AT500770A1 - AUTHORIZATION OF TRANSACTIONS - Google Patents

Description

Authorization of transactions

The invention relates to the authorization check and authorization confirmation of a user for a via a computer network, in particular the Internet, offered and / or rendered service. Transactions over the Internet or other computer networks are routinely required to confirm the user's eligibility to use these services, particularly if financial and / or personal information is involved. The invention relates to transactions based on such services of any kind where an electronic signature is required for authorization of the user, e.g. Telebanking / Internet banking, Internet payments, or the like

Known authorization checking methods use PIN codes that the user inputs at the beginning of a transaction via his computer terminal, or so-called TANs ('transaction numbers') for authorizing one transaction at a time. These methods are often under-secure because the PIN codes can be read by the terminal; Also the danger of a guessing can not be excluded.

In addition, the use of smart cards is known, which are inserted or pulled through for the authentication of the user in a provided by the terminal reading device, wherein an identification of the user is read. This is often perceived as a nuisance by the users of such systems; In addition, the installation of special hardware at the site of the terminal is necessary for this, which is particularly expensive for private users (for example, in home telebanking).

It is an object of the invention to provide a way for an authorization check and acknowledgment independent of the terminal used in a transaction without the need for dedicated hardware.

With regard to a method for checking the authorization, the stated object is achieved by an authorization server to a mobile terminal of a mobile network assigned to the user - whereby this terminal is not involved in the actual performance of the service for which the authorization is being checked - via the mobile radio network an acknowledgment request is sent, and a confirmation message is received from the terminal and evaluated as to whether it has any in relation to the P8999 '···· «· · · · * ······· B ·· ··· ····· * ·· -2-

User expected confirmation message, in the case of a positive evaluation result, the authorization check is considered successful.

The invention allows a verification of the authorization or authenticity of the user in an "authorization dialogue". with a device independent of the parties involved in the transaction, namely a mobile device that is already regularly in use and used by a user. This results in increased security; above all, the risk of manipulation at the terminal of the user - be it by third parties, the access codes "steal". want, or by the user himself - significantly reduced.

In the event that the authorization dialog is performed not by the mobile but by the authorization server, the user's associated terminal may conveniently be designated by the authorization server using a list of authorized users.

Likewise, as regards the authorization confirmation of a user, the invention is solved by a method in which, according to the invention, a confirmation request via the mobile network is received from a mobile terminal of a mobile network assigned to the user, and access characteristics are accepted via an input of the user, and using the An identification message for answering the confirmation request and sent to the sender of the confirmation request; In this case, the terminal is not involved in the performance of the service for which the authorization is being checked, otherwise - ie for purposes other than the authorization or authentication process.

In an advantageous embodiment of the invention, an access key is used to create the confirmation response, which was decrypted using the access characteristics from an encrypted information stored in the memory of the terminal. This can be done by calculating a first key from the access data and decrypting the access key from the encrypted information by means of this first key.

To increase the security, it is also advantageous if the processing of the access code and the confirmation request takes place in a memory area protected from other application programs of the mobile device. P8999 · ····· «· f ······ ··· ♦ # -3-

Under "protected execution " In this disclosure, it is to be understood that the execution of a program in which this program is provided with its own ("protected") area to which other, in particular concurrent application programs have no access, and / or during which the execution of other application programs is not is allowed. The basic idea is to store an encrypted memory block in a persistent data area of the terminal. The key to encrypt the data area is generated from a password that the user has to enter in the terminal. This prevents other application programs from reading the contents of the memory block. The data block in turn contains keys that can be used for authorization and authentication in networks.

The invention is particularly easy to implement for modern mobile phones on which a Java interpreter is set up. Of course, the invention is not limited to Java-enabled mobile devices, but rather any device is in question, on which a software platform is set up, which allows the protected execution of programs.

The invention together with further advantages will be explained in more detail below with reference to a non-limiting embodiment. For this purpose, the attached drawings are used, which show:

Fig. 1 is a schematic overview of the devices and networks involved in the embodiment;

2 shows the registration of a user;

3 shows the authentication of the user;

4 shows the authorization of a transaction.

Three devices are involved in the authorization verification and authentication process according to the invention, namely an authorization server AUS, a data collection device and an authorization device. According to the invention, the authorization device is a terminal MOG of a telecommunication network MFN, from which an access to the Internet IPN or the respective computer data network can be established via the network MFN and communicate with other computers of this network via the protocols used in the Internet can. The connection of the mobile network MFN to the Internet IPN is done in a known manner, e.g. by means of a gateway server GW. In the embodiment considered here, the terminal MOG serving as an authorization device is, for example, P8999.vs. ♦♦♦ · t ·· -4-way a Java-enabled mobile device, the well-known in the art as a so-called "mobile phone". to a mobile network MFN e.g. connected according to the GSM standard.

