EP2215800A1 - Verfahren zum authentifizieren eines benutzers, der von einem computer aus auf einen abgesetzten server zugreift - Google Patents

Verfahren zum authentifizieren eines benutzers, der von einem computer aus auf einen abgesetzten server zugreift

Info

Publication number
EP2215800A1
EP2215800A1 EP08787535A EP08787535A EP2215800A1 EP 2215800 A1 EP2215800 A1 EP 2215800A1 EP 08787535 A EP08787535 A EP 08787535A EP 08787535 A EP08787535 A EP 08787535A EP 2215800 A1 EP2215800 A1 EP 2215800A1
Authority
EP
European Patent Office
Prior art keywords
user
terminal
remote server
computer
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP08787535A
Other languages
English (en)
French (fr)
Inventor
Edouard Lafargue
Gabriel Rangoni
Jérôme SION
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Thales DIS France SA
Original Assignee
Gemalto SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gemalto SA filed Critical Gemalto SA
Priority to EP08787535A priority Critical patent/EP2215800A1/de
Publication of EP2215800A1 publication Critical patent/EP2215800A1/de
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels

Definitions

  • the field of the invention is that of securing access to online resources, such as for example Web services. More specifically, the present invention relates to a method for a user to establish mutual authentication between a remote service and the user, through the computer that it uses to connect to this remote service.
  • a user wishes to connect to a remote server, for example to a merchant service such as eBay TM, to carry out transactions.
  • a remote server for example to a merchant service such as eBay TM
  • the execution of transactions requires, for security reasons, mutual authentication between the site server and the user.
  • Mutual authentication means on the one hand that the user must be certain that he / she is accessing a server on the eBay TM site (to which he / she will send personal details such as bank details, for example).
  • the server of the site of eBay TM is certain that the user who wishes to carry out transactions corresponds well to the one which has previously registered with this site and that it is thus not a question of a fraudster.
  • Authentication is therefore the procedure that consists, for a computer system, in verifying the identity of an entity (person, computer, etc.), in order to allow this entity access to resources (systems, networks, etc.). , applications ).
  • Authentication thus makes it possible to validate the authenticity of the entity in question and, unlike the identification which makes it possible to know the identity of an entity, authentication makes it possible to verify this identity.
  • the most commonly used solutions for authenticating a user to a remote server are usually a password combined with a username. These solutions have the disadvantage of being insecure because the user can, except having lost his password and no longer able to access the server, have been stolen his password and his username. A malicious third party can then pretend to be the real holder of the username and password and make transactions in his place.
  • Another known solution consists in authenticating the user with the aid of a key, for example of the USB type, to be inserted in the computer.
  • This authentication is relatively secure but the user may have had his key stolen and the problem previously invoked is not avoided.
  • the key must be able to be inserted into the computer, which is not always possible, for example in cybercafés where users do not have access to the computers themselves but only to screen / keyboard / mouse interfaces . This is also not possible when the number of ports on the computer is small and there is no available USB port left.
  • the compatibility of this type of solution is generally restricted to a small number of operating systems, for example only works with Microsoft TM and not with Apple TM.
  • the customer connects to the secure SSL merchant site and asks him to authenticate.
  • the server upon receipt of the request, sends a certificate to the client, containing the public key of the server, signed by a certification authority.
  • the certification authority is known to the user, for example when the certificate authority is present by default in the certificate stores of the Internet browser, the user is able to check the validity of the server certificate and the certificate. ensure its authenticity.
  • the client verifies the validity of the certificate (and therefore the authenticity of the merchant), then creates a random secret key (more exactly a supposedly random block), encrypts this key using the public key of the server, then sends him the result (the session key).
  • the server is able to decrypt the session key with its private key.
  • the two entities are in possession of a common key of which they are only connoisseurs.
  • the rest of the transactions can be done using session keys, ensuring the integrity and confidentiality of the data exchanged.
  • the disadvantage of this solution is that, by default, the establishment of this channel only allows one-way authentication: the user authenticates the server but additional authentication is necessary for the server to authenticate the user.
