed is encrypted with a key formed from the main password.

advantageous Embodiments of the invention provide that the character string block by block and preferably symmetrically encrypted, for example using the well-known Advanced Encryption Standards (AES), which ensures a very high level of security. The string can be divided into blocks of a certain length and a clear text and / or a cipher of each of the blocks respectively be bit-wise XORed with the plaintext or cipher of another block. Preferred is one referred to as cipher block chaining (CBC) shortcut the blocks, at the beginning of a second block each block from the string is XOR-linked with a cipher of the preceding block and a result of this link encoded becomes a cipher, which in turn, if necessary, with another block XORed becomes.

Around to ensure, that sufficiently pseudozu due Material for forming the data blocks to disposal can be provided that the calculation of the pseudo-random signal sequence in sections additionally dependent on from a meter reading takes place, the meter reading for calculating a respective further section of the pseudo-random signal sequence on another Value changed if one is available then Section of the pseudo-random Signal sequence is consumed by extracting data blocks. there can the meter reading to form the respective section of the pseudo-random signal sequence like the rest application-specific input variables. For each Character of the secret combination is then in addition to the block position of a data block associated with this character in the corresponding section the pseudorandom one Signal sequence also this section of the pseudo-random signal sequence corresponding counter reading determined and saved as a further auxiliary size. For each Sign of the secret combination is then so from a count and block position in the corresponding section of the pseudo-random signal sequence existing pair determined as auxiliary sizes and saved.

The Extract the data blocks from the pseudo-random Signal sequence can be done successively by one of its Length corresponding Number of consecutive signals, typically bits, from the pseudorandom Signal sequence are taken, with the respective subsequent data block across from the previous data block by a certain number of signals is shifted, preferably corresponding to one of the length of the data blocks Number of signals. A preferred embodiment of the method for generating the auxiliary sizes sees before that for each character of the secret combination the block position of this Character assigned data block is determined by the extracted Data blocks in succession, preferably in order of their extraction, taking into account the encoding to be compared with this character, taking a the character not corresponding data block is discarded while a the character corresponding data block, i. a data block that is assigned by the coding exactly this character, by a Decision function with a certain probability not discarded, but is accepted by the block position of this Data block saved as auxiliary value assigned to this character and extracting data blocks for this Character is terminated. additionally is available in versions of the invention with a partial calculation of the pseudorandom Signal sequence of the current section of the pseudo-random signal sequence corresponding counter reading saved as a further auxiliary size, if the corresponding data block is not discarded.

The said decision function can be carried out by a random decision maker who performs a binary random experiment with an individual probability that corresponds to the probability mentioned in the previous paragraph. This binary random experiment must therefore be conceived in such a way that the individual probability for one of two possible outcomes corresponds to the probability with which a data block that fits itself is not rejected, but accepted. The binary random experiment can be carried out by extracting a not yet used block out of a signal chain obtained as a processing result of random data and assigning it to a value, comparing this value with a threshold value or several threshold values and an output of the binary random experiment as a function of a Result of that comparison, possibly after discarding one or more previously extracted blocks whose value was not assigned to a result. The single probability can be constant for all secret combinations, secret combinations specifically or also for each character of a secret combination. It can also be provided that this single probability is again halved for all the characters that are assigned by coding two possible assignments of data blocks.

activities the kind mentioned here in connection with the decision function serve to make the process even safer, because they have a Reconstructing the main password or debugging main passwords additionally. But it is also conceivable that the decision function only one pseudorandom Decision, for example through comparable processing a pseudorandom one Signal chain. If the decision function by a true random decision made should be able to the one for that required Random data, for example, be obtained from attack times and / or Differences between keystrokes when entering the main password and / or the secret combination and / or the at least one other Input size and / or specifically for generating the random data requested keystrokes. Such random data can for example, processed by hash to a random signal chain if necessary, after a concatenation of several random data, wherein after consuming available bits, extending the random signal chain can be done, for example, by linking with a new (ie if necessary previously changed) Initial value and a second hash.

When Input quantities, in dependence derer the auxiliary sizes or The secret combinations can be calculated, the following sizes or any combination of these sizes can be used: user identification, Application identification, application-specific user identification, position the respective character of the secret combination for which an auxiliary variable is currently being determined is, index of a transaction number, the alphabet or a Alphabet characterizing size. It is advantageous these input sizes the method for generating and storing the auxiliary sizes together to save with the auxiliary sizes, so that a further input of these input variables at the method for recovering the respective secret combination unnecessary. It can be enough in particular if the application identification is entered manually, depending on then the others (for the corresponding application belonging) further input variables the memory can be read. If the secret combination is a transaction number especially if an index of the transaction number serves as input size, may also be saved a recovery mark, which determines whether the transaction number associated with a particular index already used. Although the position of the sign of the Secret combination used as input size it does not have to be over the keyboard will be entered. The term "input size" should be understood here so generally that such input size is not must necessarily be entered by hand. The use of the position of the character of the secret combination as input size has essentially to Follow that for Each character of the secret combination has its own pseudo-random signal sequence is formed. A typical application of the described method for generating and storing auxiliary quantities, in which the advantage that the Users only have to remember one main password, especially for Wear comes, provides that in the described way auxiliary sizes for a plurality of different Secret combinations are generated and stored. From the previous one Description shows that then for each character of each secret combination generates at least one auxiliary character assigned to this character of this secret combination and saved.

Provided the method for generating and storing the auxiliary quantities provides that the pseudorandom Signal sequence in several sections and additionally dependent from a meter reading can be calculated, the appropriate method to recover the secret combinations are designed so that to determine each character of the secret combination only the portion of the pseudo-random signal sequence calculated by the count associated with this character is defined.

A advantageous development of the proposed method provides that depending on the input main password by means of a one-way function one optical mark and calculated on a display component, such as a Screen is displayed. In this optical marking can For example, it is a color, a geometric shape or a specific location on the display component or one Combination of these features act. The one-way function used for this For example, a hash of the input main password or a bit sequence formed from this and a subsequent assignment a character or bit string obtained thereby becomes possible Values for provide the optical marking. Such an optical marking Fulfills the purpose of a response for the User who entered the main password to verify it can, if he entered the correct main password.

• – eine Eingabekomponente zum Eingeben eines Hauptpassworts und mindestens einer weiteren Eingabegröße,
• – einen Speicher,
• – eine Berechnungskomponente, die zum Berechnen der Hilfsgrößen aus von der Eingabekomponente übergebenen Daten und/oder zum Berechnen der Zeichen der Geheimkombination aus von der Eingabekomponente übergebenen und aus dem Speicher ausgelesenen Daten eingerichtet ist,
• – ggf. eine Anzeigekomponente und
• – eine Ausgabekomponente, die zum Ausgeben der von der Berechnungskomponente berechneten und übergebenen Hilfsgrößen an den Speicher und/oder zum Ausgeben der von der Berechnungskomponente berechneten und übergebenen Zeichen der Geheimkombination an die Anzeigekomponente eingerichtet ist.

The described methods can be used on any pre-programmed direction. This device may be, for example, a PDA or a mobile phone. It is also conceivable that different components of this device are spatially separated, so that, for example, the memory is housed in a different unit than a calculation component, wherein also for calculating the auxiliary quantities, a different calculation component can be used than to recover the secret combinations. A device set up to carry out at least one of the described methods in a technically feasible embodiment of the invention may comprise in particular the following components:

• An input component for inputting a main password and at least one further input variable,
• - a memory,
• A computation component configured to compute the auxiliary quantities from data input from the input component and / or to compute the characters of the secret combination from data passed from the input component and read from the memory,
• - If necessary, a display component and
• - An output component, which is set up for outputting the auxiliary components calculated and transferred by the calculation component to the memory and / or for outputting the calculated and transmitted by the calculation component characters of the secret combination to the display component.

The Display component can additionally to display an optical dependent on the input main password Serve mark.

at The data mentioned can be the main password, which is at least another input size and the appropriate secret combination act, provided the device is designed for generating and storing the auxiliary quantities, and / or to the main password, the at least one more input size and the Auxiliary sizes, provided formed the device for recovering the secret combination is. Furthermore the device is preferably to be designed so that in addition to the calculated auxiliary sizes too the appropriate input variables to the Memory is output and stored there. Furthermore, the device preferably designed so that the display component not only to display the recovered secret combination, but also to display a dependent from the input main password calculated optical mark is set up.

• – Mittel zum Ausführen einer Schlüsselableitungsfunktion zur Bildung eines Schlüssels vorgegebener Länge aus dem eingegebenen Hauptpasswort,
• – Konkatenationsmittel zum Bilden einer Zeichenkette aus mindestens einer eingegebenen oder aus dem Speicher eingelesenen Eingabegröße,
• – Verschlüsselungsmittel zum Bilden einer pseudozufälligen Signalfolge durch Verschlüsseln der Zeichenkette mit dem Schlüssel und
• – Mittel zum Extrahieren und Kodieren von Datenblöcken aus der pseudozufälligen Signalfolge sowie
• – ggf. zusätzlich Mittel zum Berechnen der erwähnten optischen Markierung.

The calculation component preferably comprises

• Means for executing a key derivation function for forming a key of predetermined length from the input main password,
• Concatenation means for forming a character string from at least one input variable entered or read from the memory,
• - Encryption means for forming a pseudo-random signal sequence by encrypting the character string with the key and
• Means for extracting and encoding blocks of data from the pseudorandom signal sequence and
• - If necessary, additional means for calculating the mentioned optical marking.

In addition, can the device, provided for set up the method for generating and storing the auxiliary sizes is a counter control for Controlling the meter reading, a comparator for comparing the data blocks with the characters of the secret combination considering the coding of the alphabet and a random trap that decides whether considering a character of the secret combination the coding of the corresponding data block is discarded or selected, include.

at of the invention Users remember only one password, the so-called main password. The invention allows users to use a terminal device Enter the main password for any predetermined secrets such as passwords, PIN or TAN combinations a sequence of here referred to as auxiliary quantities Data, typically in the form of character-specific counter readings and Block positions, to generate and store on the terminal. If necessary, then at a later Time after entering the main password and reading the stored Counter readings and Block positions the desired Secret combination (password, PIN, TAN) calculated and output become. As a terminal, on which the invention is carried out mobile phones or PDAs are particularly suitable. The procedure allows it, auxiliary sizes for several secret combinations or different types of secret combinations (e.g., PINs and TANs), from which recover these secret combinations let, safely on the terminal save.

