AU2006100953A4 - Method of using conventional media as an authentication device - Google Patents
Method of using conventional media as an authentication device Download PDFInfo
- Publication number
- AU2006100953A4 AU2006100953A4 AU2006100953A AU2006100953A AU2006100953A4 AU 2006100953 A4 AU2006100953 A4 AU 2006100953A4 AU 2006100953 A AU2006100953 A AU 2006100953A AU 2006100953 A AU2006100953 A AU 2006100953A AU 2006100953 A4 AU2006100953 A4 AU 2006100953A4
- Authority
- AU
- Australia
- Prior art keywords
- media
- client
- session
- stored
- security
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired
Links
Description
O Description 0 z 00 METHOD OF USING CONVENTIONAL MEDIA AS AN AUTHENTICATION DEVICE FOR ONLINE SERVICES SPECIFICATION DESCRIPTION The invention provides a convenient, cheap and secure hardware authentication device for the purposes of accessing online services. The invention uses conventional data storage media, such as Compact Disk Digital Video Disk (DVD), or Universal Serial Bus (USB) Flash Memory media, as an authentication device, which is used in conjunction with a standard Personal Computer to establish a secure, mutually authenticated session over the Internet. The invention does not require any specialised software to be previously installed on the client?s computer.
The media used by the invention may use ?Business Card CD?, ?Hockey Rink CD? or similarly sized media. This type of media uses the same underlying technology for storing computer data as a regular Compact Disk, but is smaller and more convenient for a client to carry on their person.
The media used by the invention may employ anti-cloning, obfuscation, or other protection measures to protect part or all of the contents of the media from being copied. These measures may be implemented in a number of different ways, including but not limited to encrypting some of the contents of the media, or deliberately modifying the way in which data is written on the media so as to not show certain files when a person attempts to list or copy the contents of the media. In particular, but without limitation, these measures may be designed to provide an elevated level of protection of any authentication credentials that are stored on the media.
Referring now to the diagram, the invention operates by a Client 10 inserting the Media Device 20 into a standard Personal Computer 30. The autorun feature O provided by many computer operating systems, or an action by the Client, is then used to begin the process of running a Security Software component 21 that is stored on the Media Device.
0 z 00 The Security Software component may perform a series of security and other checks once it starts. These checks may include, without limit, checks to confirm that the Cc Security Software component is being run from the Media Device and not from a computer hard drive, checks that the Client?s computer has anti-virus software installed or other minimum security requirements, and checks that the Client?s Scomputer software environment is supported.
Following the successful completion of these checks, the Security Software component 21 executes the Session Software component 22 that is also stored on the Media Device. The Session Software is the software used to establish a secure session over the Internet with a server. It may be a Web browser, VPN client software, or other client software.
Upon starting, the Session Software component uses the Network Services 31 of the Client Computer 30 to establish a Secure Session 51 over the Internet with a predefined Computer Server 41 that is operated by an Institution 40, using any of a number of possible authentication schemes. These authentication schemes may involve the use of Authentication Credentials 23 that are stored on the Media Device and are unique to each Media Device. The Authentication Credentials could, for example, be a digital key and certificate pair.
In a preferred form of the invention, the Session Software 22 is a Web browser, and the Secure Sockets Layer (SSL) or Transport Level Security (TLS) Internet security protocol is used to establish a mutually authenticated secure browser session between the Client Computer 30 and the Web server 41. In this case the Authentication Credentials 23 are a digital key and certificate pair suitable for SSL client authentication.
In another preferred form of the invention, the Session Software 22 is a Virtual Private Network (VPN) client, and a VPN protocol such as SSL or the Layer 2 IO Tunnelling Protocol with IP Security (L2TP/IPec), is used to establish a secure VPN Osession between the Client Computer 30 and a VPN Server 41. In this case the Authentication Credentials 23 are a digital key and certificate pair suitable for VPN 0 z client authentication.
