EP1922856A2

EP1922856A2 - Method for authenticating a user and device therefor

Info

Publication number: EP1922856A2
Application number: EP06808284A
Authority: EP
Inventors: Alain Leclercq; Yves Arnail; Bernard Delbourg; Pierre Rabischong
Original assignee: MEDISCS SARL
Current assignee: MEDISCS Sas
Priority date: 2005-09-07
Filing date: 2006-09-06
Publication date: 2008-05-21
Also published as: FR2890509B1; WO2007028925A3; WO2007028925A2; US20080209520A1; FR2890509A1

Abstract

The invention concerns a method for authenticating a user via a terminal (1) connected to a network (2) and comprising means (4) for reading a medium (3) wherein, when said support (3) is created, identifying data (5) concerning said user are recorded on the medium (3) by etching means and on storage means (6); data (7) concerning the etching of said medium (3) are collected and stored in the form of a trace via said storage means (6), said trace indexing random errors occurring during etching; and, wherein, when said medium (3) is used, said identifying data (5) are read and transmitted via secure connection means (8) to said remote storage means (6) via said network for comparing and authenticating same.

Description

METHOD FOR AUTHENTICATING A USER AND DEVICE FOR IMPLEMENTING IT

The present invention relates to a method for authenticating a user through a terminal connected to a computer type network and comprising means for reading a ROM memory medium, of the CD, CD CARD or DVD type.

The present invention is in the field of secure and remote authentication of a user, in particular the identification of a user through a computer type network.

The invention relates more particularly to such an authentication method and its implementation device.

The present invention will find a particular application in the field of banking and online payment, in the manner of a bank card.

In known manner, the remote authentication of a user, connected to a computer network through a computer, can be performed through a system using a smart card. Like systems using bank cards, a computer can be provided with a terminal for reading a smart card. The latter contains authentication information, such as an electronic signature, which is then transferred from said terminal through said network to be compared and authenticated. Access is guaranteed. In addition, in a known manner, the connection is secured through known encryption tools and protocols.

However, such a device does not provide satisfactory security, particularly in case of theft of the card which can then be used on another terminal. That is why the banking devices use a code known to the user alone. In addition, this type of device requires the purchase and installation of a specific reader for reading the card. This reader, which is generally external, is only a means of reading the data contained on the smart card and has no means of encryption. It therefore offers no transmission security between the terminal and the computer, in particular through its physical wired link.

In addition, as part of secure access to an online payment site by credit card, for example on the Internet, no code is required. Just enter the numbers on the card to validate the purchase. Again, in case of theft of the latter, no security then prevents fraudulent use.

For these reasons, through WO 01/59547, it has been imagined a support compatible with most existing readers on a terminal, including ROM memory drives, such as a CD or DVD player . A PIN code is requested at each insertion of said CD / DVD to authenticate the user.

However, the use of a support as widespread as the CD or DVD does not prevent the reproduction of the latter.

It has therefore been imagined to prevent this reproduction through the voluntary generation, during the etching of said support, marks. The latter are then counted by a suitable software and contribute to the identification of said support. This solution is briefly described in WO 2004/084487.

The disadvantage of this solution lies in the fact that, since it is possible to knowingly generate marks when etching, adapted software can read said marks and thus reproduce them during a copy operation in order to falsify the support.

In addition, the entry of bank details, even through a secure connection, can be hacked by the presence of spyware. Moreover, said data can be stored on the site, even temporarily, and offers a security breach.

Finally, if the data presented on the card can be copied, no means prevents the forgery of this card and its reproduction.

The object of the invention is to overcome the disadvantages of the state of the art by proposing a secure authentication method and its implementation device offering an optimal security, an impossible reproduction rendering them unfalsifiable.

In particular, the invention creates a link between the data contained on a medium and the medium itself, so that the copy of one independently of the other is not feasible. In particular, in the case of the present invention, the data relating to the support relates to the errors that occurred during the etching of said support.

Similar methods exist in the prior art.

Through this strong authentication support, the procedure is freed from the entry of bank details by the user. Furthermore, the procedure for transmitting said bank details is then transparent for said user.

In addition, support is provided compatible with readers equipping most computer terminals, such as DVD players or CDs.

The present invention therefore provides a unique, secure and tamper-proof payment solution.

To do this, the present invention relates to a method for authenticating a user through a terminal connected to a computer type network and comprising means for reading a ROM memory medium, of the CD, CD CARD type. or DVD, in which, when creating said medium:

identification data relating to said user are recorded, on the one hand, on said medium through etching means and, on the other hand, on storage means;

information relating to the etching of said medium is collected and stored in the form of a trace through said storage means, said trace listing the random errors that occurred during the etching of said medium; and, wherein, when using said support:

said identification data are read through said reading means and transmitted through secure means of connection to said remote storage means through said network;

said transmitted data is compared with said data contained on said storage means in order to be authenticated; said method also comprising:

physically controlling said support during its reading and transmitting the results of said control to said remote storage means; comparing the result of its control with said trace in order to authenticate said support; and, after authentication of said medium and said information, to allow access of said user to an application.