In the case of the method on which the invention is based, a user with the main password only has to memorize a single secret which he himself can freely choose. Starting from the main password and the stored counter readings and block positions then all secret combinations (passwords, PINs, TANs) of the user for different applications.

The The invention of the underlying method is characterized by special Safety features. An attacker trying to gain access to the terminal by repeatedly entering character combinations the main password and thus also the secret combinations of the user to find, then the method provides the attacker for each entered Combination of a main password and given auxiliary sizes - typically character-specific counter readings and block positions - a character combination, which, from the point of view of the attacker, does not initially differ from the actual one Secret combination is to be distinguished, provided that the required secret combination no Redundancy, which would allow the attacker, certain To be able to discard results (and thus also certain main passwords). redundancy-free Secret combinations can For example, if PINs or TANs are present, if all PIN and TAN combinations spent with equal frequency and the crowd, over which secret combinations for given meter readings and Block positions are calculated, containing only digits. In order to decide whether the result of the calculation is the correct one Secret combination, the attacker must therefore the respective Secret combination in the authentication process against the enter the appropriate system and wait to see if the system Secret combination accepted as correct value. Under the assumption, that an attacker has no Has information about the main password of a user the attacker, even if he has access to a user terminal and that according to the Underlying method calculated counter readings and Block positions has, opposite An attacker who tries to gain the secret combination by merely guessing find, no advantage. In this property is different the method underlying the invention is fundamentally different from the technical solutions Today's practice involving the secret combinations of a user encoded on the terminal get saved. In the encrypted storage of secret combinations (Passwords, PINs, TANs) on a terminal An attacker can use the correct key - derived from a master password - from the wrongly guessed keys differ, since the wrong guess key with a high probability the given cipher does not apply to such decrypted text depicting which corresponds to a typical secret combination. this makes possible It's an attacker's job to test out keys until they're decrypted result obtained contains typical secret combinations. Becomes such a key found, so is almost certainly to assume that this is the correct key. In this case, an attacker has the certainty that it is in the decrypted Data about the desired secret combinations (passwords, PINs, TANs).

Embodiments of the present invention will be described below with reference to FIGS 1 - 25 described.

It shows

1 a schematic representation of an apparatus for performing a method for automatically generating and storing auxiliary quantities in the context of the present invention,

2 in a corresponding representation, another exemplary embodiment of an apparatus according to the invention for carrying out a method for generating and storing auxiliary quantities,

3 a corresponding representation for a further embodiment of a device according to the invention for generating and storing auxiliary quantities,

4 a flowchart showing an inventive calculation of auxiliary quantities in dependence on a main password according to the embodiment of the 1 illustrates

5 one of the 4 corresponding representation of a corresponding calculation for the embodiment 2 .

6 a the 4 and 5 corresponding representation of the embodiment of the invention 3 .

7 a flowchart showing the calculation of auxiliary values given by count and block position for an i-th character of a secret combination in the in the 1 and 4 illustrated embodiment of the invention illustrated

8th one of the 7 corresponding representation of the calculation of auxiliary quantities for the embodiment of the 2 and 5 .

9 a the 7 and 8th corresponding representation of the calculation of count and block position for the i-th character of a secret combination in the embodiment of the 3 and 6 .

10 a flowchart showing a Be illustrated bill of optical marking in the aforementioned embodiments,

11 a schematic representation of an embodiment of an inventive device for recovering a secret combination of according to the embodiment example of the 1 and 4 won auxiliary quantities and a main password,

12 a corresponding representation of a device for recovering the secret combinations according to the embodiment of the 2 and 5 .

13 a corresponding representation of an inventive device for recovering the secret combinations according to the embodiment of the 3 and 6 .

14 a flowchart showing a calculation of the secret combination in a calculation component of the device 11 illustrates

15 one of the 14 corresponding representation of the calculation of the secret combination for the embodiment 12 .

16 a corresponding representation of the calculation of the secret combination for the embodiment 13 .

17 a more detailed flowchart illustrating the calculation of an i-th character of a secret combination (here a PIN in the embodiment of the 11 and 14 illustrates),

18 one of the 17 corresponding representation of a calculation of an i-th character of a secret combination (here a TAN) for the embodiment of the 12 and 15 .

19 a the 17 and 18 corresponding representation of a calculation of an i-th character of a secret combination (here a password) for the embodiment of the 13 and 16 .

20 3 is an illustration of an extraction of data blocks of a length k from a section of a length bl of a pseudo-random signal sequence calculated in the context of a method according to the invention,

21 a tabular representation of a possible encoding of secret combination characters in the case of PINs and TANs (exclusive use of digits),

22 one of the 21 corresponding representation of a possible coding of secret combination characters in the case of passwords (exclusive use of lowercase letters and numbers),

23 a corresponding representation of another possible encoding of secret combination characters in the case of passwords (exclusive use of digits and the special characters!, $, (,), [,]),

24 a corresponding representation of another possible encoding of secret combination characters in the case of passwords (exclusive use of uppercase letters, lowercase letters and numerals) and

25 a final example of another possible encoding of secret combination characters in the case of passwords (exclusive use of uppercase letters, lowercase letters, numbers and the special characters!, #,%, +, -, /, =, @, [,], _, |) ,

In the 1 Thus, a device according to the invention is shown, which is set up by the program for performing a method for automatically generating and storing counter readings z _i and block position bp _i with i = 1,..., m as auxiliary quantities, which are each assigned to an application-specific secret combination g. This device may for example be given by a PDA, a mobile phone or a PC. The secret combination g should be a PIN (Personal Identification Number) that includes m characters g ₁ to g _m . The auxiliary variables are generated as a function of a single main password MPW, the secret combination g and other input variables, which are random data zd, an alphabet A, from which the secret combination g is formed, a user identity or user identification bid and a service identity or application id did. At least the service identity did is an application-specific input variable. Also, the alphabet A, which for the application described here will be given by the numbers from 1 to 9, may be application specific in other embodiments or applications of the invention.

The in the 1 The device shown comprises an input component 1 for inputting the main pass word MPW, the secret combination g and the other input quantities, a calculation component 2 to which the input component 1 input variables, an output component 3 , a store 4 and a display component 5 , In the calculation component 2 become the mentioned auxiliary quantities, thus the Counter readings z _i and the block positions bp _i , which are each associated with a character g _i from the secret combination g, calculated in a manner described below. These auxiliary quantities are combined with one also in the calculation component 2 calculated optical mark OM as well as the input sizes given by the alphabet A, the user identity (also called user identification) bid and the service identity (also called application identification) to the output component 3 to hand over. The output component 3 returns the calculated auxiliary quantities and those of the calculation component 2 received input quantities to the memory 4 from where they are stored. The optical mark OM is from the output component 3 to the display component 5 to hand over. In the display component 5 it can be, for example, the screen of a computer or a PDA, in the input component 1 for example, a keyboard.

2 shows one of the device from the 1 corresponding device in another embodiment of the invention. Recurring features are provided here and in the following figures, each with the same reference numerals, without being explained in detail again in each case. Differences arise in the embodiment of the 2 in that the secret combination g is given here by a transaction number (TAN). As an additional input size, an index ix is provided here in order to identify the various transaction numbers for an application. Also provided is a variable designated as utilization mark u, whose value is to indicate whether the transaction number belonging to a specific index ix has already been used or not.

One of the embodiments of the 1 and 2 comparable architecture is also in the 3 shown, which differs from the previously described embodiments, that it is the secret combination g here is a password and compared to the embodiment of the 1 additionally a service-specific user identity (also referred to as application-specific user identification) dbid is provided as the input size.

The calculation of the auxiliary quantities for the embodiment of the 1 in the 4 and 7 , for the embodiment of the 2 in the 5 and 8th and for the embodiment of the 3 in the 6 and 9 illustrated. For this calculation, a pseudo-random signal sequence rand is first calculated as a function of the input main password MPW, of a position i of the respective character g _{i of} the secret combination g and of the input variables user identification bid, application identification did and optionally index ix or application-specific user identification dbid. For this purpose, a key s is calculated from the main password MPW according to a key derivation function SAF, by means of corresponding means for deriving this key derivation function SAF, with which one of the mentioned input variables and the position i by concatenation and, if appropriate, padding formed string is blockwise symmetrically encrypted by a symmetric encryption SV. The pseudo-random signal sequence rand is calculated in several sections and additionally as a function of a count z _i , which is processed according to the other input variables and is changed to a next value for calculating a respective further section of the pseudo-random signal sequence rand by a counter control zs. if a hitherto available section of the pseudorandom signal sequence edge is consumed.

The method now further comprises extracting data blocks of a certain length k from the pseudo-random signal sequence rand, these data blocks being assigned by coding the alphabet A to a character x from this alphabet A, after which the extracted data blocks whose extraction is controlled by the extraction driver will be compared taking into account the coding of the alphabet A with the character g _{i of} the secret combination g. Subsequently, a block position bp _{i is determined in} each case one of the data blocks for each character g _i from the secret combination g, which is assigned by the coding to this character g _i . This is done by supplying a comparison result v to a randomizer which, when the comparison shows a correspondence of the extracted data block with the respective symbol g _i , selects the corresponding block position bp _i with a certain probability as an auxiliary quantity assigned to the respective character g _i to which the respective portion of the pseudo-random signal sequence rand characterizing count z _i occurs added as a further auxiliary variable.

The 7 to 9 show that the character string formed from the input variables and the position i is encrypted in a manner known as cipher block chaining (CBC) by dividing this character string into blocks of a specific length bl, with a clear text of this block beginning with a second block Cipher of the previous block is bitwise XOR linked. Prior to the first symmetric encryption SV, an additional XOR connection is provided with a bit sequence init designated as initialization. The random data zd may be, for example, differences between keystrokes and / or keystroke durations that are the Randallsent be supplied to separators, which can make a truly random selection decision.

The calculation component 2 The described devices thus comprise in particular means for executing the key derivation function SAF, concatenation means for forming the mentioned character string from the input variables, encryption means for forming the pseudorandom signal sequence rand by encrypting the character string with the key s and means for extracting and coding the data blocks the pseudo-random signal sequence edge. In addition, the calculation component includes 2 Means for calculating an optical mark OM, which will be described in more detail below. The 1 to 3 Finally, they can also be interpreted as representing different architectures - for calculating PINs, TANs or passwords - that are implemented on a single device.

