EP3963823A1 - Procédé de connexion sécurisée à un service web embarqué et dispositif correspondant - Google Patents
Procédé de connexion sécurisée à un service web embarqué et dispositif correspondantInfo
- Publication number
- EP3963823A1 EP3963823A1 EP20723778.5A EP20723778A EP3963823A1 EP 3963823 A1 EP3963823 A1 EP 3963823A1 EP 20723778 A EP20723778 A EP 20723778A EP 3963823 A1 EP3963823 A1 EP 3963823A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- mobile device
- data
- individual
- client equipment
- biometric
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 37
- 230000015654 memory Effects 0.000 claims description 9
- 230000004913 activation Effects 0.000 claims description 8
- 230000006870 function Effects 0.000 claims description 6
- 230000005540 biological transmission Effects 0.000 claims description 5
- 238000004590 computer program Methods 0.000 claims description 5
- 238000012790 confirmation Methods 0.000 claims description 5
- 230000001815 facial effect Effects 0.000 claims description 3
- 230000001755 vocal effect Effects 0.000 claims 1
- 230000008901 benefit Effects 0.000 description 9
- 238000004891 communication Methods 0.000 description 8
- 210000000554 iris Anatomy 0.000 description 8
- 238000013459 approach Methods 0.000 description 3
- 238000013475 authorization Methods 0.000 description 3
- 230000003993 interaction Effects 0.000 description 3
- 238000003825 pressing Methods 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 210000000887 face Anatomy 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000001681 protective effect Effects 0.000 description 1
- 230000002787 reinforcement Effects 0.000 description 1
- 230000003014 reinforcing effect Effects 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/77—Graphical identity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/50—Secure pairing of devices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
Definitions
- TITLE Method of secure connection to an embedded web service and corresponding device.
- the field of the invention is that of simplifying and securing connection and data transfer between electronic equipment (server and client), regardless of their operating system (Windows / Apple / Linux / Android (registered trademark) ), and in particular the establishment of secure wireless connections (wifi, Bluetooth (registered trademark), etc.) with strong authentication.
- the invention applies in particular to the secure connection of client equipment to a web service embedded in a mobile device, in particular for web services for identifying or authenticating people.
- server Securing the connections between two items of equipment, referred to hereinafter as “server” and “client” is a major concern, and many solutions have been proposed. This is in particular the case when the server must provide control and authentication services, and for example recognition and / or identification, in particular for security checks (police forces for example), access to reserved areas, products or data, for identifications (access to a ballot for example).
- security checks Police forces for example
- access to reserved areas, products or data for identifications (access to a ballot for example).
- 2D bar codes are used, for example, to confirm the identity of a user when he tries to connect to a web service.
- the user will use his phone's camera to read a barcode provided by the server and restore on the screen of a client computer, and transmit, via a wireless link, a return to the server confirming the user's identity.
- the server then serves the client.
- the invention proposes a method of connection between client equipment, comprising a screen, and server equipment.
- said server equipment is a mobile device equipped with a camera, and the method, implemented by said mobile device, comprises:
- the invention proposes a completely new and inventive approach to securely and simplify connection of client equipment to a web service. To do this, it is based on the use of a single mobile device, which performs both the authentication functions of the client device, the routing of the wireless connection of said client device and the server providing the web service requested by the client equipment.
- the mobile device sends a pictogram to a client device only when the latter requests to connect to said device.
- the mobile device generates each time a unique pictogram, for example using a pseudo-random generator.
- it continuously generates unique pictograms, for example every millisecond, when it is on.
- the mobile device sends a different pictogram for each connection request, and on the other hand, it is he who chooses the client equipment located nearby, on the screen of which it will capture the pictogram sent and displayed.
- This guarantees the impossibility for a hacker to reproduce a connection or to attempt to recover the pictogram intended for another client equipment.
- pirate equipment located at a distance from the mobile device, intercepts the pictogram intended for the client equipment which has requested to connect to said device, it cannot in any case replace the requesting customer equipment, since he cannot physically present his screen to the mobile device in place of that of the requesting client equipment and actually near said device.
- the pictograms generated randomly by said device are different from each other. Above all, it is impossible to deduce a pictogram on the basis of the pictograms previously generated.
- the authentication proposed by the invention is therefore strong.