According to other characteristics of the invention, the connection through secure means consists of:

when carrying out said medium, register a code on said storage means;

when using said medium, executing input means by a user of said code; then encrypting said code and transmitting it through a secure connection of said network to said storage means; and check the validity of said code by comparison with the code contained in said storage means.

In addition, such a method may consist in transmitting bank data transparently to the user in order to automatically fill out an online payment form.

The invention also relates to a device for implementing the authentication method, comprising a medium containing personal data concerning a user and able to be read through a terminal provided with reading means, said terminal being connected to the through a computer network, to means for comparing, on the one hand, said personal data with data contained on storage means and, on the other hand, information relating to the etching of said data on said medium with collected information relating to the physical level of said medium in the form of a trace listing the random errors that occurred during the etching of said medium. Advantageously, said comparison means comprise means for burning data concerning the user on said medium and means for collecting information relating to said etching, and means for storing said data and said information.

According to one embodiment, said medium is a ROM memory comprising a chip.

Other features and advantages of the invention will emerge from the following detailed description of non-limiting embodiments of the invention, with reference to the attached figure which is a schematic representation of the operation of the invention.

The present invention relates to a method of authenticating a user and its implementation device. In particular, the invention aims to authenticate a user from a terminal 1 connected to a computer network 2.

In this regard, the network 2 is preferably the Internet network but the invention also relates to any computer type network in which two terminals are connected to one another.

The invention will find its application in the secure connection of a user, when transmitting information requiring a high level of confidentiality, for example in the case of access to an online payment site where it is necessary to communicate risk banking data. The invention also relates to any type of connection or access where it is necessary to identify with certainty the user wishing to connect, for example in the case of an intranet or other network. Advantageously, in order to authorize the previously mentioned access, the present invention confers a strong authentication of the personal medium to the user and consequently of the latter. It uses the combined comparison, on the one hand, of characteristics related to a physical medium 3 with information related to these same characteristics previously stored and, on the other hand, information stored or contained on said medium with previously stored information.

To do this, a user wishing to connect to an application, a payment site or the like, acquires a terminal 1, connected to said computer network 2, and comprising means 4 for reading said medium 3.

In this regard, the support 3 is a support equipped with a ROM-type memory such as a CD, CD CARD or DVD. This memory can be provided rewritable, such as a C-D or a DVD-RW, or non-rewritable, this characteristic thus conferring on said support 3 a security preventing the modification of the data recorded therein. It will therefore be noted that the reading means 4 are of known type, such as a ROM-type memory reader, such as a CD and DVD disc player.

According to a particular embodiment, said support 3 may comprise a chip so that it is compatible with smart card systems, in particular in the case of a CD CARD type support.

The support 3 has been made in advance and sent through a conventional routing network, for example postal. During the creation of said support 3, identification data 5 are recorded on said support 3. These data are personal to each user and may relate to the identity of the person (name, surname, contact details, bank account number , etc.) and may contain an identifier of connection for the recognition of said support 3 when using the latter. This data may also include the bank details of the user, said support 3 can be issued by a bank. The recording of said data is performed by etching through conventional etching means. On the other hand, these same data are copied and stored in storage means 6.

An advantage of the present invention resides in the fact that information 7 relating to the etching of said medium 3 is stored on said storage means 6. This etching information 7 is collected in the form of a trace after the finalization of said medium 3. This trace lists the errors that occurred during this operation of etching at the physical level of said support 3. In fact, each etching produces random physical errors, impossible to reproduce, and unique to each support 3. In the manner of a fingerprint, the surface of said support 3 therefore contains an identification of its own.

An advantage in terms of security therefore consists in comparing the trace of the support 3 with the support 3 used during the connection. Thus, any reproduction or duplication of the support 3 is not possible.

Another advantage lies in the fact that only the trace of the inserted medium 3 is transmitted over the network, the comparison being made with the trace stored on a remote server. Thus, in case of falsification, the original data are not transmitted, minimizing the risk of piracy.

In addition, during the use of said support 3, the user inserts this support 3 into the reading means 4. Said identification data 5 contained on said support 3 are then read and transmitted through secure means 8. connection to said storage means 6. This transfer takes place through said network 2, the terminal 1 and the storage means 6 being remote.

It should be noted that this data may be encrypted beforehand and / or encoded to prevent any modifications or interception during the transfer. In addition, secure connections and secure data transfer protocols can be used (SSL, private and public key encryption or other).

There is then a step of verifying the transmitted identification data. In particular, the communicated identifier makes it possible to find within the storage means 6 the data previously recorded and linked to the user and his bank details. Data cohesion provides a first step in authenticating the user.

It should be noted that this procedure for authenticating the data is done transparently for the user. It is no longer necessary for him to enter his bank details, minimizing the risk of hacking, including through spyware residing on the user's terminal.

In addition, the bank details can be specific to online use, through specific forms and automatically filled by means dedicated to this purpose. The invention consists of transparently transmitting bank data to the user in order to automatically fill out an online payment form.

When reading said medium 3, the latter is physically checked in order to list the apparent engraving errors. The same procedure is used with similar means, in particular an application designed and dedicated to this task, to list these errors to list the information engraving 7 previously mentioned. The result of this control is transmitted, securely or otherwise, to said remote storage means. This result is then compared with the trace, thereby strongly authenticating the support 3. This comparison is carried out through comparison means 11.