Corresponding architectures for recovering the respective secret combination g from the auxiliary variables are in the 11 to 19 shown. In each case, these may in each case be the same device with which the auxiliary variables have been generated and stored (ie, the devices or the device from the 1 to 3 ) or other comparable devices. Recurring or corresponding features are again provided with the same reference numerals. In the 11 The architecture shown serves to retrieve a PIN as a secret combination g from counter readings z _i and block positions bp _i , i = 1,..., m, which are used as auxiliary quantities from the memory 4 be read out. The in the calculation component 2 the calculation of the characters g _{i of} the secret combination g is performed in the 14 and 17 illustrated in more detail. The so on the basis of 11 . 14 and 17 So described embodiment corresponds to the in the 1 . 4 and 7 shown embodiment for generating auxiliary quantities. The in the 12 The architecture shown is for retrieving a secret combination g of auxiliary quantities given by a transaction number (TAN), which is described in connection with FIG 2 . 5 and 8th were obtained as described. The calculation of the characters g _{i of} this secret combination g in the calculation component 2 is for this embodiment in the 15 and 18 illustrated in more detail. In a similar way is in the 13 an architecture for computing a password given by a secret combination g and in the 16 and 19 the calculation of this secret combination g in the calculation component 2 illustrated for a the embodiment of the 3 . 6 and 9 corresponding embodiment.

The 11 to 19 It can be seen that to recover the secret combination g after input of the main password MPW and a corresponding service application characterizing da (the application identification did assigned) in the input component 1 the corresponding auxiliary quantities z _i and bp _i , i = 1,..., m, and the further corresponding input variables from the memory 4 into the calculation component 2 are read in, after which any character g _i of the secret combination g z _i corresponding portion of the pseudo-random signal sequence is rand calculated just as the corresponding count as the corresponding method of generating the auxiliary parameters, after which the by this sign g _i associated block position BP _i defined data block is extracted from the corresponding portion of the pseudo-random signal sequence rand, this data block is assigned to the character g _i according to the coding of the alphabet A and this character g _i via the output component 3 to the display component 5 is issued.

Thus, the present invention includes a method in which an application or service-specific secret combination g = (g ₁ , ..., g _m ) (eg password, PIN, TAN), consisting of m characters, stored in a secure manner on a terminal can be. In this case, the result of a classic encryption operation is not stored directly on the terminal, but rather control information in the form of secret character-specific counter readings and block positions which serve as auxiliary variables assigned to the respective secret combination. The application of the method on which the invention is based is particularly suitable in those cases in which the secret combinations to be secured are completely free from deltancy or largely redundancy-free. These conditions are fulfilled, for example, when the secret combinations to be securely deposited are PINs or TANs. This means that the method on which the invention is based is particularly suitable for the secure storage of PINs and TANs. This is the method for secure storage of passwords, which should be selected accordingly well, ie if possible should not contain passages to which one could assign a certain meaning or meaning, as would be the case, for example, if a user's passwords Lexicon or dictionary would be taken.

• • Ein Verfahren zur Berechnung von zeichenspezifischen Zählerständen und Blockpositionen: Durch diesen Teil der Erfindung werden für die Zeichen einer m-stelligen Geheimkombination g = (g₁, ..., g_m) bei gegebenem Alphabet A, über welchem g gebildet wird, zeichenspezifische Zählerstände und Blockpositionen (z₁, bp₁), ..., (z_m, bp_m) berechnet. Dies wird in den 1, 2, 3, 4, 5, 6, 7, 8 und 9 dargestellt.
• • Ein Verfahren zur Berechnung von Geheimkombinationen: Durch diesen Teil der Erfindung werden aus den zeichenspezifischen Zählerständen und Blockpositionen (z₁, bp₁), ..., (z_m, bp_m) für das gegebene Alphabet A die Zeichen der m-stelligen Geheimkombination g = (g₁, ..., g_m) berechnet. Dies wird in den 11, 12, 13, 14, 15, 16, 17, 18 und 19 dargestellt.

The overall method on which the invention is based is roughly divided into two parts:

• A method for calculating character-specific counter readings and block positions: By this part of the invention, for the Characters of an m-digit secret combination g = (g ₁ ,..., G _m ) for a given alphabet A, over which g is formed, character-specific counter readings and block positions (z ₁ , bp ₁ ),..., (Z _m , bp _m ). This will be in the 1 . 2 . 3 . 4 . 5 . 6 . 7 . 8th and 9 shown.
• A method for calculating secret combinations: By this part of the invention, the character-specific counter readings and block positions (z ₁ , bp ₁ ),..., (Z _m , b p _m ) for the given alphabet A become the characters of the m-digit ones Secret combination g = (g ₁ , ..., g _m ) is calculated. This will be in the 11 . 12 . 13 . 14 . 15 . 16 . 17 . 18 and 19 shown.

• • PINs (siehe auch 1) – Hauptpasswort MPW – PIN als Geheimkombination g = (g₁, ..., g_m) – Alphabet A – Bezeichnung der Applikation oder des Dienstes did – Zufallsdaten zd – Benutzeridentifikation bid (optional)
• • TANs (siehe auch 2) – Hauptpasswort MPW – TAN als Geheimkombination g = (g₁, ..., g_m) – Alphabet A – Bezeichnung der Applikation oder des Dienstes did – Zufallsdaten zd – Benutzeridentifikation bid (optional) – Indexwert der TAN ix
• • Passwörter (siehe auch 3) – Passwort als Geheimkombination g = (g₁, ..., g_m) – Hauptpasswort MPW – Alphabet A – Bezeichnung der Applikation oder des Dienstes did – Zufallsdaten zd – Benutzeridentifikation bid (optional) – dienstespezifische Benutzeridentifikation dbid

In the method of calculating character-specific counts and block positions, the character-specific counts and block positions are calculated based on a series of values to be input by the user. These values include the user's main password MPW, the secret combination g = (g ₁ , ..., g _m ) to be stored, the alphabet A over which g is formed, the name did of the application or service for which the Secret combination is used random data zd and optionally an identification bid for the user. The value of bid can be assigned by the user himself and should not be confused with a service-specific user identification. If the user still requires a service-specific user identification dbid (ie login name) for the respective application or service, this value can likewise be taken into account in the calculation of the character-specific counter readings and block positions. The use of the service-specific user identification dbid for calculating the character-specific counter readings and block positions is only meaningful anyway if dbid is output to the user and this would have to remember this value, as is the case for example in typical password applications in which one in addition to his password also remember his login name. In addition, there are also applications such as the use of ATM cards at ATMs or electronic payment, in which you do not have to enter a login name as a user. In such cases one would not use service-specific user identification dbid to calculate the character-specific counter readings and block positions. The input of dbid is thus dependent on the type of secret combination and the use is advantageous if the secret combination to be securely deposited is a password for which a user additionally has to remember a login name as a service-specific user identification dbid. If the secret combination to be securely kept is a TAN, then it is advantageous to enter index values ix by means of which the individual TANs can be referenced, as is the case with the iTAN method, eg (ix = 1, g = 250367 ) as 1st TAN, (ix = 2, g = 281273) as 2nd TAN, ..., (ix = 30, g = 010706) as 30th TAN. The input of an index value ix is thus also dependent on the type of secret combination and mainly relevant in the management of TANs. In the following, the advantageous input values are again listed depending on the types of secret combinations.

• • PINs (see also 1 ) - Main password MPW - PIN as a secret combination g = (g ₁ , ..., g _m ) - Alphabet A - Name of the application or service did - Random data zd - User identification bid (optional)
• • TANs (see also 2 ) - Main password MPW - TAN as secret combination g = (g ₁ , ..., g _m ) - Alphabet A - Name of the application or the service did - Random data zd - User identification bid (optional) - Index value of the TAN ix
• • Passwords (see also 3 ) - Password as a secret combination g = (g ₁ , ..., g _m ) - Main password MPW - Alphabet A - Name of the application or service did - Random data zd - User identification bid (optional) - Service-specific user identification dbid

The alphabet A to be entered describes the set of characters over which the secret combination is formed. In this case, the alphabet A includes not only those characters which are ultimately contained in g, but also those which could potentially be included. However, it is important that A does not include characters that can not be contained in g in any case, ie no characters excluded a priori by rules of the service or application as elements of the secret combination. If g is a PIN or a TAN, then A = {0, 1, ..., 9}. In this case, instead of choosing A = {0, 1, ..., 9, a, b, c} in this case, and computing counts and block positions based on that amount, an attacker would pin or tan for certain candidate key passwords which contain the characters a, b or c, whereby a selected master password could easily be identified as false. Since PINs and TANs are typically made up only of digits, this should be entered by the user giving alphabet A exclusively include such characters. On the other hand, if the secret combination is a password, then the alphabet A will usually include other characters, such as uppercase or lowercase letters or special characters. However, when entering A, it must nevertheless be ensured that A contains no characters which are excluded by the password rules of the respective application / service. If there are characters in A that obviously can not appear in passwords according to application-specific password rules, this provides an opportunity for attackers to directly identify wrong main passwords. The selection of the alphabet A also has an effect on the size of data blocks which are used in the method of calculating counter readings and block positions on which the invention is based. In an advantageous embodiment for inputting the alphabet A, certain characters may already be grouped so that the user can select character groups instead of selecting individual characters (eg, numbers, lowercase letters, capital letters). Only with special characters does a selection of single characters make sense for the description of A, since different applications and services accept different special characters.

The Random data to be entered zd provide the material for the implementation of Random experiments, the results of which are used to control the calculation of meter readings and Serve block positions. This can either be random data directly the entered values (e.g., the values given by the user in random Episode over enter the keyboard) or the time intervals in milliseconds between each keystroke or a combination of entered values and time intervals. When entering random data a certain minimum quantity of random material is necessary. Around to ensure a minimum amount of random material it is beneficial if the user is forced to enter this minimum amount, e.g. a required minimum amount of keystrokes. In an advantageous embodiment The invention can not calculate counter counts and block positions be started if not enough initial random values are present. If later during the calculation of meter readings and Block positions even more random data to carry out more Random experiments are necessary, it is possible the initial random data by using a suitable method to expand, so to get more random values.