  • Another known solution is described in patent application WO / 0306341 1 entitled "Two-factor authentication method with one-time ephemeral password”.
  • This alternative is a method of authenticating, with an information system, a user having a mobile phone that includes a data display means, a data input means and a medium reading a data carrier.
  • the mobile phone is equipped with a smart card with asymmetrical key applications and software to exploit this key.
  • the user sends an access request message from a transmitting computer terminal to the information system, the latter generates an SMS message containing a one-time password and has a limited validity period and sends the SMS message to destination of the mobile phone of the user.
  • the user using the data input means of his mobile phone, introduces a secret personal code in the mobile phone and submits a personal data medium by means of reading the mobile phone which decrypts a private key assigned to the user, so that the mobile phone is allowed to decode the SMS message and extract the password.
  • the user sends, by the transmitting computer terminal, the password to the information system that authorizes the access of the user.
  • This solution is based on the use of an SMS encrypted by asymmetrical key. Its disadvantage is that it requires the deployment of a proprietary asymmetric key distribution infrastructure outside of any existing system such as PKI based on the use of standardized X509 digital certificates.
  • One of the objectives of the invention is to enable a service user, typically a user, to access services in a simple and secure manner, regardless of the computer he uses while offering a higher level of security. important than a simple username associated with a password.
  • This computer can be his personal computer, that of his office, that of an acquaintance or a friend or that of a cybercafé.
  • This objective, as well as others that will appear later, is achieved by a method of authenticating a user accessing a remote server from a computer, the method comprising:
  • the aforementioned authentications are advantageously performed by SSL protocol.
  • the terminal is a mobile terminal comprising a TCP / IP SIM card.
  • the mobile terminal is a mobile phone.
  • the mobile terminal is a PDA.
  • Authentication of the terminal at the remote server is preferably performed after the user has entered a PIN in the terminal. This makes it possible to implement a two-factor authentication.
  • a user 10 accesses a computer 20 to connect to a remote server 30, for example an eBay TM server previously exemplified.
  • the user 10 also has a terminal 40, here constituted by a mobile phone comprising a SIM card (not shown) supporting an Internet transmission protocol, for example the TCP / IP protocol, and a secure exchange protocol and mutually authenticated such as SSL.
  • a secure exchange protocol for authenticating the user 10 of the terminal 40 to the server 30.
  • the sim card includes the user's certificate 10 (issued and / or in which the remote server 30 trusts) and also a trusted third party certificate allowing the SIM card to trust the certificates presented by the server 30.
  • the user 10 uses the computer 20 in a conventional manner by entering the web address of the site to access its general home page. He then enters his username (for example his username).
  • the connection identified by 1 between the computer 20 and the server 30 is protected by SSL (the Internet exchange security protocol previously presented) but the SSL authentication 1 is unidirectional, that is to say that only the The identity of the server 30 is authenticated and not that of the user 10.
  • the server 30 then sends, schematized by an arrow 2, a message that is unpredictable to the user 10, for example a word generated randomly or pseudo-randomly. essential is that the user 10 can not know this message before receiving it.
  • the server 30 then consults the profile of the user 10 and retrieves the identifier of a terminal of this user 10, this terminal being, in the embodiment shown, constituted by the mobile phone 40 of the identified user by the phone number of the SIM card it contains.
  • this terminal being, in the embodiment shown, constituted by the mobile phone 40 of the identified user by the phone number of the SIM card it contains.
  • the user's terminal 10 is not necessarily a mobile phone 40, for example of the GSM type, but may also be constituted by a PDA containing a digital certificate.
  • any device connected in TCP / IP and able to contain a certificate is suitable. It can be any mobile terminal, such as a phone or a PDA, containing or not a SIM card, the main thing is that it contains a digital certificate, for example X509, for mutual authentication.
  • a mutual authentication by SSL is then launched: the server 30 connects to the terminal 40 of the user 10 through the telephone number retrieved in the profile of the user 10.
  • the mechanism for establishing the TCP / IP connection to the terminal The user's telephone number must be provided by the operator of the telecommunications network to which the SIM card belongs. This mechanism is not part of the present invention.
