EP2286567A1 - Authentication of sessions between mobile clients and a server - Google Patents
Authentication of sessions between mobile clients and a server
- Publication number
- EP2286567A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- server
- mobile
- mobile client
- security
- service
- Prior art date
- Legal status
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
Definitions
- the present invention is related to authenticating sessions between mobile clients and a server in a network, and especially to a method and system comprising a layering of access levels to services, wherein an access level provides a certain level of security for the session, and wherein a session is only granted if the mobile client has a capability to provide the level of access security required for the service being requested from the mobile client.
- Modern telecommunication systems and mobile telephones provide the possibility to access a plurality of services regardless of where a person is located. This freedom of movement, without losing any form of contact with other people, institutions and services, is becoming a characteristic of our times.
- many types of services, such as banking services, may only be accessible over a network if the security of the session is high.
- Mobile telephones are typically mobile clients having limited computing power, memory capacity etc., which often limits the practical use of a program running in the mobile telephone. Even though the mobile telephone may comprise a miniature computer system, the constraints on power consumption in the mobile telephone limit, for example, the functionality and processing speed of the mobile telephone.
- a mobile telephone may typically not be of practical use if a session with a server requires a high degree of security, since the limited computational speed etc. would render the use too slow and frustrating for the user when security checks, encryption/decryption etc. are performed during the session.
- development of advanced mobile telephones continues and some models do have the capability to perform more complex routines, for example security related tasks.
- US 2002678 A1 by Chow et al. discloses a method for secure authentication of a first computer program to a second computer program.
- the method is based on a protocol comprising a one-time password calculation based on a seed value. This method allows a user to access different server computers, each providing a different security level.
- services, and not only the server computer system as such, may require different levels of access security, between them and/or within each respective service.
- To access a service from a mobile client access is granted only if the mobile client can provide access security at a required level. That requires that the mobile terminal in itself has the necessary resources to provide the necessary security level.
- a mobile telephone may comprise a full blown computing environment while others do have limited memory, computing speed etc. that makes it impossible to execute for example an advanced encryption/decryption algorithm in the mobile terminal.
- preinstalled security elements such as certificates must be present. If the service has different functionality, each functional aspect of the service may require a different level of security (for example certificate).
- this type of service requires only a simple access control, for example the initial level of security is to enter a PIN code as part of the session. If the user also wants to transfer money from an account to another, this part of the session would require a higher level of security, for example a one time password may be generated.
- Any mobile telephone can be used to enter a PIN code, but providing an embedded one time password calculator as part of the mobile telephone requires certain processing and functional capabilities of the mobile telephone. Therefore, access to this service would beneficially be provided if the server could identify the security capability of the mobile client accessing the server.
- the access of this mobile telephone is limited only to those services requiring for example a PIN code alone.
- the teaching of the present invention allows an adaptation of access to services that is a function of the capabilities of the mobile client and the level of security required by the respective services.
- When a service is accessed from a mobile terminal, the service must adapt what kind of functionality it can allow to provide for the user of the mobile terminal according to specific attributes, including physical attributes, of the mobile terminal itself.
- a method for authenticating an extent of interactions in a session between a user of a mobile terminal and a service in a server system is provided for by adapting a security level in the session that reflects the allowed extent of the interactions in the session, based on the security level the mobile terminal is providing for in the session, by identifying the following:
- a method for authenticating sessions between mobile clients and a server in a network, wherein the server provides a plurality of services, wherein respective services require different levels of access security for any session to be activated between a respective mobile client requesting a session for a specific service and the server, wherein the access to the requested service will be limited if the mobile client has a capability of providing access security lower than required by the session to be activated, wherein the method comprises the steps of:
- when the server receives a mobile client request for a service in the server, the server identifies the mobile client's capability to provide access security either by transferring an access security capability identifier from the mobile client to the server, or by using an identifier identifying the mobile client's identity and using that identity to search a list of pre-recorded mobile clients in the server, wherein the list comprises records of the respective mobile clients' access security capability identifiers,
- the server comparing the service security level identifier with the mobile client access capability identifier, and whenever the mobile client capability identifier is compatible with the service security level identifier, authenticating the session between the mobile client and the server,
- whenever the mobile client capability identifier is not compatible with the service security level identifier, limiting the access to the server from the mobile client.
- a respective service comprises a plurality of sub services, wherein each respective sub service requires a different level of access security
- the method comprises a further step of assigning a security level identifier to the respective service comprising sub services having a description of the different access levels for each respective sub service.
- the authentication of a session between a mobile client and the server for a service further comprises a step of authenticating a user's identity, wherein the user is operating the mobile client.
- the step of authenticating a user's identity further comprises using an authentication mechanism reflecting the level of access security provided for by the security level identifier assigned to the service the user is requesting.
- the authentication of a session between a mobile client and the server for a service further comprises a step providing authentication of the physical identity of the mobile client.
- the step of authenticating the mobile client's identity further comprises initializing a communication protocol in the server and the respective mobile client that is compatible with the session's required access security level.
- the communication protocol is one of a Secure Socket Layer (SSL) protocol, Transport Layer Security (TLS) protocol, Wireless Transport Layer Security (WTLS) protocol, Wireless Application Protocol (WAP), or similar protocol.
- SSL Secure Socket Layer
- TLS Transport Layer Security
- WTLS Wireless Transport Layer Security
- WAP Wireless Application Protocol
- the method according to the present invention is implemented as a program being executed in a server computer in a network.
- a data carrier comprising program instructions, wherein the instructions when downloaded to a mobile telephone enables the mobile telephone to have the access capability according to the present invention.
- Figure 1 illustrates an example of client server configuration according to the present invention.
- Figure 2 illustrates examples of steps for providing a client according to the present invention.
- Figure 3 illustrates examples of steps for providing a client according to the present invention.
- Figure 4 illustrates an example of downloading and activation of a client according to the present invention.
- Figure 5 illustrates an example of sequence steps for authenticating a session according to the present invention.
- FIG. 1 illustrates an example of a typical use of an embodiment of the present invention.
- a mobile client for example a mobile telephone
- Other application areas for a method and system according to the present invention can be mobile office systems, industrial automation systems, or any system that can benefit from having a layered access system for authenticating sessions between a client and a server.
- the layered structure of the access system according to the present invention allows any mobile client to be granted some form of access to services in a session with a security level adapted to the capability of the mobile client itself. Many types of services do actually have different needs for security related to the sessions between the client and the server.
- a banking system may operate with a PIN code mechanism for securing access to some services while requiring a more elaborate security for other services, for example by requiring a one time password generated by a one time password calculator.
- An aspect of the present invention is the ability to always allow a certain level of access to a service from a mobile client, and not to reject completely the request for a session from the mobile client.
- the plurality of services provided for in a server may each comprise a descriptor identifying the required security level each respective service needs to have for being activated.
- This descriptor can be a link from a service entry point to a list or a database record, for example.
- a service may have different security levels or sub services having different security access levels within the service itself. Such conditions can be accounted for in the descriptor as formatted sections, for example, wherein each respective section describes the relevant security level required for each respective sub service linked with this respective section.
- the mobile client may comprise a descriptor identifying the capability of the mobile client.
- a client capability identifier may be downloaded to the mobile client when a user registers himself as a user of services from the service provider's server, for example. In another example of embodiment of the present invention, the server may comprise a list of physical identities (telephone numbers, IP addresses etc.) or physical addresses of mobile clients in the network. Whenever a mobile client requests a service, the client capability identifier is made available in the server, either via a transfer of the descriptor from the mobile client to the server, or by inquiring the list of mobile client capabilities registered in the server.
- the server then compares the respective descriptors for the service and the requesting mobile client, and if the descriptors are compatible, the requested service is granted. If the descriptors are not compatible, the server may reject the request for the service completely, but preferably grants access at a predefined level, for example a security level only requiring a PIN code access mechanism, wherein any access from the mobile client to the server is correspondingly limited, for example only permitting reading information out of the server.
- the security level identifier can for example comprise sections, wherein each respective section is linked to respective functional elements of the services.
- the corresponding security level identifier section is compared with the mobile client capability identifier.
- the server then compares the respective descriptors for the service's functional elements and the requesting mobile client, and if the descriptors are compatible, the requested functional element is granted. If the descriptors are not compatible, the server may reject the request for the functional element completely, but preferably grants access at a predefined level, for example by limiting the functional element being requested, for example only permitting reading of information from the server.
- a server operated by a service provider requires that users with mobile clients or mobile telephones register a user name and an identification of the mobile client, for example a telephone number in the server. Entry points in the server as known to a person skilled in the art can point to such information stored in the server.
- an identity of the mobile telephone for example a telephone number, IP address etc. is read out from the mobile client.
- a list of mobile client identities sorted according to the type of identity i.e.
- the mobile client capability identifier and security level identifier descriptors are outlined above as information elements comprising values or contents that identify, respectively, a capability level of the physical attributes of the mobile client and the security level required by services, and which are initialized.
- the server may obtain the value or information content of the mobile client capability identifier by interrogating the mobile client through an exchange of messages between the mobile client and the server, for example. Such an exchange of messages is well known in the prior art.
- the mobile client can identify the value or information content of the security level identifier by exchanging messages with the server. It is therefore within the scope of the present invention that the mobile client assesses the level of security required by the session with a server, and that the mobile client only requests services that require a security level compatible with its own level of providing security for the session.
- such an exchange of messages for establishing values or information contents of the descriptors according to the present invention may also be performed via a third participating system in the process.
- a security broker computer in a network can establish mobile client capabilities and security level requirements for services, and then inform the participating parties of a session that is to commence between a mobile client and a server about the conditions. It is therefore within the scope of the present invention that the grant of sessions according to the present invention can be performed outside the mobile client and/or server.
- a mobile client may acquire the correct initialization for utilizing services from a specific server as depicted in the flow diagram illustrated in figure 2.
- the method steps according to the present invention provide first a generic client configuration as depicted in figure 2, while a specific client may be produced according to the method steps illustrated in figure 3.
- An aspect of the present invention is to provide a system authenticating a user according to actual requirements for authenticating a service.
- a simple user authentication scheme requires only a user name and a password. Strong user authentication schemes often require that the user has possession of an item, for example a physical unit such as a one time password calculator or similar device. Such schemes also often require a
- authentication of a user will not be performed if the service does not require a user authentication. It is also an aspect of the present invention to provide strong authentication without the needs for external items. It is further an aspect of the present invention to provide a secure communication channel independent of network providers.
- FIG 2 an example of a generic client generation is depicted.
- the first step is to identify which Java platform to use.
- the Java platform concept provides a network independent client which is one of the aspects described above of the present invention.
- Examples of Java platforms for mobile telephones are Mobile Information Device Profile (MIDP) and Connected Limited Device Configuration (CLDC) as known to a person skilled in the art.
- a next step is to select a secure communication platform. Examples of such platforms for mobile clients are: Secure Socket Layer (SSL),
- Transport Layer Security TLS
- WTLS Wireless Transport Layer Security
- WAP Wireless Application Protocol
- a next step is to select a user authentication mechanism.
- Examples are enCap, BankID, or any similar type of authentication mechanism developed for mobile clients in a network.
- the type of authentication mechanism is a function of the capabilities of the mobile client.
- a further authentication mechanism can be installing a one time password calculator algorithm in the mobile client, for example such as a one time password algorithm that is part of the enCap solution. The use of this algorithm is dependent on the capabilities of the mobile client. If the authentication mechanism is a Java based solution the authentication mechanism is integrated before producing the generic platform. If the authentication mechanism is not Java based, an interface to the authentication mechanism is created before producing the generic platform.
- a specific mobile client is generated by selecting a specific service provider (or server(s)) together with the unique capabilities of the service provider.
- a mobile client identity is then generated.
- a mobile client capability identifier can be part of this mobile client identity.
- the value or content of the mobile client capability identifier is related to the mobile client capability to execute algorithms, storage capacity etc.
- the client capability identifier can be used by the service provider to limit access to services for users using this particular mobile client, even though the mobile client has physical characteristics allowing a higher degree of security than reflected by the initialized mobile client capability identifier. This can for example be used to distinguish between super users, ordinary users etc. (user privileges) or to reflect the status of a subscription to a particular service, for example.
- the mobile client capability identifier can at any time be updated remotely from the server when communicating with the mobile client.
- a user performs following steps of a method according to the present invention comprising a Bank service provider:
- a user downloads a Java based mobile bank client and installs the client in his mobile telephone.
- a gateway of the system displays an activating code to the user on his mobile telephone display.
- the Java client reads out profile data from the mobile telephone.
- the Java client reads out profile data from the mobile telephone such that a user interface can be adapted to the mobile telephone display. Other features such as function buttons are configured.
- the Java client identifies the communication capabilities of the mobile telephone and establishes a secure communication protocol.
- the Java client displays an activating page to the user.
- the user receives a starting page with a possibility to log into the server or activating services directly from the page.
- Figure 5 illustrates an example of a sequence diagram for authenticating a user according to the present invention. Similar sequence diagrams can be provided for the authentication of a physical identity of a mobile client, etc. as known to a person skilled in the art.
- the method steps according to the present invention, and a system providing embodiments of method steps according to the present invention, are applicable in any client server configuration in a network, wherein the client can be a physical entity (a mobile telephone for example) or a logical entity (a software entity), wherein it is beneficial to provide a layered security access scheme from clients to services provided for in the server.
- Examples of such areas can be a banking server system, a broker server system, an insurance server system, a mobile office system, an industrial automation server system, or similar type of server system.
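The server-side grant logic described in the definitions above (the service security level identifier with one section per sub service, the client capability identifier taken either from the client's transfer or from the server's list of pre-recorded clients, and the limited access at a predefined level on a mismatch), written out as an added Python example. This is not code from the patent; the level ordering, the descriptor fields and the client identities are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Optional


class SecurityLevel(IntEnum):
    """Ordered access security levels; a higher level satisfies every lower one."""
    NONE = 0
    PIN = 1   # simple access control: a PIN code entered during the session
    OTP = 2   # one-time password from a calculator embedded in the client
    CERT = 3  # pre-installed certificate on the client


@dataclass
class ServiceDescriptor:
    """Security level identifier of a service: one section per sub service."""
    name: str
    sections: Dict[str, SecurityLevel]
    fallback: SecurityLevel = SecurityLevel.PIN  # predefined level granted on a mismatch


@dataclass(frozen=True)
class Decision:
    granted: bool
    limited: bool            # True when access was cut down to the fallback level
    allowed: FrozenSet[str]  # sub services the session may use
    reason: str


class LayeredAccessServer:
    def __init__(self) -> None:
        self.services: Dict[str, ServiceDescriptor] = {}
        # list of pre-recorded mobile clients: identity (e.g. phone number) -> capability
        self.registered: Dict[str, SecurityLevel] = {}

    def register_service(self, svc: ServiceDescriptor) -> None:
        self.services[svc.name] = svc

    def set_client_capability(self, identity: str, cap: SecurityLevel) -> None:
        """Register, or remotely update, a client's capability identifier."""
        self.registered[identity] = cap

    def resolve_capability(self, identity: str,
                           transferred: Optional[SecurityLevel]) -> Optional[SecurityLevel]:
        # The server-side record wins when one exists: it lets the provider cap a
        # client below its physical capability (user role, subscription status),
        # and a value asserted by the client then cannot raise its own level.
        return self.registered.get(identity, transferred)

    def authenticate(self, identity: str, service: str, subservice: str,
                     transferred: Optional[SecurityLevel] = None) -> Decision:
        svc = self.services.get(service)
        if svc is None or subservice not in svc.sections:
            return Decision(False, False, frozenset(), "unknown service or sub service")
        cap = self.resolve_capability(identity, transferred)
        if cap is None:
            return Decision(False, False, frozenset(), "client capability unknown")
        required = svc.sections[subservice]
        if cap >= required:  # compatible: grant every section the client can satisfy
            allowed = frozenset(s for s, lvl in svc.sections.items() if lvl <= cap)
            return Decision(True, False, allowed, f"{cap.name} satisfies {required.name}")
        if cap >= svc.fallback:  # not compatible: limited access at the predefined level
            allowed = frozenset(s for s, lvl in svc.sections.items() if lvl <= svc.fallback)
            return Decision(True, True, allowed,
                            f"{cap.name} below {required.name}; limited to {svc.fallback.name}")
        return Decision(False, False, frozenset(), f"{cap.name} below fallback {svc.fallback.name}")


def demo_bank() -> Dict[str, Decision]:
    """Constructed scenario: a bank service with a read-only and a transfer section."""
    server = LayeredAccessServer()
    server.register_service(ServiceDescriptor(
        "bank", {"balance": SecurityLevel.PIN, "transfer": SecurityLevel.OTP}))
    # constructed client identities, not real subscriber numbers
    server.set_client_capability("basic-phone-01", SecurityLevel.PIN)
    server.set_client_capability("otp-phone-02", SecurityLevel.OTP)
    return {
        "basic_transfer": server.authenticate("basic-phone-01", "bank", "transfer"),
        "otp_transfer": server.authenticate("otp-phone-02", "bank", "transfer"),
        # unregistered client: its transferred identifier is the only source
        "unregistered_otp": server.authenticate("new-phone-03", "bank", "transfer",
                                                transferred=SecurityLevel.OTP),
        # registered PIN client asserting OTP: the server record still applies
        "asserted_otp": server.authenticate("basic-phone-01", "bank", "transfer",
                                            transferred=SecurityLevel.OTP),
        "no_security": server.authenticate("kiosk-04", "bank", "balance",
                                           transferred=SecurityLevel.NONE),
    }


if __name__ == "__main__":
    for name, d in demo_bank().items():
        print(f"{name}: granted={d.granted} limited={d.limited} allowed={sorted(d.allowed)}")
```

The PIN-only client requesting a transfer is not rejected outright but limited to the read-only section, which is the behaviour the definitions call the preferred outcome of a mismatch.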
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention relates to a method and a system for authenticating sessions between mobile clients and a server in a network. According to the invention, the server provides a plurality of services that respectively require different levels of access security for any session to be activated between a respective mobile client requesting a session for a specific service and the server, and access to the requested service will be limited if the access security the mobile client can provide is lower than that required by the session to be activated.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
NO20082083 | 2008-05-05 | ||
PCT/NO2009/000172 WO2009136795A1 (fr) | 2008-05-05 | 2009-05-04 | Authentication of sessions between mobile clients and a server |
Publications (1)
Publication Number | Publication Date |
---|---|
EP2286567A1 true EP2286567A1 (fr) | 2011-02-23 |
Family
ID=41264739
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP09742898A Withdrawn EP2286567A1 (fr) | 2008-05-05 | 2009-05-04 | Authentication of sessions between mobile clients and a server |
Country Status (2)
Country | Link |
---|---|
EP (1) | EP2286567A1 (fr) |
WO (1) | WO2009136795A1 (fr) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8495219B2 (en) | 2011-01-13 | 2013-07-23 | International Business Machines Corporation | Identity management method and system |
US9398050B2 (en) | 2013-02-01 | 2016-07-19 | Vidder, Inc. | Dynamically configured connection to a trust broker |
US10469262B1 (en) | 2016-01-27 | 2019-11-05 | Verizon Patent ad Licensing Inc. | Methods and systems for network security using a cryptographic firewall |
US10554480B2 (en) | 2017-05-11 | 2020-02-04 | Verizon Patent And Licensing Inc. | Systems and methods for maintaining communication links |
US11928737B1 (en) | 2019-05-23 | 2024-03-12 | State Farm Mutual Automobile Insurance Company | Methods and apparatus to process insurance claims using artificial intelligence |
US11669907B1 (en) | 2019-06-27 | 2023-06-06 | State Farm Mutual Automobile Insurance Company | Methods and apparatus to process insurance claims using cloud computing |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6609198B1 (en) * | 1999-08-05 | 2003-08-19 | Sun Microsystems, Inc. | Log-on service providing credential level change without loss of session continuity |
US20020169874A1 (en) * | 2001-05-09 | 2002-11-14 | Batson Elizabeth A. | Tailorable access privileges for services based on session access characteristics |
US7162525B2 (en) * | 2001-08-07 | 2007-01-09 | Nokia Corporation | Method and system for visualizing a level of trust of network communication operations and connection of servers |
ES2264853B1 (es) * | 2004-06-24 | 2007-12-16 | Vodafone España, S.A. | System and method for asserting identities in a telecommunications network. |
2009
- 2009-05-04 WO PCT/NO2009/000172 (WO2009136795A1): Application Filing, active
- 2009-05-04 EP EP09742898A (EP2286567A1): Withdrawn, not active
Non-Patent Citations (1)
Title |
---|
See references of WO2009136795A1 * |
Also Published As
Publication number | Publication date |
---|---|
WO2009136795A1 (fr) | 2009-11-12 |
Similar Documents
Publication | Title |
---|---|
US20190370479A1 (en) | Method for providing simplified account registration service and user authentication service, and authentication server using same |
US7188181B1 (en) | Universal session sharing |
US5778072A (en) | System and method to transparently integrate private key operations from a smart card with host-based encryption services |
KR100786551B1 (ko) | Method for user registration and authentication of one-time passwords by a plurality of schemes, and computer-readable recording medium recording a program for performing such a method |
US7085840B2 (en) | Enhanced quality of identification in a data communications network |
US7275260B2 (en) | Enhanced privacy protection in identification in a data communications network |
CN1610292B (zh) | Method and apparatus for interoperable credential collection and access |
US7496751B2 (en) | Privacy and identification in a data communications network |
JP4433472B2 (ja) | Distributed authentication processing |
US7296149B2 (en) | Secure user and data authentication over a communication network |
US20140041008A1 (en) | Establishing historical usage-based hardware trust |
EP1244998A1 (fr) | Method and apparatus for secure authentication of portable devices via Internet host servers |
US20030084302A1 (en) | Portability and privacy with data communications network browsing |
US20030084171A1 (en) | User access control to distributed resources on a data communications network |
US8082213B2 (en) | Method and system for personalized online security |
US20070186277A1 (en) | System and method for utilizing a token for authentication with multiple secure online sites |
JP2008538668A (ja) | Method and connection device for connecting to a SIM card housed in a mobile terminal device |
EP2286567A1 (fr) | Authentication of sessions between mobile clients and a server |
US20080046750A1 (en) | Authentication method |
JP2007272600A (ja) | Personal authentication method linked with environment authentication, personal authentication system linked with environment authentication, and personal authentication program linked with environment authentication |
KR20050009945A (ko) | Method and system for managing virtual storage space using a removable storage device |
KR101171235B1 (ko) | Certificate operation method |
KR20220080904A (ko) | Method and system for providing an integrated authentication means/electronic signature platform |
Chen et al. | New authentication method for mobile centric communications |
KR20090095946A (ko) | Method and system for processing non-face-to-face financial transaction messages, and recording medium therefor |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
| 17P | Request for examination filed | Effective date: 20101202 |
| AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK TR |
| AX | Request for extension of the European patent | Extension state: AL BA RS |
| STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
| 18D | Application deemed to be withdrawn | Effective date: 20121201 |