The architecture for calculating the character-specific counter readings and block positions will depend on the safe-to-store secret combination type in the 1 . 2 and 3 shown. Basically, the calculation for all types of secret combinations consists of an input component 1 , a calculation component 2 , an output component 3 , a store 4 and a display component 5 , The input component 1 allows the user to enter the required values. The input can be made either by manual input or by electronic reading of data stored on the terminal. In particular, secret combinations such as TANs, which can be made available to the user together with the associated index values in electronic form, are suitable for electronic reading. From the input component 1 the values are then transferred to the calculation component 2 to hand over. The differences between the embodiments of the invention for different types of secret combinations are mainly reflected in the data that is input and exchanged between the respective components, as in FIGS 1 . 2 and 3 will be shown. After the calculation process, the calculated values of the counter readings and block positions (z ₁ , bp ₁ ),..., (Z _m , bp _m ) and the optical marking OM together with further values which are used for later calculation of the secret combination based on the counter readings and block positions are needed to the output component 3 passed. All values from the calculation component 2 to the output component 3 are given, depending on the type of secret combination in the 1 . 2 and 3 shown. The output component 3 then causes either the storage of the values passed to them or their display to the user. In an advantageous embodiment of the invention described here, depending on the type of secret combination, the following data is stored in a persistent memory of the terminal:

• Storage with PINs (see also 1 )
- secret combination character specific counter readings z ₁ , ..., z _m
- secret combination character specific block positions bp ₁ , ..., bp _m
- Alphabet A
- Name of application or service did
- User identification bid (optional)

• Storage on TANs (see also 2 )
- secret combination character specific counters z ₁ , ..., z _m
- secret combination character specific Blockpo positions bp ₁ , ..., bp _m
- Alphabet A
- Name of application or service did
- User identification bid (optional)
- Index value ix of the TAN
- utilization mark u

• Storage for passwords (see also 3 )
- secret combination character specific counters z ₁ , ..., z _m
- secret combination character specific block positions bp ₁ , ..., bp _m
- Alphabet A
- Name of application or service did
- User identification bid (optional)
- service-specific user identification dbid

If a new secret combination is entered as a TAN, then the computational component for that TAN generates a utilization mark u, which indicates whether the TAN has already been used. In an advantageous embodiment of the method described in this invention, a newly entered TAN initially gets assigned a value indicating that the TAN has not yet been used. The utilization mark u becomes as in 2 shown by the calculation component 2 to the output component 3 passed and from this in the persistent store 4 stored.

The The optical mark OM displayed to the user helps the user to recognize if he entered the correct main password or whether at the input possibly Typing mistakes. For this purpose, starting from the entered main password an optical feedback calculated. From the displayed optical marking, however, you can do not clearly infer the entered main password, since the Number of distinguishable optical marks significantly smaller is as the number of possible Master passwords. Therefore each main password calculates a specific optical mark a user always gets the same visual mark displayed as long as it inputs the same main password. In an advantageous embodiment The invention results in the optical marking over a Combination of symbols, foreground colors, background colors and Positions.

• • Weitere der i-ten Berechnung übergebene Werte bei PINs (siehe auch 4) – i-tes Zeichen g_i der Geheimkombination g – Alphabet A – Zufallsdaten zd – Bezeichnung der Applikation oder des Dienstes did – Benutzeridentifikation bid (optional)
• • Weitere der i-ten Berechnung übergebene Werte bei TANs (siehe auch 5) – i-tes Zeichen g_i der Geheimkombination g – Alphabet A – Zufallsdaten zd – Bezeichnung der Applikation oder des Dienstes did – Benutzeridentifikation bid (optional) – Indexwert ix der TAN
• • Weitere der i-ten Berechnung übergebene Werte bei Passwörtern (siehe auch 6) – i-tes Zeichen g_i der Geheimkombination g – Alphabet A – Zufallsdaten zd – Bezeichnung der Applikation oder des Dienstes did – Benutzeridentifikation bid (optional) – dienstespezifische Benutzeridentifikation dbid

The calculation of the counter readings and block positions (z ₁ , bp ₁ ),..., (Z _m , bp _m ) is carried out in characters, as in the 4 . 5 and 6 is pictured. The values used for the character-specific calculation of meter readings and block positions depend on whether the secret combination to be saved is a PIN, TAN or password. For the calculations of the character-specific counter readings and block positions (z ₁ , bp ₁ ),..., (Z _m , bp _m ), a cryptographic key s is calculated from the input main password MPW by means of a key derivation function SAF, which is later transferred to an encryption device. In an advantageous embodiment of the method contained in this invention, a symmetric block encryption method is used as the cryptographic method, such as AES (Advanced Encryption Standard) with a key length sl of 128 bits or 256 bits. Correspondingly many bits are then generated by the key derivation function SAF. In a further advantageous embodiment of the invention, the use of the PBKDF2 method from the PKCS # 5 standard of the RSA Laboratories (Password Based Cryptography Standard, Version 2.0, March 1999) is suitable for the technical implementation of the key derivation function SAF. The cryptographic key s obtained in this way is used to calculate the respective counter readings and block positions (z ₁ , bp ₁ ),..., (Z _m , bp _m ). Beyond the key s, additional values are passed to the respective calculations depending on the type of secret combination, which are listed below:

• • Further values for the i-th calculation with PINs (see also 4 ) - i-th character g _{i of} the secret combination g - alphabet A - random data zd - name of the application or service did - user identification bid (optional)
• • Further values for TANs transferred to the ith calculation (see also 5 ) - i-th character g _{i of} the secret combination g - alphabet A - random data zd - name of the application or service did - user identification bid (optional) - index value ix of the TAN
• • Further values for passwords given to the ith calculation (see also 6 ) - i-th character g _{i of} the secret combination g - alphabet A - random data zd - name of the application or service did - user identification bid (optional) - service-specific user identification dbid

In addition to these values given to the calculation, the character position i of the secret character g _i for i = 1,..., M is additionally required for all types of secret combinations for calculating the character-specific counter readings and block positions (z _i , bp _i ). Here, in the ith instantiation of the calculation of character-specific counter readings and block positions, the respective value of i can be used, as in the 4 . 5 and 6 is hinted at.

For mapping the main password MPW to the optical mark OM, use of a one-way function may be advantageous in the present invention. Through this, the head becomes password MPW a binary string o a certain length l _o calculated from the then blocks o ₁ , o ₂ , o ₃ , ... fixed length l ₁ , l ₂ , l ₃ , ... extract, which in turn on Certain features (eg symbol to be displayed, foreground color, background color, position) are displayed. With a block of length y> 0, a maximum of 2 ^y different occurrences of a feature can be described. For this purpose, it is necessary to introduce corresponding codes for the different optical characteristics of the respective features, so that the resulting value allocations of the extracted blocks can be mapped to the corresponding optical characteristics of the features. Extracting from a binary string o for example as in 10 4 blocks o ₁ , o ₂ , o ₃ , o ₄ (eg for the symbol to be displayed, foreground color, background color, position), then a maximum of 2 ^l ₁ + ^l ₁ + ^l ₃ + ^l ₄ different optical markings can be described. In an advantageous embodiment of the invention described herein, the input main password MPW is passed to a cryptographic hash function such as SHA-1, SHA-256, SHA-512 or MD5, the results of which are then mapped to a set of user distinguishable optical markers. In this case, it is generally to be assumed that the amount of distinguishable optical markings is significantly smaller than the set of results of the one-way function (eg hash function), ie the total number of bits removed by the blocks is less than the number of bits which can be used the one-way function were obtained. Therefore, different results of the one-way function (eg hash values) can be mapped to the same optical mark OM. In the invention to be executed, it is important that the optical marker OM is displayed only when the input of the main password MPW is completely completed.

• • A = {0, ..., 9, a, ..., z}, |A| = 36, ⎾log₂|A|⏋ = 6 (siehe 22)
• • A = {!, $, (, ), 0, ..., 9, [, ], a, ..., z}, ⎾A⏋ = 42, ⎾log₂|A|⏋ = 6 (siehe 23)
• • A = {0, ..., 9, A, ..., Z, a, ..., z}, |A| = 62, ⎾log₂|A|⏋ = 6 (siehe 24)
• • A = {!, #, %, +, –, /, 0, ..., 9, =, @, A, ..., Z, [, ], a, ..., z, |}, |A| = 74, ⎾log₂|A|⏋ = 7 (siehe 25)

The calculation of the character-specific counts and block positions (z _i , bp _i ) for a given secret combination character is performed depending on the type of secret combination as in 7 . 8th or 9 is pictured. In an advantageous embodiment of the present invention, some input to the calculation input values are processed in a manner to be described here. This applies, for example, to the alphabet A, which contains all the allowed characters for the present secret combination g. The number of characters containing the alphabet A is denoted by | A | designated. In order to be able to write all the characters of the alphabet A, one needs ⎾log ₂ | A | ⏋ bits (⎾x⏋ means "integer part of x + 1"). If the number of characters in the alphabet does not correspond to a power of two, more combinations can be written over ⎾log ₂ | A | ⏋ bits than characters in A are. Since in the method of the invention blocks are calculated with ⎾log ₂ | A | ⏋ bits, which in turn are mapped to characters of the alphabet, it is advantageous if all the binary combinations over ⎾log ₂ | A | ⏋ bits are a character of the alphabet A is assigned. If | A | does not correspond to a power of two, this means that certain characters of A can be assigned two binary combinations while other characters are associated with only one binary combination. Since PINs and TANs in practice only consist of digits, in an advantageous embodiment of the invention described here for the alphabet | A | = 10 and ⎾log ₂ | A | ⏋ = 4, resulting in a coding like the one in 21 is shown as an example. When dealing with passwords as secret combinations, different alphabets A can result, depending on the respective password rules, which in turn can differ both in terms of the characters involved and in the number of their elements. Thus, depending on the respective password, there may be different alphabets A, of which some alphabets are to be given below as examples with their associated binary combinations:

• • A = {0, ..., 9, a, ..., z}, | A | = 36, ⎾log ₂ | A | ⏋ = 6 (see 22 )
• • A = {!, $, (,), 0, ..., 9, [,], a, ..., z}, ⎾A⏋ = 42, ⎾log ₂ | A | ⏋ = 6 (see 23 )
• • A = {0, ..., 9, A, ..., Z, a, ..., z}, | A | = 62, ⎾log ₂ | A | ⏋ = 6 (see 24 )
• • A = {!, #,%, +, -, /, 0, ..., 9, =, @, A, ..., Z, [,], a, ..., z, |} , | A | = 74, ⎾log ₂ | A | ⏋ = 7 (see 25 )

The coding of the alphabets to be used for the secret combinations can be done automatically in an advantageous embodiment of the invention, for example by listing the characters of the alphabet in a given order (eg according to the order of ASCII coding) and then the ⎾log ₂ | A | ⏋-digit binary combinations are assigned. If a ⎾log ₂ | A | ⏋-digit binary combination has been assigned to each character, the remaining binary combinations are again assigned to the characters of the alphabet in a given order until exactly one character has been assigned to all ⎾log ₂ | A | ⏋-digit binary combinations.