- the establishment of the secure wireless connection between the client equipment and the mobile device is performed by the latter. This is very different from the classic approach, where connection establishment is carried out by a router, for example a wifi router, which cannot be moved at the level of the customer equipment.
- the connection is established according to the invention in a simple and efficient manner, without having to enter any “login” / password.
- the data exchanged can then be encrypted for increased security.
- the mobile device implements the web service requested by the client equipment. It therefore also plays a role of server, for the web service (s) it embeds.
- web service is meant a computer interface software or middleware (for “middleware") which allows the exchange of data between heterogeneous systems, without requiring the installation of suitable software or applications at the site. server or at the client.
- this service can be provided locally, or, alternatively, by using remote data accessible via the secure connection, when the client equipment is connected to the Internet.
- the solution proposed by the invention is integrated into a single mobile device, making it possible both to reduce the complexity of the operations and exchanges to be carried out to provide access to the service requested by the client equipment, and to limit the associated risks security, while avoiding the need for specific software applications on client equipment.
- the connection to the web service established according to the invention is unique and temporary, since with each new activation of the web service, the method must be reproduced in full.
- the method of the invention comprises an initial step of authenticating the user of the mobile device using biometric data of said user, such as fingerprints, facial, voice or personal data. the iris.
- This biometric authentication of the user of the mobile device reinforces the security of the method for providing access to a web service. Indeed, it makes it possible to ensure that the user of the mobile device is effectively authorized to access said web service, and therefore prevents an impostor from fraudulently using the mobile device.
- the step of wireless connection between the mobile device and client equipment is set up following the activation of a web service embedded in the mobile device by a user, on said mobile device. .
- the user simply turns on the mobile device, which triggers the activation of the web service, or he presses a physical button on the mobile device to choose the service to activate.
- a physical activation is that it does not require the use of telecommunications means. It provides a additional security, since only a user with the mobile device at hand can activate a web service.
- the establishment of the secure wireless connection between the mobile device and a client equipment item comprises the opening of a secure channel, of the SSL tunnel type, between said client and said mobile device.
- the secure channel is an SSL tunnel (for “Secure Sockets Layer”).
- SSL tunnel for “Secure Sockets Layer”.
- the or one of said web services embedded in the mobile device is an identity control and / or authentication service of an individual, and comprises the following steps:
- biometric means located on said device.
- biometric means correspond to sensors, configured to record biometric data representative of this individual, such as, for example, his fingerprints, his face, his irises, etc.
- biometric means can comprise a data card reader, configured to read biometric data recorded in an identification data card of the individual, such as for example his driving license, his national identity card or his passport.
- read biometric data constitute reference biometric data for identity control.
- the mobile device which performs the comparison of the biometric data recorded with the reference biometric data and verifies their correspondence. In this way, all the control operations are performed by the mobile device and only the result of this identity check is sent to the user's client equipment.
- An advantage of the method of the invention is therefore to make the identity control service accessible to any user of terminal equipment, regardless of the hardware and software configuration of this equipment. It will be noted that such a problem of hardware and software compatibility is particularly important in the field of biometric data processing, due to the fact that the software solution development tools or SDK (for “Software Development Kit”) made available developers are not compatible with all operating systems or OS (for "Operating System", in English) installed on mobile phones on the market. In this context, the solution of the invention, based on a web service embedded in a mobile device, therefore finds a particularly relevant and useful application.
- first reference data of the monitored individual is obtained by reading a data card, using the mobile device, said data card comprising said first reference data.
- the reader is a contactless data reader, based on an NFC type technology (for “NearField Communication”).
- the reader is a smart card reader and comprises a slot in which the card is inserted.
- An advantage of this embodiment is that the mobile device on its own makes it possible to obtain all the biometric data of the individual, without requiring means of connection to a communication network.
- the identity of the individual can thus be controlled locally, by a single mobile device.
- Such independence from the quality of the mobile network coverage guarantees a quality of control service. identity preserved in a white area or enjoying a degraded quality of access to the mobile network.
- second reference data of the monitored individual are obtained by interrogation of a remote database via the secure connection established with the client equipment, these said reference data are compared with biometric data obtained and a message confirming the identity of said individual is only transmitted if a match between said biometric data obtained and said reference data has been found.
- non-biometric identification data such as the first and last name of the individual
- identification data card is read from the individual's identification data card and transmitted to the remote database in a request.
