EP2220812A2 - Method of authenticating a user - Google Patents

Method of authenticating a user

Info

Publication number
EP2220812A2
Authority
EP
European Patent Office
Prior art keywords
user
browser
server
telephone
authentication
Legal status
Withdrawn
Application number
EP08864309A
Other languages
German (de)
French (fr)
Inventor
Alain Leclercq
Yves Arnail
Bernard Delbourg
Current Assignee
MEDISCS (SOCIETE PAR ACTIONS SIMPLIFIEE)
Original Assignee
MEDISCS (SOCIETE PAR ACTIONS SIMPLIFIEE)
Priority claimed from FR0759714A (FR2958826A1)
Application filed by MEDISCS (SOCIETE PAR ACTIONS SIMPLIFIEE)
Publication of EP2220812A2
Legal status: Withdrawn

Classifications

    • H04L 63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • G06F 21/35: User authentication involving the use of external additional devices, e.g. dongles or smart cards, communicating wirelessly
    • G06F 21/43: User authentication using separate channels for security data, wireless channels
    • H04L 63/0853: Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L 63/126: Applying verification of the received information, the source of the received data
    • H04L 63/18: Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04W 12/069: Authentication using certificates or pre-shared keys
    • H04L 63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Definitions

  • the present invention is in the field of authentication of a user from a terminal, in particular from a cellular telephone.
  • the invention more particularly relates to a method of strong authentication of a user from a cell phone type terminal.
  • the present invention will find a very particular application in the context of a request for remote and secure access by a user, from a mobile telephone, to a service hosted on a server, in particular through a portal viewed through a browser.
  • WAP: Wireless Application Protocol
  • WAP is a communication network whose purpose is to allow access to the Internet using a mobile terminal, such as cell phone, PDA or the like.
  • the remote and secure access to a service is through a browser, displaying an access portal that the user views.
  • the secure aspect of this access requires the authentication of said user.
  • Two techniques are generally adopted to verify with certainty the identity of the person wishing to connect to said service.
  • a message can be sent on his phone through the short message service (or sms for "short service message").
  • This message contains connection information, including a code valid for one or more accesses.
  • the user enters the access code during an identification request at the time of his connection to the service and a session is then opened.
  • Such a code can be used in a unique or repeated manner.
  • a disadvantage is the total lack of security in the sms service. No protection is envisaged, leaving a third party free to intercept the code when it is transmitted or received.
  • TOKEN: a generation of numbers synchronized with an authentication device.
  • an access key is generated and sent to the phone.
  • Time synchronization is performed before or at the time of the connection attempt.
  • the key is then exchanged with the remote service during an identification phase, manual or automatic. This key is only valid for a single use.
  • an exemplary protocol is described in WO 01/17310.
  • a user wishing to access a remote service connects to a portal through a computer via a browser. He identifies himself by entering a login and/or a password.
  • a request is then sent to the remote server which identifies the telephone number corresponding to said user and sends, on the one hand, an authentication request to the browser integrating a first token and, on the other hand, a message to the telephone including a second token.
  • the user then enters the first token on his phone and sends back to the server a message automatically integrating the second token.
  • the server authenticates said user and gives him access to said service.
  • a first disadvantage lies in the multiplication of requests sent, increasing the underlying procedures and related costs. In particular, the user must once again identify himself beforehand to set up the authentication procedure.
  • WTLS: the secure protocol of the WAP network
  • SSL: the secure protocol of the Internet network
  • the object of the invention is to overcome the drawbacks of the state of the art by proposing to authenticate in a certain and strong way the user from his mobile phone.
  • the protocol according to the invention simplifies the strong authentication procedure of said user. In addition, it allows the electronic signature of data such as documents, electronic mail or the like.
  • the subject of the present invention is a method of authenticating a user from a cellular telephone mobile terminal, in which:
  • said user visualizes, through a browser, a portal for accessing a service hosted on a server;
  • said user requests his authentication through the browser via said portal;
  • said portal initiates a pre-session so as to display through said browser, temporary access data independent of said user;
  • said telephone automatically sends a request to said server, including at least one authentication certificate specific to the user and said visualized data;
  • said request is encrypted using the public key of a certificate of said server and, in case of authentication of the user, access to the service is authorized through a secure session in the browser. According to other characteristics, after authentication of said user, said browser automatically displays said secure session.
  • each document to be signed is listed and said list is transmitted to said telephone; said telephone retrieves from said server all or part of the documents to be signed; and thanks to the key of one of the certificates it contains, said telephone electronically signs the documents chosen by the user and sends these signatures to said server.
  • said browser runs on a separate terminal of the computer type.
  • Such an authentication protocol offers a profoundly different alternative in that the user wishing to access a remote service via a portal viewed on a browser, has no need to identify himself on the browser. Indeed, the invention sends identification data to the browser regardless of the identity of the user. The latter will be automatically confirmed during the authentication by the phone.
  • Another advantage lies in the fact that the invention allows both the identification and the authentication of the user from a single terminal, in particular a telephone, while limiting the number of connections and requests sent, considerably reducing the security risks.
  • the present invention allows the strong authentication of a user 1 wishing to connect securely to a remote service by means of a mobile terminal 2, in particular cell phone type 2, while the use of the remote service itself is made through a browser, in particular executed by means of another computer terminal 3, for example a computer.
  • said service is hosted on a server 4, more particularly on a web server connected to an Internet-type computer network.
  • This service is accessible online through a portal.
  • said portal is displayed on any type of terminal through a browser.
  • This terminal can be said computer 3 connected to said Internet network but also another fixed or mobile terminal.
  • the user 1 views the data transmitted from the server 4 to the browser.
  • User 1 thus views the access portal to said service. While browsing, he makes an authentication request via said portal, in particular through a web page dedicated to this purpose.
  • said portal initiates a pre-session. The latter is unique and dynamically created with temporary access data.
  • Each request from a user 1 therefore corresponds to a single pre-session with unique access data, specific to each request.
  • said data is transferred from said server 4 through a first step I.
  • the connection between the computer 3 and said server 4 can then be secured.
  • This data may take the form of an identifier 5, in particular one or more access codes or the like. It is displayed on the browser so that the user 1 can view it (step II).
  • the portal does not take into account the identity of the user 1: it automatically issues an identifier 5 without identifying the person wishing to access the service.
  • in step III, the user 1 enters on his telephone 2 said data, in particular the identifier 5, in particular through an application dedicated to said service and installed on said telephone 2.
  • each dedicated application contains the connection data of each service to which it is linked, for example the addresses (URL or the like) of said server 4.
  • This application can advantageously be coded in the JAVA language, which is portable and compatible with many heterogeneous platforms.
  • the telephone 2 then automatically sends a request 6 to the server 4. This request 6 includes at least one authentication certificate 7 specific to the user 1.
  • the request 6 is encrypted with the public key contained in the certificate 8 of said server 4. The latter is known through said dedicated application.
  • the certificate 7 of the user 1 is also contained in said telephone 2 or through a complementary terminal.
  • said certificate 7 of the user 1 can be contained on the SIM card of the telephone 2 or on a cryptographic chip.
  • the request 6 can also include the data previously viewed and entered on the telephone 2, in particular the identifier 5. This data can also be used for encrypting the request 6, using the key of said server 4.
  • upon receipt of the request 6, said server 4 verifies the certificate 7. If the user 1 is authenticated, access to the service is authorized through a secure session. The latter can then be displayed automatically on said browser, as shown in step V.
  • the authentication of the user 1 by the server 4 may also include a step of approval of this authentication by the browser. This approval can be made by the user who confirms that the open session corresponds to his or her personal identity.
  • This approval can also take place via said telephone 2, in particular by information transmitted back from the request 6.
  • the communication protocol used for the transmission of said request 6 to the server 4 may include return information, in particular to confirm the status of the transmission and of the request 6. Within this return information, additional identification data can be transmitted back to the telephone 2. The user can then enter it through the browser to validate the secure session.
  • User 1 can then navigate as he sees fit on the access portal, certain to be connected to the real service.
  • the service is certain that the connected user 1 is the right one.
  • the user 1 can electronically sign documents held on said server 4 and accessed via said portal. For example, the user 1 can access an electronic mailbox and decide to send electronically signed emails.
  • said user 1 displays at least one document to be signed through the session displayed by said browser.
  • the electronic signature of this user 1 being contained on said telephone 2, each document to be signed is listed and said list is transmitted to said telephone 2.
  • said telephone 2 sends to said server 4 the certificates and electronic signature necessary for the signature of each document.
  • the authentication method according to the invention thus provides increased security during a remote connection to a service, through a cellular telephone 2 and via a browser on a separate terminal, in particular a computer 3.
  • the invention is also based on a combination of the identification and authentication phases on said telephone 2, thus ensuring increased security.
  • the remote electronic signature via the cell phone 2 is made possible.
  • the advantage of the present invention lies in the strong authentication aspect and the high level of security offered through the interoperability between the mobile communication network and the Internet, without leaving any security flaw.
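The pre-session flow of steps I to V above, including the optional approval step in which data returned to the telephone is retyped into the browser, modelled server-side as an added example (this is not code from the patent or from MEDISCS). Assumptions: the encryption of request 6 to the public key of the server certificate 8 is stood in for by an HMAC-authenticated envelope, since the Python standard library has no RSA; certificate 7 is reduced to subject, serial and expiry; the 120-second pre-session lifetime is invented.

```python
"""Server-side model of the pre-session flow (steps I to V) of EP2220812A2.
Added example, not the patent's code; the asymmetric envelope and the
certificate are stand-ins (see comments) and PRESESSION_TTL is assumed."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, asdict
from typing import Optional

PRESESSION_TTL = 120  # seconds a displayed identifier (5) stays valid (assumed)


@dataclass
class Certificate:
    """User certificate (7) as held on the SIM or cryptographic chip (modelled)."""
    subject: str
    serial: str
    not_after: float


@dataclass
class PreSession:
    """One pre-session per authentication request, created without any identity."""
    identifier: str                     # temporary access data (5) shown in the browser
    created: float
    bound_user: Optional[str] = None    # set once the phone has authenticated
    confirmation: Optional[str] = None  # extra data returned to the phone (approval step)
    approved: bool = False


def seal(server_key: bytes, payload: dict) -> bytes:
    """Stand-in for encrypting request (6) to the server's public key."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(server_key, body, hashlib.sha256).digest() + body


def unseal(server_key: bytes, blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(server_key, body, hashlib.sha256).digest()):
        raise ValueError("envelope not addressed to this server")
    return json.loads(body)


def phone_request(server_key: bytes, cert: Certificate, typed_identifier: str) -> bytes:
    """Dedicated phone application: builds request (6) from what the user typed (step III)."""
    return seal(server_key, {"identifier": typed_identifier, "certificate": asdict(cert)})


class Server:
    def __init__(self, server_key: bytes, trusted_serials: set, now=time.time):
        self.key = server_key
        self.trusted = trusted_serials  # stand-in for chain validation and revocation checks
        self.now = now
        self.presessions = {}

    def start_presession(self) -> str:
        """Steps I and II: issue identity-independent access data for the browser."""
        identifier = secrets.token_hex(4).upper()  # short enough to retype on a phone
        self.presessions[identifier] = PreSession(identifier, self.now())
        return identifier

    def receive_phone_request(self, blob: bytes) -> dict:
        """Verify certificate (7) and bind the pre-session to its subject, exactly once."""
        try:
            req = unseal(self.key, blob)
        except ValueError as exc:
            return {"status": "rejected", "reason": str(exc)}
        ps = self.presessions.get(req.get("identifier"))
        if ps is None or ps.bound_user is not None:  # unknown, or already consumed
            return {"status": "rejected", "reason": "unknown or already used identifier"}
        if self.now() - ps.created > PRESESSION_TTL:
            del self.presessions[ps.identifier]
            return {"status": "rejected", "reason": "pre-session expired"}
        cert = req["certificate"]
        if cert["serial"] not in self.trusted or cert["not_after"] < self.now():
            return {"status": "rejected", "reason": "certificate not accepted"}
        ps.bound_user = cert["subject"]
        ps.confirmation = secrets.token_hex(3)  # returned to the phone, retyped in the browser
        return {"status": "accepted", "confirmation": ps.confirmation}

    def browser_poll(self, identifier: str, typed_confirmation: str = "") -> dict:
        """Step V: the browser session opens only after binding and user approval."""
        ps = self.presessions.get(identifier)
        if ps is None or ps.bound_user is None:
            return {"state": "pending"}
        if not ps.approved:
            if not hmac.compare_digest(typed_confirmation, ps.confirmation):
                return {"state": "awaiting-approval"}
            ps.approved = True
        return {"state": "authenticated", "user": ps.bound_user}


def demo_flow() -> tuple:
    """Whole exchange under a fixed clock; the second phone request is a replay."""
    key = b"stand-in for the server certificate (8) public key"
    clock = [1_700_000_000.0]
    srv = Server(key, {"0A1B"}, now=lambda: clock[0])
    alice = Certificate("alice", "0A1B", not_after=clock[0] + 3600)
    ident = srv.start_presession()
    pending = srv.browser_poll(ident)["state"]
    reply = srv.receive_phone_request(phone_request(key, alice, ident))
    replay = srv.receive_phone_request(phone_request(key, alice, ident))["status"]
    unapproved = srv.browser_poll(ident)["state"]
    final = srv.browser_poll(ident, reply["confirmation"])
    return pending, reply["status"], replay, unapproved, final
```

The one-time consumption of the identifier and the expiry check are what keep a displayed pre-session from being bound twice or long after it was shown; the approval step closes the loop between the telephone that authenticated and the browser that will hold the session.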

Abstract

The invention relates to a method of authenticating a user (1) on the basis of a mobile terminal of cellular telephone type (2), in which said user (1) views through a browser a portal for accessing a service hosted on a server (4); said user (1) requests his authentication through the browser via said portal; said portal initiates a pre-session in such a way as to display through said browser temporary access data (5) independent of said user (1); said user (1) inputs into his telephone (2) the data viewed; said telephone (2) automatically dispatches a request (6) to said server (4), including at least one authentication certificate (7) specific to the user (1) and said viewed data (5); said request (6) is encrypted with the aid of the public key of a certificate (8) of said server (4) and, in the event of authentication of the user (1), access to the service is authorized through a secure session in the browser.

Description

METHOD FOR AUTHENTICATING A USER
The present invention is in the field of the authentication of a user from a terminal, in particular from a cellular telephone.
The invention more particularly relates to a method of strong authentication of a user from a terminal of the cellular telephone type.
The present invention will find a very particular application in the context of a request for remote and secure access by a user, from a mobile telephone, to a service hosted on a server, in particular through a portal viewed through a browser.
It falls within the context of a connection by means of a computer and telecommunication network of the Internet type, in particular through "WAP" ("Wireless Application Protocol"). WAP is a communication network whose purpose is to allow access to the Internet using a mobile terminal, such as a cellular telephone, PDA or the like.
In known manner, remote and secure access to a service is made through a browser displaying an access portal that the user views. The secure aspect of this access requires the authentication of said user. Two techniques are generally adopted to verify with certainty the identity of the person wishing to connect to said service.
On the one hand, at the user's request, a message can be sent to his telephone through the short message service (or sms, for "short service message"). This message contains connection information, in particular a code valid for one or more accesses. In possession of said access code, the user enters it during an identification request at the time of his connection to the service, and a session is then opened. Such a code can be used once or repeatedly.
A disadvantage lies in the total lack of security of the sms service. No protection is provided, leaving a third party entirely free to intercept the code during its transmission or its reception.
Another solution is based on the "TOKEN" principle, namely the generation of numbers synchronized with an authentication device. Again at the request of said user, an access key is generated and sent to the telephone. Time synchronization is performed before or at the time of the connection attempt. The key is then exchanged with the remote service during an identification phase, manual or automatic. This key is valid for a single use only.
In this context, an example of such a protocol is described in document WO 01/17310. A user wishing to access a remote service connects to a portal through a computer via a browser. He identifies himself by entering a login and/or a password. A request is then sent to the remote server, which identifies the telephone number corresponding to said user and sends, on the one hand, an authentication request to the browser including a first token and, on the other hand, a message to the telephone including a second token. The user then enters the first token on his telephone and sends back to the server a message automatically including the second token. By comparison, the server authenticates said user and gives him access to said service. A first disadvantage lies in the multiplication of the requests sent, which increases the underlying procedures and the related costs. In particular, the user must once again identify himself beforehand in order to set up the authentication procedure.
Within the "TOKEN" technology, the OTP protocol, for "One Time Pad", also called "disposable mask", is also known; it uses a list of dynamic single-use passwords. The OTP lists are shared by the two parties to the secure connection to be established. The codes are consumed in the expected order. Each time a password from a list A is sent, it is checked and then struck off in a list B.
Be that as it may, data transmission generally takes place through the WAP network towards the Internet. One problem lies in the fact that the secure protocols of these two networks are different: WTLS and SSL. The gateway is therefore obliged to decrypt the WTLS data in order to re-encrypt it under SSL.
In addition, there is no means of ensuring that the connection is made to the original server, leaving open the possibility of deceiving the user by means of a fake server.
Other solutions are envisaged, but do not give full satisfaction. Indeed, the user is still obliged to identify himself by sending an access request, through a key or a connection code, before being able to access said service.
Moreover, no solution allows the electronic signature of documents after authentication. The object of the invention is to overcome the drawbacks of the prior art by proposing to authenticate the user, in a certain and strong manner, from his mobile telephone.
In addition to the high level of security, the protocol according to the invention simplifies the strong authentication procedure of said user. Moreover, it allows the electronic signature of data such as documents, electronic mail or the like.
To this end, the subject of the present invention is a method of authenticating a user from a mobile terminal of the cellular telephone type, in which:
- said user views, through a browser, a portal for accessing a service hosted on a server;
- said user requests his authentication through the browser via said portal;
- said portal initiates a pre-session so as to display, through said browser, temporary access data independent of said user;
- said user enters on his telephone the data viewed;
- said telephone automatically sends a request to said server, including at least one authentication certificate specific to the user and said viewed data;
- said request is encrypted using the public key of a certificate of said server and, in case of authentication of the user, access to the service is authorized through a secure session in the browser. According to other characteristics, after authentication of said user, said browser automatically displays said secure session.
Advantageously, through the session displayed by said browser, at least one document to be signed is viewed by the user; each document to be signed is listed and said list is transmitted to said telephone; said telephone retrieves from said server all or part of the documents to be signed; and, thanks to the key of one of the certificates it contains, said telephone electronically signs the documents chosen by the user and sends these signatures back to said server.
In addition, said browser runs on a separate terminal of the computer type.
Un tel protocole d' authentification offre une alternative profondément différente en ce que l'utilisateur souhaitant accéder à un service distant via un portail visualisé sur un navigateur, n'a aucunement besoin de s'identifier sur le navigateur. En effet, l'invention envoie des données d' identification vers le navigateur sans tenir compte de l'identité de l'utilisateur. Cette dernière sera automatiquement confirmée lors de l' authentification par le téléphone .Such an authentication protocol offers a profoundly different alternative in that the user wishing to access a remote service via a portal viewed on a browser, has no need to identify himself on the browser. Indeed, the invention sends identification data to the browser regardless of the identity of the user. The latter will be automatically confirmed during the authentication by the phone.
Par conséquent, un autre avantage réside dans le fait l'invention permet à la fois l'identification et 1' authentification de l'utilisateur à partir d'un seul terminal, notamment un téléphone, tout en limitant le nombre de connexion et d' envoie de requête, diminuant considérablement les risques de sécurités .Therefore, another advantage lies in the fact that the invention allows both the identification and authentication of the user from a single terminal, including a telephone, while limiting the number of connection and sends a request, considerably reducing the security risks.
D'autres caractéristiques et avantages de l'invention ressortiront de la description détaillée qui va suivre des modes de réalisation non limitatifs de l'invention, en référence à la figure annexée, représentant schématiquement l'architecture et le déroulement des étapes d'un mode de réalisation dudit protocole d'authentification.Other features and advantages of the invention will emerge from the detailed description which follows of non-limiting embodiments of the invention, with reference to the attached figure, schematically showing the architecture and the steps of an embodiment of said authentication protocol.
The present invention provides strong authentication of a user 1 who wishes to connect securely to a remote service by means of a mobile terminal 2, in particular a cellular telephone 2, while the remote service itself is used through a browser, in particular one running on another computing terminal 3, for example a computer.
A clear distinction must be made between, on the one hand, the computing terminal 3 through which the user 1 accesses said service and browses and, on the other hand, the cellular telephone 2 from which he is authenticated, said computer 3 and said telephone 2 being distinct.
Moreover, it will be noted that said service is hosted on a server 4, more particularly on a web-type server connected to an Internet-type computer network. This service is accessible online through a portal.
In a known manner, said portal is displayed on any type of terminal through a browser. This terminal may be said computer 3 connected to said Internet network, but also another fixed or mobile terminal. The user 1 thus views the data transmitted from the server 4 to the browser.
The user 1 therefore views the access portal of said service. In the course of browsing, he makes an authentication request via said portal, in particular through a web page dedicated to that purpose.
Said portal then initiates a pre-session. This pre-session is unique and is created dynamically with temporary access data. Each request from a user 1 therefore corresponds to a single pre-session with unique access data specific to that request.
As shown in the figure, said data is transferred from said server 4 in a first step I. The connection between the computer 3 and said server 4 can then be secured.
This data may take the form of an identifier 5, in particular one or more access codes or the like. It is displayed in the browser so that the user 1 can view it (step II).
It will be noted that this temporary data is independent of said user 1. In other words, the portal takes no account whatsoever of the identity of the user 1: it automatically issues an identifier 5 without identifying the person wishing to access the service.
Once it has been viewed, in step III the user 1 enters said data, in particular the identifier 5, on his telephone 2, notably through an application dedicated to said service and installed on said telephone 2.
In this respect, each dedicated application contains the connection data of each service to which it is linked, for example the addresses (URL or the like) of said server 4. This application may advantageously be written in the JAVA language, which is portable and compatible with many heterogeneous platforms.
Said telephone 2 then automatically sends a request 6 to said server 4, step IV. This request 6 includes at least one authentication certificate 7 specific to the user 1. The request 6 is encrypted with the public key contained in the certificate 8 of said server 4, which is known through said dedicated application. The certificate 7 of the user 1 is likewise held in said telephone 2, or by way of a complementary terminal. For example, said certificate 7 of the user 1 may be held on the SIM card of the telephone 2 or on a cryptographic chip.
The request 6 may also include the data previously viewed and entered on the telephone 2, in particular the identifier 5. This data may also be used in encrypting the request 6, together with the key of said server 4.
Consequently, only said server 4, which holds the private key of its own certificate 7, is able to decrypt the request 6 it receives.
On receipt of the request 6, said server 4 verifies the certificate 7. If the user 1 is authenticated, access to the service is granted through a secure session. This session can then be displayed automatically in said browser, as shown in step V.
It will be noted that the authentication of the user 1 by the server 4 may also comprise a step in which this authentication is approved through the browser. This approval may be performed by the user, who confirms that the opened session does indeed correspond to his personal identity.
This approval may also take place through said telephone 2, in particular by means of information returned in response to the request 6. Indeed, the communication protocol used to transmit said request 6 to the server 4 may include return information, in particular to confirm the status of the transmission and whether the request 6 has indeed reached said server 4. Additional identification data may therefore be returned to the telephone 2 within this information. The user can then enter this data through said browser in order to validate the secure session.
The user 1 can then browse the access portal as he wishes, certain of being connected to the genuine service. On the other side, the service is certain that the connected user 1 is the right one.
During this browsing, owing to the presence of the certificates, the user 1 can electronically sign documents held on said server 4 via said portal. For example, the user 1 may access an electronic mail service and decide to send electronically signed e-mails.
To do so, said user 1 views at least one document to be signed through the session displayed by said browser. Since the electronic signature of this user 1 is held on said telephone 2, each document to be signed is listed and said list is transmitted to said telephone 2. After receiving it, said telephone 2 sends to said server 4 the certificates and electronic signature required to sign each document.
The authentication method according to the invention thus provides increased security during a remote connection to a service, through a cellular telephone 2 and via a browser on a separate terminal, in particular a computer 3.
The invention also relies on combining the identification and authentication phases on said telephone 2, thereby ensuring increased security. In addition, remote electronic signature via the cellular telephone 2 is made possible.
The advantage of the present invention lies in the strong authentication and the high level of security offered through the interoperability between the mobile communication network and the Internet network, without leaving any security gap.
Of course, the invention is not limited to the examples illustrated and described above, which may have variants and modifications without departing from the scope of the invention.

Claims

1. A method of authenticating a user (1) from a mobile terminal of the cellular telephone type (2), in which:
- said user (1) views, through a browser, a portal for accessing a service hosted on a server (4);
- said user (1) requests his authentication through the browser via said portal;
- said portal initiates a pre-session so as to display, through said browser, temporary access data (5) independent of said user (1);
- said user (1) enters the displayed data on his telephone (2);
- said telephone (2) automatically sends a request (6) to said server (4), including at least one authentication certificate (7) specific to the user (1) and said displayed data (5);
- said request (6) is encrypted using the public key of a certificate (8) of said server (4) and, if the user (1) is authenticated, access to the service is granted through a secure session in the browser.
2. The method according to claim 1, characterized in that, after authentication of said user (1), said browser automatically displays said secure session.
3. The method according to claim 2, characterized in that:
- at least one document to be signed is displayed to the user (1) through the session shown by said browser;
- each document to be signed is listed and said list is transmitted to said telephone (2);
- said telephone (2) retrieves from said server (4) all or part of the documents to be signed; and
- using the key of one of the certificates it contains, said telephone (2) electronically signs the documents chosen by the user (1) and returns these signatures to said server (4).
4. The method according to any one of the preceding claims, characterized in that said browser runs on a separate terminal of the computer type (3).
EP08864309A 2007-12-11 2008-12-11 Method of authenticating a user Withdrawn EP2220812A2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR0759714A FR2958826A1 (en) 2007-12-11 2007-12-11 User authenticating method for e.g. cellular telephone, involves encrypting request by public key of certificate of server, and authorizing access to service through secured session in browser in event of authentication of user
FR0850367A FR2958821A1 (en) 2007-12-11 2008-01-21 METHOD FOR AUTHENTICATING A USER
PCT/FR2008/052280 WO2009080999A2 (en) 2007-12-11 2008-12-11 Method of authenticating a user

Publications (1)

Publication Number Publication Date
EP2220812A2 true EP2220812A2 (en) 2010-08-25

Family

ID=40756506

Family Applications (1)

Application Number Title Priority Date Filing Date
EP08864309A Withdrawn EP2220812A2 (en) 2007-12-11 2008-12-11 Method of authenticating a user

Country Status (4)

Country Link
US (1) US20100257366A1 (en)
EP (1) EP2220812A2 (en)
FR (1) FR2958821A1 (en)
WO (1) WO2009080999A2 (en)

Also Published As

Publication number Publication date
WO2009080999A3 (en) 2009-08-20
FR2958821A1 (en) 2011-10-14
US20100257366A1 (en) 2010-10-07
WO2009080999A2 (en) 2009-07-02

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20100528

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA MK RS

DAX Request for extension of the european patent (deleted)
GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20110701