As in the 7 . 8th or 9 is shown, the calculation of the character-specific counter readings and block positions (z _i , bp _i ) is probabilistic, ie in the calculations results of real random experiments are included. This means that whenever a suitable count and a suitable block position has been found, it is decided, depending on the outcome of a random experiment, whether the count found and the block position are used or whether they are discarded and instead a new count and a new block position are searched, for which then again a random experiment is executed. In an advantageous embodiment of the invention, this requires a technical device which performs a binary random experiment, ie a random experiment with two distinct results. The performance of these random experiments is based on the random data zd entered by the user.

• 1. Konstante Wahrscheinlichkeit p₀ für alle Geheimkombinationen g: In diesem Fall wird ein fest voreingestellter Wahrscheinlichkeitswert p_i = p₀ mit 0 < p₀ < 1 verwendet, z.B. p₀ ∈ {1/2, 1/3, 1/4, ..., 1/100}. Der eingestellte Wert von p₀ wird bei allen Zeichen aller Geheimkombinationen angewendet.
• 2. Geheimkombinationsspezifische Wahrscheinlichkeit p_g: In diesem Fall wird die Wahrscheinlichkeit p_i = p_g mit p_min < p_g < p_max und 0 < p_min < p_max < 1 für jede Geheimkombination neu ausgewählt, d.h. bei der Berechnung der Zählerstände und Blockpositionen für die Geheimkombinationen g^{( 1 )} und g^{( 2 )} werden nicht notwendigerweise die gleichen Wahrschein lichkeitswerte verwendet. Jedoch sind die Wahrscheinlichkeitswerte p_i zur Berechnung der Zählerstände und Blockpositionen für alle Zeichen einer Geheimkombination identisch.
• 3. Geheimkombinationszeichenspezifische Wahrscheinlichkeit p_gi: In diesem Fall wird für jedes Zeichen der Geheimkombination, für welches ein Zählerstand und eine Blockposition zu berechnen ist, ein neuer Wahrscheinlichkeitswert p_i = p_gi mit p_min < p_gi < p_max und 0 < p_min < p_max < 1 verwendet, so dass von Fall zu Fall unterschiedliche Wahrscheinlichkeitswerte angewendet werden können.

If a suitable value pair of a character-specific counter reading and a block position (z _i , bp _i ) has been found for a secret combination character g _i , then this is either accepted with a probability p _i or rejected with a probability 1-p _i and the search is continued. The method contained in the invention must hereby use suitable values for this probability p _i when carrying out the binary random experiment. It is possible in this case to keep the value of p _i constant for the calculation of character-specific counter readings and block positions of different secret combinations or to vary this as well. There are various possibilities for this:

• 1. Constant probability p ₀ for all secret combinations g: In this case a fixed preset probability value p _i = p ₀ with 0 <p ₀ <1 is used, eg p ₀ ∈ {1/2, 1/3, 1/4, ..., 1/100}. The set value of p ₀ is applied to all characters of all secret combinations.
• 2. Secret combination-specific probability p _g : In this case, the probability p _i = p _g with p _min <p _g <p _max and 0 <p _min <p _max <1 is newly selected for each secret combination, ie in the calculation of the counter readings and Block positions for the secret combinations g ^{( 1 )} and g ^{( 2 )} do not necessarily use the same probability values. However, the probability values p _i for calculating the counts and block positions are identical for all characters of a secret combination.
• 3. Secret _Combination Character-Specific Probability p _gi : In this case, for each character of the secret combination for which a count and a block position is to be calculated, a new probability value p _i = p _gi with p _min <p _gi <p _max and 0 <p _min <p _max <1, so that different probability values can be used on a case-by-case basis.

• 1'. Wahrscheinlichkeit p₀ für alle Geheimkombinationen g bei abbildungsabhängiger Anpassung: In diesem Fall wird ein fest voreingestellter Wahrscheinlichkeitswert p₀ mit 0 < p₀ < 0,5 verwendet. Der eingestellte Wert von p₀ wird bei allen Geheimkombinationen angewendet. Wenn das vorliegende Geheimkom binationszeichen zwei Binärkombinationen zugeordnet wird, dann gilt p_i = p₀. Wenn das vorliegende Geheimkombinationszeichen nur einer Binärkombination zugeordnet wird, dann gilt p_i = 2p₀.
• 2'. Geheimkombinationsspezifische Wahrscheinlichkeit p_g bei abbildungsabhängiger Anpassung: In diesem Fall wird für jede Geheimkombination g ein eigner Wahrscheinlichkeitswert p_g mit p_min < p_g < p_max und 0 < p_min < p_max < 0,5 ermittelt. Der ermittelte Wert von p_g wird daraufhin bei der Berechnung der Zählerstände und Blockpositionen für alle Zeichen der vorliegenden Geheimkombinationen g in folgender Weise angewendet. Wenn das vorliegende Geheimkombinationszeichen zwei Binärkombinationen zugeordnet wird, dann gilt p_i = p_g. Wenn das vorliegende Geheimkombinationszeichen nur einer Binärkombination zugeordnet wird, dann gilt p_i = 2p_g.
• 3'. Geheimkombinationsspezifische Wahrscheinlichkeit p_gi bei abbildungsabhängiger Anpassung: In diesem Fall wird für jedes Zeichen g_i der Geheimkombination g, für welches ein Zählerstand z_i und eine Blockposition bp_i zu berechnen ist, ein neuer Wahrscheinlichkeitswert pg_i mit p_min < p_gi < p_max und 0 < p_min < p_max < 0,5 ermittelt. Wenn das vorliegende Geheimkombinationszeichen zwei Binärkombinationen zugeordnet ist, dann wird p_i = p_gi gewählt. Wird das vorliegende Geheimkombinationszeichen dagegen nur einer Binärkombination zugeordnet, so gilt p_i = 2p_gi.

In the three cases described above, it is also conceivable that in the calculation of counts and block positions for such secret combination characters from the given alphabet A, which are assigned to only a binary combination, a probability value is applied, which is twice as large as the applied Probability value for secret combination characters from A, which are assigned to two binary combinations. In this specialization of the above cases, care must be taken that the probability for secret combination characters from A, which are assigned to two binary combinations, is chosen to be less than 0.5. You get the following specializations:

• 1'. Probability p ₀ for all secret combinations g for image-dependent adaptation: In this case a fixed preset probability value p ₀ with 0 <p ₀ <0.5 is used. The set value of p ₀ is used for all secret combinations. If the present secret combination character is assigned to two binary combinations, then p _i = p ₀ . If the present secret combination character is assigned only to a binary combination, then p _i = 2p ₀ .
• 2 '. Secret combination-specific probability p _g for image-dependent adaptation: In this case, for each secret combination g, an own probability value p _g with p _min <p _g <p _max and 0 <p _min <p _max <0.5 is determined. The determined value of p _g is then used in the calculation of the counts and block positions for all characters of the present secret combinations g in the following manner. If the present secret combination character is assigned to two binary combinations, then p _i = p _g . If the present secret combination character is assigned to only one binary combination, then p _i = 2p _g .
• 3 '. Secret combination-specific probability p _gi for image-dependent adaptation: In this case, for each character g _{i of} the secret combination g for which a count z _i and a block position bp _{i is} to be calculated, a new probability value pg _i with p _min <p _gi <p _max and 0 <p _min <p _max <0.5. If the present secret combination character is associated with two binary combinations, then p _i = p _{gi is} chosen. On the other hand, if the present secret combination character is only assigned to a binary combination, then p _i = 2p _gi .

In the variants mentioned above, suitably selected values for p _min and p _{max are} defined, from which the respective probability p ₀ , p _g or p _gi can be deduced. The selection of the probability values for p _g and p _gi can likewise be carried out by means of a random experiment. Care must be taken to ensure that the randomly selected probability values available between p _min and p _max are themselves either equally distributed or approximately evenly distributed. In the practical application of the method on which the invention is based, it is possible, for example, to use p _min = 0.1 and p _max = 0.5.

In an advantageous embodiment of the invention, a binary random experiment with appropriate probabilities can be achieved by setting an integer threshold sw with 0 <sw <99 on a scale from 0 to 99 and determining the outcome of the random experiment as to whether one of the Random data zd suitably derived value ex either the relation ex <sw or the relation ex> sw holds. The value of ex can be obtained, for example, by extracting 7 bits from the processing result of the random data zd, which have not yet been extracted, and decoding the thus obtained binary combination. The value of ex is then between 0 and 127 inclusive. If 0 ≤ ex ≤ 99, it is checked which of the two relationships (ex <sw or ex ≥ sw) is satisfied. In the case of ex> 99, the determined value of ex is discarded and a new value for ex is determined by extracting new 7 bits. Depending on the choice of the threshold value sw, a value of sw / 100 can thus be obtained for the probability p ₀ , p _g or p _gi , it being assumed that the occurrence of the event ex <sw is mapped to the event in which the found pair of meter reading and block position is accepted.