00 The Session Software component 22 may be customised to include, without a limitation, functionality to automatically connect to a predefined Computer Server 41, functionality to prompt the Client to select from one of multiple possible Computer Servers to connect to, functionality to enhance the Client?s user experience, functionality to automatically detect the correct pathway to the Internet by trial and error or by using proxy configuration information read from the Client Computer, functionality to download and use specialised content for the current session such as virus signature information or other security-relevant information, and functionality to authenticate the Client to the Computer Server. The Session Software may also be built or deliberately configured so as to only include the required functionality for the session, and to not include unnecessary functionality that may pose a potential security risk, such as Web scripting technologies or support for ?rich? Web content.
Once the Secure Session has been established, additional security checks may be performed by the Security Software 21 or Session Software 22 components, based on information that is automatically downloaded across the Internet. This provides a way of dynamically responding to any newly identified security threats, such as threats from new computer viruses or vulnerabilities in the Media Device itself.
Once the Secure Session has been established, and before or after any additional security checks have been performed, the Computer Server 41 can identify the Media Device 20 based on the Authentication Credentials 23 that were used to establish the session, for example by extracting information from a digital certificate. The Computer Server can then identify the Client 10 based on Customer Database records 42 of who the Media Device was issued to.
Once the Client has been identified, the Computer Server may prompt the Client for a password or similar response within the secure session before providing them with access to online services. This password or response can be checked using INO information from the Customer Database 42. The use of an additional authentication step in this manner provides ?two-factor authentication?, where one factor is provided by the Authentication Credentials 23 that are stored on the Media Device, and the 0 z other factor is the information that is entered by the Client 00 The Client?s password or response could utilise any number of a range of existing Cc technologies for Client authentication. For example, the response could be a simple password value that is entered by the Client, the client may have to enter a password by using their mouse to click on a visual representation of a keyboard or number pad, \O or the client may have to use a separate device such as a One-Time-Password (OTP) token or Transaction Number (TAN) sheet to obtain the correct password for the session.
When the Computer Server checks the Client?s password or response, a limited number of attempts may be allowed before temporarily or permanently disabling the Client?s account, to help protect against attempts at guessing the correct value.
By using Authentication Credentials 23 that do not include any information about the Client 10, the Media Devices 20 can be manufactured in advance of these devices being issued 52 to Clients by the Institution?s Customer Services 43 (or similar) department. This represents a non-standard use of Public Key Infrastructure (PKI) technology, because unlike with most PKI implementations, the digital certificates used by the Media Devices do not directly bind a public key to a Client, but instead bind a public key to a Media Device 20, which is then bound to the Client using the Customer Database 42.
Claims (5)
1. A method of using a conventional read-only or read-write media device, like oCompact Disc Digital Video Disc (DVD) or Universal Serial Bus (USB) flash memory media, as an authentication device to establish and conduct a secure session between a client computer and a server over the Internet for secure online services, without requiring any specialised software to have previously been installed on the client computer.
2. A method as claimed in claim 1, where the media used by the invention may use ?Business Card CD?, ?Hockey Rink CD?, or similarly sized media that is convenient for a client to carry on their person. This media may include an additional protective layer or other technique to provide increased protection against scratches or abrasions.
3. A method as claimed in claim 1, where the media includes a set of cryptographic keys that are required for the authentication process. These keys may be stored on the media in a way that makes it difficult to copy or read them, such as through the use of key obfuscation, hiding of the key file, or other protection measures. They are used to uniquely identify the media device, and do not need to include any information about the client that uses the device.
