AU2006100953A6 - Method of using conventional media as an authentication device - Google Patents

Publication number
AU2006100953A6
Authority
AU
Australia
Prior art keywords
client
media
stored
application
session
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired
Application number
AU2006100953A
Other versions
AU2006100953A4 (en)
AU2006100953A9 (en)
AU2006100953A8 (en)
Inventor
Debi Brennan
Paul Cuthbert
Gabriel Haythornthwaite
Steve Vujovic
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CASTELAIN Pty Ltd
Original Assignee
CASTELAIN Pty Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2005906324A
Application filed by CASTELAIN Pty Ltd
Priority to AU2006100953A
Application granted
Publication of AU2006100953A4
Publication of AU2006100953A9
Publication of AU2006100953A6
Publication of AU2006100953A8
Anticipated expiration
Expired

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Description

DESCRIPTION
The invention provides a convenient, cheap and secure hardware authentication device for the purposes of accessing online services. The invention uses removable data storage media, such as Compact Disk (CD), Digital Video Disk (DVD), or other data storage media, as an authentication device, which is used in conjunction with a standard Personal Computer to establish a secure, mutually authenticated session over the Internet. The invention does not require any specialised software to be previously installed on the client's computer.
The media used by the invention may use "Business Card CD", "Hockey Rink CD" or similarly sized media. This type of media uses the same underlying technology for storing computer data as a regular Compact Disk, but is smaller and more convenient for a client to carry on their person.
The media used by the invention may employ anti-cloning, obfuscation, or other protection measures to protect part or all of the contents of the media from being copied. These measures may be implemented in a number of different ways, including but not limited to encrypting some of the contents of the media, or deliberately modifying the way in which data is written on the media so as to not show certain files when a person attempts to list or copy the contents of the media. In particular, but without limitation, these measures may be designed to provide an elevated level of protection of any authentication credentials that are stored on the media.
Referring now to the diagram, the invention operates by a Client inserting the Media Device 20 into a standard Personal Computer 30. The autorun feature provided by many computer operating systems, or an action by the Client, is then used to begin the process of running a Security Software component 21 that is stored on the Media Device.
The Security Software component may perform a series of security and other checks once it starts. These checks may include, without limit, checks to confirm that the Security Software component is being run from the Media Device and not from a computer hard drive, checks that the Client's computer has anti-virus software installed or other minimum security requirements, and checks that the Client's computer software environment is supported.
Following the successful completion of these checks, the Security Software component 21 executes the Session Software component 22 that is also stored on the Media Device. The Session Software is the software used to establish a secure session over the Internet with a server. It may be a Web browser, VPN client software, or other client software.
Upon starting, the Session Software component uses the Network Services 31 of the Client Computer 30 to establish a Secure Session 51 over the Internet with a pre-defined Computer Server 41 that is operated by an Institution 40, using any of a number of possible authentication schemes.
These authentication schemes may involve the use of Authentication Credentials 23 that are stored on the Media Device and are unique to each Media Device. The Authentication Credentials could, for example, be a digital key and certificate pair.
In a preferred form of the invention, the Session Software 22 is a Web browser, and the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) Internet security protocol is used to establish a mutually authenticated secure browser session between the Client Computer 30 and the Web server 41. In this case the Authentication Credentials 23 are a digital key and certificate pair suitable for SSL client authentication.
In another preferred form of the invention, the Session Software 22 is a Virtual Private Network (VPN) client, and a VPN protocol such as SSL or the Layer 2 Tunnelling Protocol with IP Security (L2TP/IPsec) is used to establish a secure VPN session between the Client Computer 30 and a VPN Server 41. In this case the Authentication Credentials 23 are a digital key and certificate pair suitable for VPN client authentication.
The Session Software component 22 may be customised to include, without limitation, functionality to automatically connect to a predefined Computer Server 41, functionality to prompt the Client to select from one of multiple possible Computer Servers to connect to, functionality to enhance the Client's user experience, functionality to automatically detect the correct pathway to the Internet by trial and error or by using proxy configuration information read from the Client Computer, functionality to download and use specialised content for the current session such as virus signature information or other security-relevant information, and functionality to authenticate the Client to the Computer Server. The Session Software may also be built or deliberately configured so as to only include the required functionality for the session, and to not include unnecessary functionality that may pose a potential security risk, such as Web scripting technologies or support for "rich" Web content.
Once the Secure Session has been established, additional security checks may be performed by the Security Software 21 or Session Software 22 components, based on information that is automatically downloaded across the Internet. This provides a way of dynamically responding to any newly identified security threats, such as threats from new computer viruses or vulnerabilities in the Media Device itself.
Once the Secure Session has been established, and before or after any additional security checks have been performed, the Computer Server 41 can identify the Media Device 20 based on the Authentication Credentials 23 that were used to establish the session, for example by extracting information from a digital certificate. The Computer Server can then identify the Client based on Customer Database records 42 of who the Media Device was issued to.
Once the Client has been identified, the Computer Server may prompt the Client for a password or similar response within the secure session before providing them with access to online services. This password or response can be checked using information from the Customer Database 42. The use of an additional authentication step in this manner provides "two-factor authentication", where one factor is provided by the Authentication Credentials 23 that are stored on the Media Device, and the other factor is the information that is entered by the Client.
The Client's password or response could utilise any number of a range of existing technologies for Client authentication. For example, the response could be a simple password value that is entered by the Client, the client may have to enter a password by using their mouse to click on a visual representation of a keyboard or number pad, or the client may have to use a separate device such as a One-Time-Password (OTP) token or Transaction Number (TAN) sheet to obtain the correct password for the session.
When the Computer Server checks the Client's password or response, a limited number of attempts may be allowed before temporarily or permanently disabling the Client's account, to help protect against attempts at guessing the correct value.
Once the Client has been successfully authenticated, the Computer Server may pass additional information to the Client for use during that session. In particular, the Computer Server may retrieve a specific cryptographic key that relates to that Client from the Customer Database 42 and pass this key over the secure session to the Security Software 21 or Session Software 22 component. This key may then be used to "unlock" a file or additional key material that is stored on the Client Computer 30 or Media Device 20. The unlocked file or media device may be used for a number of different purposes, such as to digitally sign individual transactions to the Computer Server or to access local data that is otherwise secure.
By using Authentication Credentials 23 that do not include any information about the Client 10, the Media Devices 20 can be manufactured in advance of these devices being issued 52 to Clients by the Institution's Customer Services 43 (or similar) department. This represents a nonstandard use of Public Key Infrastructure (PKI) technology, because unlike with most PKI implementations, the digital certificates used by the Media Devices do not directly bind a public key to a Client, but instead bind a public key to a Media Device 20, which is then bound to the Client using the Customer Database 42.
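The server-side flow described above (device identified from its certificate, client looked up in the Customer Database, password checked with a limited number of attempts) can be sketched as follows. This is an added example, not code from the patent or its applicant; the class and function names, the use of a SHA-256 certificate fingerprint as the device identifier, the PBKDF2 password record and the limit of three attempts are all assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # assumed value; the description only says "a limited number"

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CustomerDatabase:
    """Hypothetical stand-in for the Customer Database 42."""

    def __init__(self):
        self.devices = {}  # certificate fingerprint -> client id
        self.clients = {}  # client id -> password record and lockout state

    def enrol_client(self, client_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.clients[client_id] = {"salt": salt, "pw": _pw_hash(password, salt),
                                   "failures": 0, "disabled": False}

    def issue_device(self, cert_der: bytes, client_id: str) -> None:
        # The certificate names no client; the binding is created only at issuance.
        self.devices[fingerprint(cert_der)] = client_id

def authenticate(db: CustomerDatabase, peer_cert_der: bytes, password: str):
    """Return (client_id, status) for a session whose client certificate the
    TLS layer has already verified (for example the bytes returned by
    ssl.SSLSocket.getpeercert(binary_form=True))."""
    client_id = db.devices.get(fingerprint(peer_cert_der))
    if client_id is None:
        # Valid certificate, but manufactured stock that was never issued.
        return None, "device-not-issued"
    rec = db.clients[client_id]
    if rec["disabled"]:
        return client_id, "account-disabled"
    if hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"]):
        rec["failures"] = 0
        return client_id, "ok"
    rec["failures"] += 1
    if rec["failures"] >= MAX_ATTEMPTS:
        rec["disabled"] = True
    return client_id, "bad-password"
```

Because the certificates are created before issuance, the database lookup is the only thing that separates an issued device from unissued stock, so a certificate that validates but has no issuance record is rejected before any password is considered.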

Claims (3)

  2. A method as claimed in claim 1, where the media includes a set of cryptographic keys that are required for the authentication process and are stored on the media in a way that makes it difficult to copy or read them. This may be through the use of key obfuscation, hiding of the key file, or other protection measures. They are used to uniquely identify the media device, and do not need to include any information about the client that uses the device.
  3. A method as claimed in claims 1 and 2, where an application is stored on the media and is used to automatically establish a mutually authenticated session with a predefined Web server using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) Internet protocol. The application is designed to provide an improved client experience and to improve the security of the session; for example, by automatically connecting to a predefined Web server where the Web server address has been stored on the media device, by severely restricting the number of SSL/TLS digital certificates that the application will trust, and by deliberately limiting the functionality of the application.
  4. A method as claimed in claims 1 and 2, where a Virtual Private Network (VPN) client application is stored on the media and is used to automatically establish a mutually authenticated session with a predefined VPN server computer.
  5. A method as claimed in claims 3 or 4, where following authentication of the client by the Web or VPN server, the server passes a client-specific cryptographic key to the client software for the purposes of "unlocking" additional information that may be stored on the client computer or on the media device. This key could be used, for example, to unlock a second cryptographic key that is stored encrypted on the media device and is used by the Web browser or VPN client application to digitally sign individual transactions or to decrypt local files.
AU2006100953A 2005-11-15 2006-11-08 Method of using conventional media as an authentication device Expired AU2006100953A6 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2006100953A AU2006100953A6 (en) 2005-11-15 2006-11-08 Method of using conventional media as an authentication device

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
AU2005906324 2005-11-15
AU2005906324A AU2005906324A0 (en) 2005-11-15 A method of using Read-Only media as an authentication device for secure online services
AU2006100953A AU2006100953A6 (en) 2005-11-15 2006-11-08 Method of using conventional media as an authentication device

Publications (4)

Publication Number Publication Date
AU2006100953A4 (en) 2007-01-11
AU2006100953A9 (en) 2007-01-11
AU2006100953A6 (en) 2007-01-11
AU2006100953A8 (en) 2007-01-11

Family

ID=37649729

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2006100953A Expired AU2006100953A6 (en) 2005-11-15 2006-11-08 Method of using conventional media as an authentication device

Country Status (1)

Country Link
AU (1) AU2006100953A6 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114679260A (en) * 2021-12-20 2022-06-28 北京亿赛通科技发展有限责任公司 Method, system and terminal for encrypting data by compatibly extending main key through bypass audit
CN114679260B (en) * 2021-12-20 2024-02-09 北京亿赛通科技发展有限责任公司 Bypass audit compatible extension master key encryption data method, system and terminal

Also Published As

Publication number Publication date
AU2006100953A4 (en) 2007-01-11
AU2006100953A9 (en) 2007-01-11
AU2006100953A8 (en) 2007-01-11

Similar Documents

Publication Publication Date Title
US11757641B2 (en) Decentralized data authentication
US8978125B2 (en) Identity controlled data center
US7346775B2 (en) System and method for authentication of users and web sites
Josang et al. Usability and privacy in identity management architectures
US8365266B2 (en) Trusted local single sign-on
DK2481185T3 (en) RELAY OBJECT TO MULTI-IDENTITY ACCESS CONTROL TUNNEL
US20100313018A1 (en) Method and system for backup and restoration of computer and user information
US20080244689A1 (en) Extensible Ubiquitous Secure Operating Environment
JP2006120148A (en) Authentication with expiring binding digital certificate
WO2012160421A1 (en) Systems and methods for device based secure access control using encryption
EP2465246A1 (en) Layered protection and validation of identity data delivered online via multiple intermediate clients
US20100257359A1 (en) Method of and apparatus for protecting private data entry within secure web sessions
AU2006100953A6 (en) Method of using conventional media as an authentication device
Panek Security fundamentals
GB2474036A (en) Providing secure access to a computer network
WO2007127349A2 (en) Secure user environment software
Tijms et al. Jakarta EE Foundations
Harisha et al. Open Standard Authorization Protocol: OAuth 2.0 Defenses and Working Using Digital Signatures
Abdullahi et al. Internet banks login-a study of security solutions
Sumitra et al. Safe Cloud: Secure and Usable Authentication Framework for Cloud Environment
Samantray et al. LAYER X: A Novel Distributed Working System for VCS
Joubert Auditing Windows 2000: Methodologies and Issues

Legal Events

Date Code Title Description
FGI Letters patent sealed or granted (innovation patent)
DA3 Amendments made section 104

Free format text: THE NATURE OF THE AMENDMENT IS AS SHOWN IN THE STATEMENT(S) FILED 14 FEB 2007

DA3 Amendments made section 104

Free format text: THE NATURE OF THE AMENDMENT IS AS SHOWN IN THE STATEMENT(S) FILED 20 DEC 2006

SREP Specification republished
TH Corrigenda

Free format text: IN VOL 21, NO 14, PAGE(S) 1550 UNDER THE HEADING AMENDMENTS, SECTION 104 - AMENDMENTS MADE DELETE ALL REFERENCE TO 2006100953

MK22 Patent ceased section 143a(d), or expired - non payment of renewal fee or expiry