In a further advantageous embodiment of the invention for achieving varying probabilities p _i = p _g or p _i = 2p _g or p _i = p _gi or p _i = 2p _gi (ie either secret combination-specific probability or secret combination-specific probability) are on the given scale between 0 and 99, a lower limit ug and an upper limit og set with 0 ≤ ug <og ≤ 99. The threshold value sw with ug ≤ sw ≤ og is then determined by a value sw = ug + swex, where swex with swex∈ { 0, ..., og - ug} is derived in a suitable manner from the random data zd and thus describes the output of a new random experiment. For this purpose, a number of bits required according to the size of og-ug is extracted from the processing result of the random data zd, which have not been previously extracted. If the result obtained thereby is larger than og - ug, it is discarded and a corresponding number of new bits are extracted from the processing result of the random data zd. However, if the value obtained by extraction is between 0 and og - ug inclusive, then swex is assigned this value and the threshold value sw is set to the value sw = ug + swex. As a result, the threshold value is determined probabilistically as needed and can advantageously be used to determine the secret combination-specific probability or the secret combination-character-specific probability. The choice of the lower limit ug and the upper limit og results in the probabilities p _min = ug / 100 and p _max = og / 100, between which the probabilistically determined probability p _g = sw / 100 or p _gi = sw / 100 lies.

• 1. Erneute Eingabe von Zufallsdaten zd durch den Benutzer mittels r Tastenanschlägen und anschließender Verarbeitung wie oben beschrieben.
• 2. Weitere Eingabe von Werten T_r+1, ..., T_r+q durch das Drücken von q Tasten und Messung von q Zeitintervallen t_r+1, ..., t_r+q und Berechnung eines neuen Hashwerts auf Basis des vorangegangenen Hash werts und der neuen Zufallsdaten nach Konkatenation des des vorangegangenen Hashwerts und der neuen Zufallsdaten.
• 3. Erneute Anwendung der Hashfunktion auf den vorangegangenen Hashwert ohne weitere Eingabe neuer Zufallsdaten durch den Benutzer.

Both the values of ex and the values of swex are derived from the user-entered random data zd. In an advantageous embodiment of the method on which the invention is based, the random data on the values T ₁ ,..., T _r of the keys pressed by the user and the time intervals t ₁ ,..., T _r between the keystrokes (eg in milliseconds) with t _i as the time between T _i-1 and T _i , where r> 0 is a system-requested number of keystrokes. The value of t ₁ results from the elapsed time between the beginning of the time measurement and the first keystroke. In an advantageous embodiment of the invention r ≥ 5. In a further advantageous embodiment of the invention, the input random data is concatenated and a cryptographic hash function (eg SHA-1, SHA256, or MD5) passed, by means of which a hash value is calculated and from which the Values of ex as well as the values of swex can be extracted. If there are not enough bits left unused in the calculated hash since too many have already been extracted and consumed then new bits must be calculated. Several approaches are suitable for this:

• 1. Re-input of random data zd by the user by means of r keystrokes and subsequent processing as described above.
• 2. Further input of values T _{r + 1} , ..., T _{r + q} by pressing q keys and measuring q time intervals t _{r + 1} , ..., t _{r + q} and calculating a new hash value based on the previous hash value and the new random data after concatenation of the previous hash value and the new random data.
• 3. Reapply the hash function to the previous hash value without user input of new random data.

• – PIN als Geheimkombination – Position i des Geheimkombinationszeichens innerhalb der Geheimkombination – Bezeichnung der Applikation oder des Dienstes did (Anwendungsidentifikation) – Benutzeridentifikation bid
• – TAN als Geheimkombination – Position i des Geheimkombinationszeichens innerhalb der Geheimkombination – Bezeichnung der Applikation oder des Dienstes did – Index ix der TAN – Benutzeridentifikation bid
• – Passwort als Geheimkombination – Position i des Geheimkombinationszeichens innerhalb der Geheimkombination – Bezeichnung der Applikation oder des Dienstes did – dienstespezifische Benutzeridentifikation dbid – Benutzeridentifikation bid

For calculating the character-specific counter readings and block positions (z _i , bp _i ) for a given secret combination character, a part of the input data for symmetric encryption is transferred to an encryption method (eg AES in connection with CBC). The data to be transferred for encryption depends on the type of secret combination (PIN, TAN or password). During encryption, the following data is concatenated and encrypted, depending on the type of secret combination:

• - PIN as a secret combination - Position i of the secret combination character within the secret combination - Name of the application or service did (application identification) - User identification bid
• - TAN as a secret combination - Position i of the secret combination character within the secret combination - Name of the application or service did - Index ix of the TAN - User identification bid
• - Password as a secret combination - Position i of the secret combination character within the secret combination - Name of the application or service did - Service-specific user identification dbid - User identification bid

• – PIN als Geheimkombination: N = i|did|bid
• – TAN als Geheimkombination: N = i|did|ix|bid
• – Passwort als Geheimkombination: N = i|did|dbid|bid

Since the entry of bid is optional for all types of secret combinations, bid is assigned a fixed value if the user does not enter a secret combination. Before the data are encrypted in the respective case, they are first concatenated into a message N, resulting in the following message:

• - PIN as a secret combination: N = i | did | bid
• - TAN as a secret combination: N = i | did | ix | bid
• - Password as a secret combination: N = i | did | dbid | bid

• – PIN als Geheimkombination: N = i|Tz|did|Tz|bid
• – TAN als Geheimkombination: N = i|Tz|did|Tz|ix|Tz|bid
• – Passwort als Geheimkombination: N = i|Tz|did|Tz|dbid|Tz|bid

This is by | the concatenation operator. In an advantageous embodiment of the method on which the invention is based, certain delimiters Tz are inserted between the data to be concatenated (eg tabulator as delimiter), so that the following messages result:

• - PIN as a secret combination: N = i | Tz | did | Tz | bid
• - TAN as a secret combination: N = i | Tz | did | Tz | ix | Tz | bid
• - Password as a secret combination: N = i | Tz | did | Tz | dbid | Tz | bid

(Of course, the data or input variables mentioned can also be concatenated in each case in a different, defined sequence.) The received message N is now expanded by application of a padding method (eg according to ISO 9797-1) to a multiple of the block length bl of the symmetric encryption method SV used and then segmented into blocks of block length bl. The resulting blocks are then symmetrically encrypted similar to a CBC method. For this purpose, the symmetrical key s with key length sl calculated from the main password MPW by means of a suitable method (eg PKCS # 5) is used. In an advantageous technical variant of the invention described here, the ABS standard is used as symmetrical encryption method, in which bl = 128 and sl = 128. In a variant going beyond the standardized version of ABS, a key length sl = 256 is also suitable. The first block obtained after concatenation, padding and segmentation is determined according to the 7 . 8th and 9 bitwise XOR-linked to a block of length bl, which contains an initial value init. The result obtained after the bitwise XOR operation is then encrypted by using the symmetric encryption method SV. The block-length cipher obtained by symmetric encryption is XOR-linked in the following step to the next block of the same block length obtained from the message N after segmentation, after which the result of the combination is in turn symmetrically encrypted using the key s. This process is continued until all blocks obtained after segmentation of the message N have been bit-wise XOR-linked and symmetrically encrypted. The ciphertext of the block length bl obtained in this way depends on all components of the message N and on the key s.

In the next step, the cipher rate thus obtained is XORed bit by bit with the value z _{i of} a counter, which in turn is represented as a block of block length bl, and the interleaving result is again symmetrically encrypted using SV and s, whereby the cipher edge the block length bl is obtained. The starting value for the counter z _i is the value 1, which is represented as a binary number in the block used for the bit-wise XOR connection (ie at the initial value of the counter reading z _i = 1 as 0 ... 01).

The rand value obtained by symmetric encryption is passed in the next step to a Block Extraction & Encoding component. The Block Extraction & Encoding component also passes the input Alphabet A. The Block Extraction & Encoding component determines the mapping between Alphabet A and the k-digit binary combinations with k = ⎾log ₂ | A | ⏋ as described for various example alphabets in the 21 . 22 . 23 . 24 and 25 will be shown. In particular, the value of k is determined here on the basis of the alphabet A entered. In the block extraction & coding component, starting with the first block position bp ₁ = 1, a block of k bits (hereinafter referred to as k-block) is extracted and according to the existing mapping between k-digit binary combinations and the characters from the alphabet A coded with the corresponding character from the alphabet A. The coding value obtained thereby is denoted by x. The encoding value x is then given by the block extraction & coding component to a comparison component where the encoding value x obtained at the current count z _i = 1 and the given block position bp _i = 1 and the given secret combination character g _i are checked for equality. The binary Verification result v with v ∈ {equal, unequal} is given to a random decision maker. In the case of inequality of x and g _i , the randomizer of the extraction & counter control component communicates by means of the value ze with ze ∈ {use current pair, do not use actual pair} that the current pair of count and block position (z _i , bp _i ) can not be used for later calculation of the secret combination character g _i . In this case, the random decision maker does not have to carry out a random experiment. In the case of the equality of x and g _i , however, the random decision maker carries out a random experiment. For this purpose, it is decided on the basis of the random data entered zd and using one of the variants (constant probability, secret combination specific probability or secret combination character specific probability) and performing the technical implementation of random experiments described above, if the principle favorable pair of meter reading and block position should actually be used , or whether another pair of meter reading and block position should be searched for. The result of this random experiment then informs the random decision maker of the extraction & counter control component by means of a corresponding value of ze. If the pair found is to be used (ie, ze = use current pair), then the extraction & counter control component outputs the found values z _i and bp _i .

If the current pair of values from the count and block position (z _i , bp _i ) is not to be used for later calculation of the secret combination character g _i (ie either v = unequal or (v = equal, ze = do not use actual pair)), then requests the extraction & counter control component, the block extraction & coding component with an extraction control signal, extracts a new k-block from rand. For this purpose, the position of the k-block to be extracted from edge is shifted further within the edge block by d bits; for example, d = 1 can be used. In an advantageous embodiment of the method described in this invention, the position of the k-block to be re-extracted is shifted from the previously extracted k-block by d = k bits, so that no bit is extracted from rand in more than one k-block. This will be in 20 shown. In the case d = k, depending on k and bl, it is possible that certain bits of rand are not extracted as elements of a k-block (in 20 this applies from bit b · k + 1 to bit bl, if bl - (b · k) <k). If, after shifting the extraction window by d bits, a new k-block is extracted from rand, the value of the block position bp _i is increased by one. Conversely, based on the current value of bp _i , the position of the current k-block can be determined, which is why the term block position for bp _{i is} justified. When a new k-block has been extracted from rand, processing steps follow as described above. The extracted k-block is mapped to a character from the alphabet A and the result x of the mapping is passed to the comparator, which compares x to g _i . The result v of the comparison is given to the random decision maker and this performs a random experiment or none depending on the result of the comparison, and instructs the component for extraction & counter control by ze whether the combination of z _i and bp _{i found is used} as the calculation result or a new k-block should be extracted from rand.

