EP3398104A1 - Second dynamic authentication of an electronic signature using a secure hardware module - Google Patents
- Publication number
- EP3398104A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- signature
- key
- activation
- server
- password
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/313—User authentication using a call-back technique via a telephone network
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G06F21/645—Protecting data integrity, e.g. using checksums, certificates or signatures using a third party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2115—Third party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/082—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
Definitions
- The present invention relates to a system for second dynamic authentication of an electronic signature, comprising a secure hardware module, and to a method of dynamic authentication of a signature implementing such a system.
- In some cases, electronic exchanges require an electronic signature that identifies and authenticates the user with a level of security high enough to give the parties confidence and to avoid the risk of incidents or malicious acts.
- These exchanges may concern confidential data of individuals, companies or administrations. In particular, financial transactions must ensure this level of security.
- Secure applications include a first user authentication factor for using a private signature key, which may be immaterial, such as a password, or hardware, such as a USB key or a smart card.
- The user can be a natural person or a machine.
- A known dual authentication system uses, for the second authentication, a one-time password, called "OTP" (one-time password), issued by a hardware device also called a token.
- The user holding the hardware device connects to the application by entering the temporary code provided by this device.
- This temporary code is established synchronously by cryptographic technology.
- The hardware device may be in particular a smart card, or a box (a "token") that is connected to a computer via a USB port.
- This system is a so-called connected technology: it must be connected to a device, which is a drawback because it is not easily portable.
- Another known dual authentication system uses a hardware device for the first authentication and a code for the second. This is particularly the case for automatic bank cash dispensers, which request the entry of a secret code after the insertion of a smart card. This system also entails significant costs.
- Another known double authentication system uses, for the second authentication, a dynamic grid generated by the application according to a particular coding renewed with each request, which is sent to the user. The user then enters his password on the grid, which encrypts the password.
- This system, used in particular by banks to secure orders placed over the Internet, poses in particular the problem that entering the password on the dynamic grid is not very simple for the signatory.
- It entails costs for creating and distributing dynamic grids.
- Another known double authentication system uses the signatory's biometric data for the second authentication.
- This system, already used for example to unlock smartphones, includes a sensor that reads the fingerprint of a finger placed on it in order to recognize it.
- Another known double authentication system uses, for the second authentication, an asynchronous OTP single-use password, generated after each first authentication, which is sent to the user's telephone as an "SMS" (short message service) message. This system is used in particular to secure bank orders.
- The OTP one-time password may be sent in other forms, and to any other kind of connected peripheral hardware able to receive it, such as a smartphone, tablet or computer.
- The present invention aims in particular to avoid these drawbacks of the prior art by establishing, for this double authentication system, a link between the user, the private signature key and, optionally, the document to be signed, within the framework of a protocol guaranteeing the security of the transport of the OTP single-use password throughout the procedure, which in particular eliminates the possibility of network-spying attacks and of interception of a communication between two parties (MITM).
- It proposes, for this purpose, a system for a second dynamic authentication of an electronic signature by a user signing a document, the user having signature keys located in a content container in a signature server, enrollment and signing applications being connected to this server.
- This system is remarkable in that it comprises a secure hardware module intended to be connected to the signature server, comprising means for constructing an activation challenge from a key identifier and an initialization password given by the signatory, and for issuing this challenge to the signature server, which then requests a calculation application to calculate a one-time password to be sent to the signer.
- This secure hardware system constitutes a highly secure external element delivering the activation challenge needed to obtain the second authentication. The challenge is linked to both the signature key and the initialization password, which makes it impossible to access the key contained in the signer's key container without the activation of this module. This gives a high level of security.
- The invention may further comprise one or more of the following features, which may be combined with each other.
- The invention comprises a method of second authentication implementing a system comprising the preceding features.
- The method performs a generation of the signature key comprising a step of transmission, by the signature server to the secure hardware module, of a key identifier, a maximum usage counter and an initialization password, to obtain in return a key pair in the form of a key token linked to the user and contained in the user's key container, which is produced by this module.
- The method performs a request for a signature certificate associated with the generated signature key, successively comprising a request for activation of the signature key, the calculation of a one-time password, and a request for signature of the certificate request.
- The signature key activation request may comprise a step of transmission, by the signature server to the secure hardware module, of a key identifier that has been issued by the signatory and an activation date, to obtain in return an activation challenge, which is then issued to a calculation application that calculates a one-time password from this challenge; then a step of transmission, by the signature server to the secure hardware module, of the key identifier, the one-time password and the certificate signing request, to obtain in return the signed certificate request demonstrating proof of ownership of the key.
- The method can then perform a deposit of the signed certificate with a cryptographic key management infrastructure, to obtain a signature certificate issued to the signature server.
- With a signature application, the method carries out an activation of the signature key for a document, then a signature of this document.
- The activation of the signature key for the document may comprise a step of transmission, by the signature server to the secure hardware module, of the key identifier and the activation date, to obtain in return an activation challenge, which is then issued to a calculation application calculating a one-time password, then a step of transmitting this password to the signer, and then after the entry of this password by the signer and the transmission.
- FIG. 1 presents the environment of a signature server using a second authentication system according to the invention
- FIGS. 2, 3 and 4 show three successive parts of the method of enrolling the signatory by an enrollment application using the second authentication system.
- FIG. 5 shows the next part of the method comprising the signature of a document by a signature application.
- FIG. 1 shows a signature server 4 comprising a signature server application presenting a signature module 6 and a user management module 8 carrying out exchanges with a database 10.
- The signature server application 4 includes an "administrator" web service 12, which exchanges with an external client enrollment application 14 for the signatory and with an OTP single-use password calculation application, and a "signature" web service, which exchanges with an external client signature application.
- The signature server application 4 also includes a software framework 16.
- The signature server application 4 exchanges with an external secure hardware module 18 of the "HSM" type (Hardware Security Module), via a standard public key cryptography interface of the "PKCS" type (Public Key Cryptography Standards), using in particular an Internet exchange security protocol based on SSL (Secure Sockets Layer).
- FIGS. 2, 3, 4 and 5 show on the left the enrollment application 14 of the signatory or the signature application 122, which is the external client application, comprising a user interface 20 of the application facing the signatory 30, and a communication module 22 for communicating with the signature server 4, using the SOAP message transmission protocol.
- The signature server 4 comprises the web service software, which exchanges with the communication module 22 of the enrollment application 14 or of the signature application 122, and a centralized interface 24 exchanging with the external secure hardware module 18 (HSM), a device reputed to be tamper-proof that offers cryptographic functions and can generate, store and protect cryptographic keys.
- The following steps, shown in Figures 2, 3 and 4, are performed successively to enroll a signer and generate a signature key, then activate this key to perform a certificate request, and finally deposit the certificate obtained from a cryptographic key management infrastructure.
- Figure 2 shows the first part of the registration or enrollment process of the user or signatory, which creates this signer and generates a signature key from an identifier.
- In a first step 32, the signer 30 makes an enrollment request, giving the enrollment application 14 a user name NU and a key activation secret SA, which is the first authentication factor.
- The enrollment application 14 requests the signature server 4 to log on.
- The enrollment application 14 requests the signature server 4 to create a user defining a key container in this server, dedicated to the signer 30, by transmitting to it the user name NU and the activation secret SA of the key container.
- The key container defines a space in the signature server 4, dedicated to the user, containing data that is accessible only by that user.
- In return, in a next step 38, the signature server 4 generates a user identifier IU, which is transmitted to the enrollment application 14; then, in a next step 40, this enrollment application transmits the user identifier IU to the signer 30.
- The signer 30 can request several signature keys for the same container, in order to sign different documents contained in this container differently.
- The generation of the signature key that will allow the second authentication is then performed, carrying out the following steps.
- In a first step 42, to obtain a key identifier IC and to allow access to the container, the signer 30 transmits to the enrollment application 14 the received user identifier IU, the activation secret SA of the key container, a key identifier IC, and an initialization password MdP for the key, which can be provided by a trusted third-party application, to create the second authentication factor system that will be linked to the key.
- In a next step 44, for generating the signature key comprising a public part and a private part that remains hidden in the secure hardware module 18, the enrollment application 14 transmits to the signature server 4 the user identifier IU, the key identifier IC and the initialization password MdP of the key.
- The signature server 4 transmits to the secure hardware module 18 the key identifier IC, a maximum usage counter CU and the initialization password MdP, for it to generate a signature key.
- The secure hardware module 18 uses the initialization password MdP to associate with the generation of the signature key a particular property for building a dynamic secret, also called an OTP password, which is linked to the key and therefore to the user.
- The secure hardware module 18 transmits to the signature server 4 a key token JC associated with the user, forming a pair of keys, also called a "two-key".
- The signature server 4 transmits the key identifier IC to the enrollment application 14, which in turn sends it, in a following step 52, to the user 30.
- The certificate request for activating the signature key is then carried out, comprising the following steps.
- FIG. 3 presents, in a first step 56, the request for activation of the signature key: the enrollment application 14 transmits to the signature server 4 the activation request of the signature key, comprising the user identifier IU, the key identifier IC and the activation secret SA of the key container.
- The signature server 4 transmits to the secure hardware module 18 the key identifier IC and an activation date DA.
- The secure hardware module 18 then associates with the signature key an activation challenge CA, which is calculated from the initialization password MdP, and transmits it in a following step 60 to the signature server 4.
- The signature server 4 transmits the activation challenge CA to the enrollment application 14, which in turn transmits it, in a next calculation step 64, to an OTP calculation application 66, which calculates from this challenge a dynamic activation secret, namely an OTP one-time password.
- The OTP calculation application 66 transmits the OTP one-time password to the enrollment application 14.
- The enrollment application 14 transmits to the signature server 4 a certificate signing request ("CSR"), coupled to the signature key, comprising the user identifier IU, the key identifier IC, the activation secret SA of the key container, and the constructed OTP one-time password.
- In a next step 72, the signature server 4 transmits to the secure hardware module 18 this certificate signing request (CSR), comprising the key identifier IC, the OTP single-use password and the certificate request to be signed CaS.
- The secure hardware module 18 transmits to the signature server 4 the signed certificate request CS, which is then transmitted in a following step 76 to the enrollment application 14.
- The certificate is then deposited in the signature server 4, comprising the following steps.
- In a first step 78, the enrollment application 14 transmits the certificate request to an external cryptographic key management infrastructure "IGC" (abbreviation for key management infrastructure).
- The key management infrastructure IGC delivers to the enrollment application 14 a signature certificate CdS comprising public data coupled to the signature key.
- The enrollment application 14 deposits the certificate with the signature server 4, by transmitting to it the user identifier IU, the key identifier IC, the activation secret SA of the key container and the signature certificate CdS.
- The signature certificate CdS may conform to the X.509 standard, a cryptographic standard of the International Telecommunication Union for public key infrastructures, which includes a standard electronic certificate format and an algorithm for certification path validation.
- The signature server can directly request the IGC key management infrastructure to issue the certificate to the signature server 4.
- The signature server 4 then verifies that the signature certificate received corresponds to the private key of the signer, then in a next step 86 delivers to the enrollment application 14 the information that the imported signature certificate CdS is available. In a next step 88, the enrollment application 14 presents the signer 30 with the signature key and the available signature certificate CdS.
- In a first step 90, for the signature of a document, the signer 30 delivers to the signature application 122 the activation secret SA of the key container, and optionally the document DOC to be signed. Alternatively, the document to be signed may be provided in a subsequent step.
- For the activation request of the signature key, the signature application 122 then transmits, in a next step 92, the user identifier IU, the key identifier IC and the activation secret SA to the OTP calculation application 66, which in turn transmits these elements to the signature server 4 in a next step 94.
- The signature server 4 makes a request for activation of the signature key, transmitting in a next step 96 the key identifier IC and the activation date DA to the secure hardware module 18, which then establishes an activation challenge CA calculated from the initialization password MdP and, optionally, the digest of the document if it has been provided, and delivers it in a next step 98 to the signature server.
- The signature server 4 delivers the activation challenge CA to the OTP calculation application 66, which on the one hand, in a subsequent operation 102, sends the signer 30 an SMS-type message containing the constructed OTP single-use password, and on the other hand, in a parallel operation 104, informs the signature application 122 of this sending.
- The OTP calculation application 66 can only issue its constructed OTP password if it receives the activation secret SA of the key container and the activation challenge CA. Without this last piece of information, which comes from the secure hardware module 18, the OTP single-use password cannot be delivered, which ensures a good level of security.
- The OTP calculation application 66 does not transmit the OTP single-use password to the signature application 122, so this application cannot perform the signature operation without the intervention of the signer.
- The signature application 122 cannot exchange with the signature server 4 by using the "administrator" web service 12 to request the activation of the key itself, which ensures a good level of security by partitioning the actions allowed from this signature server.
- In a next step 106, the signer 30 enters the OTP one-time password in the signature application 122. The document is then signed, comprising a next step 108 in which the signature application 122 transmits to the "signature" web service 120 of the signature server 4 the signer identifier IS, the key identifier IC, the activation secret SA of the key container, the constructed OTP password and the document DOC to be signed.
- The digest, or fingerprint, of the data to be signed, constituted from the document to be signed, is then signed, comprising a next step 110 in which the signature server 4 transmits to the secure hardware module 18 the key identifier IC, the constructed OTP password and a digest CDOC of the document to be signed.
- The secure hardware module 18 sends back to the signature server 4 the signature CDOCS of the digest of the document to be signed.
- In a next step 114, the "signature" web service 120 of the signature server 4 transmits to the signature application 122 the signed document or the detached signature DS.
- The signature application 122 transmits the signed document to the signatory 30 so that he can retrieve it.
- The secure hardware module 18, which can be easily connected to the signature server 4, thus provides an independent component that generates signature keys and keeps them with a high level of security, and that can deliver the signature CDOCS of data to be signed only if it is given the correct constructed OTP one-time password.
- The signer and the private signature key are linked in this secure hardware module 18, and not at the application level, which provides enhanced security on the use of this key.
- The dynamic nature of the activation secret makes it possible to guarantee the uniqueness of the transactions, eliminating the problem of replay.
- The means known in the prior art for generating OTP single-use passwords only make it possible to authenticate a user with an application; they do not guard against the use of the signature key by another route.
- The signature application 122 and the enrollment application 14 have no knowledge of the secure hardware module 18, which is an external component, so that it is protected from an attack on these software-containing assemblies, which can be more easily broken into.
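The flow described above (key generation from IC, CU and MdP, activation challenge CA, OTP, signature of the digest CDOC) is modelled below as an added example that is not part of the patent. The patent does not say how CA or the OTP are computed, so the PBKDF2/HMAC constructions, the 8-digit OTP, the per-signature meaning of the usage counter and every function name are assumptions, and an HMAC stands in for the private-key signature; the container activation secret SA and the SMS transport are left out.

```python
import hashlib
import hmac
import secrets


class ActivationError(Exception):
    """Raised when the module refuses to activate or use a key."""


def frame(*parts: bytes) -> bytes:
    # Length-prefix each field so field boundaries are unambiguous.
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def derive_otp_key(init_password: str, key_id: str) -> bytes:
    # Assumption: the module and the OTP calculation application both
    # derive this key from the initialization password MdP.
    return hashlib.pbkdf2_hmac("sha256", init_password.encode(),
                               key_id.encode(), 100_000)


def compute_otp(otp_key: bytes, challenge: bytes, digits: int = 8) -> str:
    # Assumption: the OTP is a truncated HMAC of the activation challenge CA.
    mac = hmac.new(otp_key, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class ToyHSM:
    """Hypothetical stand-in for the secure hardware module 18."""

    def __init__(self):
        self._keys = {}

    def generate_key(self, key_id: str, max_uses: int, init_password: str) -> str:
        self._keys[key_id] = {
            "sign_key": secrets.token_bytes(32),  # never leaves the module
            "otp_key": derive_otp_key(init_password, key_id),
            "uses_left": max_uses,                # usage counter CU
            "pending": None,                      # outstanding challenge
        }
        return "JC:" + key_id                     # opaque key token

    def activate(self, key_id: str, activation_date: str,
                 doc_digest: bytes = b"") -> bytes:
        entry = self._keys[key_id]
        if entry["uses_left"] <= 0:
            raise ActivationError("usage counter exhausted")
        nonce = secrets.token_bytes(16)           # makes every CA unique
        challenge = hmac.new(
            entry["otp_key"],
            frame(key_id.encode(), activation_date.encode(), nonce, doc_digest),
            hashlib.sha256).digest()
        entry["pending"] = (challenge, doc_digest)
        return challenge

    def sign(self, key_id: str, otp: str, doc_digest: bytes) -> bytes:
        entry = self._keys[key_id]
        pending, entry["pending"] = entry["pending"], None  # one attempt per CA
        if pending is None:
            raise ActivationError("key not activated")
        challenge, bound_digest = pending
        expected = compute_otp(entry["otp_key"], challenge)
        if not hmac.compare_digest(expected.encode(), otp.encode()):
            raise ActivationError("wrong one-time password")
        if bound_digest and bound_digest != doc_digest:
            raise ActivationError("OTP was issued for another document")
        entry["uses_left"] -= 1
        # HMAC stands in for the private-key signature CDOCS.
        return hmac.new(entry["sign_key"], doc_digest, hashlib.sha256).digest()


def rejected(fn, *args) -> bool:
    try:
        fn(*args)
    except ActivationError:
        return True
    return False


def demo() -> dict:
    # All values below are constructed sample data.
    hsm = ToyHSM()
    hsm.generate_key("IC-1", max_uses=2, init_password="constructed-MdP")
    otp_key = derive_otp_key("constructed-MdP", "IC-1")  # OTP application side
    cdoc = hashlib.sha256(b"constructed document").digest()
    other = hashlib.sha256(b"another document").digest()
    out = {}
    ca1 = hsm.activate("IC-1", "2016-12-26", cdoc)
    otp1 = compute_otp(otp_key, ca1)
    out["signed"] = len(hsm.sign("IC-1", otp1, cdoc)) == 32
    out["replay_rejected"] = rejected(hsm.sign, "IC-1", otp1, cdoc)
    ca2 = hsm.activate("IC-1", "2016-12-26", cdoc)
    out["fresh_challenge"] = ca1 != ca2
    out["other_document_rejected"] = rejected(
        hsm.sign, "IC-1", compute_otp(otp_key, ca2), other)
    ca3 = hsm.activate("IC-1", "2016-12-26", cdoc)
    hsm.sign("IC-1", compute_otp(otp_key, ca3), cdoc)    # second and last use
    out["counter_exhausted"] = rejected(hsm.activate, "IC-1", "2016-12-26", cdoc)
    return out


if __name__ == "__main__":
    print(demo())
```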
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR1563364A FR3046271B1 (en) | 2015-12-28 | 2015-12-28 | SECOND DYNAMIC AUTHENTICATION OF AN ELECTRONIC SIGNATURE USING SECURE HARDWARE MODULE |
PCT/EP2016/082675 WO2017114809A1 (en) | 2015-12-28 | 2016-12-26 | Second dynamic authentication of an electronic signature using a secure hardware module |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3398104A1 (en) | 2018-11-07 |
Family
ID=55806502
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP16825785.5A Withdrawn EP3398104A1 (en) | 2015-12-28 | 2016-12-26 | Second dynamic authentication of an electronic signature using a secure hardware module |
Country Status (4)
Country | Link |
---|---|
US (1) | US20190007218A1 (en) |
EP (1) | EP3398104A1 (en) |
FR (1) | FR3046271B1 (en) |
WO (1) | WO2017114809A1 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10887090B2 (en) * | 2017-09-22 | 2021-01-05 | Nec Corporation | Scalable byzantine fault-tolerant protocol with partial tee support |
CN108900311B (en) * | 2018-08-15 | 2021-04-27 | 江苏恒宝智能系统技术有限公司 | Certificateless Bluetooth key signature method and system |
US20200259663A1 (en) * | 2019-02-07 | 2020-08-13 | Guardtime Sa | One-Time Data Signature System and Method with Untrusted Server Assistance |
FR3102589B1 (en) * | 2019-10-27 | 2022-05-13 | Lex Persona | Open and secure electronic signature request processing system and associated method |
CN114900321B (en) * | 2022-07-14 | 2022-10-14 | 云上人和物联科技有限公司 | Autonomous real-name electronic identity certificate generation system and method |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7210037B2 (en) * | 2000-12-15 | 2007-04-24 | Oracle International Corp. | Method and apparatus for delegating digital signatures to a signature server |
GB0119629D0 (en) * | 2001-08-10 | 2001-10-03 | Cryptomathic As | Data certification method and apparatus |
EP2587715B1 (en) * | 2011-09-20 | 2017-01-04 | BlackBerry Limited | Assisted certificate enrollment |
WO2014106031A1 (en) * | 2012-12-28 | 2014-07-03 | Vasco Data Security, Inc. | Remote authentication and transaction signatures |
EP2819050B1 (en) * | 2013-06-25 | 2019-12-25 | Aliaslab S.p.A. | Electronic signature system for an electronic document using a third-party authentication circuit |
WO2016092318A1 (en) * | 2014-12-12 | 2016-06-16 | Cryptomathic Ltd | Systems and method for enabling secure transaction |
- 2015
  - 2015-12-28 FR FR1563364A patent/FR3046271B1/en active Active
- 2016
  - 2016-12-26 US US16/066,517 patent/US20190007218A1/en not_active Abandoned
  - 2016-12-26 EP EP16825785.5A patent/EP3398104A1/en not_active Withdrawn
  - 2016-12-26 WO PCT/EP2016/082675 patent/WO2017114809A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2017114809A1 (en) | 2017-07-06 |
FR3046271A1 (en) | 2017-06-30 |
US20190007218A1 (en) | 2019-01-03 |
FR3046271B1 (en) | 2018-10-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP2021536698A (en) | Method and device for managing user identification authentication data | |
JP4790731B2 (en) | Derived seed | |
JP5470344B2 (en) | User authentication methods and related architectures based on the use of biometric identification technology | |
WO2018131004A2 (en) | Methods and systems for executing programs in secure environments | |
US20170339138A1 (en) | Multifactor privacy-enhanced remote identification using a rich credential | |
EP3398104A1 (en) | Second dynamic authentication of an electronic signature using a secure hardware module | |
WO2011117486A1 (en) | Non-hierarchical infrastructure for the management of paired security keys of physical persons | |
FR3041195A1 (en) | METHOD OF ACCESSING ONLINE SERVICE USING SECURE MICROCIRCUIT AND SECURITY TOKENS RESTRICTING THE USE OF THESE TOKENS TO THEIR LEGITIMATE HOLDER | |
CN103701919A (en) | Remote login method and system | |
CN101312453A (en) | User terminal, method for login network service system, method for binding and debinding | |
CN110414981A (en) | A kind of homomorphic cryptography method that supporting ZKPs and block chain transaction amount encryption method | |
KR101879758B1 (en) | Method for Generating User Digital Certificate for Individual User Terminal and for Authenticating Using the Same Digital Certificate | |
FR3041798A1 (en) | IMPROVED AUTHENTICATION METHOD AND DEVICE | |
CN108833431A (en) | A kind of method, apparatus, equipment and the storage medium of password resetting | |
CN110533417B (en) | Digital asset management device, issuing method and system | |
CN109347923A (en) | Anti- quantum calculation cloud storage method and system based on unsymmetrical key pond | |
LU93150B1 (en) | Method for providing secure digital signatures | |
Diebold et al. | Self-Sovereign Identity using Smart Contracts on the Ethereum Blockchain | |
KR101204980B1 (en) | Method and System of One-Time Password Authentication Scheme Provide Enhanced Randomness | |
FR3113800A1 (en) | Data exchange between a client and a remote device, for example a secure module | |
CN113869901B (en) | Key generation method, key generation device, computer-readable storage medium and computer equipment | |
Hlaing et al. | Secure One Time Password OTP Generation for user Authentication in Cloud Environment | |
Chakraborty et al. | Generation and verification of digital signature with two factor authentication | |
Chang et al. | A highly efficient and secure electronic cash system based on secure sharing in cloud environment | |
Madhuravani et al. | A comprehensive study on different authentication factors |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: UNKNOWN |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20180713 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |
|
17Q | First examination report despatched |
Effective date: 20190701 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20200114 |