EP3685563A1 - Method for establishing user authentication at a terminal by means of a mobile terminal and for logging a user on to a mobile terminal - Google Patents
- Publication number
- EP3685563A1 (application number EP18803528.1A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- terminal
- user
- mobile terminal
- network
- time password
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
          - H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
            - H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
          - H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
        - H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3215—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a plurality of channels
          - H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
            - H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
        - H04W12/06—Authentication
        - H04W12/30—Security of mobile devices; Security of mobile applications
          - H04W12/35—Protecting application or service provisioning, e.g. securing SIM application provisioning
        - H04W12/60—Context-dependent security
          - H04W12/69—Identity-dependent
            - H04W12/77—Graphical identity
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
          - G06F21/31—User authentication
            - G06F21/33—User authentication using certificates
            - G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
              - G06F21/35—User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
          - G06F2221/2103—Challenge-response
Definitions
- the invention relates to a method for establishing user authentication at a terminal by means of a mobile terminal and subsequently logging on a user at a digital terminal.
- the invention relates to a method for authenticating the user to the terminal.
- the invention is directed to a method of logging a user on to a network by means of a one-time password in the absence of the mobile terminal used to authenticate the user.
- the invention also includes a mobile terminal and two different computer program products.
- a login of a user to a terminal in a network should always be secure in order to protect the network from unauthorized access and to keep confidential data safe.
- a so-called two-factor authentication has been used.
- the user logging in must be in possession of two independent factors.
- a chip card, also called a smart card.
- Every smart card to be used in the network must be personalized and issued to the respective user. This requires a complex infrastructure for creating the smart cards as well as a corresponding issuing system. Replacing a defective or lost chip card represents a significant overhead.
- Each terminal that a user must authenticate to requires a corresponding card reader. This reader must be carried at all times if the terminal in the network has no reader of its own, which significantly reduces user acceptance. Alternatively, each terminal must be equipped with a reader, which in turn increases the hardware costs of the IT infrastructure, if a reader is available for the respective terminal at all.
- Smart cards are often unpopular with users because they are perceived as an additional means of authentication that serves no further purpose, i.e. they are useless once authentication at the terminal is complete.
- US 7 783 702 B2 describes a method for accessing a terminal by means of a mobile telephone via Bluetooth.
- an “engine” (“phone-to-computer” or “computer-to-phone”)
- remote access to the terminal is made possible via the mobile terminal, thereby enabling authentication at the terminal by the mobile terminal. The identity used is the phone number of the mobile device, and the infrastructure used is unsecured, allowing an attacker to gain easy access to the device.
- US 2014/0068723 A1 describes two-factor authentication.
- This method uses a mobile phone on which a message is displayed as soon as authentication is requested from an authentication service, such as a website or a terminal.
- the mobile phone uses a universal user identity, UUID, for identification.
- UUID universal user identity
- the mobile phone is meant to learn the authentication behavior of its user; once a typical authentication behavior, such as service, location and time, is recognized, the user is authenticated without further user interaction.
- This procedure is highly insecure, especially if an unauthorized third party simply copies and applies the learned pattern.
- In US 8,646,060 B2 a method for adaptive authentication is explained. Here a smartphone is used as the authentication device for logging on to a terminal, and the user is automatically logged off when leaving the terminal.
- the smartphone uses a Bluetooth connection.
- This method uses a communication server or an authentication application.
- the data transmission between the terminal and the smartphone can be certificate-based, comprise a public-key infrastructure (PKI), and run in a secure memory or a security element. If the mobile phone is lost, two-factor authentication is not possible; the user therefore cannot log on to the system securely.
- a major disadvantage of the previous solutions for authentication by means of a mobile phone is the much lower security level for authentication than, for example, when using a smart card solution.
- cryptographic keys are generated in the mobile phone, but they are generated by the operating system of the mobile phone itself and stored only in a memory area, such as a software container, that is directly accessible from the operating system. An unauthorized third party can gain access to the keys in this way.
- An improvement in security is achieved by the method described in US 2015/0121068 A1 for user authentication to an online service.
- using a secure runtime environment (Trusted Execution Environment, TEE) and a secure application (Trusted Application, TA) increases security. Only certified software vendors have access to this TEE.
- TEE: Trusted Execution Environment
- TA: Trusted Application
- US 2016/0 330 199 A1 describes a method for authenticating a user of a terminal for accessing a service provider. The authentication is performed by means of the user's mobile phone. If the mobile phone is not available, authentication is performed using a colleague's mobile phone and an OTP generated by the service provider during the authentication.
- a disadvantage of the existing solutions is the lack of compatibility with already established systems. So far there is no possibility of mixed operation, with authentication by smart card alongside authentication by mobile phone. In addition, in each of the previous solutions the smart card or the mobile phone must necessarily be carried by the user. In the event of loss, forgetting, a defect or temporary inoperability, for example a discharged battery, two-factor authentication is no longer possible in these systems. If permitted in the respective environment, a one-factor solution is then used, which significantly reduces the security of the network. Environments where the use of two factors is mandatory do not allow authentication at all in this case.
- the object of the present invention is to eliminate the above-mentioned disadvantages.
- a logon method by means of two-factor authentication is to be provided which is simple and flexible and can always be used.
- the object is achieved with the technical measures described in the independent claims.
- Advantageous embodiments are described in the respective dependent claims.
- the object is achieved by a method for establishing user authentication at a terminal by means of a mobile terminal, the method comprising the following steps:
  - setting up a secure application on the mobile terminal;
  - connecting the secure application to a management system for activating the secure application;
  - requesting and obtaining a new user certificate from a certification authority by the activated secure application;
  - securing access to the new user certificate by assigning a PIN or using existing biometric authentication;
  - starting the secure application on the mobile terminal and establishing a wireless communication connection from the mobile terminal to the terminal;
  - starting the authorization request routine in the terminal and establishing a communication connection to the network or a directory service for authenticating the user;
  - generating an authorization request by the network or directory service and transmitting it to the terminal;
  - signing the authorization request by means of the user certificate in the secure application;
  - transmitting the signed authorization request to the network or the directory service for verifying the signature, preferably checking the validity of the
- the method further comprises: generating a one-time password by the authorization request routine of the terminal; and storing the one-time password at a registration authority and/or a registration service.
- in the connecting step, the information for establishing a connection from the secure application to the management system is obtained from the registration authority, provided as a QR code and captured by means of a camera of the mobile terminal.
- the secure application runs in a secure runtime environment of the mobile terminal, and the user certificate is generated for a cryptographic key pair stored in a secure storage area of the mobile terminal that is accessible only to the secure runtime environment.
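The certificate-based logon of these steps (authorization request generated by the directory service, signed by the secure application after the PIN check, verified by the directory service), as an added example in Go; this is not the patent's code. The names AuthRequest, TrustedApp and DirectoryService, the request layout (random nonce, issue time, user id) and the 60-second request lifetime are assumptions. The TEE-held key pair and its user certificate are reduced to an in-memory ECDSA P-256 key and its public half, and the PIN check to a hash comparison standing in for the TEE's own. The verifying side consumes each request on first use, so a captured signature cannot be replayed:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// AuthRequest is the authorization request generated by the network or directory
// service (constructed layout: random nonce, issue time, user id).
type AuthRequest struct {
	Nonce    [16]byte
	IssuedAt int64 // Unix seconds
	UserID   string
}

// digest binds every field of the request into the value that gets signed.
func (r AuthRequest) digest() []byte {
	d := sha256.Sum256([]byte(fmt.Sprintf("%x|%d|%s", r.Nonce, r.IssuedAt, r.UserID)))
	return d[:]
}

// TrustedApp stands in for the TA in the TEE: the private key never leaves it.
type TrustedApp struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte // plain SHA-256 stands in for the TEE's own PIN verification
}

func NewTrustedApp(pin string) (*TrustedApp, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TrustedApp{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Public is the key the certification authority would certify for this user.
func (t *TrustedApp) Public() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign releases a signature over the request only after the PIN check passes.
func (t *TrustedApp) Sign(r AuthRequest, pin string) ([]byte, error) {
	got := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(got[:], t.pinHash[:]) != 1 {
		return nil, errors.New("PIN rejected: access to the user certificate denied")
	}
	return ecdsa.SignASN1(rand.Reader, t.priv, r.digest())
}

const maxAge = 60 * time.Second // how long an issued request stays answerable

// DirectoryService issues requests and verifies answers against enrolled keys.
type DirectoryService struct {
	Users   map[string]*ecdsa.PublicKey // public key of each user certificate
	pending map[[16]byte]AuthRequest    // issued but not yet answered
	now     func() time.Time
}

func NewDirectoryService(now func() time.Time) *DirectoryService {
	return &DirectoryService{map[string]*ecdsa.PublicKey{}, map[[16]byte]AuthRequest{}, now}
}

// Issue creates a fresh request and remembers it so that it can be answered once.
func (d *DirectoryService) Issue(user string) (AuthRequest, error) {
	if _, ok := d.Users[user]; !ok {
		return AuthRequest{}, errors.New("unknown user")
	}
	r := AuthRequest{UserID: user, IssuedAt: d.now().Unix()}
	if _, err := rand.Read(r.Nonce[:]); err != nil {
		return AuthRequest{}, err
	}
	d.pending[r.Nonce] = r
	return r, nil
}

// Verify accepts a signed request once: issued by us, unmodified, fresh, and
// signed by the key enrolled for the user it names.
func (d *DirectoryService) Verify(r AuthRequest, sig []byte) error {
	issued, ok := d.pending[r.Nonce]
	delete(d.pending, r.Nonce) // consumed whether or not the checks pass: no replay
	if !ok || issued != r {
		return errors.New("unknown, replayed or altered authorization request")
	}
	if d.now().Sub(time.Unix(r.IssuedAt, 0)) > maxAge {
		return errors.New("authorization request expired")
	}
	if !ecdsa.VerifyASN1(d.Users[r.UserID], r.digest(), sig) {
		return errors.New("signature does not verify against the user certificate")
	}
	return nil
}

func main() {
	ta, _ := NewTrustedApp("1234")
	ds := NewDirectoryService(time.Now)
	ds.Users["alice"] = ta.Public()
	req, _ := ds.Issue("alice")
	sig, _ := ta.Sign(req, "1234")
	fmt.Println("first use:", ds.Verify(req, sig), "| replay:", ds.Verify(req, sig))
}
```

The single-use bookkeeping in Verify is what turns a plain signature check into an entity authentication: without it, a signed request recorded on the wireless link between mobile terminal and terminal could be presented again later.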
- the object is achieved by a method for logging a user on at a terminal by means of the generated one-time password in the absence of the mobile terminal to be used for authenticating the user.
- the method comprises the following steps:
  - switching the logon process on the terminal to use a one-time password instead of authentication by means of the mobile terminal for authenticating this user at this terminal, wherein the one-time password has been created during a previous authentication of the user, i.e. a successful logon of the user on the network, and stored in a registry;
  - providing the one-time password to the user;
  - querying the one-time password for login by means of an authorization request routine of the terminal;
  - checking the one-time password and authenticating the user at the terminal of the network;
  - generating a new one-time password by the authorization request routine of the terminal; and
  - storing the new one-time password in the registry instead of the previous one-time password and using the new one-time password upon subsequent logon of the user at the terminal in the absence of the mobile terminal to be used to authenticate the user.
- the querying step also includes, for example, a transfer step, in which the entered one-time password is transmitted by means of the authorization request routine of the terminal. If there is no connection to the registrar during the authentication process, the generation of the new one-time password and its transfer to the registrar are postponed and executed later, once a communication link to the registrar exists. Until then, the original one-time password remains valid and can be used to authenticate the user.
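The fallback logon above, as an added example in Go that is not part of the patent: the terminal's authorization request routine (CredentialProvider) keeps only a hash of the current OTP (the page's second variant, described later), generates the next OTP on the terminal after a successful fallback login, and postpones rotation when the registration authority (Registry) is unreachable, leaving the old OTP valid until Sync completes the rotation. The type names, the OTP format and the Online switch are assumptions, and the encryption the page requires for storing and transmitting the OTP is left out so that the rotation logic stays visible:

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"errors"
	"fmt"
)

var ErrOffline = errors.New("registration authority unreachable")

// The terminal keeps only a hash of the OTP; with 80 random bits a salt adds nothing.
func hashOTP(otp string) []byte {
	h := sha256.Sum256([]byte(otp))
	return h[:]
}

// generateOTP returns 80 random bits as 16 base32 characters (constructed format).
func generateOTP() string {
	b := make([]byte, 10)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy no OTP may be produced
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b)
}

// Registry stands in for the registration authority (OTP storage encryption omitted).
type Registry struct {
	Online bool // constructed switch used to simulate a lost connection
	otps   map[string]string
}

func NewRegistry(online bool) *Registry {
	return &Registry{Online: online, otps: map[string]string{}}
}

func (r *Registry) Store(user, otp string) error {
	if !r.Online {
		return ErrOffline
	}
	r.otps[user] = otp
	return nil
}

// HelpDeskLookup releases the OTP only once the requester's identity is established.
func (r *Registry) HelpDeskLookup(user string, identityVerified bool) (string, error) {
	if !identityVerified {
		return "", errors.New("identity of the requester not established")
	}
	return r.otps[user], nil
}

// CredentialProvider models the terminal's authorization request routine (CP).
// A new CP starts with a rotation pending: Sync after the mobile-terminal logon
// produces the first OTP.
type CredentialProvider struct {
	User            string
	RotationPending bool // an OTP rotation still owed to the registry
	registry        *Registry
	currentHash     []byte
}

func NewCredentialProvider(user string, reg *Registry) *CredentialProvider {
	return &CredentialProvider{User: user, RotationPending: true, registry: reg}
}

// rotate generates the next OTP on the terminal, hands it to the registry, and
// only then lets its hash replace the old one locally.
func (cp *CredentialProvider) rotate() error {
	next := generateOTP()
	if err := cp.registry.Store(cp.User, next); err != nil {
		return err
	}
	cp.currentHash, cp.RotationPending = hashOTP(next), false
	return nil
}

// FallbackLogin checks the typed OTP. Online it is consumed and a new one is
// negotiated (rotated == true); offline, rotation is postponed and the same OTP
// stays valid until Sync succeeds.
func (cp *CredentialProvider) FallbackLogin(otp string) (rotated bool, err error) {
	if subtle.ConstantTimeCompare(hashOTP(otp), cp.currentHash) != 1 {
		return false, errors.New("one-time password rejected")
	}
	if err = cp.rotate(); errors.Is(err, ErrOffline) {
		cp.RotationPending = true
		return false, nil
	}
	return err == nil, err
}

// Sync completes a pending rotation once the registration authority is reachable.
func (cp *CredentialProvider) Sync() error {
	if !cp.RotationPending {
		return nil
	}
	return cp.rotate()
}

func main() {
	reg := NewRegistry(true)
	cp := NewCredentialProvider("alice", reg)
	fmt.Println("initial OTP stored:", cp.Sync())
	otp, _ := reg.HelpDeskLookup("alice", true)
	fmt.Println(cp.FallbackLogin(otp)) // true <nil>
	fmt.Println(cp.FallbackLogin(otp)) // false one-time password rejected
}
```

The order inside rotate matters: the new OTP is lodged with the registration authority before the terminal forgets the old one, so a connection loss in between leaves the user with an OTP the help desk can still hand out, rather than one nobody holds.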
- a terminal is here understood to mean a device which is connected to a public or private data or telecommunications network.
- the terminal is for example a client.
- a client communicates with a server over the network to retrieve its services.
- the terminal may be a stationary terminal, such as a workstation or a PC, or a portable terminal, such as a notebook, a netbook, an ultrabook or a tablet PC.
- a mobile terminal is a terminal that, due to its size and weight, can be carried without major physical effort and is therefore mobile, for example a terminal for mobile, network-independent data, voice and video communication and navigation, such as a smartphone, a mobile phone or a handheld device.
- logging on the user at the terminal means in particular the user's authentication by the network or the terminal.
- the user authenticates himself to the network or terminal, and upon successful verification the user is considered authentic.
- logging in means in particular the process of an authorization check which certifies, where necessary, the genuineness of an actually existing access authorization.
- the user is authorized to use the terminal within the scope of their network permissions.
- the inventive switching of the logon process at the terminal can be done automatically, for example after a certain period of time in which the terminal has recognized the presence of a user but not of the mobile terminal commonly used for authentication. Switching can also be triggered by the user at the terminal through user interaction.
- the switching can also be done by means of a remote access to the terminal via a network, for example based on a command of a registration authority.
- the switching may involve changing a graphical user interface, or GUI, at the terminal, which requests the input of an authentication sequence.
- a network is a computer network, i.e. an association of various technical, primarily independent terminals, which allows communication among the terminals.
- the goal here is the sharing of resources such as network printers, servers, media files and databases. Also important is the ability to centrally manage devices, users, their permissions and data.
- the presence of a communication connection to the network is not absolutely necessary, so that a logon to the terminal could also be made locally in a so-called offline mode of the terminal.
- a one-time password is used.
- a one-time password (OTP) is a password valid for a single authentication of the user.
- Each one-time password is, in a preferred embodiment, valid only for a single use and cannot be used a second time to authenticate the user. Accordingly, each authentication or authorization requires a new one-time password. It is secure against passive attacks, i.e. unauthorized listening, so that so-called replay attacks are impossible. In offline mode, the one-time password remains valid until a new one-time password has been successfully negotiated with the registrar.
- the OTP makes it possible to carry out two-factor authentication even without the presence of the mobile terminal usually provided for authentication on the network.
- the OTP has necessarily been generated during a previous authentication of the user; that is, the OTP is not a random string provided by a system but a string negotiated upon successful authentication of the user, so that the OTP has the security level of the user certificate of the mobile terminal that is otherwise used.
- This OTP is stored in a registry of the network. There are two variants for using the one-time password.
- in the first variant, the one-time password is used to encrypt a replacement user certificate stored in a secure area of the terminal. During authentication, this certificate is decrypted with the one-time password entered by the user and used for authentication. If the one-time password is entered incorrectly, the decryption fails. In this embodiment, the one-time password itself is not stored on the terminal.
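The first variant, as an added example in Go that is not the patent's code: the private key belonging to the replacement user certificate is sealed in the terminal's secure memory under a key derived from the OTP, so a wrong OTP fails the AES-GCM tag check and no key material is released, while the OTP itself is never stored. SealedKey, SealReplacementKey and OpenReplacementKey are assumed names; the PBKDF2 iteration count and the ECDSA P-256 key are choices made for the example, and the TPM of the page is reduced to a struct held in memory:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// SealedKey is what the terminal's secure memory holds: the replacement user
// certificate's private key under an OTP-derived key, and never the OTP itself.
type SealedKey struct {
	Salt       [16]byte
	Nonce      [12]byte
	Ciphertext []byte
}

const kdfIterations = 100_000 // chosen for the example

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte block, written
// out so that the example needs only the standard library.
func deriveKey(otp string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(otp))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func aead(otp string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(otp, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealReplacementKey encrypts the replacement private key under the OTP.
func SealReplacementKey(priv *ecdsa.PrivateKey, otp string) (SealedKey, error) {
	var s SealedKey
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return s, err
	}
	if _, err := rand.Read(s.Salt[:]); err != nil {
		return s, err
	}
	if _, err := rand.Read(s.Nonce[:]); err != nil {
		return s, err
	}
	g, err := aead(otp, s.Salt[:])
	if err != nil {
		return s, err
	}
	s.Ciphertext = g.Seal(nil, s.Nonce[:], der, nil)
	return s, nil
}

// OpenReplacementKey recovers the key; a wrong OTP fails the GCM tag check, so no
// key material is released and the logon cannot proceed.
func OpenReplacementKey(s SealedKey, otp string) (*ecdsa.PrivateKey, error) {
	g, err := aead(otp, s.Salt[:])
	if err != nil {
		return nil, err
	}
	der, err := g.Open(nil, s.Nonce[:], s.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: one-time password incorrect")
	}
	return x509.ParseECPrivateKey(der)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sealed, _ := SealReplacementKey(priv, "correct-otp")
	_, err := OpenReplacementKey(sealed, "wrong-otp")
	fmt.Println("wrong OTP:", err)
	k, err := OpenReplacementKey(sealed, "correct-otp")
	fmt.Println("correct OTP recovers key:", err == nil && k.Equal(priv))
}
```

Rotating to the next OTP after use, as the page describes, is a fresh SealReplacementKey call with the newly requested key and the new OTP; the old SealedKey is discarded together with the invalidated certificate.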
- in the second variant, only a hash value of the one-time password is stored. Hash algorithms cannot be reversed, i.e. a hash value cannot be used to derive the original one-time password.
- the one-time password entered by the user is likewise hashed and compared with the stored value.
- the one-time password can be requested by the user from the registry, e.g. by telephone or via a different route. In this process, the registry has the opportunity to ascertain the identity of the requester beyond doubt.
- the registration authority is an entity in the network and can be designed, for example, as a self-administration portal in order to enable a user to enroll independently in the method according to the invention.
- This registry, for example, creates the information for a secure application (Trusted Application, TA) in a secure runtime environment (Trusted Execution Environment, TEE) of the mobile device, so that the method can be initialized safely and easily. On switching of the logon process, for example, the registrar also checks whether the user is authorized to use the terminal. The registry can also transmit necessary configuration data. If necessary, the OTP is provided to the user. In a preferred embodiment, the OTP is communicated to the user via a connection different from the one between the terminal and the network.
- in a simple application, the user makes a phone call or video call to, for example, a service or information point of the network (help desk) and asks for the OTP to be announced verbally.
- the user must uniquely identify himself, for example by means of an identification document or a stored photo of the user.
- the helpdesk verifies the user based on the stored data and provides the OTP if it matches.
- the OTP can also be transmitted via a channel other than the telephone, for example a second mobile terminal of the user or a hardware token such as a USB stick or memory card. It is important that the user receives the OTP only once his identity has been established, i.e. verified beyond doubt.
- the OTP is requested by the terminal.
- for this, an authorization request routine of the terminal (Credential Provider, CP) is used.
- This CP is used to authenticate the user, in particular to a so-called domain controller, in order to allow a login to the terminal.
- the CP is, for example, the CP already installed on the terminal for the inventive authentication by means of the mobile terminal, so that the security level is maintained.
- This CP alters the conventional logon procedure at the terminal and is usually responsible for communication with the mobile terminal. By using a CP that directly controls and monitors communication with the mobile device, the security level in the system is significantly increased.
- the CP is a trusted entity and is part of the authentication system.
- the CP prevents a malicious mini-driver from being installed that allows an attacker to record the communication between the terminal and the mobile terminal.
- This CP is now also advantageously used when entering the OTP, in order to prevent the OTP from being intercepted by an attacker and used for unauthorized logon.
- the user then uses the provided OTP in a corresponding input mask of the terminal.
- the terminal checks and verifies the OTP, allowing authentication of the user.
- the OTP is used to access a replacement certificate which is stored in a secure memory area of the terminal, for example a trusted platform module (TPM).
- TPM: Trusted Platform Module
- This first embodiment variant applies if logon at the terminal must be performed by means of a certificate, for example because this is mandatory under a company policy.
- the OTP can be used as a second factor for logging in at the terminal with a user name and a further password. In this second embodiment variant, a conventional login on the terminal is therefore only released after successful checking and verification of the OTP, so that two-factor authentication is retained here as well.
- a new OTP is generated by the CP and stored encrypted in the registry. If the OTP is used together with a replacement user certificate, it will be invalidated and the CP will automatically request a new one. This new certificate is encrypted with the OTP and stored in secure storage. If the OTP is used with username and another password, only the hash value of the old OTP will be replaced by the one of the new one. This new OTP is to be used when the user logs in again without the mobile terminal to be used to authenticate the user. If there is no connection to the registrar at the time of authentication, the generation and transfer to the registrar is postponed until the connection is restored.
- the transfer and storage of the new OTP is preferably cryptographically encrypted.
- Encryption, also called ciphering, here means the conversion of data in plaintext into data in ciphertext (also called the cipher) by means of a key, such that the plaintext can be recovered from the ciphertext only with a secret key. It is used for the confidentiality of messages, for example to protect data against unauthorized access or to transmit messages confidentially.
- the corresponding keys are negotiated between the terminal and the registration office or distributed in advance by correspondingly secure transmission.
- the method according to the invention always ensures a two-factor authentication.
- the first factor is ownership of the mobile terminal with the certificate thereon.
- the second factor is the PIN or a biometric value, for example a fingerprint or an eye scan, which is additionally requested by the user.
- in the absence of the mobile terminal, the second factor is replaced by the telephone call or video call with the help desk and the required verification of the identity of the user.
- the procedure with the help desk ensures that the user is actually the appropriate employee.
- the OTP can be created on the terminal side or on the registration authority side. Generating the OTP on the terminal ensures that the terminal is not supplied from outside with a manipulated OTP known to an attacker.
- This method enables a secure fallback method for logging on to a terminal even in the event that the otherwise commonly used mobile terminal is not present, for example because of a defect, a loss, a low battery state or simply because it was forgotten.
- the two-factor authentication is maintained, the security level is not lowered and a simple authentication of the user is possible.
- This solution can also be used if there is no communication connection between the terminal and the network. Thus, an offline login is also possible.
- the new OTP is automatically made available to the registrar as soon as a communication link between the terminal and the network is available again.
- the system thus also represents an advantage over smart card solutions for logging in at the terminal, since these offer no secure option when the smart card is not available.
- the solution according to the invention offers here the possibility of using a second factor for a single use, which is securely negotiated between the CP and the registration office.
- a directory service is used in the network to authenticate the user, and the user is logged on to the terminal by successful authentication in the directory service.
- the directory service is preferably central and network-wide; in the case of a Windows™ operating system it is the Active Directory (AD).
- with it, a network is structured according to the real structure of the enterprise or its spatial distribution. It manages various objects in a network such as users, groups, computers, services, servers, file shares, and other devices such as printers and scanners, together with their properties. With the help of AD, the information about these objects can be organized, provided and monitored.
- the users of the network are granted rights subject to access restrictions, so that not every user can view or use every file or network object.
- the login then takes place, for example, by means of Kerberos certificate-based authentication.
- the OTP can also be stored in the directory service to facilitate access to it from existing help desk applications. Preferably, the storage of the OTP is encrypted.
- a (digital) certificate is a digital data record that confirms certain properties of the user and whose authenticity and integrity can be tested by cryptographic methods.
- the digital certificate contains in particular the data required for its verification.
- the public-key certificates of a public-key infrastructure (PKI) are relevant for this invention; they are defined, for example, according to the X.509 standard and confirm the identity of the owner and other properties of a public cryptographic key.
- the validity of the digital certificate is usually limited to a period of time specified in the certificate.
- the validity of a certificate can be revoked if, in the absence of the mobile terminal, an authentication of the user in the network for logging on to a terminal is nevertheless to take place. This is preferably done when it is foreseeable that the mobile terminal will no longer be used, because of loss or a technical defect. This ensures that the user certificate cannot be used by an attacker to log on to the network. In less severe cases, such as non-usability because of an empty battery, the certificate remains valid.
- the authorization request routine negotiates each new one-time password with the registry and transmits the new one-time password cryptographically secured, for example by asymmetric or symmetric encryption. In this way, an attacker is not able to compromise the fallback method.
- the OTP is negotiated between a secure runtime environment of the mobile terminal and an instance of the network, for example the registrar.
- for this, a cryptographic challenge method is applied, for example according to the Challenge Handshake Authentication Protocol (CHAP).
- OTP generation is equated with OTP negotiation.
- a new user certificate is created for authenticating the user, this creation comprising the following method steps:
  - setting up (installing) a secure application on a further mobile terminal;
  - connecting the secure application to a management system for activating the secure application;
  - creating new keys for use in cryptographic techniques in the secure application;
  - requesting and obtaining the new user certificate from a certification authority by the activated secure application;
  - logging in to the network using the new user certificate of the secure application and the authorization request routine of the terminal;
  - generating a new one-time password by the authorization request routine of the terminal;
  - storing the new one-time password in the registry instead of the previous one-time password and using the new one-time password on a subsequent user login at the terminal in the absence of the mobile terminal to be used to authenticate the user.
- the secure application TA preferably runs in the secure runtime environment TEE of the mobile terminal.
- the user certificate is generated for a cryptographic key pair stored in a secure storage area of the mobile terminal accessible only to the secure runtime environment.
- the TA is installed on the mobile terminal of the user.
- This TA is used in the user certificate creation phase to generate the key pair that forms the basis of the user certificate.
- in normal use this TA performs all cryptographic operations during user authentication. For this the terminal is selected and the TA is started. Within the usual login procedure, the user must always prove that he is authorized to access this key pair. He can do this via a PIN or one of the biometric sensors of the new mobile device.
- a service is also installed on the mobile terminal together with the TA. The biometric sensor then queries a biometric authentication that has already been enrolled. This service automatically checks the security level of the new mobile device.
- the login process automatically detects whether the new mobile device is secure or rooted and whether all relevant security patches have been installed. If this is not the case, this new mobile terminal cannot be used as a second secure factor.
- the TA is, for example, an application for the operating systems Android™ or iOS™ and, in addition to normal program execution, enables the execution of program code within a TEE on the mobile terminal, or in an alternatively protected area of the mobile terminal, and is therefore called a secure application.
- the part of the TA running in the TEE generates and stores the key pair in the new mobile terminal.
- the Trusted Application Manager is an instance of the network or a remote system and checks for a license and also a registry of the secure application.
- This TAM, also known as Trusted Server, is responsible for building a secure channel into the TEE of the new mobile device. This channel cannot be viewed by the operating system of the mobile device.
- information is obtained from the registration authority for establishing a connection to the TAM in the TA.
- This information can be provided, for example, as a QR code and captured by means of a camera of the mobile terminal.
- the information from the registration authority also contains information for retrieving the user certificate from the certification authority, for example based on the Simple Certificate Enrollment Protocol, or SCEP for short.
- the mobile terminal authentication step comprises the steps of: starting the secure application on the mobile terminal and establishing a wireless communication connection from the mobile terminal to the terminal; starting the authorization request routine in the terminal and establishing a communication connection to the network for authenticating the user; generating an authorization request by the network and transmitting it to the terminal; activating the user certificate in the mobile terminal by entering a PIN or by using a biometric sensor; signing the authorization request by means of the user certificate in the secure application; transmitting the signed authorization request to the network for verifying the signature and the validity of the certificate; and granting a login permission from the network upon successful verification.
- This method avoids the disadvantages of both a smart-card login and an insecure login by means of a mobile terminal.
- This solution can be put into operation by the user himself, and in case of replacement or loss of the mobile terminal a logon can still be made.
- the mobile terminal is an independent terminal and is usually transported separately from the terminal on which the user wishes to log in, so that user acceptance for the method according to the invention also increases.
- the required keys are generated directly on the mobile terminal within a TEE.
- a cryptographic encryption method is used, in particular an asymmetric encryption method.
- the private key of the generated key pair does not leave the mobile terminal. Only via the TEE can it be accessed. All operations related to this key pair also occur within the TEE.
- the terminal is provided with the CP.
- This CP makes the communication with the mobile terminal completely transparent to the operating system.
- the communication between the terminal and the mobile terminal is radio-based, for example by means of short-range technology according to the standard Bluetooth LE, which ensures that the user of the mobile terminal is also physically in the vicinity of the terminal.
- a mixed operation is possible at any time, so that the user can also use other authentication methods.
- An evaluation of the field strength measurement can be used to detect whether a user is approaching or moving away from a terminal and, accordingly, the CP can initiate a login procedure or log off the user.
- the terminal automatically recognizes the availability of a paired mobile terminal and logs the user on once he has started the TA and logged in to it with the PIN or a suitable biometric sensor.
- the biometric sensor queries a biometric authentication of the user that was previously enrolled. The user does not have to select anything in the CP at the terminal, but merely has to be within communication range of the terminal.
- this method works even if the mobile terminal and/or the terminal is disconnected from the network. This is achieved by the direct communication between the mobile terminal and the terminal on which the user wishes to log on. No central login server is needed.
- the invention also includes a mobile terminal for registering a user with a terminal of a network according to the method described above.
- the mobile terminal includes a secure runtime environment containing the secure application; a wireless connection module, such as a Bluetooth LE module, configured to communicate with an authorization request routine of a terminal; another wireless connection module, in particular a cellular or broadband connection module, configured to communicate with a certification authority for obtaining a user certificate; a storage area for securely depositing a key pair, wherein the secure runtime environment is set up to exclusively access the storage area; and a camera for capturing information from a registration authority.
- a computer program product which is loaded executably in a secure runtime environment of a mobile terminal and which is set up for authenticating a user to a network, for which purpose the method described above is carried out.
- This computer program product includes in particular the secure application in the mobile terminal.
- a computer program product which is loaded executably in a terminal of a network and which is set up for querying an authorization of a user, for which purpose the method described above is performed.
- This computer program product is in particular the authorization request routine in the terminal.
- FIG. 1 shows an embodiment of a process flow diagram of a method according to the invention.
- FIG. 2 shows a first embodiment of a system according to the invention for authenticating a user to a terminal.
- FIG. 3 shows a second embodiment of a system according to the invention for authenticating a user to a terminal.
- FIG. 5 shows an embodiment of a method sequence for registering a user according to the invention at a terminal by means of a mobile terminal.
- FIG. 6 shows a first embodiment of a method sequence for registering a user according to the invention at a terminal without a mobile terminal.
- FIG. 7 shows a second embodiment of a method sequence for registering a user according to the invention at a terminal without a mobile terminal.
- the method 100 further comprises a query step 103 for requesting the one-time password for logon by means of an authorization request routine of the terminal and, where applicable, transmitting the entered one-time password by means of the authorization request routine of the terminal.
- the method 100 also includes a check step 104 for checking the one-time password by means of an authorization request routine of the terminal and authenticating the user to the terminal.
- the method 100 also includes a generating step 105 for generating and storing a new one-time password by means of the authorization request routine of the terminal.
- the method 100 also includes a storing step 106 for storing the new one-time password in the registry instead of the previous one-time password and using the new one-time password at a subsequent login of the user on the terminal in the absence of the mobile terminal, in order to authenticate the user again.
- FIG. 2 shows a first exemplary embodiment of a system according to the invention for authenticating a user to a terminal 1.
- the system consists of the terminal 1, which includes an authorization request routine 9, hereinafter referred to as Credential Provider CP 9.
- the system also consists of a mobile terminal 2, which is used to authenticate a user (not shown) on the terminal 1.
- the mobile terminal 2 includes a secure runtime environment, also referred to as TEE (not shown), and a secure application 8, also referred to as TA 8.
- the TA 8 is set up to access a secure memory area of the mobile terminal 2, in which a key pair 11 generated by the mobile terminal 2 is stored.
- the mobile terminal 2 further comprises a wireless communication module for establishing a Bluetooth LE communication 6 with the terminal 1 and exchanging data for logging in and authenticating the user.
- Bluetooth LE, or BLE for short, is a radio technology with which the two terminals 1 and 2 can connect within a range of about 10 meters at comparatively low power consumption.
- An advantage of BLE is that the field strength between the connected terminals 1 and 2 can be evaluated, so that an approximate distance can be defined beyond which the connection is deemed insufficient and the terminal 1 is locked. Thanks to the CP 9 and the TA 8, the certificate-based procedure can be carried out despite the limited connection parameters of BLE.
- the system also includes a registry 3, on which a registration application 10 is set up.
- the terminal 1 and the registration point 3 are, for example, objects of the same network 13.
- the communication between the terminal 1 and the registration point 3 takes place, for example, via a wired connection, such as LAN, or wirelessly via WLAN or a broadband mobile connection, such as LTE.
- the registration authority 3 is set up as a self-administration portal to allow a user to set up the registration process.
- information for installing the TA 8 and the CP 9 can also be retrieved there, should the network 13 not provide this information otherwise.
- the user's authorization is checked to determine whether he is permitted to use the terminal 1 at all.
- the registrar 3 transmits the necessary configuration data, including a SCEP-OTP of the certification authority that is required for generating an associated user certificate, to the mobile terminal 2 by means of a QR code.
- the mobile terminal 2 has a camera (not shown) to capture the QR code.
- the QR code is then evaluated by a processor of the mobile terminal 2, which thus obtains the information contained in the QR code.
- the information of the QR code provides the connection information to the TAM 5.
- This information also represents the information for establishing a connection to a certification authority 4 and requesting the user certificate there for the key pair 11, for example a SCEP-OTP.
- the use of QR codes, and the associated optical transmission of the information to the mobile terminal 2, renders a recording of the radio communication 6 ineffective.
- the information of the registration office 3 can also be transmitted via the network 13 to the terminal 1 and transmitted from there to the mobile terminal 2.
- the information of the registration authority 3 can also be transmitted directly to the mobile terminal 2 via a mobile network (not shown) or an alternative broadband network, for example WLAN.
- only first parts of the information of the registration authority 3 may be received via the QR code, with further parts of the information of the registration authority 3 being transmitted to the mobile terminal 2 via the mobile radio network / broadband network or the network 13.
- the system also includes a certification authority 4 (English: Certificate Authority), or CA 4 for short, i.e. an entity issuing digital certificates, including the user certificate 14.
- the digital certificates 14 used in the system according to the invention contain cryptographic keys and additional information which serve to authenticate the user and also to encrypt and decrypt confidential data, which are then distributed over the network 13 or also the mobile radio network or alternative broadband networks.
- additional information such as the validity period, references to certificate revocation lists, etc. is included, which the CA 4 introduces into the certificate 14.
- the role of the CA 4 is to issue and verify these digital user certificates 14. It bears the responsibility for the provision, allocation and integrity of the certificates it issues. This forms the core of the public-key infrastructure, PKI for short.
- the CA 4 is not necessarily part of the network 13 and may be an external entity.
- the CA 4 issues the user certificate 14 for the key pair 11 generated in the mobile terminal 2.
- the confidential key, also called the private key, does not leave the TEE of the mobile terminal 2.
- the CA 4 creates the certificate 14 and returns it to the mobile terminal 2.
- the SCEP is used for the distribution.
- the system also includes a management system 5 (English: Trusted Application Manager), or TAM 5 for short. This TAM 5 is responsible for establishing a secure channel into the TEE of the mobile terminal 2. Thus, data can be transmitted to the mobile terminal 2 without the operating system of the mobile terminal 2 being able to intercept it.
- the TAM 5 registers the TA 8 and checks the license of the TA 8 by means of an associated licensing authority 7.
- the TAM 5 is also able to generate the key pair 11 to be used in the mobile terminal 2 and store it in the TA 8, should the TA 8 be set up for this, for example when RSA keys are used instead of the elliptic curve cryptography (ECC for short) keys otherwise generated in the TEE.
- the communication between TA 8 and TAM 5 is cryptographically secured.
- the system according to FIG. 2 therefore comprises a PKI consisting of generated key pairs 11 and user certificates 14 generated by means of certification authority 4.
- a registration authority 3 provides the information required for initializing TA 8 and CP 9.
- a registration application 10 is used.
- the TA 8 is in a TEE of the mobile terminal 2 which is configurable by means of TAM 5 and licensing authority 7.
- the communication 6 between terminal 1 and mobile terminal 2 is BLE-based.
- FIG. 3 shows a second exemplary embodiment of a system according to the invention for authenticating a user to a terminal 1.
- the system according to FIG. 3 completely corresponds to the system according to FIG. 2 and only the differences between these systems are referred to below.
- FIG. 3 shows further server services 15 that can be used for logging the events that have occurred as well as for communication with third-party systems.
- the created certificates 14 can be transferred to a card management system, in short CMS, so that the logon authorization can also be withdrawn directly from the network 13.
- an OTP can be generated and securely stored in encrypted form in the TA 8 and on the server 15. Should the user be offline and have no access to the mobile terminal 2, the OTP can be requested for login from the system according to the invention, for example via an information center (help desk) or the registration point 3, after sufficient identification of the user.
- the history is stored in the TA 8 via the user's key pair 11.
- This history is requested by the registration office 3, the further server 15 or the certification authority 4.
- This communication is based on a public-key cryptography standard, PKCS for short, i.e. a standard for asymmetric cryptography, for example a PKCS#11 interface, a mini-driver or a CMP protocol, which the further server 15 should support.
- the registration center 3 receives the key history from the further server 15 as a PKCS#12 file and encrypts it with the public key of the user certificate 14.
- the TA 8 connects to the registrar 3 in a TLS session.
- the TA 8 downloads the encrypted PKCS # 12 file, decrypts this file with the private key of the key pair 11, and stores the file in the TEE of the mobile terminal 2.
- the registry 3 obtains the key history from the other server 15 as a PKCS#12 file and sends it as a push message to the terminal 1 in encrypted form, using the cryptographic key that is used during the initialization phase of the TA 8.
- the Registrar 3 obtains the key history from the other server 15 as a PKCS # 12 file and divides this file into various parts to be transmitted to the mobile terminal 2 as a QR code.
- the detection of the QR code by means of a camera of the mobile terminal 2 takes place in the same way as in the initialization phase of the system, when the information of the registration authority 3 is provided. It is important here that the information is encrypted with the public key belonging to the user certificate (key pair 11) and only then converted into a QR code.
- the camera of the mobile terminal 2 captures the information of the QR codes, which is then decrypted with the private key of the key pair 11 for storage in the TEE.
- the method according to FIG. 4 involves the terminal 1, the mobile terminal 2, the registration point 3, the certification authority 4 (CA 4) and the management system 5 (TAM 5) described above with reference to FIGS. 2 and 3.
- In step a the user is enabled for the system in the registry 3.
- the identity of the user can be taken from the directory service 12.
- the registry 3 also connects to the CA 4 in step a 'to retrieve information needed to request the user certificate.
- the registry 3 causes the installation of the CP 9 in the terminal 1 according to step b, for example via the network 13, if it has not already been installed on the terminal via other methods.
- the TA 8 is installed on the mobile terminal 2 in step c.
- the CA 4 transmits a SCEP-OTP for the creation of the user certificate 14 back to the registration site 3 in step a '.
- the SCEP-OTP can also be transmitted directly from the CA 4 to the mobile terminal 2.
- the steps a, b and c can be performed simultaneously or consecutively.
- the registration office 3 creates a QR code in step d.
- This QR code includes information for the mobile terminal 2.
- the information may represent a bundle of information, including the SCEP-OTP from the CA 4, connection information to the CA 4, and connection information to the TAM 5. This information may also be divided, converted into separate QR codes and provided to the mobile terminal 2.
- the QR code or the QR codes are received by the mobile terminal 2 in step e by detecting the QR code by means of a camera.
- the information contained in the QR code can also be transmitted via other means such as the network 13 or in other formats.
- the TA 8 is set up using the QR code that has been read out.
- the TA 8 connects to the TAM 5 in step f based on the connection information contained in the QR code.
- the license of the TA 8 is checked and activated.
- a key pair 11 is generated in the TA 8 (step g). The key pair 11 is generated either in the TA 8 or the TEE of the mobile terminal 2 itself or, if the TEE lacks this functionality, generated by the TAM 5 and provided to the TA 8.
- a certificate 14 is also requested for the key pair 11 (step h), for which a connection to the CA 4 is established by means of the connection information contained in the QR code.
- a certificate 14 is created in the CA 4 (step i) and the certificate 14 is transmitted to the TA 8 and optionally stored in the TEE (step j).
- the user assigns an access password or PIN for the TA 8.
- the user may use biometric methods such as a fingerprint as a backup, retrieving a biometric value enrolled in the method.
- In step b the registry 3 causes the directory service 14 to perform the installation after step j.
- the CA 4 also creates a replacement certificate, which is stored cryptographically secured in step j 'in a secure memory area of the terminal 1.
- the cryptographic keys for this certificate are generated on the terminal 1 and transmitted to the CA 4 for certificate generation.
- This application can be made via SCEP, or another method.
- the replacement certificate is preferably stored in the TPM of the terminal 1. This first variant is used when logon at the terminal 1 is to be possible exclusively by means of a certificate.
- the user can now log on to the terminal 1 by means of his mobile terminal 2.
- a Bluetooth LE connection 6 is established between the terminal 1 and the mobile terminal 2.
- a number of libraries are used, in particular the standard interfaces "common application programming interface" versions 1 and 2, in short CAPI v1 & v2.
- the CP 9 is additionally installed to control the login process of the terminal 1 for an authentication by means of the mobile terminal 2.
- the CP 9 controls and monitors the connection to the mobile terminal 2, so that no insecure mini-driver is needed which could allow an attacker to prevent or intercept the communication between the terminal 1 and the mobile terminal 2.
- In step aa an OTP is negotiated directly by the CP 9 with the registry 3 and (in step ab) sent to this registry 3 and deposited there.
- This transfer is encrypted.
- the replacement certificate can also be stored cryptographically secured in the registry 3.
- the OTP or the replacement certificate can also be stored in the directory service 12. This OTP is used in accordance with the embodiment of FIGS. 1 to 3 in order to log a user on to the system if the mobile terminal 2 is not present, while two-factor authentication is still adhered to. If there is no connection to the network 13 in step aa, this step is performed when the connection is re-established.
- FIG. 5 shows an exemplary embodiment of a method sequence for registering a user according to the invention on a terminal 1 by means of a mobile terminal 2.
- the method shown in FIG. 4 has preferably been used to set up the system.
- the method according to FIG. 5 likewise uses the system shown in FIGS. 2 and 3.
- In step k a locked terminal 1 is provided, which waits for user authentication in order to be unlocked.
- the CP 9 is installed on the terminal 1 and an OTP from the user's last login has been deposited.
- In step l the user approaches the terminal 1 with his mobile terminal 2.
- the user starts the TA 8 and inputs a PIN to start the authentication.
- a Bluetooth connection 6 is established between the terminal 1 and the mobile terminal 2.
- biometric sensors can also be used to make use of biometric authentication.
- In step m the terminal 1 recognizes the mobile terminal 2 through the installed CP 9 and starts the logon procedure based on the TA 8 started in the mobile terminal 2.
- In step n a connection from the terminal 1 to the directory service 12 is established.
- the directory service 12 is a network component of the network 13. If the connection to the network is not available, an attempt is made to authenticate the user on the basis of the data stored on the terminal 1 (offline login).
- In step o the directory service 12 generates a so-called challenge, for example according to the Challenge Handshake Authentication Protocol, CHAP for short.
- CHAP is an authentication protocol.
- In step n the terminal 1 initiates a connection to the directory service 12.
- the directory service generates the challenge in step o.
- the challenge is a random value which is transmitted to the terminal 1 in step p.
- the terminal 1 sends the challenge in step q to the mobile terminal 2 via the BLE 6.
- the TA 8 signs the challenge in step u.
- the signing is an asymmetric cryptographic method in which the mobile terminal 2 calculates another value using the secret signature key (the private key) of the key pair 11 to the challenge.
- the mobile terminal 2 transmits the signed challenge back to the terminal 1.
- the terminal 1 forwards the signed challenge to the directory service 12 in step w.
- In step x the directory service 12 checks the signature.
- the additional value calculated during signing is checked by verifying the non-repudiable authorship and integrity of the challenge with the aid of the public verification key (the public key) of the key pair 11.
- Optionally, in step y, the validity of the certificate 14 is also queried at the certification authority 4. If the certificate 14 is valid and the signature correct, the authentication attempt is successful. The terminal 1 is then unlocked in step z and the logon of the user by means of his mobile terminal 2 is complete.
- a new OTP is negotiated by the CP 9 with the registration point 3 and (in step ab) sent to this registration point 3 and, if necessary, to the directory service 12, and stored there, if no OTP existed yet or a new OTP must be generated for another reason.
- This transfer is encrypted.
- This new OTP is used according to the embodiment of FIGS. 1 to 3 to log a user on to the system should the mobile terminal 2 not be present, while still maintaining two-factor authentication.
- FIGS. 6 and 7 now describe two scenarios according to the invention in which the user 16 does not carry his mobile terminal 2 with him, for example because he has lost it or it is defective, but is nevertheless to log on to the terminal 1 by means of two-factor authentication. For this purpose, at least the method according to FIG. 4 should already be completed.
- In step ad, as in step k of FIG. 5, the terminal 1 is locked and waits for user authentication in order to be unlocked.
- the CP 9 is installed on the terminal 1 and an OTP according to a last login of the user has been deposited.
- a user can log on to a terminal exclusively by means of a certificate.
- the user contacts an information point 17 in step ae and reports the loss or defect of the mobile terminal 2.
- the OTP is communicated verbally to the user, for example via a telephone connection. Alternatively, the OTP can also be transmitted via other devices and forms of communication.
- the logon process in the terminal 1 is converted to OTP input, for example automatically by the CP 9 or a user input in a logon GUI.
- the user enters the OTP on the terminal 1 in step ah.
- access to the replacement certificate in the TPM of the terminal 1 is enabled. This replacement certificate is used instead of the user certificate 14 to sign the challenge.
- the steps n to z of FIG. 6 correspond to the steps n to z according to FIG. 5, whereby instead of the user certificate 14 of the mobile terminal 2, the replacement certificate of the TPM of the terminal 1 is now used.
- In step aa a new OTP is negotiated with the registry 3 and (in step ab) sent to this registry 3 and the directory service 12 and stored there.
- This transfer is encrypted.
- This new OTP is used according to the embodiment of FIGS. 1 to 3 to log a user on at the terminal 1 should the mobile terminal 2 not be present, while two-factor authentication is still adhered to. If the connection to the network is not available in step aa, this step is postponed until the connection is re-established.
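As an added illustration (not code from the patent), the FIG. 5 login sequence (steps o to ab) and the FIG. 6 OTP fallback modelled in Go: the directory service issues a random challenge, the TA signs it only after the PIN check with a private key that never leaves it, the directory service verifies the signature and the certificate's validity, and every successful login deposits a fresh single-use OTP that the fallback logon consumes. P-256 as the ECC curve, the type and function names, and folding the CA validity list and the registry's OTP store into one struct are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"fmt"
)

// Constructed model of the FIG. 5 login (steps o to ab) and the FIG. 6 OTP fallback; all names are this example's assumptions.

func hash(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

// TrustedApp stands in for TA 8: the private key of key pair 11 never leaves it, and it signs only after the PIN check of step l.
type TrustedApp struct {
	priv *ecdsa.PrivateKey
	pin  string
}

// NewTrustedApp generates the ECC key pair 11 (P-256 here) as the TEE does at step g.
func NewTrustedApp(pin string) (*TrustedApp, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TrustedApp{priv: priv, pin: pin}, nil
}

// Sign models step u: constant-time PIN check, then an ECDSA signature over the hashed challenge.
func (t *TrustedApp) Sign(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(t.pin)) != 1 {
		return nil, fmt.Errorf("TA locked: wrong PIN")
	}
	return ecdsa.SignASN1(rand.Reader, t.priv, hash(challenge))
}

func (t *TrustedApp) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// DirectoryService stands in for directory service 12, with the validity list of CA 4 (step y) and the OTP store of registry 3 (step ab) folded in.
type DirectoryService struct {
	users   map[string]*ecdsa.PublicKey // user -> public key of user certificate 14
	revoked map[string]bool             // user -> certificate 14 revoked at CA 4
	otps    map[string]string           // user -> current fallback OTP
}

func NewDirectoryService() *DirectoryService {
	return &DirectoryService{users: map[string]*ecdsa.PublicKey{}, revoked: map[string]bool{}, otps: map[string]string{}}
}

// Enroll records the public key the CA certified for the user (steps h to j); Revoke withdraws it, e.g. after a reported loss.
func (d *DirectoryService) Enroll(user string, pub *ecdsa.PublicKey) { d.users[user] = pub }
func (d *DirectoryService) Revoke(user string)                      { d.revoked[user] = true }

// Verify models steps x and y: a valid signature under the enrolled key AND a certificate that is not revoked.
func (d *DirectoryService) Verify(user string, challenge, sig []byte) bool {
	pub, ok := d.users[user]
	return ok && !d.revoked[user] && ecdsa.VerifyASN1(pub, hash(challenge), sig)
}

// RotateOTP models steps aa/ab: a fresh OTP replaces the stored one after every successful login.
func (d *DirectoryService) RotateOTP(user string) (string, error) {
	b := make([]byte, 10)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	d.otps[user] = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b)
	return d.otps[user], nil
}

// MobileLogin runs steps o to ab: random challenge (o; relayed by the terminal over BLE in p, q), TA signature (u, w), verification (x, y), new OTP (aa, ab).
func (d *DirectoryService) MobileLogin(user, pin string, ta *TrustedApp) (bool, string, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, "", err
	}
	sig, err := ta.Sign(pin, challenge)
	if err != nil || !d.Verify(user, challenge, sig) {
		return false, "", err
	}
	otp, err := d.RotateOTP(user)
	return err == nil, otp, err
}

// FallbackLogin models FIG. 6 step ah: the OTP read out by the information point is compared in constant time, consumed and replaced at once (aa, ab).
func (d *DirectoryService) FallbackLogin(user, entered string) (bool, string) {
	stored, ok := d.otps[user]
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(entered)) != 1 {
		return false, ""
	}
	delete(d.otps, user) // a spent OTP is never accepted a second time
	next, err := d.RotateOTP(user)
	return err == nil, next
}
```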
- Step ad also forms the start of a second exemplary embodiment according to the invention for logging onto a terminal 1 without the presence of the mobile terminal 2.
- the terminal 1 is locked and waits for user authentication in order to be unlocked.
- the CP 9 is installed on the terminal 1 and an OTP according to a last login of the user has been deposited.
- In FIG. 7, in contrast to FIG. 6, it is possible to log a user on at a terminal even without a certificate, whereby two-factor authentication must nevertheless be realized.
- the user contacts an information point 17 in step ae and reports the loss or defect of the mobile terminal 2.
- the OTP is communicated verbally to the user, for example via a telephone connection.
- the logon process in the terminal 1 is converted to OTP input, for example automatically by the CP 9 or a user input in a logon GUI.
- the user enters the OTP on the terminal 1 in step ah.
- a login mask is now displayed in step ai and the user 16 is requested to enter a user name and another password.
- This form of logon corresponds to the conventional logon at a terminal 1.
- This user name and the further password are used instead of the user certificate 14 to log on to the directory service 12.
- the user name and additional password can be stored in the protected memory area of the terminal (TPM) and retrieved from there using the OTP as the backup mechanism. This allows the use of much more complex passwords, because the user does not have to remember them.
- Step d) of FIG. and the steps e) to j) according to FIG. 4 are also performed; their description is not repeated, since the operations in steps e) to j) are the same.
- steps aa and ab a new OTP is generated and stored in the registration office 3 and / or the directory service 12.
- the following describes a scenario in which the user, in the system according to FIGS. 2 and 3 and the sequence according to FIG. 4, has forgotten the PIN for the TA 8 and is thus locked out of the TA 8.
- the user contacts the information center, which orders a new user certificate from the registration office 3.
- the registration authority 3 requests a user certificate update at the CA 4, after which the steps d) and e) are repeated and a new PIN can be assigned by the user in the context of step e).
- a new OTP according to steps aa and ab of FIG. 4 or FIG. 5 is generated and stored again.
- alternatively, the PIN is reset via a hierarchically superior password, such as a PUK.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102017121648.0A DE102017121648B3 (de) | 2017-09-19 | 2017-09-19 | Verfahren zum anmelden eines benutzers an einem endgerät |
PCT/DE2018/000274 WO2019057231A1 (fr) | 2017-09-19 | 2018-09-18 | Procédé pour établir une authentification d'utilisateur au niveau d'un terminal au moyen d'un terminal mobile et pour connecter un utilisateur à un terminal mobile |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3685563A1 true EP3685563A1 (fr) | 2020-07-29 |
Family
ID=64316236
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP18803528.1A Withdrawn EP3685563A1 (fr) | 2017-09-19 | 2018-09-18 | Procédé pour établir une authentification d'utilisateur au niveau d'un terminal au moyen d'un terminal mobile et pour connecter un utilisateur à un terminal mobile |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP3685563A1 (fr) |
DE (1) | DE102017121648B3 (fr) |
WO (1) | WO2019057231A1 (fr) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11792184B2 (en) * | 2019-12-05 | 2023-10-17 | Microsoft Technology Licensing, Llc | Autopilot re-enrollment of managed devices |
CN111954211B (zh) * | 2020-09-07 | 2023-05-02 | 北京计算机技术及应用研究所 | A novel authenticated key agreement system for mobile terminals |
CN117473560B (zh) * | 2023-12-28 | 2024-03-12 | 飞天诚信科技股份有限公司 | Method and device for implementing the operation of an online OTP device |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7783702B2 (en) | 2005-11-30 | 2010-08-24 | Microsoft Corporation | Using a mobile phone to control a personal computer |
US9210150B2 (en) | 2011-10-25 | 2015-12-08 | Salesforce.Com, Inc. | Two-factor authentication systems and methods |
US9887983B2 (en) | 2013-10-29 | 2018-02-06 | Nok Nok Labs, Inc. | Apparatus and method for implementing composite authenticators |
US8646060B1 (en) | 2013-07-30 | 2014-02-04 | Mourad Ben Ayed | Method for adaptive authentication using a mobile device |
EP3077946A1 (fr) * | 2013-12-02 | 2016-10-12 | Gemalto SA | System and method for securing offline use of a certificate by a one-time password (OTP) system |
US9781105B2 (en) | 2015-05-04 | 2017-10-03 | Ping Identity Corporation | Fallback identity authentication techniques |
GB2547472A (en) * | 2016-02-19 | 2017-08-23 | Intercede Ltd | Method and system for authentication |
- 2017-09-19 DE DE102017121648.0A patent/DE102017121648B3/de not_active Expired - Fee Related
- 2018-09-18 WO PCT/DE2018/000274 patent/WO2019057231A1/fr unknown
- 2018-09-18 EP EP18803528.1A patent/EP3685563A1/fr not_active Withdrawn
Also Published As
Publication number | Publication date |
---|---|
DE102017121648B3 (de) | 2019-01-03 |
WO2019057231A1 (fr) | 2019-03-28 |
Similar Documents
Publication | Title |
---|---|
DE102015215120B4 (de) | Method for using a device to unlock a further device |
US7770212B2 (en) | System and method for privilege delegation and control |
DE112008001436T5 (de) | Secure communication |
EP3909221B1 (fr) | Method for securely providing a personalised electronic identity on a terminal |
US20030115154A1 (en) | System and method for facilitating operator authentication |
EP3114600B1 (fr) | Security system with access control |
EP4128695B1 (fr) | Customised, server-specific authentication mechanism |
DE102017121648B3 (de) | Method for logging a user on to a terminal |
DE102016208512A1 (de) | Access control with a mobile radio device |
EP3908946B1 (fr) | Method for securely providing a personalised electronic identity on a terminal |
EP3465513B1 (fr) | User authentication by means of an ID token |
DE10124427A1 (de) | System and method for the secure comparison of a shared secret between communication devices |
DE102018102608A1 (de) | Method for user management of a field device |
EP4295257A1 (fr) | Extraction of identity attributes by means of a remote secure element |
EP2631837B1 (fr) | Method for creating a pseudonym using an ID token |
DE102017006200A1 (de) | Method, hardware and system for dynamic data transfer to a blockchain computer network for storing personal data, parts of which are reused block-wise as the basis for end-to-end encryption, so that the data-collection process via the data-transfer module is dynamically updated in real time with further data from sensor units. The block modules on the blockchain database system can be extended without limit. |
WO2023217645A1 (fr) | Secure access system |
DE102017012249A1 (de) | Mobile terminal and method for authenticating a user at a terminal by means of a mobile terminal |
KR102288445B1 (ko) | Onboarding method, device and program for an organisational authentication module |
EP3882796A1 (fr) | User authentication using two independent secure elements |
CN100474825C (zh) | Method and system for unified handling of domain authentication and user network permission control |
DE102021103997A1 (de) | User authentication using two independent secure elements |
EP3289509A1 (fr) | Method for producing an electronic signature |
EP2381712B1 (fr) | Secure reading of data from a mobile device with a fixed TPM |
EP2723111B1 (fr) | Multi-factor authentication for mobile terminals |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STAA | Information on the status of an ep patent application or granted ep patent | STATUS: UNKNOWN |
| STAA | Information on the status of an ep patent application or granted ep patent | STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | ORIGINAL CODE: 0009012 |
| STAA | Information on the status of an ep patent application or granted ep patent | STATUS: REQUEST FOR EXAMINATION WAS MADE |
2020-03-12 | 17P | Request for examination filed | |
| AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
| AX | Request for extension of the european patent | Extension state: BA ME |
| DAV | Request for validation of the european patent (deleted) | |
| DAX | Request for extension of the european patent (deleted) | |
| STAA | Information on the status of an ep patent application or granted ep patent | STATUS: EXAMINATION IS IN PROGRESS |
2021-05-17 | 17Q | First examination report despatched | |
| RAP3 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: APIIDA AG |
| STAA | Information on the status of an ep patent application or granted ep patent | STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
2023-04-01 | 18D | Application deemed to be withdrawn | |