The data acquisition device in the embodiment considered here is a computer ITS (e.g., a personal computer) connected to the Internet IPN, with which the transactions performed by the user BN are performed via the Internet, e.g. in the context of a telebanking service, which is provided by a server computer TBK of a bank. In an extension of the invention may serve as a data collection device according to the invention, another device, e.g. an Internet server ΓΓ2 through which the transaction messages of the computer ITS are exchanged.

The server computer TBK and the authorization server AUS together form a system for carrying out transactions requiring authorization via the computer network of the Internet. In the example considered here, the servers TBK, OFF are different devices that are interconnected via the Internet; in other implementations of the invention, these devices may also be interconnected or even identical in some other way.

It should be noted that the exchange of messages and signals according to the invention takes place in a known manner and that both the communication paths and the type of network nodes used for this exchange have no influence on the method. Similarly, the network provider of the mobile device merely has the role of a relay station and has no significant involvement in the process for understanding the invention.

In order to be able to use the security services of the mobile device MOG according to the invention, an application program (so-called "application") must be started there. The application is started manually by the user BN or automatically on the basis of a command from the data acquisition device, depending on the options implemented on the mobile device ITS, eg in the form of a short message (via SMS) to the mobile device. The mobile device MOG and the authorization server AUS can now exchange messages with each other, whereby a communication connection can be established in the participating networks as needed

Before the user BN can use a service of the system, the authorizing device, i. the mobile device MOG, access key can be made available. This is preferably done in a logon process, which will be explained below with reference to the signal flow diagram of FIG. 2. In the signal sequence diagram shown here, P8999 1 0 0 9 «« V «mwww 0 0 0 0 9 0 0 0 0 0 9 0 0 0 0 0 0 0 0 0 9 0 0 0 0 0 ···· 0 ·» - 5 times, the time runs from top to bottom, and the digits involved are vertical

Lines are shown between which messages are exchanged symbolized by arrows. 1. On the part of the operator of the service - in the example of the bank server TBK - or the authorization server OFF initialization data are generated ini, which consist of at least a user ID and a password. The initialization data is held by the authorization server AUS (or a memory ASR associated therewith). This data ini is intended for the first login of user BN to the system. The user BN receives this data ini e.g. in writing or in electronic form (for example on chip card) e.g. in a personal message by mail. 2. The user inputs the initialization data ini into his mobile device MOG. The data is e.g. entered via the keyboard. Alternatively, the data may also be recorded in electronic form, e.g. by reading a chip card with this data. 3. On the mobile device, an access key ak (symbolized by a vertical line next to the line of the terminal MOG) is generated, which is to be used subsequently as a key for system access. The access key ak may be e.g. be a symmetric key according to the Triple DES method or an asymmetric key pair (public and private key) according to the RSA method. The key generation is performed by a known method in which the key generation is incomprehensible for third parties, preferably from the initialization data ini e.g. with a so-called 'one way function'. Examples of such one-way functions are known hash algorithms such as SHA-1, MD5 or an encryption algorithm. 4. The access key ak is sent to the authorization server AUS; if it is an asymmetric key pair, only the public key is transmitted. In this case, in particular if the access key ak is a symmetric key, it is expedient if it is encrypted for the transmission. For this encryption, an initialization key ik is used, which is generated from the initialization data ini, so that the initialization key can also be generated by the server AUS and used for decryption. The access key is thus sent as cipher ik [ak]; here and below the notation k [x] is used for an information x encrypted with a key k. In one variant, the authorization server AUS, since the initialization data ini are available to it, on the basis of this generate the access key ak, in which case the transmission of the key ak or its cipher ik [ak] is unnecessary. On the side of the authorization server AUS, the access key ak thus received (possibly after decryption) is stored in an entry e relating to the user BN for later use; In this case, the user BN can also use P8999 * • # ··· «· 9 9 m« ···· * · · «· · ····« «· I ·· ·· ·· ··» ·· «· ·· -6- be identified by a user number that is additionally assigned during the registration process or is an already existing identification number, such as the account number at the bank. Various such entries e, in each case for different users, are held on the server AUS or the associated memory ASR in the form of a list or table file LST. 5. Another security key sk is generated on the mobile device MOG. To do this, the user gives the mobile device a password sp - e.g. in the form of a PIN code - a, and from this password sp, the key sk is derived according to a reproducible method. The password sp, which represents the access identification data in the sense of the invention, can be freely selected by the user and is in particular used by others, e.g. independent of the passwords or PIN codes used by the mobile device (which may be different or equal). 6. The access key ak is encrypted on the mobile device by means of the security key sk and stored securely in this encrypted form (cipher) sk [ak] in the persistent memory of the mobile device MOG. 7. The security key ak and the password sp are deleted (symbolized by a cross in the signal flow diagrams), e.g. by overwriting by other data. This data is therefore held in the mobile device's RAM memory only temporarily in the mobile device and deleted immediately after use, so that they are only in the temporary memory as long as they are needed.