If no new k-block can be extracted from the bl bits, since the k-digit extraction window for a new k-block can no longer be shifted by d bits, then the extraction & counter control component signals via a counter control signal zs Counter component to increase the count z _i by 1. In this case, the new count of z _{i is} bit-wise XOR-linked with the cipher, which was obtained from the encryption of the message N as already described above. The result of this bitwise XOR operation is then encrypted using SV using s, and a new value for rand is obtained from which k-blocks are then extracted. If the counter reading of z _{i has been} counted up, bp _i = 1 applies again for the first k-block extracted from the edge. From here, k-blocks are taken from rand one after the other, characters from A are assigned and compared with g _i as x, if coincidence experiments are carried out, a decision is made as to whether the current value assignment of z _i and bp _{i should be used} as the calculation result, or if the value assignment of z _i or bp _{i is to be} incremented and new values for rand are calculated and new k blocks are created from rand be removed. The process is carried out until, at a match of x and g _i, the output of the random experiment performed decides to use the current pair (z _i , bp _i ) as the result of the calculation.

In a further advantageous embodiment of the method, the secret combinations g and the other input values are not input by the user individually by hand into a mobile terminal (eg mobile phone, PDA) but from another terminal via a suitable transmission method (eg Bluetooth) to the transferred to mobile terminal. Finally, in a further modification, it would also be possible to carry out the method for generating the auxiliary variables completely on the other terminal and then to carry out the already calculated auxiliary variables-possibly together with others for the reconstruction of the secret combination g required input variables - to transfer to the mobile terminal on which in turn, if necessary, the method for recovering the secret combination g can be performed.

If the calculation of character specific counts and block positions for entered Secret combinations g - regardless of whether they were entered manually or otherwise - completed is, the user has the option complete the entire computation process, eliminating the in memory of the terminal held values of MPW (ie the main password), s, g and zd deleted or overwritten become.

This completes the description of the method for calculating character-specific counter readings and block positions (z _i , bp _i ) for an entered secret combination g. The following describes the method for calculating secret combinations g from character-specific counter readings and block positions (z _i , bp _i ).

The method for calculating secret combinations g from character-specific counter readings and block positions (z _i , bp _i ) basically consists of the same components as the method for calculating character-specific counter readings and block positions: an input component, a calculation component, a memory, an output component, and a component see full ad.

• – Geheimkombination als PIN (siehe auch 11) – geheimkombinationszeichenspezifische Zählerstände z₁, ..., z_m – geheimkombinationszeichenspezifische Blockpositionen bp₁, ..., bp_m – Alphabet A – Bezeichnung der Applikation oder des Dienstes did – Benutzeridentifikation bid (optional)
• – Geheimkombination als TAN (siehe auch 12) – geheimkombinationszeichenspezifische Zähler stände z₁, ..., z_m – geheimkombinationszeichenspezifische Blockpositionen bp₁, ..., bp_m – Alphabet A – Bezeichnung der Applikation oder des Dienstes did – Benutzeridentifikation bid (optional) – Indexwert ix der TAN – Verwertungsmarkierung u
• – Geheimkombination als Passwort (siehe auch 13) – geheimkombinationszeichenspezifische Zähler stände z₁, ..., z_m – geheimkombinationszeichenspezifische Blockpositionen bp₁, ..., bp_m – Alphabet A – Bezeichnung der Applikation oder des Dienstes did – Benutzeridentifikation bid (optional) – dienstspezifische (anwendungsspezifische) Benutzeridentifikation dbid

In an advantageous embodiment of the method according to the invention, first of all all relevant data which is stored in the persistent memory 4 the terminal used are stored by the calculation component 2 read. These read-in data depend on the type of the respective secret combination g. It will be the following data from the persistent store 4 read:

• - Secret combination as PIN (see also 11 ) - secret combination character specific counter readings z ₁ , ..., z _m - secret combination character specific block positions bp ₁ , ..., bp _m - alphabet A - designation of the application or the service did - user identification bid (optional)
• - Secret combination as TAN (see also 12 ) - secret combination-character-specific counters z ₁ , ..., z _m - secret combination-character specific block positions bp ₁ , ..., bp _m - alphabet A - name of the application or service did - user identification bid (optional) - index value ix of the TAN utilization mark u
• - Secret combination as password (see also 13 ) - secret combination-character-specific counter states z ₁ , ..., z _m - secret combination-character specific block positions bp ₁ , ..., bp _m - alphabet A - designation of the application or service did - user identification bid (optional) - service-specific (application-specific) user identification dbid

In addition to reading the data from the persistent store 4 In order to calculate the secret combinations, the user inputs his main password MPW, which is the input component 1 to the calculation component 2 is given further. The input main password is taken from the calculation component 2 in the manner already described an optical marking OM calculated, which to the output component 3 is passed on and displayed to the user. This will be in the 10 . 11 . 12 . 13 . 14 . 15 and 16 shown. If the data for all secret combinations from the persistent memory 4 are read, the names for the respective services and applications (ie the application identification did) to the output component 3 given to the user by the display component 5 in the form of a list. From this list, the user can then select which secret combination g is to be calculated and displayed. For this purpose, the user makes a service selection there, whereby the calculation component 2 is communicated which secret combination is to be calculated and the output component 3 to the display component 5 to be given to the ad.

If the secret combination is a TAN, the user additionally specifies, by means of the TAN selection ta to be entered, which of the TANs belonging to a service or an application is to be calculated. The TAN selection ta specifies the TAN belonging to a particular index ix. If the user has consumed a TAN, then he can change the value of the utilization mark u accordingly and this new value in the persistent store 4 lay down. To do this, the new value is then entered via the input component 1 entered and via calculation component 2 to the output component 3 given further, which is the new value of u then In the storage room 4 stores persistently. At the next read-in process, the TAN is then marked as used up.

When the user selects the service or application he wants by means of the input da, the respective secret combination g is calculated and sent to the output component 3 passed on, which then causes their display for a certain short time.

If it is the secret combination is a password is the user with the service-specific user identity dbid Login name for the selected one Service or application displayed.

The calculation of the secret combinations from the counter readings z ₁ ,..., Z _m and block positions bp ₁ ,..., Bp _m is carried out separately for each individual secret combination character g _i , as in FIGS 14 . 15 and 16 will be shown. The respective calculations differ only in the data, which are given to the calculations as input. For a secret combination of length m, therefore, a total of m calculations are carried out on the basis of m character-specific counter readings z ₁ ,..., Z _m and bp ₁ ,..., Bp _m .

For each of these Calculations the symmetric key s is needed, which from the entered Main password by means of a key derivation function SAF is calculated. This is done in the same way for the calculation of the key s in the method for calculating the character-specific counter readings and Block positions for a given secret combination. The same procedure is particularly necessary that from the now given character-specific meter readings and Block positions again the original entered secret combination characters can be calculated.

• – Geheimkombination als PIN N = i|did|bid oder N=i|Tz|did|Tz|bid bei der Verwendung eines Trennzeichens Tz
• – Geheimkombination als TAN N = i|did|ix|bid oder N = i|Tz|did|Tz|ix|Tz|bid bei der Verwendung eines Trennzeichens Tz
• – Geheimkombination als Passwort N = i|did|dbid|bid oder N = i|Tz|did|Tz|dbid|Tz|bid bei der Verwendung eines Trennzeichens Tz

The calculation of a secret combination symbol g _i for a read-in pair (z _i , bp _i ) from the count and the block position depends on the different secret combination types in FIG 17 . 18 and 19 shown. When calculating the secret combination characters, the same encryption method SV must be used, which was also used in the calculation of counter readings and block positions. Depending on the respective secret combination type, the same messages N are generated by concatenation, as was the case with the calculation of the counter readings and block positions, ie

• - Secret combination as PIN N = i | did | bid or N = i | Tz | did | Tz | bid when using a delimiter Tz
• - Secret combination as TAN N = i | did | ix | bid or N = i | Tz | did | Tz | ix | Tz | bid when using a delimiter Tz
• - Secret combination as password N = i | did | dbid | bid or N = i | Tz | did | Tz | dbid | Tz | bid when using a delimiter Tz

If in the calculation of meter readings and Block positions a separator Tz is used, then at the calculation of the secret characters uses the same separator become. (Of course must also in the case that in the calculation of the auxiliary quantities for Generation of the string N a different order of input sizes was selected, Here the appropriate order can be chosen.) If the user in the calculation of meter readings and Block positions did not use the optional parameter bid, and the method instead for bid has given a default value, then must in the calculation the secret character of the same default value can be used. Also the padding and the segmentation of the messages must be in the calculation the meter readings and Block positions on the one hand and the calculation of the secret characters on the other hand done the same way, so that in the end both calculations have identical blocks in the same order the symmetric encryption method SV handed over become. Also the value of the initialization init is correct with the in the Previous elected Value of init match.

The first plaintext block obtained by concatenation, padding and segmentation is then XORed bit-wise with the initialization value init and the result of the combination is encrypted by means of the symmetric encryption method SV using the symmetric key s. The result of the encryption is bit-wise XOR-linked to the next plaintext block and in turn encrypted by means of the symmetric encryption method SV using the symmetric key s. This will continue until the last plaintext block has been encrypted. The cipher obtained in this way - by symmetric encryption in CBC mode - is now bit-wise XOR-linked to the corresponding coded value of the input meter reading z _i and then encrypted with the symmetric encryption method SV using the symmetric key s. The counter is coded in the same way as was the case with the calculation of meter readings and block positions. After the last encryption, the Block Extraction & Coding component receives the same value of rand, which was determined as the last rand value when calculating the meter readings and block positions. With the entered alphabet A calculates the Component for block extraction & coding now the value k = ⎾log ₂ | A | ⏋. With the entered value of the block position bp _i , the k-block extraction window can now be shifted to the appropriate position and the desired k-block can be extracted. Based on the given alphabet A, the character from A corresponding to the extracted k-block is now determined and output as the value of g _i .

By executing this calculation method for all pairs (z _i , bp _i ),..., (Z _m , bp _m ) and concatenation of the results in a corresponding order, the desired secret combination g results.

