EP2215800A1 - Method for authenticating a user accessing a remote server from a computer - Google Patents
Method for authenticating a user accessing a remote server from a computer
- Publication number
- EP2215800A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- user
- terminal
- remote server
- computer
- server
- Prior art date
- 2007-10-29
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
        - H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
Definitions
The field of the invention is that of securing access to online resources, for example Web services. More specifically, the present invention relates to a method by which a user establishes mutual authentication between himself and a remote service, through the computer he uses to connect to that service.
A user wishes to connect to a remote server, for example a merchant service such as eBay TM, to carry out transactions.
For security reasons, carrying out transactions requires mutual authentication between the site's server and the user.

Mutual authentication means, on the one hand, that the user must be certain of accessing a server of the eBay TM site (to which he will send personal details, such as bank details).

On the other hand, the eBay TM server must be certain that the user who wishes to carry out transactions is indeed the one who previously registered with the site, and not a fraudster.
Authentication is therefore the procedure by which a computer system verifies the identity of an entity (person, computer, etc.) in order to grant that entity access to resources (systems, networks, applications).

Authentication thus validates the authenticity of the entity in question: unlike identification, which merely states the identity of an entity, authentication verifies that identity.

The most commonly used solution for authenticating a user to a remote server is a password combined with a username. This solution has the disadvantage of being insecure: apart from losing his password and no longer being able to access the server, the user may have had his username and password stolen. A malicious third party can then pass himself off as the legitimate holder of the username and password and carry out transactions in his place.
Another known solution consists in authenticating the user with a hardware key, for example a USB key, inserted into the computer.

This authentication is relatively secure, but the user may have had his key stolen, so the problem mentioned above is not avoided.

Moreover, the key must be physically inserted into the computer, which is not always possible, for example in cybercafés where users do not have access to the computers themselves but only to a screen, keyboard and mouse. It is also impossible when the computer has few ports and no USB port is left free.

Finally, the compatibility of this type of solution is generally restricted to a small number of operating systems; a key may for example work only with Microsoft TM systems and not with Apple TM systems.
Another known solution relies on the SSL protocol, as follows. The client connects to the SSL-secured merchant site and asks it to authenticate itself.

On receipt of the request, the server sends the client a certificate containing the server's public key, signed by a certification authority.

If the certification authority is known to the user, for example because its certificate is present by default in the certificate store of the Internet browser, the user is able to check the validity of the server certificate and thus ensure its authenticity.

The client verifies the validity of the certificate (and therefore the authenticity of the merchant), then generates a random secret (more precisely a supposedly random block), encrypts it with the server's public key and sends the result to the server; the session keys are derived from this secret.

The server recovers the secret by decrypting it with its private key.

The two entities are then in possession of a common key known only to them.

The rest of the exchanges can be protected with the session keys, ensuring the integrity and confidentiality of the data exchanged.

The disadvantage of this solution is that, by default, establishing this channel provides only one-way authentication: the user authenticates the server, but additional authentication is necessary for the server to authenticate the user.
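The one-way default described above, and what a server must change to obtain mutual authentication, can be seen in the configuration of Python's standard `ssl` module. The block below is an added example, not code from the patent or from any product it names: the file names, the `_DN_SHORT` abbreviation table and the `SAMPLE_PEERCERT` dictionary are assumptions (the dictionary is constructed in the layout `SSLSocket.getpeercert()` returns, not a real certificate). It also shows how the server would read the subject and issuer DN out of the client certificate once a mutual handshake has completed, which is the identity the later part of this description binds to the user's profile.

```python
import ssl
from typing import Optional

# Abbreviations used when flattening a DN from getpeercert() (assumed subset).
_DN_SHORT = {"countryName": "C", "organizationName": "O",
             "organizationalUnitName": "OU", "commonName": "CN",
             "stateOrProvinceName": "ST", "localityName": "L"}


def client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Browser-side context: the server's certificate chain and hostname are
    verified (CERT_REQUIRED and check_hostname are the defaults for
    Purpose.SERVER_AUTH). Nothing in this context identifies the user."""
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def server_context_one_way(certfile: Optional[str] = None,
                           keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context as browsers get it: the server presents its
    certificate, but verify_mode stays CERT_NONE, so the client is anonymous."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def server_context_mutual(cafile: Optional[str] = None,
                          certfile: Optional[str] = None,
                          keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context for a mutually authenticated channel: the handshake
    is aborted unless the peer presents a certificate chaining to one of the
    CAs in cafile (the CA that issued the user certificates)."""
    ctx = server_context_one_way(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """True when the context will refuse a peer that presents no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def dn_to_string(rdns) -> str:
    """Flatten the tuple-of-tuples DN representation used by getpeercert()
    into the familiar 'C=FR,O=...,CN=...' form."""
    parts = []
    for rdn in rdns:
        for attr, value in rdn:
            parts.append(f"{_DN_SHORT.get(attr, attr)}={value}")
    return ",".join(parts)


def cert_identity(peercert: dict) -> dict:
    """Extract, from the dict SSLSocket.getpeercert() returns after a mutual
    handshake, the fields a server would bind to a user profile: the subject
    DN, the issuing CA's DN, the subjectAltName entries and the serial."""
    return {
        "subject": dn_to_string(peercert.get("subject", ())),
        "issuer": dn_to_string(peercert.get("issuer", ())),
        "san": list(peercert.get("subjectAltName", ())),
        "serial": peercert.get("serialNumber"),
    }


# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "FR"),),
                (("organizationName", "Example Operator"),),
                (("commonName", "+33612345678"),)),
    "issuer": ((("countryName", "FR"),),
               (("organizationName", "Example Operator"),),
               (("commonName", "Example Operator Subscriber CA"),)),
    "serialNumber": "0A1B2C3D",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (("email", "alice@example.net"),),
}

if __name__ == "__main__":
    print("one-way context demands client cert:",
          requires_client_cert(server_context_one_way()))
    print("mutual context demands client cert:",
          requires_client_cert(server_context_mutual()))
    print(cert_identity(SAMPLE_PEERCERT))
```

The point to note is that `CERT_REQUIRED` on its own only proves the peer holds a key certified by a trusted CA; which user that is has to be read out of the certificate, as `cert_identity` does, and compared with the profile the server looked up.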
Another known solution is described in patent application WO 03/063411, entitled "Two-factor authentication method with one-time ephemeral password".

It is a method of authenticating, with an information system, a user who has a mobile phone that includes a data display means, a data input means and a means for reading a data medium.

The mobile phone is equipped with a smart card carrying asymmetric-key applications and the software to use the key.

The user sends an access request message from a transmitting computer terminal to the information system; the latter generates an SMS message containing a one-time password with a limited validity period and sends the SMS message to the user's mobile phone.

Using the data input means of his mobile phone, the user enters a secret personal code into the phone and presents a personal data medium to the phone's reading means; this decrypts a private key assigned to the user, so that the mobile phone can decode the SMS message and extract the password.

The user then sends the password from the transmitting computer terminal to the information system, which authorizes the user's access.

This solution is based on an SMS encrypted with an asymmetric key. Its disadvantage is that it requires the deployment of a proprietary asymmetric-key distribution infrastructure outside any existing system such as a PKI based on standardized X.509 digital certificates.
One of the objectives of the invention is to enable a service user to access services in a simple and secure manner, whatever the computer he uses, while offering a level of security higher than that of a simple username associated with a password.

This computer can be his personal computer, his office computer, that of an acquaintance or friend, or that of a cybercafé.

This objective, as well as others that will become apparent below, is achieved by a method of authenticating a user accessing a remote server from a computer, the method comprising the steps described in the embodiment below.

The authentications mentioned are advantageously performed using the SSL protocol.

The terminal is a mobile terminal comprising a SIM card supporting TCP/IP.

The mobile terminal is, for example, a mobile phone.

The mobile terminal may also be a PDA.

Authentication of the terminal to the remote server is preferably performed after the user has entered a PIN into the terminal. This makes it possible to implement two-factor authentication.
A user 10 uses a computer 20 to connect to a remote server 30, for example the eBay TM server mentioned above.

The user 10 also has a terminal 40, here a mobile phone comprising a SIM card (not shown) that supports an Internet transmission protocol, for example TCP/IP, and a secure, mutually authenticated exchange protocol such as SSL.

This secure exchange protocol is used to authenticate the user 10 of the terminal 40 to the server 30.

The SIM card holds the certificate of the user 10 (issued by, or at least trusted by, the remote server 30) and also a trusted third-party certificate allowing the SIM card to trust the certificates presented by the server 30.

The user 10 uses the computer 20 in the conventional manner, entering the web address of the site to reach its home page. He then enters his username (for example his login name).

The connection marked 1 between the computer 20 and the server 30 is protected by SSL (the Internet exchange security protocol presented above), but SSL authentication 1 is one-way: only the identity of the server 30 is authenticated, not that of the user 10.
The server 30 then sends (arrow 2) a message that is unpredictable to the user 10, for example a randomly or pseudo-randomly generated word. What matters is that the user 10 cannot know this message before receiving it.

The server 30 then consults the profile of the user 10 and retrieves the identifier of a terminal of this user 10; in the embodiment shown, this terminal is the mobile phone 40 of the identified user, designated by the telephone number of the SIM card it contains.

The terminal of the user 10 is not necessarily a mobile phone 40, for example of the GSM type, but may also be a PDA containing a digital certificate.

Any device connected over TCP/IP and able to hold a certificate is suitable. It can be any mobile terminal, such as a phone or a PDA, with or without a SIM card; the essential point is that it contains a digital certificate, for example X.509, for mutual authentication.
Mutual authentication by SSL is then launched: the server 30 connects to the terminal 40 of the user 10 using the telephone number retrieved from the profile of the user 10.

The mechanism for establishing a TCP/IP connection to the terminal from the user's telephone number must be provided by the operator of the telecommunications network to which the SIM card belongs. This mechanism is not part of the present invention.

The SIM card then authenticates the server 30 by means of the server's certificate.

The server 30 also authenticates the user 10 by means of the certificate present in the SIM card. Access to this certificate may be protected by a PIN. This makes it possible to implement two-factor authentication: something one knows (the PIN code) and something one has (the SIM card or the terminal).

This certificate is typically an X.509 certificate (X.509 being an ITU-T standard). In the X.509 system, a certification authority issues a certificate that binds a public key to a Distinguished Name (DN), to an e-mail address or to a DNS record, and that names the issuing CA by its own DN.

Root certificates are self-signed public keys that are nevertheless trusted.

Commercial CAs have their root certificates included in many software programs, such as browsers.

Internet Explorer TM or Firefox TM thus contain a number of pre-installed root certificates.
This SSL connection allows the remote server 30 to authenticate the user 10 with certainty.

The TCP/IP protocol, or any other protocol enabling communication between the server 30 and the terminal 40, provides the interface between the SIM card and the Internet, and hence the server 30.
The user 10 is then invited to enter into his terminal 40 the unpredictable message previously received on the computer 20.

The entry of this unpredictable message (arrow 4) is made, for example, in the same way as the user 10 conventionally types an SMS text on his terminal.

Once entered, the message is returned (arrow 5) by the user to the server 30, which authenticates the user 10 thanks to the certificate contained in the SIM card.

The server 30 compares the unpredictable message sent to the computer 20 of the user with the one received over the secure SSL connection 5. If the message entered by the user 10 in the terminal 40 matches the unpredictable message, the user 10 is definitively authenticated to the remote server 30. The server 30 can then direct the user 10 to his home page (arrow 6), and the user 10 can communicate securely with the server 30 via the computer 20.
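The server-side logic of the exchange just described (username over connection 1, unpredictable message over arrow 2, mutually authenticated channel to the terminal, message typed back over arrow 5, comparison) is easiest to reason about as a small state machine. The block below is an added example written for this page, not the patent's own implementation: the `PROFILES` table, the session identifier, the 120-second validity window and the eight-character hexadecimal form of the unpredictable message are assumptions. The mutual SSL channel itself is abstracted away; `terminal_channel` receives the subject DN that the handshake already verified, and the server, having dialled out to the terminal itself, knows which login session that channel belongs to. Beyond what the description spells out, the example also makes each challenge single-use and time-limited, and checks that the certificate presented is the one registered for the username, not merely one the CA trusts.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed user profiles, keyed by the username typed on the computer 20.
# "terminal_id" is the telephone number the server 30 dials out to (terminal 40);
# "cert_subject" is the subject DN expected in the certificate the SIM card
# presents during the mutual SSL handshake. Both values are illustrative.
PROFILES = {
    "alice": {
        "terminal_id": "+33612345678",
        "cert_subject": "C=FR,O=Example Operator,CN=+33612345678",
    },
}

NONCE_TTL_SECONDS = 120.0  # validity window of the unpredictable message (assumed)


@dataclass
class Session:
    username: str
    nonce: str
    issued_at: float
    consumed: bool = False
    authenticated: bool = False


class AuthServer:
    """Server-side state for the two-channel login described above."""

    def __init__(self, profiles=PROFILES, ttl: float = NONCE_TTL_SECONDS):
        self.profiles = profiles
        self.ttl = ttl
        self.sessions: Dict[str, Session] = {}

    def start_login(self, username: str,
                    now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Arrows 1 and 2: the username arrives over the one-way SSL connection;
        the server answers with an unpredictable message bound to this session."""
        if username not in self.profiles:
            return None
        session_id = secrets.token_urlsafe(16)
        nonce = secrets.token_hex(4).upper()  # 8 hex digits: typeable on a phone
        self.sessions[session_id] = Session(
            username, nonce, time.time() if now is None else now)
        return session_id, nonce

    def terminal_to_call(self, session_id: str) -> Optional[str]:
        """Profile lookup: the terminal the server must dial out to."""
        s = self.sessions.get(session_id)
        return self.profiles[s.username]["terminal_id"] if s else None

    def terminal_channel(self, session_id: str, peer_subject: str,
                         typed_nonce: str, now: Optional[float] = None) -> str:
        """Arrows 4 and 5: over the mutually authenticated SSL channel the SIM
        presented a certificate (peer_subject) and the user typed typed_nonce."""
        now = time.time() if now is None else now
        s = self.sessions.get(session_id)
        if s is None:
            return "unknown session"
        if s.consumed:
            return "challenge already used"  # one attempt per unpredictable message
        s.consumed = True
        if now - s.issued_at > self.ttl:
            return "challenge expired"
        expected = self.profiles[s.username]["cert_subject"]
        # The certificate must be the one registered for *this* username, not
        # merely any certificate the trusted CA has issued.
        if not hmac.compare_digest(peer_subject.encode(), expected.encode()):
            return "certificate does not belong to this user"
        if not hmac.compare_digest(typed_nonce.strip().upper().encode(),
                                   s.nonce.encode()):
            return "unpredictable message does not match"
        s.authenticated = True
        return "authenticated"

    def is_authenticated(self, session_id: str) -> bool:
        s = self.sessions.get(session_id)
        return bool(s and s.authenticated)


if __name__ == "__main__":
    server = AuthServer()
    sid, challenge = server.start_login("alice")
    print("dial", server.terminal_to_call(sid), "and show", challenge, "on the PC")
    print(server.terminal_channel(sid, PROFILES["alice"]["cert_subject"], challenge))
    print("session authenticated:", server.is_authenticated(sid))
```

Marking the challenge consumed before any comparison is deliberate: a wrong entry on the terminal burns the challenge, so an attacker who has taken over the computer 20 cannot keep the same session open and guess at the phone.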
An advantage of the invention is that no mutual authentication is performed directly between the server 30 and the computer 20 used by the user 10.

The mutual authentication is performed on another channel, namely the one established between the server 30 and a terminal 40 belonging to the user 10.

The user can therefore securely access the server 30 from any computer 20, for example from a cybercafé.

A further advantage of the invention is the ability to establish strong, certificate-based (PKI) authentication through a mutually authenticated SSL channel, avoiding any interaction with the computer used.

SSL is the protocol implemented by default in browsers and is therefore the most widely used.
The invention also makes it possible to delegate an authentication. Take the example of a child who wishes to buy a product over the Internet.

The child connects to the seller's site by entering his parents' username, receives an unpredictable message and contacts his parents (for example by telephone) to obtain permission to buy the item.

His parents receive a message on their terminal (a mobile phone, for example) with the description of the product desired by the child.

The parents then enter into their mobile phone the unpredictable message their child gave them, which authorizes the purchase of the item by the child.

The telephone number of the user's terminal can be entered either during a prior connection to the server or at the time the user enters his username on the server.
Another aspect of the invention resides in the loading of the certificates into the SIM card. This can be done in different ways; four solutions are given below.

A first solution is to provide the user with a SIM card holding only a limited number of root certificates.

Service providers, such as eBay TM, then have means to write user certificates into the SIM card by an OTA ("Over The Air") mechanism at the user's request, for example when the user asks to be authenticated in the profile he completes with eBay TM.

A second solution is to provide the user with a SIM card containing only a certificate belonging to his mobile operator.

Service providers then request from the operator (which thus becomes a certification authority) a user certificate when the user asks to be authenticated in the profile he completes with these service providers.

These user certificates are then transmitted to the SIM card via OTA.

A third solution is to ask a trusted third party to send certificates to the SIM cards via OTA.

Such trusted third parties are, for example, Keynectics TM or Chambersign TM, which offer their customers public key infrastructures for the deployment of electronic certificates.

A fourth solution is to provide the user with a SIM card that already contains a user certificate; the service provider then links the name of the issuing certification authority (its DN) with the user's profile when the user asks to be authenticated in the profile he completes with these service providers.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Telephonic Communication Services (AREA)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP08787535A EP2215800A1 (de) | 2007-10-29 | 2008-08-27 | Method for authenticating a user accessing a remote server from a computer |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP07301510A EP2056565A1 (de) | 2007-10-29 | 2007-10-29 | Method for authenticating a user accessing a remote server from a computer |
EP08787535A EP2215800A1 (de) | 2007-10-29 | 2008-08-27 | Method for authenticating a user accessing a remote server from a computer |
PCT/EP2008/061245 WO2009056374A1 (fr) | 2007-10-29 | 2008-08-27 | Method for authenticating a user accessing a remote server from a computer |
Publications (1)
Publication Number | Publication Date |
---|---|
EP2215800A1 (de) | 2010-08-11 |
Family
ID=39495411
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP07301510A Withdrawn EP2056565A1 (de) | Method for authenticating a user accessing a remote server from a computer | 2007-10-29 | 2007-10-29 |
EP08787535A Withdrawn EP2215800A1 (de) | Method for authenticating a user accessing a remote server from a computer | 2007-10-29 | 2008-08-27 |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP07301510A Withdrawn EP2056565A1 (de) | Method for authenticating a user accessing a remote server from a computer | 2007-10-29 | 2007-10-29 |
Country Status (3)
Country | Link |
---|---|
US (1) | US8423782B2 (de) |
EP (2) | EP2056565A1 (de) |
WO (1) | WO2009056374A1 (de) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2974471B1 (fr) * | 2011-04-19 | 2013-04-19 | Sephira | Data processing to allow access to a service hosted on a server |
CN104205112B (zh) * | 2012-04-16 | 2018-09-21 | Intel Corporation | Security controller, electronic device, method and apparatus for trusted user interaction |
CN105471884B (zh) * | 2015-12-21 | 2019-05-31 | Lenovo (Beijing) Co., Ltd. | Authentication method and server |
CN112688979B (zh) * | 2019-10-17 | 2022-08-16 | Apollo Intelligent Technology (Beijing) Co., Ltd. | Remote login processing method, apparatus, device and storage medium for an unmanned vehicle |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19722424C5 (de) * | 1997-05-28 | 2006-09-14 | Telefonaktiebolaget Lm Ericsson (Publ) | Method for securing access to a remote system |
ATE367060T1 (de) * | 2000-02-21 | 2007-08-15 | E Plus Mobilfunk Gmbh & Co Kg | Method for establishing the authenticity of the identity of a service user and device for carrying out the method |
JP2002082911A (ja) * | 2000-09-11 | 2002-03-22 | Nec Corp | Authentication system |
JP2002158650A (ja) * | 2000-11-21 | 2002-05-31 | Fujitsu Ltd | Server for proxy authentication and encryption processing, access card, program recording medium and portable terminal |
US7133662B2 (en) * | 2001-05-24 | 2006-11-07 | International Business Machines Corporation | Methods and apparatus for restricting access of a user using a cellular telephone |
FR2835129B1 (fr) | 2002-01-23 | 2004-11-26 | Sagem | Two-factor authentication method with one-time ephemeral password |
JP4311174B2 (ja) * | 2003-11-21 | 2009-08-12 | NEC Corporation | Authentication method, mobile radio communication system, mobile terminal, authenticating device, authentication server, authentication proxy switch and program |
BRPI0519861A2 (pt) * | 2005-01-28 | 2009-03-24 | Ericsson Telefon Ab L M | Methods for authenticating a client and for operating an authentication server within a communications system, authentication server, method for operating a client coupled to a communication network, client terminal, and method for authenticating user equipment |
US20060265262A1 (en) * | 2005-05-18 | 2006-11-23 | Microsoft Corporation | Distributed conference scheduling |
JP4867482B2 (ja) * | 2006-06-06 | 2012-02-01 | Fuji Xerox Co., Ltd. | Control program and communication system |
US8590027B2 (en) * | 2007-02-05 | 2013-11-19 | Red Hat, Inc. | Secure authentication in browser redirection authentication schemes |
- 2007
  - 2007-10-29 EP EP07301510A patent/EP2056565A1/de not_active Withdrawn
- 2008
  - 2008-08-27 WO PCT/EP2008/061245 patent/WO2009056374A1/fr active Application Filing
  - 2008-08-27 US US12/740,655 patent/US8423782B2/en not_active Expired - Fee Related
  - 2008-08-27 EP EP08787535A patent/EP2215800A1/de not_active Withdrawn
Non-Patent Citations (2)
Title |
---|
None * |
See also references of WO2009056374A1 * |
Also Published As
Publication number | Publication date |
---|---|
US20100263033A1 (en) | 2010-10-14 |
WO2009056374A1 (fr) | 2009-05-07 |
US8423782B2 (en) | 2013-04-16 |
EP2056565A1 (de) | 2009-05-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
2010-05-31 | 17P | Request for examination filed | |
| AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR |
| AX | Request for extension of the European patent | Extension state: AL BA MK RS |
| DAX | Request for extension of the European patent (deleted) | |
2014-02-04 | 17Q | First examination report despatched | |
| STAA | Information on the status of an EP patent application or granted EP patent | STATUS: EXAMINATION IS IN PROGRESS |
| STAA | Information on the status of an EP patent application or granted EP patent | STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
2019-04-16 | 18D | Application deemed to be withdrawn | |