In a variant of the method according to the invention, when the access key ak is sent to the authorization server AUS (in step 4 above), the key ak can also be sent together with further data, e.g. with a MAC number ('Media Access Control', number for identifying hardware components) and / or an address (telephone number) of the mobile device MOG; Furthermore, a signature can be used which is likewise generated on the basis of the initialization data and on the basis of which the authenticity of the data or of the sender can be checked by the server AUS. This data would then also be stored in the entry e associated with the user BN and can be checked. In this way - if appropriate - a binding of the user to a particular terminal or hardware component (SIM card, identified by MAC number component) are enforced.

The data ik [ak], aoc, aor, auc, aur (FIGS. 2 to 4) exchanged with the Java-capable terminal MOG are transmitted in a known manner via an HTTP or HTTPS connection. The connection used in the GSM network MFN for this purpose is set up at the beginning of the respective process and remains upright for the duration of the entire process; Structure P8999 * · · · · · · · · · · · · · · · · · 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 Normally initiated by the user BN or his terminal MOG, a connection originating from the server OUT can take place if the information for reaching the terminal MOG (call address in the network MFN or assigned IP address) is available to the latter. Of course, it is also possible that a connection is made in sections or for each message individually. In other embodiments of the invention, the messages may be transmitted in another suitable manner permitted by the network MFN; A message service, such as SMS, is basically possible if sufficient security of the message transmission is guaranteed.

If required, several access keys can be generated, transferred and stored in this way. The access keys may e.g. for various applications and / or for various purposes of an application, including authentication and authorization. The encryption of the access key may be performed by one and the same security key or by different, e.g. each with its own security key.

By means of this log-in process, the user BN can now participate in the system, as will be explained below with reference to FIGS. 3 and 4. For the authorization of one or more transactions or an authentication, the user enters his password into the mobile device from which the security key is generated, with which in turn the access key can be decrypted for further use. In this case, all the components password sp, security key sk and (in plain text) access key ak are stored in a secure memory area and are thus not accessible to other applications running on the device. For the same reason, each of these data components is conveniently erased at the earliest time, when it is no longer needed, or made illegible (e.g., by overwriting). For reasons of security, these data are only temporarily stored in RAM memory and are not stored in persistent memory.

Referring to FIG. 3, the system authenticates (authorization) in an authorization dialog according to a challenge-response method according to a known manner, the process being performed by the mobile device MOG (based on a corresponding input from the user BN), the data acquisition device ITS or can be triggered by the bank server TBK, eg by your own authorization request aun. The authorization server AUS then sends out a random number m in a confirmation request aoc ('authorization challenge') to the mobile device MOG, which then sends the random number m with the access code P8999 * • · • · ··· · 9 • 9 • Key ak is encrypted and the encrypted number ak [m] in a confirmation message aor ('authorization response') to the server OFF. On the part of the authorization server AUS, the received data is checked as to whether the originally random number is recovered in the decryption of the received number. If the check is positive then the authorization is successful and the authorization server AUS sends a corresponding message aok to the bank server TBK. In this case, no security-relevant information is entered or stored in the data acquisition device ITS.

If necessary, the HTTP connection required for the authorization dialog, as already mentioned above, must first be established by the mobile device MOG (this is not shown in the signal flow diagrams for the sake of clarity). In a variant of the invention, the connection to the terminal can be made starting from the authorization server AUS, provided that the latter has the information necessary for this, in order to sufficiently determine the terminal therefrom; these (e.g., call address in network MFN) may be e.g. be held in the user BN associated entry e.