In an advantageous embodiment of the method described above, the calculated Secret combination g the user only for a certain short time displayed, e.g. For 60 seconds. However, the method also allows the user to to finish the ad before. The entered main password MPW, the key derived from it s and the calculated secret combination g become available after expiration of a certain time (e.g., 60 seconds) in which the user is inactive is, i. no further input for the control of calculations makes, clears from memory or overwritten, so that without re-entry of the main password MPW by the user no Further calculations of secret combinations are performed can.

In an advantageous embodiment of the method contained in the invention, the user can to a secret combination g (PIN, TAN or password) belonging data delete from the persistent store.

In a further advantageous application of the invention is based The user identification bid is not bid selected by the user himself and entered but from a central entity. Here can it is the manufacturer of the software, that of the invention contains underlying method, or even a party selling the software. This central Instance assigns unique user identifications bid for each User. The values of bid are hereby digitally signed Way from the central instance to the users (e.g. as certificates, which are contained in a file) and can by be read into the program. In addition, the signed user identification still contains an expiration date, about which is specified by what time the program issued the User identifications may use bid. In the program is additionally a public one key the central instance including certificate. The signature the user identification is from the central instance with the secret key generated, which matches the encoded public key. The certificate belonging to the public key has also over one Expiration date. No later than if the expiration date of this certificate is reached, the executable Program code with a new certificate of the central instance the users are distributed and installed by them on their devices become. If the signed user identification is the expiration date has reached, then a new signed user identification distributed to the user. It is important that the in the old and new version parameters match bid. The program tests each time it is used (for example, starting the program), whether the expiration date of the certificate of the central instance or the Expiration date of the signed user information has been reached. If the program determines that an expired certificate is the central one Instance is included or the signed user information has expired is, then the program refuses further calculations, e.g. by scheduling the program immediately. As reference time is in this case the time taken by the operating system of the terminal made available. If both expiration times have not yet been reached, then the program checks the validity the signature of the user identification with that in the executable Code encoded public key the central instance. If the signature verification fails, this will result Program neither calculations of counter readings and block positions off Secret combinations still calculations of secret combinations Counter readings and Block positions off. These calculations can only be performed if the expiration dates of the certificate of the central instance and the signed one User identification not exceeded are and in addition the signature verification of signed user identification with the permanently encoded public key the central instance is positive.

Claims (26)

Method for automatically generating and storing auxiliary variables assigned in each case to an application-specific secret combination (g) as a function of a main password (MPW) and the respective secret combination (g), so that the corresponding secret combination (g) can be used with the help of the skin password (MPW) Secret code (g) assigned auxiliary variables, the method comprising: - calculating a pseudo-random signal sequence (rand) in dependence on the input main password (MPW), - extracting data blocks of certain length (k) from the pseudo-random signal sequence (rand), wherein the data blocks by an encoding of an Al phabets (A), from which the secret combination (g) is formed, each associated with one character (x) from that alphabet (A), - comparing the extracted data blocks with characters (g _i ) from the secret combination (g) taking into account these Coding, - determining a block position (bp _i ) one of the data blocks for each character (g _i ) from the secret combination (g), which is assigned by the coding to this character (g _i ), and - storing the block positions (bp _i ) as auxiliary quantities in a memory ( 4 ). Method according to claim 1, characterized in that that the auxiliary sizes depend on also be formed by at least one other input size, wherein the pseudorandom Signal sequence (edge) depending on is also calculated from the at least one other input size. Method according to claim 2, characterized in that that the pseudorandom Signal sequence (rand) is calculated by taking from the entered main password (MPW) by means of a key derivation function (SAF) a key (s) is generated and a character string depending on is formed by the at least one other input size, with this key (s) encrypted becomes. Method according to claim 3, characterized that at least two of the other input sizes to form the string be chained. Method according to one of claims 3 or 4, characterized that the character string is encrypted in blocks symmetrically. Method according to claim 5, characterized in that that the string is in blocks certain block length (bl) is divided, with a plain text and / or a cipher each of the blocks each with the plaintext or cipher of another block bitwise XORed becomes. Method according to one of Claims 1 to 6, characterized in that the calculation of the pseudorandom signal sequence (edge) takes place in several sections and additionally as a function of a count (z _i ) characterizing the respective section, wherein for each character (g _i ) the Secret combination (g) in addition to the block position (bp _i ) in the corresponding section of the pseudorandom signal sequence (edge) and this section of the pseudorandom signal sequence (rand) corresponding count (z _i ) determined and stored as a further auxiliary size. A method according to claim 7, characterized in that the count (z _i ) for calculating a respective further portion of the pseudo-random signal sequence (rand) is changed to a next value, if a hitherto available portion of the pseudo-random signal sequence (rand) by extracting data blocks is consumed. Method according to one of claims 1 to 8, characterized that the data blocks from the pseudo-random Signal sequence (rand) can be extracted one after the other, for each Data block one of its length (k) corresponding number of consecutive signals from the pseudo-random signal sequence (rand) are taken, with the respective subsequent data block across from the previous data block by a certain number of signals is shifted, preferably by one of the length (k) of the data blocks corresponding Number of signals. Method according to one of Claims 1 to 9, characterized in that, for each character (g _i ) of the secret combination (g), the block position (bp _i ) of the data block assigned to this character (g _i ) is determined by taking the extracted data blocks into consideration one after the other the coding of the alphabet (a) having this sign (g _i) are compared, wherein a the mark (g _i) not corresponding data block is discarded, while the mark (g _i) of corresponding data block is not discarded by a decision function with a certain probability but is accepted by the block position (BP _i) is stored as the sign of this data block (g _i) associated with the auxiliary variable and extracting blocks of data for that character (g _i) is terminated. Method according to claim 10, characterized in that that the decision function is performed by a random decision maker, the one binary Random experiment with one of the said probability corresponding Single probability. Method according to claim 11, characterized in that that the binary Random experiment performed is made by one as a processing result of random data (zd) signal chain each one unused block extracted and assigned a value, this value with a Threshold or multiple thresholds is compared and an output of the binary random experiment dependent on is defined by a result of this comparison. A method according to claim 12, characterized in that the random data are obtained from stop times and / or differences between keystrokes in an input of the main password (MPW) and / or the secret combination (g) and / or the at least one other Input size and / or specifically for generating the random data (zd) requested keystrokes. Method according to one of claims 2 to 6 or one of claims 7 to 13, if the latter are dependent on claim 2, characterized in that the at least one input variable is given by a user identification (bid) and / or an application identification (did) and / or an application-specific user identification (dbid) and / or a position (i) of the character (g _i ) of the secret combination (g) for which an auxiliary variable is currently being determined and / or an index (ix) of a transaction number and / or the alphabet (A). Method according to one of claims 1 to 14, characterized that in the manner described auxiliary quantities for a plurality of different secret combinations (g) are generated and stored. Method for recovering a secret combination (g) from auxiliary quantities generated by a method according to one of Claims 1 to 15 and the corresponding main password (MPW), in which each character (g _i ) of the secret combination is determined by entering the main password (MPW) At least part of the pseudo-random signal sequence (edge) is calculated as in the method referred to, the data block defined by the block position (bp _i ) assigned to this character (g _i ) is extracted from the pseudo-random signal sequence (edge), this data block is assigned to a character (g _i ) according to the coding of the alphabet (A) from which the secret combination (g) is formed, and - this character (g _i ) is output. Method according to claim 16, insofar as it refers to claim 7, characterized in that for determining each character (g _i ) of the secret combination, respectively the section of the pseudorandom signal sequence (rand) is calculated, which is determined by the count assigned to this character (g _i ) (z _i ) is defined. Method according to one of claims 16 or 17, characterized that the auxiliary quantities assigned to the secret combination (g) and / or the at least one further input variable is read from the memory become. Method according to one of claims 1 to 18, characterized in that, depending on the entered skin password (MPW) by means of a one-way function, an optical marking (OM) is calculated and displayed on a display component ( 5 ) is shown. Method according to one of claims 1 to 19, characterized that it is performed by an appropriately programmed device. Programmtechnisch for performing a method according to one of the claims 1 to 20 furnished device. Apparatus according to claim 21, comprising an input component ( 1 ) for entering a main password (MPW) and at least one further input variable, a calculation component ( 2 ), an output component ( 3 ), and a memory ( 4 ), whereby the calculation component ( 2 ) is arranged to calculate the auxiliary quantities from the input component ( 1 ) and the output component ( 3 ) is set up for outputting the from the calculation component ( 2 ) calculated and transferred auxiliary quantities to the memory ( 4 ). Apparatus according to claim 21, comprising an input component ( 1 ) for entering a main password (MPW) and at least one further input variable, a calculation component ( 2 ), an output component ( 3 ), a memory ( 4 ) and a display component ( 5 ), whereby the calculation component ( 2 ) is arranged to calculate the characters (g _i ) of the secret combination (g) from the input component ( 1 ) and from memory ( 4 ) and the output component ( 3 ) is set up for outputting the from the calculation component ( 2 ) calculated and transferred characters (g _i ) of the secret combination (g) to the display component ( 5 ). Apparatus according to claim 21, comprising an input component ( 1 ) for entering a main password (MPW) and at least one further input variable, a calculation component ( 2 ), an output component ( 3 ), a memory ( 4 ) and a display component ( 5 ), whereby the calculation component ( 2 ) is arranged to calculate the auxiliary quantities from the input component ( 1 ) and for calculating the characters (g _i ) of the secret combination (g) from the input component ( 1 ) and from memory ( 4 ) and the output component ( 3 ) is set up for outputting the from the calculation component ( 2 ) calculated and transferred auxiliary quantities to the memory ( 4 ) and to output the from the calculation component ( 2 ) calculated and transferred characters (g _i ) of the secret combination (g) to the display component ( 5 ). Device according to one of claims 22 to 24, characterized in that the calculation component comprises Means for executing a key derivation function (SAF) for forming a key (s) of predetermined length (sl) from the input main password MPW), concatenation means for forming a string from at least one input size input or read from the memory, encryption means for forming a key pseudo-random signal sequence (rand) by encrypting the character string with the key (s), - means for extracting and coding data blocks from the pseudo-random signal sequence (rand). Apparatus according to claim 25, characterized in that the calculation component ( 2 ) additionally comprises means for calculating an optical tag (OM) dependent on the input main password (MPW), the output component ( 3 ) is further configured to output the from the calculation component ( 2 ) transmitted optical marking (OM) to the display component ( 5 ).