4. A method as claimed in claims 1, 2 and 3, where a Web browser is stored on the media and is used to automatically establish a mutually authenticated session with a predefined Web server using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) Internet protocol. The Web browser may be customised, without limit, to provide an improved client experience and to improve the security of the session; for example, by automatically connecting to a predefined Web server where the Web server address has been stored on the media device, by severely restricting 6 \O the number of SSL/TLS digital certificates that the browser will trust, and by 0 0deliberately limiting the functionality of the browser. z
5. A method as claimed in claims 1, 2 and 3, where a Virtual Private Network 00 (VPN) client application is stored on the media and is used to automatically establish a mutually authenticated session with a predefined VPN server computer.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2006100953A AU2006100953A4 (en) | 2005-11-15 | 2006-11-08 | Method of using conventional media as an authentication device |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2005906324A AU2005906324A0 (en) | 2005-11-15 | A method of using Read-Only media as an authentication device for secure online services | |
AU2005906324 | 2005-11-15 | ||
AU2006100953A AU2006100953A4 (en) | 2005-11-15 | 2006-11-08 | Method of using conventional media as an authentication device |
Publications (4)
Publication Number | Publication Date |
---|---|
AU2006100953A6 AU2006100953A6 (en) | 2007-01-11 |
AU2006100953A4 true AU2006100953A4 (en) | 2007-01-11 |
AU2006100953A8 AU2006100953A8 (en) | 2007-01-11 |
AU2006100953A9 AU2006100953A9 (en) | 2007-01-11 |
Family
ID=37649729
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
AU2006100953A Expired AU2006100953A4 (en) | 2005-11-15 | 2006-11-08 | Method of using conventional media as an authentication device |
Country Status (1)
Country | Link |
---|---|
AU (1) | AU2006100953A4 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114679260B (en) * | 2021-12-20 | 2024-02-09 | 北京亿赛通科技发展有限责任公司 | Bypass audit compatible extension master key encryption data method, system and terminal |
-
2006
- 2006-11-08 AU AU2006100953A patent/AU2006100953A4/en not_active Expired
Also Published As
Publication number | Publication date |
---|---|
AU2006100953A6 (en) | 2007-01-11 |
AU2006100953A8 (en) | 2007-01-11 |
AU2006100953A9 (en) | 2007-01-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11057218B2 (en) | Trusted internet identity | |
US11757641B2 (en) | Decentralized data authentication | |
JP6473499B2 (en) | System and method for renewing ownership factor certificates | |
US8365266B2 (en) | Trusted local single sign-on | |
JP5300045B2 (en) | Method and apparatus for managing digital identities through a single interface | |
JP4249181B2 (en) | Storage piracy prevention key encryption (SAKE) device method and apparatus for controlling data access to a network | |
US8978125B2 (en) | Identity controlled data center | |
DK2481185T3 (en) | RELAY OBJECT TO MULTI-IDENTITY ACCESS CONTROL TUNNEL | |
US10142111B2 (en) | Binding digitally signed requests to sessions | |
US10726111B2 (en) | Increased security using dynamic watermarking | |
US20090006232A1 (en) | Secure computer and internet transaction software and hardware and uses thereof | |
US20150200932A1 (en) | Single sign on for a remote user session | |
US20080244689A1 (en) | Extensible Ubiquitous Secure Operating Environment | |
US20070220274A1 (en) | Biometric authentication system | |
WO2012160421A1 (en) | Systems and methods for device based secure access control using encryption | |
US11601281B2 (en) | Managing user profiles securely in a user environment | |
US10298404B1 (en) | Certificate echoing for session security | |
JP2022533193A (en) | Mitigating ransomware damage in integrated and isolated applications | |
JP2009076069A (en) | Software maker trust extension application | |
WO2009065154A2 (en) | Method of and apparatus for protecting private data entry within secure web sessions | |
Anderson et al. | Seven deadliest USB attacks | |
AU2006100953A4 (en) | Method of using conventional media as an authentication device | |
US20130031597A1 (en) | Method and equipment for security isolation of a client computer | |
Panek | Security fundamentals | |
GB2474036A (en) | Providing secure access to a computer network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
FGI | Letters patent sealed or granted (innovation patent) | ||
DA3 | Amendments made section 104 |
Free format text: THE NATURE OF THE AMENDMENT IS AS SHOWN IN THE STATEMENT(S) FILED 14 FEB 2007 |
|
DA3 | Amendments made section 104 |
Free format text: THE NATURE OF THE AMENDMENT IS AS SHOWN IN THE STATEMENT(S) FILED 20 DEC 2006 |
|
SREP | Specification republished | ||
TH | Corrigenda |
Free format text: IN VOL 21, NO 14, PAGE(S) 1550 UNDER THE HEADING AMENDMENTS, SECTION 104 - AMENDMENTS MADE DELETE ALL REFERENCE TO 2006100953 |
|
MK22 | Patent ceased section 143a(d), or expired - non payment of renewal fee or expiry |