- interrogation which responds by sending the second reference biometric data stored in association with this non-biometric identification data.
- Such a method has the advantage of reinforcing the control of the identity of the individual, by taking advantage of the established secure connection and of access to a remote communications network, for example the Internet, through the intermediary of a connection to the mobile network, available at the customer equipment level.
- a remote communications network for example the Internet
- the fact of being able to securely access remote databases using the client equipment connected to the mobile device makes it possible, for example, to detect a falsification of the official identity document presented, or to obtain additional information on the controlled individual, for example recorded in his criminal record.
- the service offered is provided with an increased level of security, without requiring an additional physical interface at the level of the mobile device, which remains simple and inexpensive.
- the invention also relates to a mobile device comprising a camera, a processor and at least one memory, this memory comprising a computer program product capable of providing, when it is executed by the processor, a function of securing a connection.
- a mobile device comprising a camera, a processor and at least one memory
- this memory comprising a computer program product capable of providing, when it is executed by the processor, a function of securing a connection.
- such a mobile device is able to implement a method of secure connection and of providing access to an onboard web service, as described above, according to its various embodiments.
- the mobile device performs on its own both the authentication functions of the client equipment, routing of the wireless connection of said client equipment and server providing the web service requested by the client equipment.
- the mobile device comprises:
- biometric data sensor configured to collect biometric data from an individual
- a data medium reader configured to read reference data stored in a data medium for identifying said individual
- processor is further configured for:
- the mobile device integrates both the physical interfaces necessary to obtain biometric data and corresponding reference data of the controlled individual, and the software and hardware computing means to perform the operations of verifying the biometric data obtained.
- the web service embedded in the mobile device natively allowing the exchange of data between such heterogeneous means, only the result of the identity check is transmitted to the client equipment.
- the means implemented to provide the identity control service are entirely located on the mobile device completely relieves the user of the client equipment from the problems of software and hardware compatibility of the prior art.
- the client equipment In order for the service to be rendered, it suffices for the client equipment to have a screen and a wireless connection means to connect with the mobile device.
- the processor is configured to obtain second reference biometric data from said individual, by querying a remote database via the secure connection with the client equipment, and to compare the biometric data obtained. to said second biometric reference data, the message confirming the identity of said individual being transmitted to said client equipment only if a match has been found between said recorded biometric data and said second biometric reference data.
- second biometric reference data allows the reinforcement and reliability of the identity check of the individual, through the secure connection established.
- the aforementioned mobile device has at least the same advantages as those conferred by the connection method according to the present invention.
- FIG.l schematically illustrates the principle of secure connection of one or more client equipment to a mobile device according to the invention
- FIG.2A illustrates an embodiment of the method of the invention
- FIG.2B schematically illustrates the authentication of the client equipment by the mobile device
- FIG.3A illustrates an embodiment of the method of the invention, when the onboard web service performs an identity check of an individual
- FIG.3B schematically illustrates another embodiment of the method of the invention, when the on-board web service performs an identity check of an individual
- FIG.3C schematically illustrates the interactions between the mobile device, the user, the user's client equipment and the individual to be checked, when the on-board web service performs such an identity check
- FIG.4 schematically illustrates an example of the hardware structure of a mobile device implementing the method of the invention.
- One principle of the invention is to provide a user of client equipment with secure access to one or more web services embedded on a mobile device located near him.
- a web service is a standardized medium, in the form of a software module, capable of performing specific tasks.
- a server, embedding the web service can be queried by a client, through requests. The server returns the requested data. The data is exchanged according to the XML standard.
- these web services can in particular be:
- services linked to recognition and authentication for example to control means of reading documents, in particular secure documents, such as an identity card, a driving license, a voter card, an authorization of access, etc., for example in the form of a camera and / or a card reader, with or without contact;
- secure documents such as an identity card, a driving license, a voter card, an authorization of access, etc., for example in the form of a camera and / or a card reader, with or without contact;
- biometric data recognition fingerprint, facial recognition, voice recognition, iris recognition, etc.
- these different services are implemented in a mobile device, preferably equipped with the sensors necessary for the implementation of these services.
- This mobile device first initiates a secure connection with client equipment, for example a mobile phone or a tablet, which in particular acts as a terminal, in particular via its screen.