The authorization of a transaction session ts, which generally may comprise a plurality of individual transactions, takes place as explained below with reference to FIG. 4. When a transaction ts is carried out, the individual transaction processes or the associated transaction data are acquired at the data acquisition device ITS. Thereafter, a unique checksum hsum, e.g. according to a hash algorithm of known kind about the detected transaction (s)), and the thus obtained hash value is displayed to the user BN together with the transaction concerned and made known to the authorization server AUS. This can e.g. There are two ways: a) The data collector sends a copy ts1 of the transaction to the server. This calculates the hash value hsum and sends the hash value hsum and, more favorably, also the transaction (not shown in FIG. 3 for the sake of clarity) to the data acquisition device HS, where the data thus obtained are then displayed. This method variant requires the existence of a secure connection between server OFF and data acquisition device ITS. b) The data acquisition device ITS itself calculates the hash value hsum and sends it together with the transactions ts1 to the authorization server. The server can, if necessary, calculate the hash value from the transaction data and thus verify the integrity of the transaction.

The server AUS then sends the hash value in the form of a confirmation request auc ('authentication challenge') to the mobile device MOG, which takes the hash value csum from this request and displays it to the user. The call address of the MOG mobile device will be P8999 * • • • • ··· • • • '• • •' • * 4 »• • • • • • • • * • • • • · · · · · · · • • · -9 - determined on the basis of the list LST of the server OFF as a data collection device associated terminal. The user BN compares the value csum displayed on the mobile device MOG with that on the data acquisition device, on which, as mentioned, the transaction and, if no error exists, the value csum, have the same hash value hsum. He confirms the correspondence of these displayed values hsum, csum by entering his access codes for the transaction, i. the password sp, in the mobile device. With the security key sk obtained from the password, the access key ak is again decrypted and can be used for a unique authorization with respect to the server, for example by encrypting the hash value with the access key and encrypting the encrypted value ak [csum] in an acknowledgment message. 'authentication response') is sent back to the server OFF. The server decrypts this cipher and checks if the decrypted content csum matches the original hash value hsum. If this check is positive, an authorization confirmation acf is sent to the device ITS, as a result of which the user BN is authorized for the transaction ts.

The method presented above may be extended in a variant with an additional fuse, provided that a further component, such as e.g. a smart card, which is uniquely identifiable and by means of a separate password, e.g. PIN code, is accessible. In this case, the PIN of the chip card is set as a password. If the PEM is now entered in the above-described method in order to decrypt the access key, the authenticity of the chip card is checked in advance by the mobile device and a PIN check by the chip card is initiated. Only when the authenticity of the card has been determined and the smart card has accepted the PIN is the PIN used by the mobile device to provide the access key according to the method described above. This variant offers the additional advantage that one often already for payment functions or the like. can be used in addition to authorization and authentication, without changes to the map would have to be made.

Vienna, the 2 0. F6b. 2003

Claims (6)

P8999 * 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 8 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 8 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 BN) for a service offered and / or provided via a computer network (IPN), characterized in that on the part of an authorization server (AUS) to a user (BN) associated mobile terminal (MOG) of a mobile network (MFN), said Terminal (MOG) at the actual performance of the service for which the authorization is checked is not involved, via the mobile network (MFN) a confirmation request (aoc, auc) is sent, and an acknowledgment message (aor, aur) of the terminal (MOG ) and evaluated to determine whether it corresponds to a confirmation message expected in relation to the user (BN), in which case the authorization check is considered successful in the case of a positive evaluation result. Method according to claim 1, characterized in that the terminal (MOG) associated with the user (BN) is determined by the authorization server (AUS) using a list (LST) of authorized users. 3. A method for authorization confirmation of a user (BN) for a computer network (IPN) offered and / or performed service, characterized in that from the user (BN) associated mobile terminal (MOG) of a mobile network (MFN) a confirmation request ( aoc, auc) is received via the mobile network (MFN) and access codes (ps) are received via an input of the user (BN), and using the access codes, generates an acknowledgment message (aor, aur) for answering the confirmation request (aoc, auc) and sent to the sender of the acknowledgment request, the MOG not being otherwise involved in the performance of the service for which the authorization is being checked. A method according to claim 3, characterized in that an access key (ak) is used to generate the acknowledgment response, which has been decrypted using the access code (ps) from an encrypted information (sk [ak]) stored in the memory of the terminal. P8999., P8999 - 5. The method according to claim 4, characterized in that the access key (ak) is decrypted that from the access characteristics (ps) a first key (sk) is calculated and by means of this first key (sk) of the access key (ak) from the encrypted information (sk [ak]) is decrypted. 6. The method according to any one of claims 3 to 5, characterized in that the processing of the access identification data and the confirmation request takes place in a memory area protected from other application programs of the mobile device. Vienna, the Ts' i)