  • the SIM card then authenticates the server 30 with its certificate.
  • the server 30 also authenticates the user 10 by the certificate present in the SIM card. Access to this certificate may be protected by a PIN. This makes it possible to implement a two-factor authentication: something that we know (the PIN code) and something that we have (the SIM card or the terminal).
  • This certificate is typically an X509 certificate from NUT. In the X.509 system, a certificate authority assigns a certificate linking a public key to a Distinguished Name (DN) of the issuing CA, to an e-mail address or a DNS record.
  • DN Distinguished Name
  • Root certificates are unsigned, or self-signed, but trustworthy public keys.
  • Commercial CAs hold root certificates in many software programs, such as browsers.
  • Internet Explorer TM or Firefox TM contain some pre-installed root certificates.
  • SSL secure connection
  • This SSL connection allows the remote server to authenticate the user with certainty 10.
  • the TCP-IP protocol or any other protocol enabling communication between the server 30 and the terminal 40, provides the interface between the SIM card and the lnternet / the server 30.
  • the user 10 is then invited to enter in his terminal 40 the unpredictable message previously received on the computer 20.
  • the capture, schematized by 4, of this unpredictable message is for example made from the same way that the user 10 conventionally enters an SMS text in his terminal.
  • the message is entered, it is returned (arrow 5) by the user to the server 30 and the latter authenticates the user 10 thanks to the certificate contained in the SIM card.
  • the server 30 compares the unpredictable message transmitted to the computer 20 of the user with the one received via the secure SSL connection 5. In the event of a match of the message entered by the user 10 in the terminal 40 with the unpredictable message, the user 10 is definitely authenticated in the remote server 30. The server 30 can then direct the user 10 on its home page (arrow 6) and the user 10 can communicate securely with the server 30 via the computer 20.
  • the advantage of the invention is that no mutual authentication is performed directly between the server 30 and the computer 20 used by the user 10.
  • the mutual authentication is performed on another channel, namely that established between the server 30 and a terminal 40 belonging to the user 10.
  • the latter can therefore securely access the server 30 from any computer 20 for example from a cybercafe.
  • the advantage of the invention is the ability to establish strong authentication using certificates (PKI) through a mutual authentication SSL channel, avoiding any interaction with the computer used.
  • PKI certificates
  • SSL is the only one implemented on the default browsers and therefore the most used.
  • the invention also makes it possible to delegate an authentication: let us take the example of a child who wishes to buy a product via the Internet.
  • This child connects to the seller site by entering the username of his parents, receives an unpredictable message and contacts (for example by telephone) his parents to obtain permission to buy this property.
  • His parents receive a message on their terminal (mobile phone for example) with the description of the product desired by the child.
  • Parents then enter into their mobile phone the unpredictable message that was indicated to them by their child, which authorizes the purchase by the child of the property mentioned.
  • the phone number of the user's terminal can be entered either when connecting to the server beforehand or when the user enters his username in the server.
  • Another aspect of the invention resides in the loading of the certificates into the SIM card. This loading can be done in different ways. Four solutions are given below.
  • a first solution is to provide the user with a SIM card with only a limited number of root certificates.
  • Means are available to service providers, such as eBay TM for example, to register by OTA mechanism ("Over The Air" in English) user certificates in the SIM card, at the request of the user, by example when the user requests to be authenticated in the profile he completes with eBay TM.
  • a second solution is to provide the user with a SIM card containing only a certificate belonging to his mobile operator.
  • Service providers then require the operator (who becomes a certification authority) a user certificate when the user requests to be authenticated in the profile he fulfills with these service providers.
  • These user certificates are then transmitted via OTA to the SIM card.
  • a third solution is to ask a trusted third party to send certificates via OTA to SIM cards.
  • trusted third parties are, for example, Keynectics TM or Chambersign TM and offer their customers the provision of public key infrastructures for the deployment of electronic certificates.
  • a fourth solution is to provide the user with a SIM card containing a user certificate and the service provider links the name of the issuing certification authority (DN) with the user's profile when the user request to be authenticated in the profile it fulfills with these service providers.
  • DN issuing certification authority

