EP3394780A1 - Method and device for connecting to a remote server - Google Patents

Method and device for connecting to a remote server

Info

Publication number
EP3394780A1
Authority
EP
European Patent Office
Prior art keywords
user
remote server
authentication data
password
result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP16829108.6A
Other languages
English (en)
French (fr)
Inventor
Chidung LAC
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Orange SA
Original Assignee
Orange SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Orange SA

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2117 User registration

Definitions

  • the present invention relates to digital communications.
  • the present invention relates to the protection of confidential data of users of a digital communications network, such as the Internet.
  • the digital universe in which we are immersed daily makes it necessary for everyone to identify themselves to a large number of services, covering both the professional and personal spheres, such as access to a social network, e-mail processing, administrative procedures, management of bank accounts, or online purchase of products.
  • the first step in accessing any digital service is user authentication, regardless of whether the service is free (for example, social) or paid (for example, online).
  • This authentication usually consists of the user providing an identifier and a password.
  • the present invention relates only to the pair identifier / password which is, and will remain for a long time, the most common means of authentication.
  • Phishing is defined as criminal activity in a digital network in which a hacker tries to fraudulently acquire private information, such as identifiers, passwords, or credit card details, of a certain user of a computer system.
  • the term “phishing” refers to the use of electronic lures to "fish" for a user's private data, from a website or in an electronic message. The hacker usually passes himself off as a person, an entity, or an activity known to the user, and tries to convince the user to communicate private data. Phishing is a growing problem in IT services, and there are state-of-the-art ways to protect users. However, these means have limited effectiveness in that it is very difficult for a user to differentiate between a legitimate and an illegitimate correspondent, for example between a legitimate World Wide Web page and an illegitimate web page.
  • US patent application 2012/0272330 discloses an anti-phishing system, which is implemented when the user of a computer seeks to communicate with a remote server. This anti-phishing system then searches for the e-mail address of the remote server in a "white" list of trusted e-mail addresses. Then:
  • the computer transmits the identifier / password pair of the user to the remote server;
  • the computer implements, before transmitting the identifier and the password to the remote server, a protective action such as stopping the transmission of the identifier / password pair to the remote server, and / or displaying a message intended to alert the user to the fact that this remote server is not (or is not yet) deemed reputable.
  • the identifier / password pair is entered by the user, and his web browser sends this authentication data to the remote server when the latter appears on said whitelist, that is to say when it is reputed to be trustworthy.
  • no verification is performed by the anti-phishing system as to the relevance of these authentication data.
  • this authentication data may not correspond to the real user identifier / password pair for this remote server.
  • a loss of confidentiality of the identifier / password pair can occur if the identifier, the password, or both at the same time are accidentally disclosed by this user.
  • This password is therefore wrong in this case, but the user will not realize his error after receiving in response from the server a message of the type "Wrong password!".
  • the danger of this situation is that the manager of the social network therefore knows, on the basis of the wrong password, the correct identifier / password of this user for his banking services; if this manager is dishonest, or if a hacker accesses the data recorded in the server of the social network, this manager or this hacker will only have to find out which servers (other than that of the social network) the user usually accesses, to then impersonate that user with his bank. But this type of error is common.
  • the present invention therefore relates to a method of connection to a remote server, comprising a preliminary step during which, during an access of a user to said remote server by means of a connection device, said user has had recorded in said connection device, in association with an identifier of this remote server, the result of the application of a certain function to the authentication data of this user with this remote server.
  • Said method further comprises, during a subsequent access of the user to the remote server by means of the connection device, the following steps:
  • authentication data for authentication to the remote server, said authentication data comprising at least one password
  • in the event of a discrepancy, the connection device sends the user a message asking him to check that the authentication data he has entered in step a) are the ones he wants to send to the remote server, and offers the user an interface to allow him to respond.
  • the present invention proposes to alert a user who, in order to be able to connect to a certain remote server (to which this user has already connected previously), has entered incorrect authentication data (by inattention, or by confusion with the authentication data associated with another remote server).
  • the user is given the possibility of correcting his error before sending the authentication data to the remote server.
  • the present invention is not at all incompatible with the use of a whitelist of the type used by the method according to the application US 2012/0272330 described briefly above.
  • the invention advantageously requires the user to enter authentication data each time he wishes to access this remote server.
  • the pair identifier / password is initially recorded in a dedicated memory in relation to an identifier of the remote server; when the user tries again to communicate with this remote server, the pair identifier / password is simply provided or completed by his computer.
  • This conventional method has the disadvantage that any person belonging to the environment (domestic or professional) of the legitimate user of the service, and able to use his computer, can access the remote server even without knowing the password (which, moreover, is usually not displayed on the screen associated with the computer). However, some of these people who can use this computer (for example, the children of the legitimate user of the service) may not have the right to access this remote server.
  • said method further comprises the following steps:
  • said method further comprises the following steps:
  • the user can quickly update the record associated with its authentication data, and connect to the remote server.
  • said method further comprises the following steps:
  • connection device can implement the invention for a plurality of users (each having its own pair identifier / password).
  • the result of said function comprises, in plaintext or in encrypted form, at least a part of said password of the user for said remote server.
  • the variant of encrypting the authentication data of the user makes it possible to avoid recording these authentication data in the clear in the memory dedicated to the recording according to the invention. This makes it possible to better protect the authentication data (of a very confidential nature as recalled above) associated with the various remote servers to which the user usually connects. Indeed, when these data are stored in the clear in said memory, a third party able to use the computer of the legitimate user, or a hacker able to break into this memory, would at the same time access all of these authentication data, which would obviously have very unfortunate consequences for the legitimate user.
  • the invention relates to a device for connecting to a remote server, in particular for retrieving, and / or processing, and / or sending digital data over the Internet.
  • This connection device can be hosted, for example, in a fixed or mobile terminal such as a personal computer, a tablet or a "smartphone", or in a residential gateway ("Residential Gateway" in English) or one located in a business.
  • Said connection device is remarkable in that it has means for:
  • authentication data entered by a user of said connection device and intended to authenticate said user with said remote server, said authentication data comprising at least one password
  • connection device also has means for, in case of discrepancy:
  • connection device also has means for, in case of discrepancy:
  • connection device also has means for, in case of discrepancy:
  • the result of said function comprises, in plaintext or in encrypted form, at least a part of said password of the user for said remote server.
  • the invention relates to a web browser. Said web browser is remarkable in that it contains a connection device as briefly outlined above.
  • connection device and this web browser are essentially the same as those offered by the correlative methods succinctly set forth above.
  • connection device and this web browser in the context of software instructions and / or in the context of electronic circuits.
  • the invention also relates to a computer program downloadable from a communication network and / or stored on a computer readable medium and / or executable by a microprocessor.
  • This computer program is notable in that it includes instructions for performing the steps of the method of connection to a remote server succinctly set forth above, when executed on a computer.
  • connection device according to the invention is incorporated in a web browser hosted by a personal computer.
  • a user of this computer connects to a remote server offering a service desired by this user.
  • the browser has verified, in a manner known per se, that the remote server is registered on a whitelist (that is to say a list of servers reputed to be trustworthy); the skilled person may provide various measures for the case where the remote server is not registered on said whitelist, for example the display of a message intended to alert the user to the fact that this server is not (or not yet) deemed worthy of trust, and a request to confirm that the user nevertheless wants to connect to this server (in case of confirmation, this server is then registered on the whitelist).
  • the browser (or a suitable computer module) of the user applies a predetermined function to the data enabling this user to authenticate with this remote server.
  • the result of this application includes, in clear or in encrypted form, at least a portion of said user's password for this remote server.
  • said result also includes, in clear or in encrypted form, at least a portion of the user ID for this remote server.
  • this encryption can take the form of a digest ("hash" in English), that is to say a non-invertible function of the authentication data.
  • This result is then recorded in a dedicated memory (for example, in the user's computer or in a cloud ("cloud" in English) of an Internet operator), in association with an identifier of the remote server, for example its IP (Internet Protocol) address.
  • in a step S1, during any subsequent access of this user to this remote server, the user enters data to authenticate with the remote server.
  • This authentication data includes at least his password.
  • the user also enters his identifier in full.
  • in a manner known per se, the user only enters part of the identifier, then chooses the complete identifier from a list proposed by the browser; this second variant is useful in the case where several persons (each having their own identifier) have the right to use said computer; indeed, in the absence of any indication from the user, the browser could not know which identifier is concerned for this connection.
  • the browser automatically provides the identifier of the user (assumed to be unique) of the computer for the remote server concerned.
  • the browser or a suitable computer module of the user applies said function to the data entered by the user during said step S1, and compares the result of this application with that which has been recorded for this remote server during the step S0 described above.
  • the browser sends the remote server the username and password of the user, and the session between the user and the remote server can start.
  • the browser verifies that the remote server is still registered on the whitelist before sending the authentication data.
  • the browser sends the user a message asking him whether he is sure he wants to send to the remote server the data he has just entered; the user can thus check whether he made a mistake when entering the authentication data.
  • the browser offers the user an interface (for example, by opening a window on the screen associated with the computer).
  • If, following the reception of said message, the user realizes that he is mistaken, he then indicates in said interface, according to a step S4, his wish to correct his input; the user then re-enters, in said interface or in the initial input fields, data intended to authenticate him with the remote server, said data comprising at least his password, analogously to step S1 above.
  • in a step S5, analogously to step S2 above, the browser (or a suitable computer module) of the user applies said function to the data entered by the user during said step S4, and compares the result of this application with the one that has been recorded for this remote server during step S0.
  • in a step S6, the browser sends the remote server the user's ID and password (after, optionally, verifying that the remote server is still whitelisted), and the session can then start.
  • in a step S'3, the user can perceive that the data entered in step S1 are those that enable him to authenticate with the remote server. This case may indeed occur if the user, during a previous session with the remote server, has changed his identifier and / or his password with this server, so that the result of the application of the function to the authentication data that was saved during the preliminary step S0 is obsolete.
  • in a step S'4, the user indicates in said interface his wish to update his authentication data.
  • in a step S'5, the user re-enters his authentication data in said interface or in the initial input fields, or the browser retrieves the authentication data entered in step S1; the result of the application of said function to these authentication data is then recorded in said dedicated memory.
  • the browser sends the remote server the username and password of the user (after, optionally, verifying that the remote server is still registered on a whitelist), and the session can start.
  • Another possible case, following said step S'3, is when a new user wishes to register with a connection device according to the invention with which at least one user is already registered.
  • in a step S"5, the new user re-enters his authentication data in said interface or in the initial input fields, or the browser retrieves the authentication data entered during step S1.
  • the result of the application of said function to the authentication data of this new user is recorded in said dedicated memory, and
  • the browser sends the remote server the username and password of this new user (after, optionally, verification that the remote server is still registered on a whitelist).
  • the session can then start.
  • the invention can be implemented within nodes of communication networks, for example computers, terminals or gateways, by means of software and / or hardware components.
  • the software components can be integrated into a typical network node management computer program. Therefore, as indicated above, the present invention also relates to a computer system.
  • This computer system conventionally comprises a central processing unit controlling, by signals, a memory, as well as an input unit and an output unit.
  • this computer system can be used to execute a computer program comprising instructions for implementing any of the methods of connection to a remote server according to the invention.
  • the invention also relates to a downloadable computer program from a communication network comprising instructions for performing the steps of a connection method to a remote server according to the invention, when it is executed on a computer.
  • This computer program may be stored on a computer readable medium and may be executable by a microprocessor.
  • This program can use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any other desirable form.
  • the invention also relates to an information carrier, irremovable, or partially or completely removable, readable by a computer, and comprising instructions of a computer program as mentioned above.
  • the information carrier may be any entity or device capable of storing the program.
  • the medium may include a storage medium, such as a ROM, for example a CD-ROM or a microelectronic circuit ROM, or a magnetic recording medium, such as a hard disk, or a USB flash drive.
  • the information medium may be a transmissible medium such as an electrical or optical signal, which may be conveyed via an electrical or optical cable, by radio or by other means.
  • the computer program according to the invention can in particular be downloaded to an Internet type network.
  • the information carrier may be an integrated circuit in which the program is embedded, the circuit being adapted to execute or to be used in the execution of any of the methods of connection to a remote server according to the invention.
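
Added example, not part of the patent text or of any implementation by the applicant: a Python rendering of the connection method described above (preliminary step S0, entry S1, comparison S2/S5, correction S4, record update S'4/S'5, new-user case S"5). The names ConnectionGuard, credential_digest, ask and send, the host names, and the choice of salted PBKDF2 as the "function" are assumptions; the text only requires a digest of the authentication data.

```python
import hashlib
import hmac
import secrets

ROUNDS = 100_000  # assumption: the page only says "digest"; a slow KDF resists guessing


def credential_digest(identifier, password, salt):
    """The non-invertible 'function' applied to the authentication data."""
    ident = identifier.encode()
    # Length-prefix the identifier so ("ab", "c") and ("a", "bc") differ.
    material = len(ident).to_bytes(4, "big") + ident + password.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ROUNDS)


class ConnectionGuard:
    """Hypothetical connection device: stores digests only, never the password."""

    def __init__(self, whitelist, send):
        self.whitelist = set(whitelist)
        self.send = send          # callable(server, identifier, password)
        self.records = {}         # (server, identifier) -> (salt, digest)

    def record(self, server, identifier, password):
        """Preliminary step S0, also used for the update step S'5."""
        salt = secrets.token_bytes(16)
        self.records[(server, identifier)] = (
            salt, credential_digest(identifier, password, salt))

    def matches(self, server, identifier, password):
        """Comparison of steps S2 and S5, done in constant time."""
        rec = self.records.get((server, identifier))
        if rec is None:           # unknown user for this server: treat as discrepancy
            return False
        salt, stored = rec
        return hmac.compare_digest(
            stored, credential_digest(identifier, password, salt))

    def connect(self, server, identifier, password, ask):
        """Run S1..S6. ask(server) models the interface and returns
        ("correct", retyped_password), ("update", None) or ("cancel", None)."""
        if server not in self.whitelist:
            return "blocked"      # assumption: refuse instead of asking to confirm
        while not self.matches(server, identifier, password):
            choice, retyped = ask(server)
            if choice == "correct":        # S4: retype, then S5 re-checks
                password = retyped
            elif choice == "update":       # S'4 / S'5: replace the stale record
                self.record(server, identifier, password)
            else:
                return "cancelled"         # nothing left the device
        self.send(server, identifier, password)
        return "sent"


def demo():
    """Constructed scenario: the bank password is typed into the social site."""
    sent = []
    guard = ConnectionGuard(
        whitelist={"social.example", "bank.example"},
        send=lambda s, i, p: sent.append((s, i, p)))
    guard.record("social.example", "alice", "s0cial-pw")
    guard.record("bank.example", "alice", "b4nk-pw")

    outcomes = [
        # Wrong site for this password, user backs out.
        guard.connect("social.example", "alice", "b4nk-pw",
                      ask=lambda s: ("cancel", None)),
        # Same mistake, user corrects the entry.
        guard.connect("social.example", "alice", "b4nk-pw",
                      ask=lambda s: ("correct", "s0cial-pw")),
        # Password was changed on the server: user updates the record.
        guard.connect("bank.example", "alice", "n3w-bank-pw",
                      ask=lambda s: ("update", None)),
        # Server absent from the whitelist.
        guard.connect("evil.example", "alice", "b4nk-pw",
                      ask=lambda s: ("update", None)),
    ]
    return outcomes, sent


if __name__ == "__main__":
    print(demo())
```

The per-record salt means the same password recorded for two servers yields unrelated digests, and the slow derivation limits what a reader of the dedicated memory can recover by guessing.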

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)
EP16829108.6A 2015-12-24 2016-12-16 Method and device for connecting to a remote server Pending EP3394780A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1563291A FR3046272A1 (fr) 2015-12-24 2015-12-24 Procede et dispositif de connexion a un serveur distant
PCT/FR2016/053500 WO2017109352A1 (fr) 2015-12-24 2016-12-16 Procede et dispositif de connexion a un serveur distant

Publications (1)

Publication Number Publication Date
EP3394780A1 (de) 2018-10-31

Family

ID=55806498

Family Applications (1)

Application Number Title Priority Date Filing Date
EP16829108.6A Pending EP3394780A1 (de) Method and device for connecting to a remote server

Country Status (4)

Country Link
US (1) US20190020642A1 (de)
EP (1) EP3394780A1 (de)
FR (1) FR3046272A1 (de)
WO (1) WO2017109352A1 (de)

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8166406B1 (en) * 2001-12-04 2012-04-24 Microsoft Corporation Internet privacy user interface
US20060090073A1 (en) * 2004-04-27 2006-04-27 Shira Steinberg System and method of using human friendly representations of mathematical values and activity analysis to confirm authenticity
US20060020812A1 (en) * 2004-04-27 2006-01-26 Shira Steinberg System and method of using human friendly representations of mathematical function results and transaction analysis to prevent fraud
US7681234B2 (en) * 2005-06-30 2010-03-16 Microsoft Corporation Preventing phishing attacks
KR20070006559A (ko) * 2005-07-07 2007-01-11 (주)화이트코어 Anti-phishing method
US20070245422A1 (en) * 2006-04-18 2007-10-18 Softrun, Inc. Phishing-Prevention Method Through Analysis of Internet Website to be Accessed and Storage Medium Storing Computer Program Source for Executing the Same
US8220047B1 (en) * 2006-08-09 2012-07-10 Google Inc. Anti-phishing system and method
WO2011097543A2 (en) * 2010-02-05 2011-08-11 Ivan Andrew Pointer Financial, account and ledger web application and method for use on personal computers and internet capable mobile devices
US9609495B2 (en) * 2012-11-16 2017-03-28 Verizon Patent And Licensing Inc. Central information management system
LT2936369T (lt) * 2012-12-21 2020-07-27 Biobex, Llc Password confirmation using a keyboard and a secure password entry mode
US20140331119A1 (en) * 2013-05-06 2014-11-06 Mcafee, Inc. Indicating website reputations during user interactions
JP5735687B1 (ja) * 2014-07-30 2015-06-17 株式会社 ディー・エヌ・エー Program, method, and system for warning of a login
US10200381B2 (en) * 2015-08-05 2019-02-05 Mcafee, Llc Systems and methods for phishing and brand protection

Also Published As

Publication number Publication date
US20190020642A1 (en) 2019-01-17
WO2017109352A1 (fr) 2017-06-29
FR3046272A1 (fr) 2017-06-30

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20180625

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20200330

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ORANGE

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ORANGE

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS