WO2001096990A2 - Usb-compliant personal key using a smartcard processor and a smartcard reader emulator - Google Patents

Usb-compliant personal key using a smartcard processor and a smartcard reader emulator

Publication number
WO2001096990A2
Authority
WO
WIPO (PCT)
Prior art keywords
smartcard
processor
usb
compliant
interface
Prior art date
Application number
PCT/EP2001/006816
Other languages
French (fr)
Other versions
WO2001096990A3 (en)
Inventor
Shawn D. Abbott
Allan D. Anderson
Patrick N. Godding
Maarten G. Punt
Mehdi Sotoodeh
Original Assignee
Rainbow Technologies, B.V.
Priority date
Filing date
Publication date
Application filed by Rainbow Technologies, B.V. filed Critical Rainbow Technologies, B.V.
Priority to EP01962744A priority Critical patent/EP1290536A2/en
Priority to AU83866/01A priority patent/AU8386601A/en
Publication of WO2001096990A2 publication Critical patent/WO2001096990A2/en
Publication of WO2001096990A3 publication Critical patent/WO2001096990A3/en

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • G06K19/077Constructional details, e.g. mounting of circuits in the carrier
    • G06K19/0772Physical layout of the record carrier
    • G06K19/07732Physical layout of the record carrier the record carrier having a housing or construction similar to well-known portable memory devices, such as SD cards, USB or memory sticks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575Secure boot
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/77Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • G06K19/077Constructional details, e.g. mounting of circuits in the carrier
    • G06K19/0772Physical layout of the record carrier
    • G06K19/07733Physical layout of the record carrier the record carrier containing at least one further contact interface not conform ISO-7816
    • HELECTRICITY
    • H05ELECTRIC TECHNIQUES NOT OTHERWISE PROVIDED FOR
    • H05KPRINTED CIRCUITS; CASINGS OR CONSTRUCTIONAL DETAILS OF ELECTRIC APPARATUS; MANUFACTURE OF ASSEMBLAGES OF ELECTRICAL COMPONENTS
    • H05K1/00Printed circuits
    • H05K1/02Details
    • H05K1/11Printed elements for providing electric connections to or between printed circuits
    • H05K1/117Pads along the edge of rigid circuit boards, e.g. for pluggable connectors

Definitions

  • the present invention relates to computer peripherals, and in particular to an inexpensive USB-compliant personal key that is compatible with existing smartcard processors, drivers, and instruction sets.
  • Smartcards represent a longstanding attempt to deal with at least some of the foregoing challenges. Substantial resources have been made in the design and development of smartcards, smartcard readers, and the associated reader/smartcard drivers which allow computer applications to interface with the smartcard to perform security and data storage functions. Even so, smartcards have not enjoyed widespread popularity. Smartcard readers are relatively expensive, and not widely available. Further, the lack of uniform smartcard/smartcard reader physical interface standards have resulted in smartcard/smartcard reader physical interface compatibility problems, many of which remain unresolved.
  • USB-compliant personal keys such as that which is disclosed in co-pending and commonly assigned U.S. Patent Application Nos. 09/449,159 and 09/281,017, described above, offer the benefit of smartcard functionality in a universally accepted USB form factor.
  • the Universal Serial Bus (USB) is a connectivity standard developed by computer and telecommunication industry members for interfacing computers and peripherals. USB-compliant devices allow the user to install and hot-swap devices without long installation procedures and reboots, and features a 127 device bus capacity, dual-speed data transfer, and can provide limited power to devices attached on the bus. Because the USB connectivity standard is rapidly becoming available on most personal computers, it offers a standard, widely available physical interface, the unavailability of which has prevented smartcards from achieving widespread acceptance.
  • USB-compliant personal keys utilize special purpose processors, instead of the low cost, limited capability processors currently available for smartcards. This increases the cost of the USB-compliant personal key, making widespread acceptance more difficult. Also, because each USB-compatible personal key may use a different processor (and different instruction sets), users may require different device drivers for different personal keys. This too represents another barrier to widespread acceptance of the personal key.
  • USB-compliant personal key that is usable with legacy personal identification devices, such as processors having smartcard processors and/or those complying with the ISO 7816.
  • USB-compliant personal key that makes maximum use of existing smartcard protocols, software and devices wherever possible, and which retain at least a limited compatibility with existing devices designed to interface with smartcards. The present invention satisfies that need.
  • the present invention satisfies all of these needs with a personal key in a form factor that is compliant with a commonly available I/O interface such as the Universal Serial Bus (USB) and at the same time, usable with existing smartcard software applications.
  • the personal key comprises a USB-compliant interface releaseably coupleable to a host processing device operating under command of an operating system; a smartcard processor having a smartcard processor-compliant interface for communicating according to a smartcard input and output protocol; and an interface processor, communicatively coupled to the USB-compliant interface and to the smartcard processor-compliant interface, the interface processor implementing a translation module for interpreting USB-compliant messages into smartcard processor-compliant messages and for interpreting smartcard processor-compliant messages into USB-compliant messages.
  • the method comprises the steps of accepting a message comprising a smartcard reader command selected from a smartcard reader command set from a host computer operating system in a virtual smartcard reader; packaging the message for transmission via a USB-compliant interface according to a first message transfer protocol; transmitting the packaged message to a personal key communicatively coupled to the USB-compliant interface; receiving the packaged message in the personal key; unpackaging the message in the personal key to recover the smartcard reader command; translating the smartcard reader command into a smartcard command within the personal key; and providing the smartcard command to the smartcard processor.
  • the present invention is well suited for controlling access to network services, or anywhere a password, cookie, digital certificate, or smartcard might otherwise be used, including:
  • Remote access servers including Internet protocol security (IPSec), point to point tunneling protocol (PPTP), password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), remote access dial-in user service (RADIUS), terminal access controller access
  • IPSec Internet protocol security
  • PPTP point to point tunneling protocol
  • PAP password authentication protocol
  • CHAP challenge handshake authentication protocol
  • RADIUS remote access dial-in user service
  • TACACS control system
  • SET secure electronic transaction
  • MilliCent MilliCent
  • FIG. 1 is a diagram showing an exemplary hardware environment for practicing the present invention
  • FIG. 2 is a block diagram of a personal key communicatively coupled to a host computer
  • FIG. 3 is a block diagram of a personal key with a smartcard processor communicatively coupled to a host computer;
  • FIGs. 4A-4D are flow charts presenting exemplary method steps that can be used to practice the present invention.
  • FIG. 1 illustrates an exemplary computer system 100 that could be used to implement the present invention.
  • the host computer 102 comprises a processor 104 and a memory, such as random access memory (RAM) 106.
  • the host computer 102 is operatively coupled to a display 122, which presents images such as windows to the user on a graphical user interface 118B.
  • the host computer 102 may be coupled to other devices, such as a keyboard 114, a mouse device 116, a printer 128, etc.
  • keyboard 114 a keyboard 114
  • a mouse device 116 a printer 128, etc.
  • the host computer 102 operates under control of an operating system 108 stored in the memory 106, and interfaces with the user to accept inputs and commands and to present results through a graphical user interface (GUI) module 118A.
  • GUI graphical user interface
  • the instructions performing the GUI functions can be resident or distributed in the operating system 108, the computer program 110, or implemented with special purpose memory and processors.
  • the host computer 102 also implements a compiler 112 which allows an application program 110 written in a programming language such as COBOL, C++, FORTRAN, or other language to be translated into processor 104 readable code.
  • the host computer 102 also comprises an input/output (I/O) port for a personal token 200 (hereinafter alternatively referred to also as a personal key 200).
  • I/O port is a USB-compliant interface comprising a host computer USB-compliant interface 130A and a personal token USB-compliant interface 130B (hereinafter referred to collectively as the USB-compliant interface 130).
  • instructions implementing the operating system 108, the computer program 110, and the compiler 112 are tangibly embodied in a computer-readable medium, e.g., data storage device 120, which could include one or more fixed or removable data storage devices, such as a zip drive, floppy disc drive 124, hard drive, CD-ROM drive, tape drive, etc.
  • the operating system 108 and the computer program 110 are comprised of instructions which, when read and executed by the computer 102, causes the computer 102 to perform the steps necessary to implement and/or use the present invention.
  • Computer program 110 and/or operating instructions may also be tangibly embodied in memory 106 and/or data communications devices, thereby making a computer program product or article of manufacture according to the invention.
  • article of manufacture and “computer program product” as used herein are intended to encompass a computer program accessible from any computer readable device or media.
  • the host computer 102 may be communicatively coupled to a remote computer or server 134 via communication medium 132 such as a dial-up network, a wide area network (WAN), local area network (LAN), virtual private network (VPN) or the Internet.
  • Communication medium 132 such as a dial-up network, a wide area network (WAN), local area network (LAN), virtual private network (VPN) or the Internet.
  • Program instructions for computer operation, including additional or alternative application programs can be loaded from the remote computer/server 134.
  • the computer 102 implements an Internet browser allowing the user to access the world wide web (WWW) and other internet resources.
  • FIG. 2 is a block diagram illustrating the components of one embodiment of a personal key 200.
  • the personal key 200 communicates with and obtains power from the host computer 102 through a USB-compliant communication path in the USB-compliant interface 130 which includes the input/output port 130A of the host computer 102 and a matching input/output (I/O) port 130B on the personal key 200.
  • the processor 212 is communicatively coupled to a memory 214, which stores data and instructions to implement the above-described features of the invention.
  • the memory 214 is a non-volatile random-access memory that can retain factory-supplied data as well as customer-supplied application related data.
  • the processor 212 may also include some internal memory for performing some of these functions.
  • the processor 212 is optionally communicatively coupled to an input device 218 via an input device communication path 220 and to an output device 222 via an output device communication path 224, both of which are distinct from the USB-compliant interface 130.
  • These separate communication paths 220 and 224 allow the user to view information about processor 212 operations and provide input related to processor 212 operations without allowing a process or other entity with visibility to the USB-compliant interface 130 to eavesdrop or intercede. This permits secure communications between the key processor 212 and the user.
  • the user communicates directly with the processor 212 by physical manipulation of mechanical switches or devices actuatable from the external side of the key (for example, by pressure-sensitive devices such as buttons and invention set forth more fully below, the input device includes a wheel with tactile detents indicating the selection of characters.
  • the input device and output devices 218, 222 may cooperatively interact with one another to enhance the functionality of the personal key 200.
  • the output device 222 may provide information prompting the user to enter information into the input device 218.
  • the output device 222 may comprise a visual display such as an alphanumeric LED or LCD display (which can display Arabic numbers and/or letters) and/or an aural device. The user may be prompted to enter information by a beeping of the aural device, by a flashing pattern of the LED, or by both.
  • the output device 222 may also optionally be used to confirm entry of information by the input device 218. For example, an aural output device may beep when the user enters information into the input device 218 or when the user input is invalid.
  • the input device 218 may take one of many forms, including different combinations of input devices. Although the input device communication path 220 and the output device communication path 224 are illustrated in FIG. 2 as separate paths, the present invention can be implemented by combining the paths 220 and 224 while still retaining a communication path distinct from the USB-compliant interface 130. For example, the input device 218 and output device 222 may be packaged in a single device and communications with the processor 212 multiplexed over a single communication path.
  • FIG. 3 is a block diagram of the personal key 200 and host computer 102 as applied to the present invention.
  • the personal key 300 illustrated in FIG. 3 comprises a smartcard processor 320.
  • the smartcard processor 300 is a processor which complies with well-known smartcard I/O protocols and smartcard command sets and functions, such as those described by the International Standards Organization (ISO) standard 7816 Part III (defining electronic properties and transmission characteristics), which is hereby incorporated by reference herein.
  • the smartcard compliant I/O interface 324 includes a serial I/O line, a reset (RST) line, a clock (CLK) line, a programming voltage (VPP), a power supply voltage (VCC) and a ground.
  • This I/O interface 324 is further described in the publication "Introduction to Smartcards" by Dr. David B. Everett, which was published in 1999 by the Smart Card News Ltd., and is incorporated by reference herein.
  • the present invention allows the use of a personal key 300 communicating with the host computer 102 via a USB-compliant interface 130.
  • the substitution of the smartcard processor 320 for the ordinary processor 212 depicted in FIG. 2 has several advantages.
  • smartcard processors 212 are relatively inexpensive and readily available.
  • a large number of application programs 110 have been developed for the use of smartcards, including the personal computer/smartcard (PC/SC) interface developed by the MICROSOFT CORPORATION.
  • PC/SC personal computer/smartcard
  • this software can be used with a personal key 300 in a USB-compliant form factor.
  • the use of the smartcard processor 320 in the personal key 300 is enabled by use of an interface processor 314 communicatively coupled to the smartcard processor 320 via a smartcard-compatible (S/C 7816) interface 324.
  • the interface processor 314 comprises a smartcard reader emulator module (SREM) 316 and a translation module 318.
  • SREM smartcard reader emulator module
  • the SREM 316 implements functions that emulate those of a smartcard reader, thus projecting the image of a smartcard reader to the smartcard processor 320.
  • the SREM 316 provides all instructions and commands to the smartcard processor 320 and receives messages and responses from the smartcard processor 320 according to the S/C protocol.
  • the host computer 102 comprises a virtual smartcard reader module (VSRM) 302.
  • the VSRM comprises a communication module 312, an answer-to-reset module 308, and a smartcard insertion removal reporting module 306. The communication module 312 packages messages intended for the personal key 300 for transmission via the USB-compliant interface.
  • messages and commands that are sent to the personal key 300 are packaged as:
  • USB command = USB header + USB cdata (wherein USB cdata is the smartcard compliant command) and messages and responses from the personal key 300 are packaged as:
  • USB response = USB header + USB rdata (wherein USB rdata is the smartcard compliant response)
  • the VSRM 302 emulates the presence of a smartcard reader to the OS 108 in the host computer 102. These functions are accomplished in the bootup module 311, the insert/remove module 306, the answer-to-reset module 308, and the PTS module 310.
  • the host computer's 102 operating system performs a startup sequence to determine which hardware elements are available for use.
  • the smartcard reader remains coupled to the host computer 102, whether a smartcard is inserted into the reader or not.
  • the smartcard reader can respond to startup sequence queries, and the smartcard reader is recognized by the operating system 108 for further operations.
  • the operating system would ordinarily be unable to operate with a smartcard thereafter.
  • the present invention comprises a bootup module 311, which responds to messages from the operating system 108 in the same way as a smartcard reader would if it were coupled to the host computer 102.
  • the insert/remove module 306 provides an indication to the operating system 108 that the personal key 300 has been inserted or removed from the USB-compliant interface 130. This is accomplished by querying the host computer USB-compliant interface port 130A.
  • the smartcard reader passes a reset command to the smartcard.
  • the smartcard returns an answer-to-reset message which indicates, among other things, the protocol and I/O interface supported by the attached smartcard.
  • the reset signal is used to start up the program contained in a memory 322 communicatively coupled to or resident within the smartcard processor 320.
  • the ISO standard defines three reset modes, internal reset, active low reset, and synchronous high active reset. Most smartcard processors 320 operate using the active low reset mode. In this mode, the smartcard processor 320 transfers control to the entry address for the program when the reset signal returns to the high voltage level.
  • the synchronous mode of operation is more commonly met with smartcards used for telephonic applications.
  • the sequence of operations for activating the smartcard processor 320 is defined in order to minimize the possibility of damaging the smartcard processor 320. Of particular importance is avoiding corruption of the non-volatile memory 322 of the smartcard.
  • Most smartcard processors 320 operate using an active low reset mode in which the smartcard processor 320 transfers control to the entry address for the program when the reset signal returns to the high voltage level.
  • the sequence performed by the smartcard processor includes the steps of setting the RST line low, applying VCC to the proper supply voltage, setting the I/O in the receive mode, setting VPP in the idle mode, applying the clock, and taking the RST line high (active low reset).
  • the smartcard processor 320 responds with an answer-to-reset message.
  • the answer-to-reset signal is at most 33 characters, and includes 5 fields including an initial character (TS), a format character (T0), interface characters (TAi, TBi, TCi, and TDi), historical characters (T1, T2, ... , TK), and a check character (TCK).
  • TS initial character
  • T0 format character
  • TO interface characters
  • Ti TAi, TBi, TCi, and TDi
  • historical characters T1, T2, ... , TK
  • TCK check character
  • the answer-to-reset signal provides an indication of the smartcard protocol(s) which are supported by the smartcard processor.
  • the reset signal is provided by the VSRM 302, packaged by the communication module 312, and sent via the USB-compliant interface 130B to the personal key 300.
  • the message is unwrapped by the translation module 318.
  • the smartcard reader emulation module activates the RST signal path in the smartcard interface 324, thus providing the RST command to the smartcard processor 320.
  • the smartcard processor 320 responds with an answer-to-reset message, sends the message via the serial I/O line of the smartcard interface 324 to the interface processor 314.
  • the personal key 300 does not comprise a smartcard processor 320, but rather a special purpose processor which does not respond to messages and commands in the smartcard I/O protocol (such as that which is illustrated in FIG. 1).
  • the present invention can still be used with existing smartcard applications 110, however, because the VSRM 302 and the interface processor 314 can be used to simulate the presence of a smartcard processor 320.
  • the VSRM accepts the reset command from the PC/SC modules in the operating system 108, translates the reset message into a functionally equivalent message for the special purpose processor in the personal key 300, and transmits the message to the personal key 300.
  • After the personal key 300 is activated, it sends a message indicating as such to the host computer 102.
  • the VSRM 302 and translates this message to a response that is compatible with the smartcard application 110, namely, an ATR message.
  • the smartcard command to special purpose processor command translation can occur in the emulation processor 314 in the personal key 300.
  • a protocol type selection (PTS) message may be sent to the smartcard processor 320.
  • the PTS message from the OS 108 is received by the PTS module 310 in the VSRM 302, packaged for transmission via the USB-compliant interface 130 to the personal key 300, where it is unpackaged and provided to the smartcard processor 320.
  • the smartcard provides a response consistent with the ISO standards to the emulation module 316. The response is packaged, and transmitted over the USB-compliant interface 130 to the host computer 102, where it is unpackaged by the communication module 312 and provided to the operating system.
  • FIGS. 4A-4D are flow charts presenting exemplary method steps used to practice one embodiment of the present invention.
  • the virtual smartcard reader 302 accepts 402 a bootup query from the host computer's operating system 108. Although a smartcard reader is not communicatively coupled to the host computer 130, the virtual smartcard reader 302 emulates the existence of a smartcard reader and provides an indication that a smartcard reader is available to the OS 108. Consequently, when the bootup procedures are completed, a smartcard reader will be registered as an available device to smartcard applications 110.
  • a personal key 300 may or may not be communicatively coupled to the USB-compliant interface 130.
  • When a personal key 300 is not attached, the VSRM 302 provides 404 the same indication to the operating system 108 as would be supplied by a smartcard reader without an inserted smartcard. This is accomplished by receiving 406 an indication that the personal key has been communicatively coupled to the USB-compliant interface, and providing an indication to the host computer operating system. Since the VSRM is emulating the functions of a smartcard, the indication provided 408 to the host computer operating system (or equivalently, the personal computer/smartcard (PC/SC) interface modules therein) is that of an insert event.
  • PC/SC personal computer/smartcard
  • a protocol type selection (PTS) command may be issued by the operating system 108.
  • the VSRM 302 receives 410 the PTS command, packages the command for transmission to the personal key 300 via the USB-compliant interface 130.
  • the wrapped PTS command is then transmitted over the USB-compliant interface 130 and received by the personal key 300.
  • the PTS command is unwrapped by the translate module 318 in the interface processor 314 and provided to the smartcard processor 320 via the smartcard-compliant interface 324.
  • the smartcard processor computes the appropriate response, sends the response to the interface processor 314, where the response is packaged by the translate module 318 for transmission to the host computer 102 via the USB-compliant interface 130.
  • FIG. 4B is a flow chart describing exemplary method steps used to provide commands and/or data from the OS 108 to the smartcard processor 320 and from the smartcard processor 320 to the OS 108.
  • a message which may comprise a smartcard reader command belonging to a smartcard reader command set is accepted 414 from a host computer operating system 108 in the virtual smartcard reader module (VSRM) 302.
  • the message is packaged 416 for transmission via the USB-compliant interface 130 according to a first message transfer protocol.
  • the packaged message is then transmitted 418 to the communicatively coupled personal key 300 via the USB-compliant interface 130.
  • the packaged message is received 420 and unpackaged 422 in the personal key 300.
  • the smartcard reader command is translated 424 into a smartcard command within the personal key 300 before being provided 426 to the smartcard processor 320.
  • the smartcard processor 320 then performs the indicated operation, and a response is accepted 428 from the smartcard processor 320.
  • the smartcard response requires further processing by a smartcard reader, the smartcard response is translated 430 into a smartcard reader response. The reader response is then packaged 432 and transmitted 434 to the host computer 102 via the USB-compliant interface 130.
  • the host computer 102 receives 436 and unpackages 438 the message and provides 440 the response to the smartcard software application 110 that issued the command.
  • the VSRM 302 reports 444 an indication to the OS 108 that the "virtual smartcard" (the personal key 300) has been removed.
  • the provided indication is the same as that which would be provided by a smartcard reader when a smartcard is removed.
  • the indication can be obtained, for example by receiving 442 an indication from a USB driver or other device indicating the removal of a USB device.
  • Tables I and II provide a summary of the communication protocol for an OS 108 command from the host computer 102 to the smartcard processor 320 in the personal key (Table I) and for a smartcard processor 320 response to the operating system 108.
  • Table II. Tables III and IV provide a summary of the communication protocol for a request from an application program 110 to the smartcard processor 320 and for a request from an application program 110 to the smartcard processor 320.
  • the present invention describes a personal key comprising a USB-compliant interface releaseably coupleable to a host processing device operating under command of an operating system; a smartcard processor having a smartcard processor-compliant interface for communicating according to a smartcard input and output protocol; and an interface processor, communicatively coupled to the USB-compliant interface and to the smartcard processor-compliant interface, the interface processor implementing a translation module for interpreting USB-compliant messages into smartcard processor-compliant messages and for interpreting smartcard processor-compliant messages into USB-compliant messages.
  • the invention is described by a method comprising the steps of accepting a message comprising a smartcard reader command selected from a smartcard reader command set from a host computer operating system in a virtual smartcard reader; packaging the message for transmission via a USB-compliant interface according to a first message transfer protocol; transmitting the packaged message to a personal key communicatively coupled to the USB-compliant interface; receiving the packaged message in the personal key; unpackaging the message in the personal key to recover the smartcard reader command; translating the smartcard reader command into a smartcard command within the personal key; and providing the smartcard command to the smartcard processor.

Abstract

A compact, self-contained, personal key is disclosed. The personal key comprises a USB-compliant interface releaseably coupleable to a host processing device operating under command of an operating system; a smartcard processor having a smartcard processor-compliant interface of communicating according to a smartcard input and output protocol; and an interface processor, communicatively coupled to the USB-compliant interface and to the smartcard processor-compliant interface, the interface processor implementing a translation module for interpreting USB-compliant messages into smartcard processor-compliant messages and for interpreting smartcard processor-compliant messages into USB-compliant messages.

Description

USB-COMPLIANT PERSONAL KEY USING A SMARTCARD PROCESSOR AND A SMARTCARD READER EMULATOR
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is a continuation-in-part of U.S. Patent Application No. 09/449,159, filed November 24, 1999, by Shawn D. Abbott, Bahra Afghani, Mehdi Sotoodeh, Norman L. Denton III, and Calvin W. Long, and entitled "USB-Compliant Personal Key with Integral Input and Output Devices," which is a continuation-in-part of U.S. Patent Application No. 09/281,017, filed March 30, 1999 by Shawn D. Abbott, Bahram Afghani, Allan D. Anderson, Patrick N. Godding, Maarten G. Punt, and Mehdi Sotoodeh, and entitled "USB-Compliant Personal Key," which claims benefit of U.S. Provisional Patent Application No. 60/116,006, filed January 15, 1999 by Shawn D. Abbott, Barham Afghani, Allan D. Anderson, Patrick N. Godding, Maarten G. Punt, and Mehdi Sotoodeh, and entitled "USB-Compliant Personal Key," all of which applications are hereby incorporated by reference herein.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to computer peripherals, and in particular to an inexpensive USB-compliant personal key that is compatible with existing smartcard processors, drivers, and instruction sets.
2. Description of the Related Art
In the last decade, the use of personal computers in both the home and in the office have become widespread. These computers provide a high level of functionality to many people at a moderate price, substantially surpassing the performance of the large mainframe computers of only a few decades ago. The trend is further evidenced by the increasing popularity of laptop and notebook computers, which provide high-performance computing power on a mobile basis. The widespread availability of personal computers has had a profound impact on interpersonal communications as well. Only a decade ago, telephones or fax machines offered virtually the only media for rapid business communications. Today, a growing number of businesses and individuals communicate via electronic mail (e-mail). Personal computers have also been instrumental in the emergence of the Internet and its growing use as a medium of commerce.
While certainly beneficial, the growing use of computers in personal communications, commerce, and business has also given rise to a number of unique challenges. These challenges include the prevention of unauthorized use of software, ensuring the security of e-mail and other electronic communications, as well as Internet commerce.
Smartcards represent a longstanding attempt to deal with at least some of the foregoing challenges. Substantial resources have been made in the design and development of smartcards, smartcard readers, and the associated reader/smartcard drivers which allow computer applications to interface with the smartcard to perform security and data storage functions. Even so, smartcards have not enjoyed widespread popularity. Smartcard readers are relatively expensive, and not widely available. Further, the lack of uniform smartcard/smartcard reader physical interface standards have resulted in smartcard/smartcard reader physical interface compatibility problems, many of which remain unresolved.
USB-compliant personal keys, such as that which is disclosed in co-pending and commonly assigned U.S. Patent Application Nos. 09/449,159 and 09/281,017, described above, offer the benefit of smartcard functionality in a universally accepted USB form factor. The Universal Serial Bus (USB) is a connectivity standard developed by computer and telecommunication industry members for interfacing computers and peripherals. USB-compliant devices allow the user to install and hot-swap devices without long installation procedures and reboots, and features a 127 device bus capacity, dual-speed data transfer, and can provide limited power to devices attached on the bus. Because the USB connectivity standard is rapidly becoming available on most personal computers, it offers a standard, widely available physical interface, the unavailability of which has prevented smartcards from achieving widespread acceptance.
While smartcards have not enjoyed widespread popularity in the United States, they are widely accepted in Europe. Hence, many software applications and drivers have been developed for existing smartcard-based devices and their readers. Unfortunately, smartcard interface protocols such as those described in ISO 7816 are incompatible with the USB protocols used in the above-described devices. This incompatibility has led to two unfortunate consequences. First, to comply with USB interface protocol requirements, current USB-compliant personal keys utilize special purpose processors, instead of the low cost, limited capability processors currently available for smartcards. This increases the cost of the USB-compliant personal key, making widespread acceptance more difficult. Also, because each USB-compatible personal key may use a different processor (and different instruction sets), users may require different device drivers for different personal keys. This too represents another barrier to widespread acceptance of the personal key.
From the foregoing, it is apparent that there is a need for a USB-compliant personal key that is usable with legacy personal identification devices, such as processors having smartcard processors and/or those complying with the ISO 7816. There is also a need for a USB-compliant personal key that makes maximum use of existing smartcard protocols, software and devices wherever possible, and which retain at least a limited compatibility with existing devices designed to interface with smartcards. The present invention satisfies that need.
SUMMARY OF THE INVENTION
The present invention satisfies all of these needs with a personal key in a form factor that is compliant with a commonly available I/O interface such as the Universal Serial Bus (USB) and at the same time, usable with existing smartcard software applications. The personal key comprises a USB-compliant interface releaseably coupleable to a host processing device operating under command of an operating system; a smartcard processor having a smartcard processor-compliant interface for communicating according to a smartcard input and output protocol; and an interface processor, communicatively coupled to the USB-compliant interface and to the smartcard processor-compliant interface, the interface processor implementing a translation module for interpreting USB-compliant messages into smartcard processor-compliant messages and for interpreting smartcard processor-compliant messages into USB-compliant messages.
In one embodiment, the method comprises the steps of accepting a message comprising a smartcard reader command selected from a smartcard reader command set from a host computer operating system in a virtual smartcard reader; packaging the message for transmission via a USB-compliant interface according to a first message transfer protocol; transmitting the packaged message to a personal key communicatively coupled to the USB-compliant interface; receiving the packaged message in the personal key; unpackaging the message in the personal key to recover the smartcard reader command; translating the smartcard reader command into a smartcard command within the personal key; and providing the smartcard command to the smartcard processor.
The present invention is well suited for controlling access to network services, or anywhere a password, cookie, digital certificate, or smartcard might otherwise be used, including:
• Remote access servers, including Internet protocol security (IPSec), point to point tunneling protocol (PPTP), password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), remote access dial-in user service (RADIUS), terminal access controller access control system (TACACS);
• Providing Extranet and subscription-based web access control, including hypertext transport protocol (HTTP), secure sockets layer (SSL);
• Supporting secure online banking, benefits administration, account management;
• Supporting secure workflow and supply chain integration (form signing);
• Preventing laptop computer theft (requiring personal key for laptop operation);
• Workstation logon authorization;
• Preventing the modification or copying of software;
• Encrypting files;
• Supporting secure e-mail, for example, with secure multipurpose Internet mail extensions (S/MIME), and open pretty good privacy (OpenPGP);
• Administering network equipment administration; and
• Electronic wallets, with, for example, secure electronic transaction (SET, MilliCent, eWallet)
BRIEF DESCRIPTION OF THE DRAWINGS
Referring now to the drawings in which like reference numbers represent corresponding parts throughout:
FIG. 1 is a diagram showing an exemplary hardware environment for practicing the present invention;
FIG. 2 is a block diagram of a personal key communicatively coupled to a host computer;
FIG. 3 is a block diagram of a personal key with a smartcard processor communicatively coupled to a host computer; and
FIGs. 4A-4D are flow charts presenting exemplary method steps that can be used to practice the present invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
In the following description, reference is made to the accompanying drawings which form a part hereof, and which is shown, by way of illustration, several embodiments of the present invention. It is understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.
FIG. 1 illustrates an exemplary computer system 100 that could be used to implement the present invention. The host computer 102 comprises a processor 104 and a memory, such as random access memory (RAM) 106. The host computer 102 is operatively coupled to a display 122, which presents images such as windows to the user on a graphical user interface 118B. The host computer 102 may be coupled to other devices, such as a keyboard 114, a mouse device 116, a printer 128, etc. Of course, those skilled in the art will recognize that any combination of the above components, or any number of different components, peripherals, and other devices, may be used with the host computer 102.
Generally, the host computer 102 operates under control of an operating system 108 stored in the memory 106, and interfaces with the user to accept inputs and commands and to present results through a graphical user interface (GUI) module 118A. Although the GUI module 118A is depicted as a separate module, the instructions performing the GUI functions can be resident or distributed in the operating system 108, the computer program 110, or implemented with special purpose memory and processors. The host computer 102 also implements a compiler 112 which allows an application program 110 written in a programming language such as COBOL, C++, FORTRAN, or other language to be translated into processor 104 readable code. After completion, the application 110 accesses and manipulates data stored in the memory 106 of the host computer 102 using the relationships and logic that are generated using the compiler 112. The host computer 102 also comprises an input/output (I/O) port for a personal token 200 (hereinafter alternatively referred to also as a personal key 200). In one embodiment, the I/O port is a USB-compliant interface comprising a host computer USB-compliant interface 130A and a personal token USB-compliant interface 130B (hereinafter referred to collectively as the USB-compliant interface 130).
In one embodiment, instructions implementing the operating system 108, the computer program 110, and the compiler 112 are tangibly embodied in a computer-readable medium, e.g., data storage device 120, which could include one or more fixed or removable data storage devices, such as a zip drive, floppy disc drive 124, hard drive, CD-ROM drive, tape drive, etc. Further, the operating system 108 and the computer program 110 are comprised of instructions which, when read and executed by the computer 102, cause the computer 102 to perform the steps necessary to implement and/or use the present invention.
Computer program 110 and/or operating instructions may also be tangibly embodied in memory 106 and/or data communications devices, thereby making a computer program product or article of manufacture according to the invention. As such, the terms "article of manufacture" and "computer program product" as used herein are intended to encompass a computer program accessible from any computer readable device or media.
The host computer 102 may be communicatively coupled to a remote computer or server 134 via communication medium 132 such as a dial-up network, a wide area network (WAN), local area network (LAN), virtual private network (VPN) or the Internet. Program instructions for computer operation, including additional or alternative application programs can be loaded from the remote computer/server 134. In one embodiment, the computer 102 implements an Internet browser, allowing the user to access the world wide web (WWW) and other internet resources.
Those skilled in the art will recognize that many modifications may be made to this configuration without departing from the scope of the present invention. For example, those skilled in the art will recognize that any combination of the above components, or any number of different components, peripherals, and other devices, may be used with the present invention.
FIG. 2 is a block diagram illustrating the components of one embodiment of a personal key 200. The personal key 200 communicates with and obtains power from the host computer 102 through a USB-compliant communication path in the USB-compliant interface 130 which includes the input/output port 130A of the host computer 102 and a matching input/output (I/O) port 130B on the personal key 200. The processor 212 is communicatively coupled to a memory 214, which stores data and instructions to implement the above-described features of the invention. In one embodiment, the memory 214 is a non-volatile random-access memory that can retain factory-supplied data as well as customer-supplied application related data. The processor 212 may also include some internal memory for performing some of these functions.
The processor 212 is optionally communicatively coupled to an input device 218 via an input device communication path 224 and to an output device 222 via an output device communication path 224, both of which are distinct from the USB-compliant interface 130. These separate communication paths 220 and 224 allow the user to view information about processor 212 operations and provide input related to processor 212 operations without allowing a process or other entity with visibility to the USB-compliant interface 130 to eavesdrop or intercede. This permits secure communications between the key processor 212 and the user. In one embodiment of the invention set forth more fully below, the user communicates directly with the processor 212 by physical manipulation of mechanical switches or devices actuatable from the external side of the key (for example, by pressure-sensitive devices such as buttons and
Figure imgf000010_0001
invention set forth more fully below, the input device includes a wheel with tactile detents indicating the selection of characters.
The input device and output devices 218, 222 may cooperatively interact with one another to enhance the functionality of the personal key 200. For example, the output device 222 may provide information prompting the user to enter information into the input device 218. For example, the output device 222 may comprise a visual display such as an alphanumeric LED or LCD display (which can display Arabic numbers and/or letters) and/or an aural device. The user may be prompted to enter information by a beeping of the aural device, by a flashing pattern of the LED, or by both. The output device 222 may also optionally be used to confirm entry of information by the input device 218. For example, an aural output device may beep when the user enters information into the input device 218 or when the user input is invalid. The input device 218 may take one of many forms, including different combinations of input devices. Although the input device communication path 220 and the output device communication path 224 are illustrated in FIG. 2 as separate paths, the present invention can be implemented by combining the paths 220 and 224 while still retaining a communication path distinct from the USB-compliant interface 130. For example, the input device 218 and output device 222 may be packaged in a single device and communications with the processor 212 multiplexed over a single communication path.
FIG. 3 is a block diagram of the personal key 200 and host computer 102 as applied to the present invention. Unlike the personal key 200 illustrated in FIG. 2, the personal key 300 illustrated in FIG. 3 comprises a smartcard processor 320. The smartcard processor 300 is a processor which complies with well-known smartcard I/O protocols and smartcard command sets and functions, such as those described by the International Standards Organization (ISO) standard 7816 Part III (defining electronic properties and transmission characteristics), which is hereby incorporated by reference herein. Physically, the smartcard compliant I/O interface 324 includes a serial I/O line, a reset (RST) line, a clock (CLK) line, a programming voltage (VPP), a power supply voltage (VCC) and a ground. This I/O interface 324 is further described in the publication "Introduction to Smartcards" by Dr. David B. Everett, which was published in 1999 by the Smart Card News Ltd., and is incorporated by reference herein.
As was the case with the personal key 200 and host computer 102 illustrated in FIG. 1, the present invention allows the use of a personal key 300 communicating with the host computer 102 via a USB-compliant interface 130. However, the substitution of the smartcard processor 320 for the ordinary processor 212 depicted in FIG. 2 has several advantages. First, smartcard processors 212 are relatively inexpensive and readily available. Second, a large number of application programs 110 have been developed for the use of smartcards, including the personal computer/smartcard (PC/SC) interface developed by the MICROSOFT CORPORATION. By providing a smartcard processor (which complies with the smartcard I/O protocols and supports smartcard command sets), this software can be used with a personal key 300 in a USB-compliant form factor.
The use of the smartcard processor 320 in the personal key 300 is enabled by use of an interface processor 314 communicatively coupled to the smartcard processor 320 via a smartcard-compatible (S/C 7816) interface 324. The interface processor 314 comprises a smartcard reader emulator module (SREM) 316 and a translation module 318. The SREM 316 implements functions that emulate those of a smartcard reader, thus projecting the image of a smartcard reader to the smartcard processor 320. The SREM 316 provides all instructions and commands to the smartcard processor 320 and receives messages and responses from the smartcard processor 320 according to the S/C protocol.
The host computer 102 comprises a virtual smartcard reader module (VSRM) 302. The VSRM comprises a communication module 312, an answer-to-reset module 308, and a smartcard insertion removal reporting module 306. The communication module 312 packages messages intended for the personal key 300 for transmission via the USB-compliant interface. In one embodiment, messages and commands that are sent to the personal key 300 are packaged as:
USB command = USB header + USB cdata (wherein USB cdata is the smartcard compliant command)
and messages and responses from the personal key 300 are packaged as:
USB response = USB header + USB rdata (wherein USB rdata is the smartcard compliant response)
These packaged messages are unpacked by the translation module 318 in the personal key 300. Similarly, messages transmitted by the smartcard processor 320 to the host computer 102 are packaged by the translation module 318 and unpackaged by the communication module 312 before being provided to the operating system 108, the application program interface 260, and the application 110 using the personal key 300 to perform operations.
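The packaging and unpackaging round trip described above, as an added example that is not code from the patent. The header layout (one kind byte plus a two-byte length), the kind values, the payload cap and the `SimulatedCard` fixture are assumptions made for illustration; both ends reject a frame whose declared length disagrees with the bytes that arrived.

```python
import struct
from typing import Tuple

# Hypothetical header: 1-byte message kind + 2-byte big-endian payload length.
HEADER = struct.Struct(">BH")
KIND_READER_RESET = 0x01   # hypothetical: reader-level reset request
KIND_CARD_COMMAND = 0x02   # hypothetical: cdata is a smartcard command
KIND_RESPONSE = 0x81       # hypothetical: rdata is the smartcard response
MAX_PAYLOAD = 261          # assumed cap, sized for a short command APDU


class FramingError(ValueError):
    """A packaged message is malformed or arrives in the wrong state."""


def package(kind: int, data: bytes = b"") -> bytes:
    """USB message = USB header + USB cdata/rdata."""
    if len(data) > MAX_PAYLOAD:
        raise FramingError("payload too large")
    return HEADER.pack(kind, len(data)) + data


def unpackage(frame: bytes) -> Tuple[int, bytes]:
    """Recover (kind, data); the declared length must match what arrived."""
    if len(frame) < HEADER.size:
        raise FramingError("short header")
    kind, length = HEADER.unpack_from(frame)
    data = frame[HEADER.size:]
    if length > MAX_PAYLOAD or length != len(data):
        raise FramingError("length mismatch")
    return kind, data


class SimulatedCard:
    """Constructed stand-in for smartcard processor 320."""
    ATR = bytes.fromhex("3b 92 11 80 01 4b 59 10")  # constructed sample ATR

    def __init__(self) -> None:
        self.powered = False

    def reset(self) -> bytes:
        self.powered = True
        return self.ATR

    def command(self, apdu: bytes) -> bytes:
        if len(apdu) < 4:
            return b"\x67\x00"   # status word: wrong length
        if apdu[1] != 0xA4:
            return b"\x6d\x00"   # status word: instruction not supported
        return b"\x90\x00"       # status word: success


class PersonalKey:
    """Interface processor 314: translation module 318 plus SREM 316."""

    def __init__(self, card: SimulatedCard) -> None:
        self.card = card

    def handle(self, frame: bytes) -> bytes:
        kind, cdata = unpackage(frame)        # translation module unpacks
        if kind == KIND_READER_RESET:
            if cdata:
                raise FramingError("reset carries no data")
            rdata = self.card.reset()         # SREM drives RST, collects ATR
        elif kind == KIND_CARD_COMMAND:
            if not self.card.powered:
                raise FramingError("card has not been reset")
            rdata = self.card.command(cdata)  # forwarded over the S/C interface
        else:
            raise FramingError("unknown message kind")
        return package(KIND_RESPONSE, rdata)  # translation module repackages


class VirtualReader:
    """Host-side VSRM 302 with communication module 312."""

    def __init__(self, key: PersonalKey) -> None:
        self.key = key

    def _exchange(self, kind: int, data: bytes = b"") -> bytes:
        reply = self.key.handle(package(kind, data))  # stands in for USB I/O
        reply_kind, rdata = unpackage(reply)
        if reply_kind != KIND_RESPONSE:
            raise FramingError("unexpected reply kind")
        return rdata

    def reset(self) -> bytes:
        return self._exchange(KIND_READER_RESET)

    def send(self, apdu: bytes) -> bytes:
        return self._exchange(KIND_CARD_COMMAND, apdu)


if __name__ == "__main__":
    reader = VirtualReader(PersonalKey(SimulatedCard()))
    print("ATR:", reader.reset().hex())
    print("SELECT:", reader.send(bytes.fromhex("00a4040000")).hex())
```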
Just as the SREM 316 emulates the presence of a smartcard reader for the smartcard processor 320, the VSRM 302 emulates the presence of a smartcard reader to the OS 108 in the host computer 102. These functions are accomplished in the bootup module 311, the insert/remove module 306, the answer-to-reset module 308, and the PTS module 310.
As a part of a normal bootup sequence, the host computer's 102 operating system performs a startup sequence to determine which hardware elements are available for use. In prior art smartcard systems, the smartcard reader remains coupled to the host computer 102, whether a smartcard is inserted into the reader or not. Hence, the smartcard reader can respond to startup sequence queries, and the smartcard reader is recognized by the operating system 108 for further operations. However, in the present invention, there is no smartcard reader to answer to the bootup query, and the operating system would ordinarily be unable to operate with a smartcard thereafter. To solve this problem, the present invention comprises a bootup module 311, which responds to messages from the operating system 108 in the same way as a smartcard reader would if it were coupled to the host computer 102. Similarly, the insert/remove module 306 provides an indication to the operating system 108 that the personal key 300 has been inserted or removed from the USB-compliant interface 130. This is accomplished by querying the host computer USB-compliant interface port 130A.
When a software application 110, via API 260 and the operating system 108, invokes a command that calls for a smartcard related function, the smartcard reader passes a reset command to the smartcard. The smartcard returns an answer-to-reset message which indicates, among other things, the protocol and I/O interface supported by the attached smartcard.
The reset signal is used to start up the program contained in a memory 322 communicatively coupled to or resident within the smartcard processor 320. The ISO standard defines three reset modes, internal reset, active low reset, and synchronous high active reset. Most smartcard processors 320 operate using the active low reset mode. In this mode, the smartcard processor 320 transfers control to the entry address for the program when the reset signal returns to the high voltage level. The synchronous mode of operation is more commonly met with smartcards used for telephonic applications.
The sequence of operations for activating the smartcard processor 320 is defined in order to minimize the possibility of damaging the smartcard processor 320. Of particular importance is avoiding corruption of the non-volatile memory 322 of the smartcard. Most smartcard processors 320 operate using an active low reset mode in which the smartcard processor 320 transfers control to the entry address for the program when the reset signal returns to the high voltage level. The sequence performed by the smartcard processor includes the steps of setting the RST line low, applying VCC to the proper supply voltage, setting the I/O in the receive mode, setting VPP in the idle mode, applying the clock, and taking the RST line high (active low reset).
In prior art smartcard systems, after the reset signal is applied by the smartcard reader, the smartcard processor 320 responds with an answer-to-reset message. For the active low reset mode, the smartcard processor 320 should respond between 400 and 40,000 clock cycles after the rising edge of the reset signal. The answer-to-reset signal is at most 33 characters, and includes 5 fields including an initial character (TS), a format character (T0), interface characters (TAi, TBi, TCi, and TDi), historical characters (T1, T2, ..., TK), and a check character (TCK). Among other things, the answer-to-reset signal provides an indication of the smartcard protocol(s) which are supported by the smartcard processor. Typical smartcard protocols include the T=0 protocol (asynchronous half duplex byte transmission) and T=1 (asynchronous half duplex block transmission).
In the embodiment of the present invention shown in FIG. 3, the reset signal is provided by the VSRM 302, packaged by the communication module 312, and sent via the USB-compliant interface 130B to the personal key 300. The message is unwrapped by the translation module 318. Then, the smartcard reader emulation module activates the RST signal path in the smartcard interface 324, thus providing the RST command to the smartcard processor 320. The smartcard processor 320 responds with an answer-to-reset message, sends the message via the serial I/O line of the smartcard interface 324 to the interface processor 314. The message is then packaged by the translation module 318 and transmitted to the host computer 102 via the USB-compliant interface 326. The message is then unpackaged by the communication module 312 and provided to the operating system 108 and ultimately, the application 110 that requested the use of the smartcard.
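An added example (not from the patent) that parses the answer-to-reset fields listed above, following the ISO 7816-3 layout, and rejects truncated, over-long or checksum-failing input, which matters because the host receives the ATR from a removable device. The function name and the sample ATR bytes are constructed for this illustration.

```python
from typing import Dict, List

MAX_ATR_LEN = 33  # the text above: "at most 33 characters"


class ATRError(ValueError):
    """The answer-to-reset is malformed."""


def parse_atr(atr: bytes) -> Dict[str, object]:
    """Split an ATR into TS, T0, interface, historical and check characters."""
    if not 2 <= len(atr) <= MAX_ATR_LEN:
        raise ATRError("ATR length out of range")

    ts = atr[0]
    if ts == 0x3B:
        convention = "direct"
    elif ts == 0x3F:
        convention = "inverse"
    else:
        raise ATRError("unknown initial character TS")

    t0 = atr[1]
    historical_len = t0 & 0x0F   # K: number of historical characters
    presence = t0 >> 4           # Y1: which of TA1..TD1 follow
    pos = 2

    interface: Dict[str, int] = {}
    indicated: List[int] = []    # T values announced by the TDi characters
    i = 1
    while True:
        td = None
        for bit, name in ((0x1, "TA"), (0x2, "TB"), (0x4, "TC"), (0x8, "TD")):
            if presence & bit:
                if pos >= len(atr):
                    raise ATRError("truncated interface characters")
                interface[f"{name}{i}"] = atr[pos]
                if name == "TD":
                    td = atr[pos]
                pos += 1
        if td is None:
            break                # no TDi, so no further interface characters
        indicated.append(td & 0x0F)
        presence = td >> 4       # Y(i+1): presence map for the next group
        i += 1

    historical = atr[pos:pos + historical_len]
    if len(historical) != historical_len:
        raise ATRError("truncated historical characters")
    pos += historical_len

    # TCK is present only when a T value other than 0 is indicated; when
    # present, the XOR of every character from T0 through TCK must be zero.
    has_tck = any(t != 0 for t in indicated)
    if has_tck:
        if pos >= len(atr):
            raise ATRError("missing check character TCK")
        checksum = 0
        for byte in atr[1:pos + 1]:
            checksum ^= byte
        if checksum != 0:
            raise ATRError("TCK mismatch")
        pos += 1

    if pos != len(atr):
        raise ATRError("trailing bytes after ATR")

    # T=15 marks global interface characters and is not a protocol; with no
    # TD1 at all, the card offers T=0 only.
    protocols = sorted({t for t in indicated if t != 15}) or [0]
    return {
        "convention": convention,
        "interface": interface,
        "protocols": protocols,
        "historical": historical,
        "has_tck": has_tck,
    }


if __name__ == "__main__":
    sample = bytes.fromhex("3b 92 11 80 01 4b 59 10")  # constructed sample
    print(parse_atr(sample))
```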
In another embodiment of the present invention, the personal key 300 does not comprise a smartcard processor 320, but rather a special purpose processor which does not respond to messages and commands in the smartcard I/O protocol (such as that which is illustrated in FIG. 1). The present invention can still be used with existing smartcard applications 110, however, because the VSRM 302 and the interface processor 314 can be used to simulate the presence of a smartcard processor 320. When the smartcard software application 110 desires use of the personal key 300, the VSRM accepts the reset command from the PC/SC modules in the operating system 108, translates the reset message into a functionally equivalent message for the special purpose processor in the personal key 300, and transmits the message to the personal key 300. After the personal key 300 is activated, it sends a message indicating as such to the host computer 102. The VSRM 302 translates this message to a response that is compatible with the smartcard application 110, namely, an ATR message. Alternatively, the smartcard command to special purpose processor command translation can occur in the emulation processor 314 in the personal key 300.
Returning to the embodiment disclosed in FIG. 3, after the smartcard processor has issued the ATR message, a protocol type selection (PTS) message may be sent to the smartcard processor 320. The PTS message from the OS 108 is received by the PTS module 310 in the VSRM 302, packaged for transmission via the USB-compliant interface 130 to the personal key 300, where it is unpackaged and provided to the smartcard processor 320. The smartcard provides a response consistent with the ISO standards to the emulation module 316. The response is packaged, and transmitted over the USB-compliant interface 130 to the host computer 102, where it is unpackaged by the communication module 312 and provided to the operating system.
FIGs. 4A-4D are flow charts presenting exemplary method steps used to practice one embodiment of the present invention. When the host computer 102 is booted up, the virtual smartcard reader 302 accepts 402 a bootup query from the host computer's operating system 108. Although a smartcard reader is not communicatively coupled to the host computer 130, the virtual smartcard reader 302 emulates the existence of a smartcard reader and provides an indication that a smartcard reader is available to the OS 108. Consequently, when the bootup procedures are completed, a smartcard reader will be registered as an available device to smartcard applications 110.
When the host computer is booted up, a personal key 300 may or may not be communicatively coupled to the USB-compliant interface 130. When a personal key 300 is not attached, the VSRM 302 provides 404 the same indication to the operating system 108 as would be supplied by a smartcard reader without an inserted smartcard. This is accomplished by receiving 406 an indication that the personal key has been communicatively coupled to the USB-compliant interface, and providing an indication to the host computer operating system.
Since the VSRM is emulating the functions of a smartcard, the indication provided 408 to the host computer operating system (or equivalently, the personal computer/smartcard (PC/SC) interface modules therein) is that of an insert event.
If desired and the smartcard processor 320 supports multiple protocols, a protocol type selection (PTS) command may be issued by the operating system 108. The VSRM 302 receives 410 the PTS command, packages the command for transmission to the personal key 300 via the USB-compliant interface 130. The wrapped PTS command is then transmitted over the USB-compliant interface 130 and received by the personal key 300. The PTS command is unwrapped by the translate module 318 in the interface processor 314 and provided to the smartcard processor 320 via the smartcard-compliant interface 324. The smartcard processor computes the appropriate response, sends the response to the interface processor 314, where the response is packaged by the translate module 318 for transmission to the host computer 102 via the USB-compliant interface 130. The communication module 312 unpackages the response, and the PTS module 310 formats the response, if necessary, to be consistent with a PTS response received from a smartcard reader. The formatted response is then provided 412 to the OS 108.
FIG. 4B is a flow chart describing exemplary method steps used to provide commands and/or data from the OS 108 to the smartcard processor 320 and from the smartcard processor 320 to the OS 108. A message, which may comprise a smartcard reader command belonging to a smartcard reader command set is accepted 414 from a host computer operating system 108 in the virtual smartcard reader module (VSRM) 302. The message is packaged 416 for transmission via the USB-compliant interface 130 according to a first message transfer protocol.
The packaged message is then transmitted 418 to the communicatively coupled personal key 300 via the USB-compliant interface 130. The packaged message is received 420 and unpackaged 422 in the personal key 300. If the smartcard reader command requires additional processing before being forwarded to the smartcard processor 320, the smartcard reader command is translated 424 into a smartcard command within the personal key 300 before being provided 426 to the smartcard processor 320. The smartcard processor 320 then performs the indicated operation, and a response is accepted 428 from the smartcard processor 320. If the smartcard response requires further processing by a smartcard reader, the smartcard response is translated 430 into a smartcard reader
Figure imgf000018_0001
reader response is then packaged 432 and transmitted 434 to the host computer 102 via the USB-compliant interface 130. The host computer 102 receives 436 and unpackages 438 the message and provides 440 the response to the smartcard software application 110 that issued the command.
Next, when the personal key 300 is removed, the VSRM 302 reports 444 an indication to the OS 108 that the "virtual smartcard" (the personal key 300) has been removed. The provided indication is the same as that which would be provided by a smartcard reader when a smartcard is removed. The indication can be obtained, for example, by receiving 442 an indication from a USB driver or other device indicating the removal of a USB device.
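The exchange of FIG. 4B together with the insert and removal reporting described above, as an added Python example that is not part of the patent. The frame layout (type byte plus 16-bit length), the message type values, the ATR bytes and the status words returned by the stand-in smartcard processor are assumptions, since the page does not give the wire format of the first message transfer protocol.

```python
import struct
from functools import reduce
from operator import xor

# Assumed framing for the "first message transfer protocol" (not from the patent):
# 1-byte message type, 2-byte big-endian payload length, then the payload.
MSG_RESET, MSG_PTS, MSG_APDU, MSG_ERROR = 0x01, 0x02, 0x03, 0x7F
MAX_PAYLOAD = 261  # short command APDU: 4 header + Lc + 255 data + Le

class FrameError(ValueError):
    """Raised when a frame fails validation."""

def package(msg_type, payload=b""):
    if len(payload) > MAX_PAYLOAD:
        raise FrameError("payload too long")
    return struct.pack(">BH", msg_type, len(payload)) + payload

def unpackage(frame):
    """Validate a frame received over the USB link before using any of it."""
    if len(frame) < 3:
        raise FrameError("truncated header")
    msg_type, length = struct.unpack(">BH", frame[:3])
    if msg_type not in (MSG_RESET, MSG_PTS, MSG_APDU, MSG_ERROR):
        raise FrameError("unknown message type")
    if length > MAX_PAYLOAD or length != len(frame) - 3:
        raise FrameError("declared length does not match frame")
    return msg_type, frame[3:]

class SmartcardProcessor:
    """Stand-in for smartcard processor 320; responses are constructed."""
    ATR = bytes.fromhex("3b00")  # minimal ATR: TS and T0 only

    def reset(self):
        return self.ATR

    def pts(self, request):
        # ISO 7816-3: PPSS is 0xFF and all bytes XOR to zero; acceptance echoes
        # the request. A real card stays silent on rejection; here: empty reply.
        valid = len(request) >= 3 and request[0] == 0xFF and reduce(xor, request) == 0
        return request if valid else b""

    def apdu(self, command):
        if len(command) < 4:
            return bytes.fromhex("6700")  # wrong length
        if command[1] == 0xA4:  # SELECT
            return bytes.fromhex("9000")
        return bytes.fromhex("6d00")  # instruction not supported

class PersonalKey:
    """Interface processor 314: unpackage, translate, forward, package."""
    def __init__(self):
        self.card = SmartcardProcessor()

    def handle_usb(self, frame):
        try:
            msg_type, payload = unpackage(frame)
        except FrameError:
            return package(MSG_ERROR)  # never forward a malformed frame
        handlers = {MSG_RESET: lambda _: self.card.reset(),
                    MSG_PTS: self.card.pts, MSG_APDU: self.card.apdu}
        if msg_type not in handlers:
            return package(MSG_ERROR)
        return package(msg_type, handlers[msg_type](payload))

class VirtualReader:
    """VSRM 302: a reader is always reported; the key plays the card."""
    def __init__(self):
        self.key, self.events = None, []

    def reader_present(self):
        return True  # boot-up query is answered even with no key attached

    def attach(self, key):
        self.key = key
        self.events.append("card inserted")

    def detach(self):
        self.key = None
        self.events.append("card removed")

    def send(self, msg_type, payload=b""):
        if self.key is None:
            raise RuntimeError("no card present")
        reply_type, reply = unpackage(self.key.handle_usb(package(msg_type, payload)))
        if reply_type != msg_type:
            raise FrameError("token rejected the message")
        return reply
```

Both ends run the same `unpackage` check, so a frame whose declared length disagrees with the bytes actually received is rejected on the token before anything reaches the smartcard processor, and on the host before anything reaches the operating system.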
In summary, Tables I and II provide a summary of the communication protocol for an OS 108 command from the host computer 102 to the smartcard processor 320 in the personal key (Table I) and for a smartcard processor 320 response to the operating system 108.
Figure imgf000019_0001
Table I
Figure imgf000019_0002
Table II
Tables III and IV provide a summary of the communication protocol for a request from an application program 110 to the smartcard processor 320 and for a request from an application program 110 to the smartcard processor 320.
Figure imgf000020_0001
Table III
Figure imgf000021_0001
Table IV
Conclusion
This concludes the description of the preferred embodiments of the present invention. In summary, the present invention describes a personal key comprising a USB-compliant interface releaseably coupleable to a host processing device operating under command of an operating system; a smartcard processor having a smartcard processor-compliant interface for communicating according to a smartcard input and output protocol; and an interface processor, communicatively coupled to the USB-compliant interface and to the smartcard processor-compliant interface, the interface processor implementing a translation module for interpreting USB-compliant messages into smartcard processor-compliant messages and for interpreting smartcard processor-compliant messages into USB-compliant messages.
In another embodiment, the invention is described by a method comprising the steps of accepting a message comprising a smartcard reader command selected from a smartcard reader command set from a host computer operating system in a virtual smartcard reader; packaging the message for transmission via a USB-compliant interface according to a first message transfer protocol; transmitting the packaged message to a personal key communicatively coupled to the USB-compliant interface; receiving the packaged message in the personal key; unpackaging the message in the personal key to recover the smartcard reader command; translating the smartcard reader command into a smartcard command within the personal key; and providing the smartcard command to the smartcard processor.
The foregoing description of the preferred embodiment of the invention has been presented for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. It is intended that the scope of the invention be limited not by this detailed description, but rather by the claims appended hereto. The above specification, examples and data provide a complete description of the manufacture and use of the composition of the invention. Since many embodiments of the invention can be made without departing from the spirit and scope of the invention, the invention resides in the claims hereinafter appended.

Claims

WHAT IS CLAIMED IS:
1. A compact personal token (300), comprising: a USB-compliant interface (130B) releaseably coupleable to a host processing device (102) operating under command of an operating system (108); a smartcard processor (320) having a smartcard processor-compliant interface (324) for communicating according to a smartcard input and output protocol; an input device (218) communicatively coupled to the smartcard processor for providing secure input to the processor; an interface processor (314), communicatively coupled to the USB-compliant interface (130B) and to smartcard processor-compliant interface (324) the interface processor (314) implementing a translation module (318) for interpreting USB-compliant messages into smartcard processor-compliant messages and for interpreting smartcard processor-compliant messages into USB-compliant messages.
2. The apparatus of claim 1, wherein the interface processor (314) emulates a smartcard reader to the smartcard processor (320).
3. The apparatus of claim 1, wherein: the host processing device (102) comprises a virtual smartcard reader in communication with the operating system, the virtual smartcard reader for emulating a smartcard reader communicatively coupled to the host processing device (102) and including a communication module (312) for packaging messages for transmission to the personal token (300) via the USB compliant interface (130) according to a first protocol and for unpackaging messages received from the personal token (300) via the USB-compliant interface according to the first protocol; and the interface processor translation module (318) unpackages messages from the host processing device (102) according to the first protocol and packages messages destined for the host processing device (102) according to the first protocol.
4. The apparatus of claim 3, wherein the virtual smartcard reader further comprises a bootup module (311) for responding to an operating system bootup procedure with an indication that a smartcard reader is communicatively coupled to the host processor.
5. The apparatus of claim 3, wherein the virtual smartcard reader further comprises an answer-to-reset (ATR) module (308) for providing an ATR message to the operating system (108) in response to a reset message.
6. The apparatus of claim 3, wherein the virtual smartcard reader further comprises a reporting module for receiving and reporting the insertion of the personal token in a USB-compliant port communicatively coupled to the host processor (102) and the removal of the personal token as a removal of a smartcard from a smartcard reader.
7. The apparatus of claim 3, wherein the virtual smartcard reader further comprises a protocol selection module for receiving a protocol type selection (PTS) command from the operating system and providing a PTS response message to the operating system (108).
8. A method of communicating between a smartcard processor (320) in a personal key (300) communicatively coupled to a host computer (102) via a USB-compliant interface (130), comprising the steps of: accepting a message comprising a smartcard reader command selected from a smartcard reader command set from a host computer operating system (108) in a virtual smartcard reader; packaging the message for transmission via a USB-compliant interface (130) according to a first message transfer protocol; transmitting the packaged message to a personal key (300) communicatively coupled to the USB-compliant interface (130); receiving the packaged message in the personal key (300); unpackaging the message in the personal key (300) to recover the smartcard reader command; translating the smartcard reader command into a smartcard command within the personal key (300); and providing the smartcard command to the smartcard processor (320); accepting a user input to the smartcard processor (320) via an input device (218) communicatively coupled to the smartcard processor (320) via an input communication device communication path distinct from the USB-compliant interface (130); accepting a smartcard response from the smartcard processor (320); translating the smartcard response into a smartcard reader response; packaging the smartcard reader response for transmission to the host processor (102) via the USB-compliant interface (130); transmitting the packaged message from the personal key (300) to the host processor (102); receiving the packaged message in the host computer (102); unpackaging the smartcard reader response; and providing the smartcard reader response to the host processor operating system (108).
9. The method of claim 8, further comprising the steps of: accepting a startup query from the host computer operating system (108) in the virtual smartcard reader; and providing an indication that a smartcard reader is communicatively coupled to the host computer to the host computer operating system (108).
10. The method of claim 9, further comprising the steps of: receiving an indication that the personal key (300) has been communicatively coupled to the USB-compliant interface (130); reporting the indication that the personal key (300) is communicatively coupled to the USB-compliant interface (130) to the host processor operating system (108) as the insertion of a smartcard; receiving an indication that the personal key (300) has been communicatively decoupled from the USB-compliant interface (130); and reporting the indication that the personal key has been communicatively decoupled from the USB-compliant interface (130) to the host processor operating system (108) as the removal of the smartcard.
11. The method of claim 8, further comprising the steps of: receiving a protocol type selection (PTS) command from the host computer operating system (108); and providing a PTS response message to the operating system (108).
PCT/EP2001/006816 2000-06-15 2001-06-15 Usb-compliant personal key using a smartcard processor and a smartcard reader emulator WO2001096990A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP01962744A EP1290536A2 (en) 2000-06-15 2001-06-15 Usb-compliant personal key using a smartcard processor and a smartcard reader emulator
AU83866/01A AU8386601A (en) 2000-06-15 2001-06-15 Usb-compliant personal key using a smartcard processor and smartcard reader emulator

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US59445600A 2000-06-15 2000-06-15
US09/594,456 2000-06-15

Publications (2)

Publication Number Publication Date
WO2001096990A2 true WO2001096990A2 (en) 2001-12-20
WO2001096990A3 WO2001096990A3 (en) 2002-04-04

Family

ID=24378943

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2001/006816 WO2001096990A2 (en) 2000-06-15 2001-06-15 Usb-compliant personal key using a smartcard processor and a smartcard reader emulator

Country Status (3)

Country Link
EP (1) EP1290536A2 (en)
AU (1) AU8386601A (en)
WO (1) WO2001096990A2 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4799258A (en) * 1984-02-13 1989-01-17 National Research Development Corporation Apparatus and methods for granting access to computers
EP0936530A1 (en) * 1998-02-16 1999-08-18 Siemens Nixdorf Informationssysteme AG Virtual smart card
WO2000023936A1 (en) * 1998-10-21 2000-04-27 Litronic, Inc. Apparatus and method of providing a dual mode card and reader
EP1001329A2 (en) * 1998-11-10 2000-05-17 Aladdin Knowledge Systems Ltd. A user-computer interaction method for use by flexibly connectable computer systems
WO2000075755A1 (en) * 1999-06-08 2000-12-14 Eutron Infosecurity S.R.L. Identification device for authenticating a user

Cited By (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003079163A2 (en) * 2002-03-13 2003-09-25 Fujitsu Siemens Computers Gmbh Access protection for a computer by means of a transportable storage medium
WO2003079163A3 (en) * 2002-03-13 2004-03-18 Fujitsu Siemens Computers Gmbh Access protection for a computer by means of a transportable storage medium
WO2004031923A1 (en) * 2002-10-07 2004-04-15 Axalto Sa Signature creation device
EP1429283A2 (en) * 2002-12-12 2004-06-16 Giesecke & Devrient GmbH Portable data carrier
EP1724713A3 (en) * 2002-12-12 2007-01-24 Giesecke & Devrient GmbH Portable data carrier
EP1429283A3 (en) * 2002-12-12 2004-07-14 Giesecke & Devrient GmbH Portable data carrier
EP1724713A2 (en) * 2002-12-12 2006-11-22 Giesecke & Devrient GmbH Portable data carrier
WO2004059562A3 (en) * 2002-12-20 2005-01-06 Giesecke & Devrient Gmbh Portable data carrier with network server functionality
US6910638B2 (en) 2003-03-13 2005-06-28 Stmicroelectronics, Inc. Smart card that can be configured for debugging and software development using secondary communication port
US6843423B2 (en) 2003-03-13 2005-01-18 Stmicroelectronics, Inc. Smart card that can be configured for debugging and software development using secondary communication port
US6769622B1 (en) 2003-03-14 2004-08-03 Stmicroelectronics, Inc. System and method for simulating universal serial bus smart card device connected to USB host
US6772956B1 (en) 2003-03-31 2004-08-10 Stmicroelectronics, Inc. Smart card and method that modulates traffic signaling indicative of operational attributes of the smart card and/or transactions between the smart card and USB port of a USB host
US6752321B1 (en) 2003-03-31 2004-06-22 Stmicroelectronics, Inc. Smart card and method that modulates multi-color LED indicative of operational attributes and/or transactions between the smart card and USB port of a USB host
US7178724B2 (en) 2003-04-21 2007-02-20 Stmicroelectronics, Inc. Smart card device and method used for transmitting and receiving secure e-mails
US6945454B2 (en) 2003-04-22 2005-09-20 Stmicroelectronics, Inc. Smart card device used as mass storage device
US7823133B2 (en) 2003-04-23 2010-10-26 Stmicroelectronics, Inc. Smart card device and method for debug and software development
WO2004109529A1 (en) * 2003-05-22 2004-12-16 Nokia Corporation A connection bus, an electronic device, and a system
US7430625B2 (en) 2003-05-22 2008-09-30 Spyder Navigations L.L.C. Connection of a memory component to an electronic device via a connection bus utilizing multiple interface protocols
US7044390B2 (en) 2003-06-02 2006-05-16 Stmicroelectronics, Inc. Smart card emulator and related methods using buffering interface
US7127649B2 (en) * 2003-06-09 2006-10-24 Stmicroelectronics, Inc. Smartcard test system and related methods
FR2856211A1 (en) * 2003-06-11 2004-12-17 Laurent Olivier Philipp Maitre Removable device for user identification and authentication, and signing of user action, has mode of connection to host, memories storing data and software, and microcontroller connected to memories and embedded security sub-set
US7597250B2 (en) 2003-11-17 2009-10-06 Dpd Patent Trust Ltd. RFID reader with multiple interfaces
US7213766B2 (en) 2003-11-17 2007-05-08 Dpd Patent Trust Ltd Multi-interface compact personal token apparatus and methods of use
US7762470B2 (en) 2003-11-17 2010-07-27 Dpd Patent Trust Ltd. RFID token with multiple interface controller
WO2007149671A3 (en) * 2006-06-23 2008-08-28 Sentillion Inc Remote network access via virtual machine
WO2007149671A2 (en) * 2006-06-23 2007-12-27 Sentillion, Inc. Remote network access via virtual machine
US9213513B2 (en) 2006-06-23 2015-12-15 Microsoft Technology Licensing, Llc Maintaining synchronization of virtual machine image differences across server and host computers
US9392078B2 (en) 2006-06-23 2016-07-12 Microsoft Technology Licensing, Llc Remote network access via virtual machine
US8326449B2 (en) 2007-04-05 2012-12-04 Microsoft Corporation Augmenting a virtual machine hosting environment from within a virtual machine
WO2009003682A3 (en) * 2007-07-02 2009-02-26 Giesecke & Devrient Gmbh Execution of applications on a mobile phone card
WO2009003682A2 (en) * 2007-07-02 2009-01-08 Giesecke & Devrient Gmbh Execution of applications on a mobile phone card
GB2486920A (en) * 2010-12-31 2012-07-04 Daniel Cvrcek USB data storage and generation device connected to a host computer as or as an interface to a Human Interface Device
US20140032809A1 (en) * 2012-07-24 2014-01-30 Walton Advanced Engineering Inc. Composite data transmission interface and a judgment method thereof
US8959273B2 (en) * 2012-07-24 2015-02-17 Walton Advanced Engineering Inc. Composite data transmission interface and a judgment method thereof
US20210064767A1 (en) * 2016-11-23 2021-03-04 Entrust Corporation Printer identity and security

Also Published As

Publication number Publication date
WO2001096990A3 (en) 2002-04-04
AU8386601A (en) 2001-12-24
EP1290536A2 (en) 2003-03-12

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWE Wipo information: entry into national phase

Ref document number: 2001962744

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2001962744

Country of ref document: EP

NENP Non-entry into the national phase in:

Ref country code: JP

WWW Wipo information: withdrawn in national office

Ref document number: 2001962744

Country of ref document: EP