- client equipment for example a mobile phone or a tablet, which in particular acts as a terminal, in particular via its screen.
- the client equipment thus has secure access to the web services provided for the mobile device, without having to first have any dedicated application or any particular configuration.
- Any conventional terminal having a screen and able to use web services, may be paired with the mobile device, which ensures the entire process of securing the connection and then implementing the web services.
- a user of a client equipment 11 who wishes to establish a secure connection to access a particular web service, from his client equipment 11, for example a computer, a tablet or a mobile phone, equipped with a screen 111.
- his client equipment 11 for example a computer, a tablet or a mobile phone, equipped with a screen 111.
- his client equipment 11 for example a computer, a tablet or a mobile phone, equipped with a screen 111.
- he uses a dedicated mobile device 12, equipped in particular with a camera 121.
- he may be a member of the police who wishes to carry out checks identity, using his phone or tablet (which does not need to have any particular application, and can therefore be of any type and of any standard, as long as he is able to communicate via the Internet) and the mobile device of the invention.
- Said method comprises the following steps:
- - step 21 the user turns on, or activates, the mobile device 12, which triggers the activation of the web service, if there is only one available on said device 12, or he selects, by for example by pressing a physical button on this mobile device 12, the web service to be activated from among the various services offered;
- - step 22 in the two cases presented in step 21, the activation of the web service triggers the activation of a wireless connection service, for example of the Wifi type.
- the mobile device 12 activates an on-board WiFi router.
- the exchanges can of course be implemented with other data exchange protocols, for example Bluteooth ® or Zigbee ® ;
- client devices 11 and 11 ' may request connection with said device 12 (client devices 11 and 11 '), for example in the case of law enforcement agencies sharing the same mobile device, each having its own client device, for example example his phone.
- the mobile device 12 receives the connection request from the client equipment 11 (or each request, which will then be processed independently);
- step 24 an IP connection is established between the mobile device 12 and the client equipment 11;
- the mobile device 12 responds to the client equipment 11 by transmitting to it a unique pictogram PI, which it has generated in a pseudo-random manner. If several clients (11, 11 ') request to connect with said device 12, said device sends a different pictogram (PI, R) to each of the clients (see FIG. 1);
- step 26 the camera 121 of the mobile device 12 reads the pictogram displayed on the screen 111 of the client equipment 11. This step 26 is illustrated with more precision in FIG. 2B, where it is visible that the device 12 is capturing an image of the PI pictogram displayed on the screen 111 of the customer 11, using his camera 121;
- step 27 the mobile device 12 then internally compares the data of the pictogram PI recorded by its camera 121 on the screen 111 of the customer 11 with the data of the pictogram that it has itself sent, to confirm the source;
- step 28 if there is a match, the mobile device 12 authenticates the client equipment 11 and authorizes the router to establish a secure connection with the authenticated client equipment 11. Otherwise, it rejects the connection request. The mobile device 12 thus ensures itself the establishment of a secure, unique and distinct connection with the client equipment 11.
- the secure connection implements data encryption, for example according to a public key / private key mechanism, the public key having been transmitted in or at the same time as the pictogram.
- the mobile device 12 provides the client equipment 11 with access to the web service that it has requested.
- the mobile device 12 authenticates the client equipment 11 '.
- the client equipment 11 ' rather than asking to connect to the Wifi router of the mobile device 12 in the same way as the client 11, could also be pirate equipment which would have intercepted the message comprising the pictogram PI intended for the client equipment 11.
- it will not be able to authenticate itself with the mobile device 12, unless it is physically available, to use it and take the image of the pictogram displayed on its screen. But even in this case, the mobile device 12 would identify a problem and would go into security mode, since a first connection would have been made with the same pictogram.
- the established connection is secured by the fact that the authentication (initiation, with the generation of the pictogram and its reading on the screen) and the establishment of the connection are carried out by the same device, which also ensures the provision of the on-board web service requested by the client equipment.
- connection is for single use and the customer is identified locally by reading the pictogram displayed on his screen using the camera of the mobile device.
- a pirate client who intercepts a pictogram transmitted by the mobile device, intended for a real client, will never be able to be authenticated with said device, since the local step of reading said pictogram on the screen of the client equipment is required to complete this authentication.
- the fact of obtaining information by the camera of the mobile device prevents any attack of the type "man in the middle" (in English: "man in the middle”).
