WO2004105309A2 - Access authentication - Google Patents
- Publication number
- WO2004105309A2 (PCT/EP2004/005522, EP2004005522W)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- client
- session secret
- service provider
- server
- key value
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
      - H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
  - H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
    - H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    - H04L63/067—Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Abstract
A method of authenticating a client for a service on a network, wherein the client is authenticated by a service provider and granted permissions for the service if the client can read a service provider session secret, calculate a client session secret, and have the service provider and client session secrets compared successfully by the service provider.
Description
ACCESS AUTHENTICATION
TECHNICAL FIELD
The present invention relates to a method and system for access authentication. In particular, it relates to protecting networks against unauthorized access and to a method and system to securely authenticate network access credentials for clients (or users).
BACKGROUND OF THE INVENTION
In a networked system with authentication, it is typical for multiple computer systems, for example, to be connected together through a communications link, which comprises the network. The network system also provides a degree of security which establishes the services provided by the network that can be accessed by a program or user. Typically, a user is required to "logon" to the network for the system to allow access to the network services it provides. The logon mechanism typically requires the user to enter identification information such as a username and a password or other identification information, hereinafter referred to as credentials. An authentication procedure for validating the entered credentials against known information is carried out to verify that the user is permitted to access the network services. The validation process may involve directly comparing the information or comparing information using well-known encryption and decryption techniques. For example, the network system may store passwords for each user that is allowed to access the network. During the authentication procedure, the entered password for that username or other credentials may be compared with the previously stored password information by using the entered password to encrypt a randomly agreed number. When a match occurs, the user is permitted access to the network services requested. Typically, a separate logon mechanism is required by each network and by the computer system (the local node) to gain access to the local services when a secure local environment is maintained.
Increasingly, users can communicate with a networked computer system over a public communication network or over a wireless communication link. Such communication links, however, are not secure and the transmission of credentials may be easily intercepted and interpreted by a third party, particularly if the credentials have not been encrypted before they are sent over the communication link.
Furthermore, it may be necessary to repeat the authentication procedure and, therefore, users already logged onto the network are prompted to re-enter their credentials for reverification.
In addition to authentication, public key exchange is an important part of communication across a network. Once a user has been authenticated, a secure communication channel must be set up between the user and the network services. This is generally accomplished by the user and a network driver or service provider exchanging a public key, called a session key, for use during communication subsequent to authentication.
Authentication over a network, especially a public network like the Internet or a wireless communication link, is difficult because the communication environment between the client and server is not secure. One known solution is exchanging session keys based on the Diffie-Hellman key exchange protocol. By way of background and to understand the terminology used hereinafter, the basic principles of the Diffie-Hellman key exchange protocol will be explained.
For a one-way function f(x) such as modular exponentiation, it is computationally infeasible to find the value of x from the function value y, where $f(x) = y$. Let p be a large prime number and g a generator of the multiplicative group mod p (that is, the numbers in the range $1, \ldots, p-1$). Then $f(x) = g^x \bmod p$ is generally assumed to be a one-way function. The inverse function, called the discrete log function, is difficult to compute. Thus, use of the function $g^x \bmod p$ as a session key makes it difficult to compute its inverse and therefore, a third party would have difficulty interpreting the session key.
The Diffie-Hellman key exchange protocol as described, for example, in W. Diffie and M. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, vol. 22, no. 6, 644-654, 1976, makes use of this function to generate session keys between two parties (say A and B) which wish to communicate with each other.
The principles of the Diffie-Hellman key exchange protocol are illustrated in Fig. 1. The first party A in step 102 chooses a random integer x from a group $Z_q$ where $Z_q = \{0, 1, \ldots, q-1\}$. This is known as party A's private key value. In step 104 A computes $X = g^x \bmod p$, where p is a prime number and g is a generator. X is known as party A's public key value. In step 106, A transmits its public key value X to party B. In step 108 party B chooses a random integer y from the group $Z_q$ (party B's private key value). In step 110 B computes its public key value, $Y = g^y \bmod p$, and transmits Y to party A in step 112. Finally, party A computes $g^{xy} = (g^y)^x \bmod p$ and party B computes $g^{yx} = (g^x)^y \bmod p$, steps 114, 116. Since $g^{xy} = g^{yx} = k$, parties A and B now have a shared secret key k.
Besides the DH solution, the problem of secure access to services has been the subject of the Kerberos and DSSA/SPX protocols. These protocols are designed to meet many security requirements in networked computer systems. Their deployment is however demanding in both (computer) management effort and setup costs, the latter as a result of the need to have a secure way to set up the key infrastructure. It would instead be desirable to reuse the normally already existing standard management of users and their access rights, and avoid the need for a key infrastructure.
The Kerberos authentication and authorization system is disclosed, for example, in Technical Report, MIT Project Athena, Cambridge, MA, 1987.
For DSSA/SPX see Computer Security by D. Gollmann, J. Wiley, Nov 2000.
SUMMARY OF THE INVENTION
The object of the present invention is to provide user authentication in a network system for clients (or users) already logged onto the network once without having to re-enter credentials more than once and without having to access credentials for the domain. Furthermore, the access authentication that results is not platform dependent.
This is achieved by authenticating a client and granting the client permissions for a service if the client can read a session secret, calculate a session key and successfully have the session key verified by a service provider. The service provider may be provided on a server.
BRIEF DESCRIPTION OF DRAWINGS
Embodiments of the present invention will now be described with reference to the accompanying drawings in which:
Figure 1 illustrates the steps of the Diffie-Hellman key exchange protocol;
Figure 2 illustrates the network system incorporating the access authentication in accordance with an embodiment of the present invention; and
Figure 3 illustrates a flow chart of the method steps of the access authentication of an embodiment of the present invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
As illustrated in Figure 2, in accordance with an embodiment of the present invention, at least one server or service provider 201 is connected to at least one client (user) 203 via a network system 205 which includes a secure communication link that allows the client to authenticate the service provider and provides message integrity and confidentiality protection. The server 201 comprises calculating means 207, 209, 211 and comparison means 213 and a file storage system 215. The client 203 comprises calculating means 217, 219, 221.
The method steps of an embodiment of the present invention will now be described with reference to Figures 2 and 3. In step 301 of Figure 3, the server 201 calculates its private key value Rs in calculating means 207. This may be derived by selecting a random integer from a set of integer values. In step 302, the client 203 calculates its private key value Rc in calculating means 217. Again this may be derived by selecting a random integer from the same set of integer values from which the server's private key value has been selected. In step 303, the server 201 calculates its public key value Ns in calculating means 209. The server's public key value is calculated as follows:
$N_s = A^{R_s} \bmod p$
wherein A is a generator, Rs is the server's private key value and p is a large prime number.
The server's public key value Ns is then stored in a designated secure area in the file system 215, step 304. The designated secure area may comprise at least one secret folder or folders selected from the existing folders on the network. Preferably, the server has one folder for each authentication group, i.e. for each group of users that have the same permissions. The secret folder may be assigned to any folder on the existing network. Preferably, only the server is given write permissions for the secret folder or folders. A system administrator administrates the secret folder or folders by granting certain users read rights to the folders. Therefore, a user that wants authentication would need to have at least read rights for a specific secret folder.
In step 305, the client's public key value Nc is calculated by calculating means 219. The client's public key value Nc is calculated as follows:
$N_c = A^{R_c} \bmod p$
wherein A is a generator, Rc is the client's private key value and p is a large prime number.
In step 306, the client 203 sends the client's public key value Nc to the server 201 over the secured communication link. In step 307, the client 203 retrieves the server's public key value Ns from the file store 215 over the secured communication link, provided that the user on the client 203 has the read rights for the secret folder in which the server's public key value is stored.
In step 308, the client 203 calculates its session key Sc in the calculating means 221 as follows:
$S_c = N_s^{R_c} \bmod p$
In step 309, the client 203 sends its session key Sc to the server 201.
In step 310, the server 201 calculates its session key Ss in the calculating means 211 as follows:
$S_s = N_c^{R_s} \bmod p$
In step 311, the server's session key and the client's session key are compared by the comparison means 213. If the session keys are verified, the server grants permissions to the client for a specific service on the network.
In this way, Diffie-Hellman is used to make a secure exchange of a public key between a server and a client. The public key is based upon a random number selected by the server and placed in a server chosen folder on an existing network. A new public key is constructed for each new authentication. If the user that asks for authentication can read the public key, calculate a session key from the public key and if the session key is verified by the server, the user is authenticated by the server and can then use the specific services he wants to get access to.
This means that all administration of the users is made using the existing read rights for the users on the network. For example, a user requests a service that is guarded by the authentication system of the present invention. The user requests the system administrator to grant read rights to the secret folder on the network. After this is done the server can authenticate the user without further user interaction.
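The following Python simulation is an added illustration of steps 301 to 311 (Figures 2 and 3) and is not code from the patent or any product: the in-memory folder store, the folder name "group-A", the user names and the demo group parameters p and A are all constructed assumptions. It shows why Sc and Ss agree (the Fig. 1 relationship $g^{xy} = g^{yx}$), that a user without read rights on the secret folder cannot obtain Ns, and that a guessed session key fails the comparison at step 311.

```python
# Added example (not from the patent): simulation of the folder-gated
# Diffie-Hellman authentication of steps 301-311 (Figures 2 and 3).
import hmac
import secrets

# Constructed demo parameters: p is the Mersenne prime 2**127 - 1 and A is an
# assumed generator. A deployment would use a vetted, standardized DH group.
P = 2**127 - 1
A = 5
BYTE_LEN = (P.bit_length() + 7) // 8


class SecretFolderStore:
    """Models the file store 215: one secret folder per authentication group.
    Only the server writes a folder; a user reads it only after an
    administrator has granted that user read rights (the step 307 gate)."""

    def __init__(self):
        self._folders = {}      # folder name -> stored server public key N_s
        self._read_rights = {}  # folder name -> set of users with read rights

    def grant_read(self, folder, user):
        self._read_rights.setdefault(folder, set()).add(user)

    def server_write(self, folder, n_s):  # step 304: server stores N_s
        self._folders[folder] = n_s

    def read(self, folder, user):  # step 307: succeeds only with read rights
        if user not in self._read_rights.get(folder, set()):
            raise PermissionError(f"{user!r} has no read rights on {folder!r}")
        return self._folders[folder]


def private_key():
    """Steps 301/302: a random integer from the same set for both parties."""
    return secrets.randbelow(P - 2) + 1  # uniform in [1, p-2]


class Server:
    def __init__(self, store):
        self.store = store
        self.r_s = None

    def publish_public_key(self, folder):
        """Steps 301, 303, 304: fresh R_s and N_s = A^R_s mod p per authentication."""
        self.r_s = private_key()
        self.store.server_write(folder, pow(A, self.r_s, P))

    def verify(self, n_c, s_c):
        """Steps 310, 311: S_s = N_c^R_s mod p, compared with the client's S_c."""
        s_s = pow(n_c, self.r_s, P)
        # Constant-time comparison so the check itself leaks nothing about S_s.
        return hmac.compare_digest(s_s.to_bytes(BYTE_LEN, "big"),
                                   s_c.to_bytes(BYTE_LEN, "big"))


class Client:
    def __init__(self, user, store):
        self.user = user
        self.store = store

    def session_key_material(self, folder):
        """Steps 302, 305, 307, 308: returns (N_c, S_c) with S_c = N_s^R_c mod p,
        i.e. A^(R_s*R_c) mod p, the shared secret of Fig. 1."""
        r_c = private_key()
        n_c = pow(A, r_c, P)
        n_s = self.store.read(folder, self.user)  # PermissionError without rights
        return n_c, pow(n_s, r_c, P)

    def authenticate(self, server, folder):
        """Steps 306, 309: N_c and S_c go to the server over the secured link."""
        n_c, s_c = self.session_key_material(folder)
        return server.verify(n_c, s_c)


def run_demo():
    """Returns (alice_granted, mallory_denied, guess_rejected) for the constructed
    folder 'group-A': alice has read rights, mallory has none."""
    store = SecretFolderStore()
    store.grant_read("group-A", "alice")
    server = Server(store)
    server.publish_public_key("group-A")  # new N_s for this authentication
    alice_granted = Client("alice", store).authenticate(server, "group-A")
    server.publish_public_key("group-A")  # and a fresh one for the next
    try:
        Client("mallory", store).authenticate(server, "group-A")
        mallory_denied = False
    except PermissionError:
        mallory_denied = True
    # Without N_s a party can only guess S_c; a random guess fails step 311.
    n_c = pow(A, private_key(), P)
    guess_rejected = not server.verify(n_c, secrets.randbelow(P))
    return alice_granted, mallory_denied, guess_rejected
```

Calling `run_demo()` returns `(True, True, True)`; because the server publishes a fresh Ns before each attempt, a session key captured from one run is useless for the next.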
Although a preferred embodiment of the method and system of the present invention has been illustrated in the accompanying drawings and described in the foregoing detailed description, it will be understood that the invention is not limited to the embodiment disclosed, but is capable of numerous variations and modifications without departing from the scope of the invention as set out in the following claims.
Claims
CLAIMS :
1. A method of authenticating a client logged onto a network for a service on the network, the method comprising the steps of: the client reading a prestored service provider session secret; the client calculating a client session secret based on the read service provider session secret; and a service provider authenticating the client and granting permissions to the client for the service upon comparison of the service provider session secret and the client session secret.
2. A method according to claim 1, wherein the method further comprises the step of: establishing a secured connection between the client and the service provider, prior to the client reading the prestored service provider session secret, that allows the service provider to authenticate the client and provides message integrity and confidentiality protection.
3. A method according to claim 2, wherein the client and service provider communicate utilising the Diffie-Hellman key exchange protocol.
4. A method according to claim 3, wherein the client session secret is calculated from a service provider public key value and a client private key value; the method further comprising the step of: computing a service provider session secret from the client public key value and the service provider private key value.
5. A method according to claim 4, wherein the client private key value and the service provider private key value are each a random integer selected from the same set of integer values.
6. A method according to claim 4 or 5, wherein the service provider public key Ns is calculated as follows:
$N_s = A^{R_s} \bmod p$,
wherein A is a generator, Rs the service provider private key value and p is a prime number.
7. A method according to any one of claims 4 to 6, wherein the client public key value Nc is calculated as follows:
$N_c = A^{R_c} \bmod p$,
where A is a generator, Rc the client private key value and p is a prime number.
8. A method according to any one of claims 4 to 7, wherein the service provider session key Ss is calculated as follows:
$S_s = N_c^{R_s} \bmod p$,
wherein Rs is the service provider private key value, Nc is the client public key value and p is a prime number.
9. A method according to any one of claims 4 to 8, wherein the client session key Sc is calculated as follows:
$S_c = N_s^{R_c} \bmod p$,
wherein Rc is the client private key value, Ns is the service provider public key value and p is a prime number.
10. A method according to any one of the preceding claims, wherein the method further comprises the step of: storing the session secret in a designated secure area.
11. A method according to claim 10, wherein the method further comprises the steps of: determining the client's rights; and allowing the client access to the designated secure area on the basis of the determined rights.
12. A method according to any one of the preceding claims, wherein the method further comprises the step of: generating a session secret for each authentication.
13. A system comprising: at least one server; at least one client in communication with the server; means for authenticating the client for a service, wherein the client comprises means for retrieving a server session secret, means for calculating a client session secret based on the server session secret and the server comprises means for authenticating the client and granting permissions to the client for a service upon comparison of the server session secret and the client session secret.
15. A client in communication with a server, the client including means for retrieving a server session secret and means for calculating a client session secret based on the server session secret such that the server authenticates the client and grants permissions to the client for a service upon comparison of the server session secret and the client session secret.
16. A server in communication with at least one client; the server comprising means for authenticating a client for a service if the client can retrieve a server session secret and be verified upon comparison of the server session secret and a client session secret.
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
EP03253137A EP1480374B1 (en) | 2003-05-20 | 2003-05-20 | Access authentication
EP03253137.8 | 2003-05-20 | |
US47383403P | 2003-05-27 | 2003-05-27 |
US60/473,834 | 2003-05-27 | |
Publications (2)
Publication Number | Publication Date
---|---
WO2004105309A2 (en) | 2004-12-02
WO2004105309A3 (en) | 2005-02-17
Family
ID=33477643
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2004/005522 WO2004105309A2 (en) | 2003-05-20 | 2004-05-21 | Access authentication |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2004105309A2 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5668876A (en) * | 1994-06-24 | 1997-09-16 | Telefonaktiebolaget Lm Ericsson | User authentication method and apparatus |
US6226383B1 (en) * | 1996-04-17 | 2001-05-01 | Integrity Sciences, Inc. | Cryptographic methods for remote authentication |
US20020023213A1 (en) * | 2000-06-12 | 2002-02-21 | Tia Walker | Encryption system that dynamically locates keys |
- 2004-05-21: WO PCT/EP2004/005522 (WO2004105309A2) active Application Filing
Non-Patent Citations (2)
Title |
---|
MENEZES A ET AL: "Handbook of Applied Cryptography, IDENTIFICATION AND ENTITY AUTHENTICATION" HANDBOOK OF APPLIED CRYPTOGRAPHY, CRC PRESS SERIES ON DISCRETE MATHEMATICS AND ITS APPLICATIONS, BOCA RATON, FL, CRC PRESS, US, 1997, pages 385-424, XP002262234 ISBN: 0-8493-8523-7 * |
MENEZES A ET AL: "Handbook of Applied Cryptography, KEY ESTABLISHMENT PROTOCOLS" HANDBOOK OF APPLIED CRYPTOGRAPHY, CRC PRESS SERIES ON DISCRETE MATHEMATICS AND ITS APPLICATIONS, BOCA RATON, FL, CRC PRESS, US, 1997, pages 489-541, XP002304953 ISBN: 0-8493-8523-7 * |
Also Published As
Publication number | Publication date |
---|---|
WO2004105309A3 (en) | 2005-02-17 |
Similar Documents
Publication | Publication Date | Title
---|---|---
Chang et al. | | An efficient and secure multi-server password authentication scheme using smart cards
US7366900B2 (en) | | Platform-neutral system and method for providing secure remote operations over an insecure computer network
EP1927211B1 (en) | | Authentication method and apparatus utilizing proof-of-authentication module
Brainard et al. | | A New Two-Server Approach for Authentication with Short Secrets
US8413221B2 (en) | | Methods and apparatus for delegated authentication
CA2280869C (en) | | System for providing secure remote command execution network
EP2098006B1 (en) | | Authentication delegation based on re-verification of cryptographic evidence
US7865936B2 (en) | | System and method for controlling access to multiple public networks and for controlling access to multiple private networks
JP4790731B2 (en) | | Derived seed
US20010034841A1 (en) | | Method for providing simultaneous parallel secure command execution on multiple remote hosts
EP1147637A1 (en) | | Seamless integration of application programs with security key infrastructure
JP2003536320A (en) | | System, method and software for remote password authentication using multiple servers
EP1697818A2 (en) | | Authentication system for networked computer applications
Tsaur | | A flexible user authentication scheme for multi-server internet services
US20140149738A1 (en) | | Method for accessing a service of a service provider by providing anonymously an attribute or a set of attributes of a user
Bajpai et al. | | Security service level agreements based authentication and authorization model for accessing cloud services
EP1480374B1 (en) | | Access authentication
Bajpai et al. | | Authentication and authorization interface using security service level agreements for accessing cloud services
WO2004105309A2 (en) | | Access authentication
Vandenwauver et al. | | Public Key Extensions used in SESAME V4
WO2005055516A1 (en) | | Method and apparatus for data certification by a plurality of users using a single key pair
Chew et al. | | IAuth: An authentication system for Internet applications
Hakim | | A remote authentication model using smart cards
Zidaric-Sudovacki | | Secure WWW Server for Lotus Notes
Legal Events
Date | Code | Title | Description
---|---|---|---
 | AK | Designated states | Kind code of ref document: A2. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW
 | AL | Designated countries for regional patents | Kind code of ref document: A2. Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
 | 122 | Ep: pct application non-entry in european phase |