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
EP08787535A 2007-10-29 2008-08-27 Verfahren zum authentifizieren eines benutzers, der von einem computer aus auf einen abgesetzten server zugreift Withdrawn EP2215800A1 (de)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP08787535A EP2215800A1 (de) 2007-10-29 2008-08-27 Verfahren zum authentifizieren eines benutzers, der von einem computer aus auf einen abgesetzten server zugreift

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP07301510A EP2056565A1 (de) 2007-10-29 2007-10-29 Authentifizierungsverfahren eines Benutzers, der von einem Computer auf einen Fernserver zugreift
EP08787535A EP2215800A1 (de) 2007-10-29 2008-08-27 Verfahren zum authentifizieren eines benutzers, der von einem computer aus auf einen abgesetzten server zugreift
PCT/EP2008/061245 WO2009056374A1 (fr) 2007-10-29 2008-08-27 Procede d'authentification d'un utilisateur accedant a un serveur distant a partir d'un ordinateur

Publications (1)

Publication Number Publication Date
EP2215800A1 true EP2215800A1 (de) 2010-08-11

Family

ID=39495411

Family Applications (2)

Application Number Title Priority Date Filing Date
EP07301510A Withdrawn EP2056565A1 (de) 2007-10-29 2007-10-29 Authentifizierungsverfahren eines Benutzers, der von einem Computer auf einen Fernserver zugreift
EP08787535A Withdrawn EP2215800A1 (de) 2007-10-29 2008-08-27 Verfahren zum authentifizieren eines benutzers, der von einem computer aus auf einen abgesetzten server zugreift

Family Applications Before (1)

Application Number Title Priority Date Filing Date
EP07301510A Withdrawn EP2056565A1 (de) 2007-10-29 2007-10-29 Authentifizierungsverfahren eines Benutzers, der von einem Computer auf einen Fernserver zugreift

Country Status (3)

Country Link
US (1) US8423782B2 (de)
EP (2) EP2056565A1 (de)
WO (1) WO2009056374A1 (de)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2974471B1 (fr) * 2011-04-19 2013-04-19 Sephira Traitement de donnees pour permettre l'acces a un service heberge dans un serveur
CN104205112B (zh) * 2012-04-16 2018-09-21 英特尔公司 安全控制器、电子设备、用于可信用户交互的方法和装置
CN105471884B (zh) * 2015-12-21 2019-05-31 联想(北京)有限公司 一种认证方法、服务器
CN112688979B (zh) * 2019-10-17 2022-08-16 阿波罗智能技术(北京)有限公司 无人车远程登录处理方法、装置、设备及存储介质

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19722424C5 (de) * 1997-05-28 2006-09-14 Telefonaktiebolaget Lm Ericsson (Publ) Verfahren zum Sichern eines Zugreifens auf ein fernab gelegenes System
ATE367060T1 (de) * 2000-02-21 2007-08-15 E Plus Mobilfunk Gmbh & Co Kg Verfahren zum festellen der authentizität der identität eines dienste-nutzers und vorrichtung zum durchführen des verfahrens
JP2002082911A (ja) * 2000-09-11 2002-03-22 Nec Corp 認証システム
JP2002158650A (ja) * 2000-11-21 2002-05-31 Fujitsu Ltd 認証・暗号化処理代行用のサーバ、アクセスカード、プログラム記録媒体及び携帯端末
US7133662B2 (en) * 2001-05-24 2006-11-07 International Business Machines Corporation Methods and apparatus for restricting access of a user using a cellular telephone
FR2835129B1 (fr) 2002-01-23 2004-11-26 Sagem Procede d'authentification a deux facteurs avec mot de passe ephemere a usage unique
JP4311174B2 (ja) * 2003-11-21 2009-08-12 日本電気株式会社 認証方法、移動体無線通信システム、移動端末、認証側装置、認証サーバ、認証代理スイッチ及びプログラム
BRPI0519861A2 (pt) * 2005-01-28 2009-03-24 Ericsson Telefon Ab L M métodos para autenticar um cliente, e para operar servidor de autenticação dentro de um sistema de comunicações, servidor de autenticação, método para operar um cliente acoplado a uma rede de comunicação, terminal de cliente, e, método para autenticar equipamento de usuário
US20060265262A1 (en) * 2005-05-18 2006-11-23 Microsoft Corporation Distributed conference scheduling
JP4867482B2 (ja) * 2006-06-06 2012-02-01 富士ゼロックス株式会社 制御プログラムおよび通信システム
US8590027B2 (en) * 2007-02-05 2013-11-19 Red Hat, Inc. Secure authentication in browser redirection authentication schemes