- the wireless connection process is simplified to the extreme, since there is no password. pass laborious to enter, neither on client equipment nor on the mobile device, and no software application to install on either of these devices. This avoids the risk of error on the password, of loss of this one, or of inscription in memory of this one.
- the invention thus makes it possible to offer a connection associated with an on-board web service, and therefore to offer a service, for example, of cross-platform file sharing (iOS (registered trademark), Android (registered trademark), Windows (registered trademark). registered), Linux (registered trademark), etc.), effortlessly and without third-party software to install on client equipment.
- iOS registered trademark
- Android registered trademark
- Windows registered trademark
- Linux registered trademark
- FIGS. 3A to 3C An embodiment of the invention is now described in relation with FIGS. 3A to 3C, according to which the web service on board the mobile device 12 is an identity control service for an individual.
- the user of the client equipment 11 and of the mobile device 12 is a law enforcement officer and he wishes to check the identity of an individual whom he has just called.
- the mobile device 12 is equipped with one or more specific physical interfaces, suitable for reading the biometric data of an individual and / or for reading information recorded on a data card.
- a data card removable or a dedicated data medium.
- This is, for example, a fingerprint sensor / reader, a camera or a contactless smart card or data reader.
- a mobile device 12 is described in more detail below, in relation to FIG. 4.
- the identity control method of the invention comprises the following steps:
- step 31 reading the biometric data of the individual using a suitable physical interface, integrated into the mobile device 12, for example taking his fingerprints using a fingerprint reader, or capturing his face and / or the iris using a camera, for example a standard and / or infrared camera;
- step 32 reading by a dedicated reader of a data card presented by said individual and intended to officially identify him, such as his driving license or his ID card ; for example, it is a smart card that is inserted into a smart card reader integrated into the mobile device 12, or a data card that is brought close to a contactless data card reader (NFC for example), and obtaining the reference biometric data of the individual, stored in said card, representative for example of one of his fingerprints or one of his irises;
- a dedicated reader of a data card presented by said individual and intended to officially identify him such as his driving license or his ID card ; for example, it is a smart card that is inserted into a smart card reader integrated into the mobile device 12, or a data card that is brought close to a contactless data card reader (NFC for example), and obtaining the reference biometric data of the individual, stored in said card, representative for example of one of his fingerprints or one of his irises;
- step 33 comparison of the biometric data of the individual, recorded using the physical interfaces (sensors / readers) of the mobile device 12, with the reference biometric data of said individual, obtained by reading the data card of the 'individual;
- step 34 transmission to the client equipment 11 of a message confirming or denying the identity of the controlled individual, according to the results of the comparison of step 33.
- FIG. 3B illustrates a variant of the embodiment of the identity control web service according to the invention.
- the first step 3 is equivalent to step 31 of the method of FIG. 3A and is not described further. It is assumed here that the client equipment 11 has a connection to an extended communication network, of the Internet or Intranet type, for example via a mobile radio access network.
- step 32 of obtaining reference data of the method further comprises:
- step 321 reading non-biometric identification data, for example the name and the first name of the individual, on the data card of the individual;
- step 322 transmission of an interrogation request from a remote database, via the secure connection with the client equipment 11 and an access available to the client equipment to an extended communication network.
- This request comprises the non-biometric identification data read in step 321, and a request to obtain second reference biometric data of the individual, stored in the remote database in association with the non-biometric identification data. biometrics of that individual;
- step 323 receiving a response to said request
- the mobile device 12 carries out an additional comparison, that of the biometric data collected with the second reference biometric data and only confirms the identity of the individual in the event of a double match.
- Step 34 ' is unchanged from step 34 of the method of FIG. 3A.
- the second biometric reference data of the controlled individual are obtained remotely, through the secure connection. It is understood that this identity check offers a reinforced level of security, since it makes it possible to detect whether the individual presents a falsified identity document.
- FIG. 3C illustrates the interactions between the mobile device 12, the client equipment 11, the user of this equipment, for example a control agent U and the individual I. To better distinguish them, we have represented by dotted lines. physical / direct interactions and by full lines the exchange of data through a communication channel.
- the control agent U activates / turns on at 21 the mobile device 12 according to the invention.
- he authenticates in 21 'with the mobile device which records his biometric data (fingerprints, face, iris, voice, etc.) and compares them with reference data.