These two authentication steps then guarantee a perfect and unique identity between the data initially recorded on the medium 3 and the medium used by the user to connect.

The comparison of the identification data 5 and information 7 related to the etching is performed by comparison means 11 connected to said network 2 and said storage means 6. In this respect, the latter can group the data stored therein. known manner in the form of a database.

Advantageously, in addition to protection, the connection through secure means 8 can be based on the entry and encrypted sending of a confidential code 9 known to the user alone. This code can be transmitted to the user at the same time or separately from said medium 3, by means of classic mailing, by electronic mail or any other means. When reading said medium 3, an application is executed on said terminal 1 opening input means 10 through which the user can enter his code 9. These input means 10 comprise an interface for entering said code 9, especially through a keyboard or a keypad, especially a secure keypad.

According to a first embodiment, the code 9 can be directly compared with code encoded and encrypted on the support 3. In this way, the support 3 can be recognized during each introduction in the reader 4 and may not be requested later. This usage option facilitates the repeated identification of the same user, for example in the case of several separate and consecutive purchases.

According to another embodiment, the code 9 is then encrypted and sent through the network 2, through secure lines, to said storage means 6. It is then decrypted and compared with the previously recorded code, when performing the support 3, in said storage means 6. Once the validity of the code 9 has been checked, the user, with authentication of the medium 3 as previously mentioned, obtains an access authorization.

To limit the possibilities of fraud, the user can enter up to three times said code 9 before blocking said data contained in said storage means 6. In other words, access to the data is immediately blocked and the further use of the support 3 will not allow any connection. In addition, security messages can be sent to an administrator managing the system. The support 3 is then unusable until the restoration of access to the data or the realization of another support 3.

Another peculiarity lies in the fact that it is not necessary to memorize a username. By similarity with the credit card systems, it is necessary to introduce only the code 9. Moreover, the entry of a code 9 greatly improves the security, in particular in case of theft of the support 3.

The preceding comparison steps are performed through comparison means 11, remote and connected, on the one hand, to the storage means 6 and, on the other hand, to said network 2. On request, they make it possible to compare the data received by the network with the data contained in the storage means 6, in particular and vice versa the data transmitted with the identification data 5, the data relating to the support 3 with the trace, and finally the code 9.

The present invention thus provides a secure way to access sensitive areas on a network safely. A dedicated application preferentially remains the payment on the Internet. It is no longer necessary to transmit his bank details from his terminal or computer whose security is less than banking networks.

In addition, the invention does not require any additional device and is adaptable to any terminal equipped with a CD, DVD or similar type of reader. Compatibility is optimal while providing strong authentication of the support 3 and its user.

Claims

A method of authenticating a user through a terminal (1) connected to a network (2) of the computer type and comprising means (4) for reading a medium (3) with a ROM memory, type CD, CD CARD or DVD, in which, when creating said medium (3):

identification data (5) concerning said user are recorded, on the one hand, on said medium (3) through etching means and, on the other hand, on storage means (6);

information (7) relating to the etching of said medium (3) is collected and stored in the form of a trace through said storage means (6), said trace listing the random errors that occurred during the etching of said medium (3); ); and, wherein, when using said support (3):

said identification data (5) are read through said reading means (4) and transmitted through secure connection means (8) to said remote storage means (6) through said network (2);

said transmitted data is compared with said data contained on said storage means (6) in order to be authenticated; said method also comprising:

- physically control said support (3) during its reading and transmit the results of said control to said remote storage means (6);

comparing the result of its control with said trace in order to authenticate said medium (3); and, after authentication said medium (3) and said information, to allow access of said user to an application.

2. Authentication method according to claim 1, characterized in that the connection through secure means (8) consists of:

during the production of said support (3), register a code (9) on said storage means (6);

when using said medium (3), executing input means (10) by a user of said code (9); then encrypting said code (9) and transmitting it through a secure connection of said network (2) to said storage means (6); and checking the validity of said code (9) by comparison with the code (9) contained in said storage means (6).

3. Authentication method according to any one of claims 1 or 2, characterized in that it consists in transmitting transparently vis-à-vis the user of bank data to automatically fill out a payment form. online.

4. Device for implementing the authentication method according to any one of the preceding claims, characterized in that it comprises a support (3) containing personal data (5) concerning a user and able to be read at through a terminal (1) provided with reading means (4), said terminal (1) being connected, via a computer network (2), to comparison means (11), on the one hand, said personal data (5) with data contained on storage means (6) and, on the other hand, information (7) relating to the etching of said data on said medium (3) with information collected on the level physical of said support (3) in the form of a trace listing the random errors that occurred during the etching of said support (3).

5. Device according to any one of claims 5 or 6, characterized in that said comparison means (11) comprise data etching means (5) for the user on said support (3) and means for collecting information relating to said etching, and storage means (6) of said data (5) and said information (7).

6. Device according to any one of claims 5 to 7, characterized in that said support (3) is ROM memory comprising a chip.