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
None *
See also references of WO2009056374A1 *

Also Published As

Publication number Publication date
US20100263033A1 (en) 2010-10-14
WO2009056374A1 (fr) 2009-05-07
US8423782B2 (en) 2013-04-16
EP2056565A1 (de) 2009-05-06

Similar Documents

Publication Publication Date Title
JP6012125B2 (ja) 問い合わせ型トランザクションによる強化された2chk認証セキュリティ
KR101019458B1 (ko) 확장된 일회용 암호 방법 및 장치
EP2820795B1 (de) Verfahren zur verifizierung der identität eines benutzers eines kommunikationsterminal und dazugehörendes system
FR3041195A1 (fr) Procede d'acces a un service en ligne au moyen d'un microcircuit securise et de jetons de securite restreignant l'utilisation de ces jetons a leur detenteur legitime
EP3391614B1 (de) Verfahren zum senden von digitalen informationen
EP3174241B1 (de) Methode zur herstellung einer gesicherten end-zu-end-kommunikation zwischen dem endgerät eines nutzers und einem verbundenen objekt
FR2825869A1 (fr) Procede d'authentification entre un objet de telecommunication portable et une borne d'acces public
EP3375133B1 (de) Verfahren zur sicherung und authentifizierung einer telekommunikation
FR2964812A1 (fr) Procede d'authentification pour l'acces a un site web
WO2005079090A1 (fr) Emission de cle publique par terminal mobile
EP2220812A2 (de) Verfahren zur authentifizierung eines benutzers
FR3111203A1 (fr) Dispositif informatique et procédé pour l’authentification d’un utilisateur
EP2215800A1 (de) Verfahren zum authentifizieren eines benutzers, der von einem computer aus auf einen abgesetzten server zugreift
EP1514377A1 (de) Schnittstellenverfahren- und einrichtung zum online-austausch von inhaltsdaten auf sichere weise
WO2022137192A1 (fr) Procédé et dispositif de contrôle de l'accès à un service utilisant une chaîne de blocs
EP3673633B1 (de) Verfahren zur authentifizierung eines benutzers mit einem authentifizierungsserver
WO2012156365A1 (fr) Procede de securisation d'une platforme d'authentification, dispositifs materiels et logiciels correspondants
CA2831167C (fr) Infrastructure non hierarchique de gestion de bi-cles de securite de personnes physiques ou d'elements (igcp/pki)
FR2903544A1 (fr) Procede de securisation d'une authentification par utilisation de plusieurs canaux
FR3007929A1 (fr) Procede d'authentification d'un utilisateur d'un terminal mobile
WO2024042289A1 (fr) Procédé d'enrôlement d'un dispositif auprès d'un serveur
EP2630746B1 (de) Authentifikationsverfahren und -system
FR3099974A1 (fr) Procédé de transmission d’une information numérique
FR2901438A1 (fr) Un procede d'embarquement d'un protocole securise dans des cartes a puces, des capteurs et des objets intelligents
FR2823929A1 (fr) Procede et dispositif d'authentification

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20100531

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA MK RS

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20140204

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20190416