AU2006100953A4 - Method of using conventional media as an authentication device - Google Patents


Info

Publication number
AU2006100953A4
Authority
AU
Australia
Prior art keywords
media
client
session
stored
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired
Application number
AU2006100953A
Other versions
AU2006100953A6 (en)
AU2006100953A8 (en)
AU2006100953A9 (en)
Inventor
Debi Brennan
Paul Cuthbert
Gabriel Haythornthwaite
Steve Vujovic
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CASTELAIN Pty Ltd
Original Assignee
CASTELAIN Pty Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2005-11-15
Filing date
2006-11-08
Publication date
2007-01-11
Priority claimed from AU2005906324A
Application filed by CASTELAIN Pty Ltd
Priority to AU2006100953A
Application granted
Publication of AU2006100953A6
Publication of AU2006100953A4
Publication of AU2006100953A8
Publication of AU2006100953A9
Anticipated expiration
Expired (current legal status)

Description

METHOD OF USING CONVENTIONAL MEDIA AS AN AUTHENTICATION DEVICE FOR ONLINE SERVICES

SPECIFICATION: DESCRIPTION

The invention provides a convenient, cheap and secure hardware authentication device for the purposes of accessing online services. The invention uses conventional data storage media, such as Compact Disk, Digital Video Disk (DVD), or Universal Serial Bus (USB) Flash Memory media, as an authentication device, which is used in conjunction with a standard Personal Computer to establish a secure, mutually authenticated session over the Internet. The invention does not require any specialised software to be previously installed on the client's computer.
The media used by the invention may use 'Business Card CD', 'Hockey Rink CD' or similarly sized media. This type of media uses the same underlying technology for storing computer data as a regular Compact Disk, but is smaller and more convenient for a client to carry on their person.
The media used by the invention may employ anti-cloning, obfuscation, or other protection measures to protect part or all of the contents of the media from being copied. These measures may be implemented in a number of different ways, including but not limited to encrypting some of the contents of the media, or deliberately modifying the way in which data is written on the media so as to not show certain files when a person attempts to list or copy the contents of the media. In particular, but without limitation, these measures may be designed to provide an elevated level of protection of any authentication credentials that are stored on the media.
Referring now to the diagram, the invention operates by a Client 10 inserting the Media Device 20 into a standard Personal Computer 30. The autorun feature provided by many computer operating systems, or an action by the Client, is then used to begin the process of running a Security Software component 21 that is stored on the Media Device.
The Security Software component may perform a series of security and other checks once it starts. These checks may include, without limit, checks to confirm that the Security Software component is being run from the Media Device and not from a computer hard drive, checks that the Client's computer has anti-virus software installed or other minimum security requirements, and checks that the Client's computer software environment is supported.
Following the successful completion of these checks, the Security Software component 21 executes the Session Software component 22 that is also stored on the Media Device. The Session Software is the software used to establish a secure session over the Internet with a server. It may be a Web browser, VPN client software, or other client software.
Upon starting, the Session Software component uses the Network Services 31 of the Client Computer 30 to establish a Secure Session 51 over the Internet with a predefined Computer Server 41 that is operated by an Institution 40, using any of a number of possible authentication schemes. These authentication schemes may involve the use of Authentication Credentials 23 that are stored on the Media Device and are unique to each Media Device. The Authentication Credentials could, for example, be a digital key and certificate pair.
In a preferred form of the invention, the Session Software 22 is a Web browser, and the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) Internet security protocol is used to establish a mutually authenticated secure browser session between the Client Computer 30 and the Web server 41. In this case the Authentication Credentials 23 are a digital key and certificate pair suitable for SSL client authentication.
In another preferred form of the invention, the Session Software 22 is a Virtual Private Network (VPN) client, and a VPN protocol such as SSL or the Layer 2 Tunnelling Protocol with IP Security (L2TP/IPsec) is used to establish a secure VPN session between the Client Computer 30 and a VPN Server 41. In this case the Authentication Credentials 23 are a digital key and certificate pair suitable for VPN client authentication.
The Session Software component 22 may be customised to include, without limitation, functionality to automatically connect to a predefined Computer Server 41, functionality to prompt the Client to select from one of multiple possible Computer Servers to connect to, functionality to enhance the Client's user experience, functionality to automatically detect the correct pathway to the Internet by trial and error or by using proxy configuration information read from the Client Computer, functionality to download and use specialised content for the current session such as virus signature information or other security-relevant information, and functionality to authenticate the Client to the Computer Server. The Session Software may also be built or deliberately configured so as to only include the required functionality for the session, and to not include unnecessary functionality that may pose a potential security risk, such as Web scripting technologies or support for 'rich' Web content.
Once the Secure Session has been established, additional security checks may be performed by the Security Software 21 or Session Software 22 components, based on information that is automatically downloaded across the Internet. This provides a way of dynamically responding to any newly identified security threats, such as threats from new computer viruses or vulnerabilities in the Media Device itself.
Once the Secure Session has been established, and before or after any additional security checks have been performed, the Computer Server 41 can identify the Media Device 20 based on the Authentication Credentials 23 that were used to establish the session, for example by extracting information from a digital certificate. The Computer Server can then identify the Client 10 based on Customer Database records 42 of who the Media Device was issued to.
Once the Client has been identified, the Computer Server may prompt the Client for a password or similar response within the secure session before providing them with access to online services. This password or response can be checked using information from the Customer Database 42. The use of an additional authentication step in this manner provides 'two-factor authentication', where one factor is provided by the Authentication Credentials 23 that are stored on the Media Device, and the other factor is the information that is entered by the Client.
The Client's password or response could utilise any number of a range of existing technologies for Client authentication. For example, the response could be a simple password value that is entered by the Client, the client may have to enter a password by using their mouse to click on a visual representation of a keyboard or number pad, or the client may have to use a separate device such as a One-Time-Password (OTP) token or Transaction Number (TAN) sheet to obtain the correct password for the session.
When the Computer Server checks the Client?s password or response, a limited number of attempts may be allowed before temporarily or permanently disabling the Client?s account, to help protect against attempts at guessing the correct value.
By using Authentication Credentials 23 that do not include any information about the Client 10, the Media Devices 20 can be manufactured in advance of these devices being issued 52 to Clients by the Institution's Customer Services 43 (or similar) department. This represents a non-standard use of Public Key Infrastructure (PKI) technology, because unlike with most PKI implementations, the digital certificates used by the Media Devices do not directly bind a public key to a Client, but instead bind a public key to a Media Device 20, which is then bound to the Client using the Customer Database 42.
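The server-side half of the flow in the preceding paragraphs (identifying the Media Device from the TLS client certificate, resolving the Client through the Customer Database, checking the password with a limited number of attempts, and the device-not-client certificate binding) as an added Python illustration that is not part of the patent. It assumes the device identifier is carried in the certificate's commonName, a lockout after three failed attempts, and a PBKDF2 password hash; the peer-certificate dictionary and the database records are constructed samples.

```python
"""Server-side half of the media-device login (constructed illustration,
not the patent's own code): identify the Media Device from the verified TLS
client certificate, map it to a Client through the Customer Database, then
check the second factor with a bounded number of attempts."""
import hashlib
import hmac
import os
import ssl
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumed threshold; the description only says "a limited number"

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# 'subject' is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
# The certificate names only the device; it carries nothing about the client.
SAMPLE_PEER_CERT = {
    "subject": (
        (("organizationName", "Example Institution"),),
        (("commonName", "media-device-000123"),),
    ),
    "issuer": ((("commonName", "Example Institution Device CA"),),),
    "serialNumber": "0A1B2C",
}


def device_id_from_peercert(peercert):
    """Return the commonName of the presented client certificate, or None."""
    if not peercert:  # no certificate presented (or the handshake did not verify one)
        return None
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def build_server_context(cert_chain=None, key_file=None, ca_file=None):
    """TLS server context that demands a client certificate and trusts only the
    institution's own device CA. Paths are caller-supplied; None skips loading."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # mutual authentication, not optional
    if cert_chain:
        ctx.load_cert_chain(cert_chain, key_file)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # no public CAs in the trust store
    return ctx


@dataclass
class ClientRecord:
    client_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    disabled: bool = False


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CustomerDatabase:
    """Stand-in for the Customer Database: which device was issued to whom,
    plus each client's second-factor secret and lockout state."""

    def __init__(self):
        self._issued = {}   # device_id -> client_id
        self._clients = {}  # client_id -> ClientRecord

    def register_client(self, client_id, password):
        salt = os.urandom(16)
        self._clients[client_id] = ClientRecord(client_id, salt, _hash_password(password, salt))

    def issue_device(self, device_id, client_id):
        # The device-to-client binding is made here, at issuance, not in the certificate.
        self._issued[device_id] = client_id

    def client_for_device(self, device_id):
        return self._issued.get(device_id)

    def check_password(self, client_id, password):
        rec = self._clients[client_id]
        if rec.disabled:
            return "locked"
        if hmac.compare_digest(rec.pw_hash, _hash_password(password, rec.salt)):
            rec.failed_attempts = 0
            return "ok"
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_ATTEMPTS:
            rec.disabled = True  # needs a customer-service reset in this model
            return "locked"
        return "bad_password"


def authenticate_session(db, peercert, password):
    """Factor one: the certificate identifies the device. Factor two: the
    client's password. Returns (status, client_id)."""
    device_id = device_id_from_peercert(peercert)
    if device_id is None:
        return "no_client_cert", None
    client_id = db.client_for_device(device_id)
    if client_id is None:
        return "unknown_device", None  # validly signed certificate, but never issued
    return db.check_password(client_id, password), client_id


def demo_database():
    """Constructed sample records: one client, one issued device."""
    db = CustomerDatabase()
    db.register_client("C-42", "correct horse battery staple")
    db.issue_device("media-device-000123", "C-42")
    return db
```

In a live server the `peercert` argument is what `conn.getpeercert()` returns after a handshake performed with the context from `build_server_context`; because `verify_mode` is `CERT_REQUIRED`, a connection without a device certificate never reaches the password step at all.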

Claims (5)

1. A method of using a conventional read-only or read-write media device, like Compact Disc, Digital Video Disc (DVD) or Universal Serial Bus (USB) flash memory media, as an authentication device to establish and conduct a secure session between a client computer and a server over the Internet for secure online services, without requiring any specialised software to have previously been installed on the client computer.
2. A method as claimed in claim 1, where the media used by the invention may use 'Business Card CD', 'Hockey Rink CD', or similarly sized media that is convenient for a client to carry on their person. This media may include an additional protective layer or other technique to provide increased protection against scratches or abrasions.
3. A method as claimed in claim 1, where the media includes a set of cryptographic keys that are required for the authentication process. These keys may be stored on the media in a way that makes it difficult to copy or read them, such as through the use of key obfuscation, hiding of the key file, or other protection measures. They are used to uniquely identify the media device, and do not need to include any information about the client that uses the device.
4. A method as claimed in claims 1, 2 and 3, where a Web browser is stored on the media and is used to automatically establish a mutually authenticated session with a predefined Web server using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) Internet protocol. The Web browser may be customised, without limit, to provide an improved client experience and to improve the security of the session; for example, by automatically connecting to a predefined Web server where the Web server address has been stored on the media device, by severely restricting the number of SSL/TLS digital certificates that the browser will trust, and by deliberately limiting the functionality of the browser.
5. A method as claimed in claims 1, 2 and 3, where a Virtual Private Network (VPN) client application is stored on the media and is used to automatically establish a mutually authenticated session with a predefined VPN server computer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2006100953A AU2006100953A4 (en) 2005-11-15 2006-11-08 Method of using conventional media as an authentication device

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
AU2005906324A AU2005906324A0 (en) 2005-11-15 A method of using Read-Only media as an authentication device for secure online services
AU2005906324 2005-11-15
AU2006100953A AU2006100953A4 (en) 2005-11-15 2006-11-08 Method of using conventional media as an authentication device

Publications (4)

Publication Number Publication Date
AU2006100953A6 (en) 2007-01-11
AU2006100953A4 (en) 2007-01-11 (this publication)
AU2006100953A8 (en) 2007-01-11
AU2006100953A9 (en) 2007-01-11

Family

ID=37649729

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2006100953A Expired AU2006100953A4 (en) 2005-11-15 2006-11-08 Method of using conventional media as an authentication device

Country Status (1)

Country Link
AU (1) AU2006100953A4 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114679260B (en) * 2021-12-20 2024-02-09 北京亿赛通科技发展有限责任公司 Bypass audit compatible extension master key encryption data method, system and terminal

Also Published As

Publication number Publication date
AU2006100953A6 (en) 2007-01-11
AU2006100953A8 (en) 2007-01-11
AU2006100953A9 (en) 2007-01-11

Similar Documents

Publication Publication Date Title
US11057218B2 (en) Trusted internet identity
US11757641B2 (en) Decentralized data authentication
JP6473499B2 (en) System and method for renewing ownership factor certificates
US8365266B2 (en) Trusted local single sign-on
JP5300045B2 (en) Method and apparatus for managing digital identities through a single interface
JP4249181B2 (en) Storage piracy prevention key encryption (SAKE) device method and apparatus for controlling data access to a network
US8978125B2 (en) Identity controlled data center
DK2481185T3 (en) RELAY OBJECT TO MULTI-IDENTITY ACCESS CONTROL TUNNEL
US10142111B2 (en) Binding digitally signed requests to sessions
US10726111B2 (en) Increased security using dynamic watermarking
US20090006232A1 (en) Secure computer and internet transaction software and hardware and uses thereof
US20150200932A1 (en) Single sign on for a remote user session
US20080244689A1 (en) Extensible Ubiquitous Secure Operating Environment
US20070220274A1 (en) Biometric authentication system
WO2012160421A1 (en) Systems and methods for device based secure access control using encryption
US11601281B2 (en) Managing user profiles securely in a user environment
US10298404B1 (en) Certificate echoing for session security
JP2022533193A (en) Mitigating ransomware damage in integrated and isolated applications
JP2009076069A (en) Software maker trust extension application
WO2009065154A2 (en) Method of and apparatus for protecting private data entry within secure web sessions
Anderson et al. Seven deadliest USB attacks
AU2006100953A4 (en) Method of using conventional media as an authentication device
US20130031597A1 (en) Method and equipment for security isolation of a client computer
Panek Security fundamentals
GB2474036A (en) Providing secure access to a computer network

Legal Events

Date Code Title Description
FGI Letters patent sealed or granted (innovation patent)
DA3 Amendments made section 104

Free format text: THE NATURE OF THE AMENDMENT IS AS SHOWN IN THE STATEMENT(S) FILED 14 FEB 2007

DA3 Amendments made section 104

Free format text: THE NATURE OF THE AMENDMENT IS AS SHOWN IN THE STATEMENT(S) FILED 20 DEC 2006

SREP Specification republished
TH Corrigenda

Free format text: IN VOL 21, NO 14, PAGE(S) 1550 UNDER THE HEADING AMENDMENTS, SECTION 104 - AMENDMENTS MADE DELETE ALL REFERENCE TO 2006100953

MK22 Patent ceased section 143a(d), or expired - non payment of renewal fee or expiry