- the agent U interacts physically with the mobile device 12 (reference Set U in FIG. 3C), for example by placing his finger on the fingerprint sensor of said device.
- the control agent activates at 21 "the web identity control service on board the mobile device 12, for example by pressing a button of a man / machine interface of the mobile device 12.
- the mobile device 12 opens a Wi-Fi connection
- the control agent selects the wireless connection service of the mobile device, visible on the screen of its client equipment 11 and sends in 23 a connection request Req to the mobile device 12
- the mobile device 12 receives this connection request and establishes at 24 a wireless connection with the client equipment 11.
- the mobile device 12 generates a unique and non-sequential pictogram P, for example in a pseudo-random fashion, and sends it at 25 to the client equipment via the wireless connection.
- the customer equipment 11 displays it on its screen.
- the control agent U then places the screen of his client equipment 11 in the field of the camera of the mobile device 12 (reference Set 11), so that the mobile device can read the pictogram displayed at 26.
- the mobile device 12 compares the pictogram data that it has sent with the pictogram data read by its camera on the display screen. the client equipment 11. If there is a match, the mobile device authenticates at 28 the client equipment 11, establishes a secure connection with said equipment, for example by an SSL tunnel, and gives the client equipment 11 access to the identity control service requested by agent U.
- the mobile device 12 is ready to render the identity check service.
- the control officer U asks him to present an identity document, for example his national identity card, his passport or his driving license.
- the control agent records at 31 the biometric data of the individual, such as his fingerprints, his face, his iris, his voice, etc., using a biometric data sensor located on the mobile device 12
- the agent U positions the finger of the individual on the fingerprint sensor of said device (reference Set /).
- the agent inserts such a data card into the data card reader of the mobile device 12 (reference Req. ID), which reads at 32 the identification data that it contains. It can also obtain second reference data from a remote database, as described in relation to FIG. 3B.
- the mobile device 12 compares at 33 the biometric data recorded with reference data read from the data card, or at 33 ′ the biometric data recorded with reference data resulting from the interrogation of a remote database, for example example police database, and decide whether or not there is a match between them. Then, the mobile device 12 transmits at 34/34 ′ a message to the client equipment 11, confirming the identity of the individual, if it has found a match between the biometric data recorded and the reference data, or denial of the identity of the individual in the opposite case. The result of the check is displayed on the screen of the customer equipment 11.
- a remote database for example example police database
- the identity check is essentially implemented by the mobile device 12, and that the client equipment 11 does nothing other than request access to the corresponding web service, display the pictogram and receive the result of the check.
- FIG. 4 illustrates an example of the hardware structure of a mobile device 12 according to the invention, configured to establish a secure connection and provide an on-board web service to client equipment.
- the device 12 is of reduced size. As an indication, it may for example have a length L of 80mm, a width I of 25mm and a thickness e of 10mm.
- It is autonomous (powered by a rechargeable battery) and integrates processing means, in particular a microprocessor 4191 and one or more memories, making it possible to implement the steps of the method described above.
- processing means in particular a microprocessor 4191 and one or more memories, making it possible to implement the steps of the method described above.
- such a device 12 comprises a random access memory (for example a RAM memory 4193) and a read only memory (for example a ROM memory 4192 and / or a hard disk).
- Its processor is controlled by a computer program Pg, stored in ROM 4192.
- the code instructions of the computer program are for example loaded into RAM 4193 before being
- the device 12 is equipped with light interfaces, such as information lights 411 and LED lighting 412, to help the user to manage the operation of said device.
- the device 12 comprises a camera configured to read the pictogram transmitted to customer equipment.
- the mobile device 12 also comprises biometric means for providing an onboard web service according to the invention.
- biometric means for providing an onboard web service according to the invention.
- These means comprise for example a camera 413 and a front mirror 414, configured to capture the face and the image of an iris of an individual.
- It may also include a contactless data reader, for example of the NFC (for “Near Field Communication”) type configured to read and analyze the non-biometric identification data of an identity card, when they are not stored in a chip; a microphone 415, configured to capture a voice signal from an individual; a fingerprint reader 416, configured to capture the fingerprints of an individual; and a data card reader 417, configured to read a data card, such as a driver's license, comprising biometric data of the corresponding individual (fingerprints, faces, etc.).
- NFC Near Field Communication
- This is for example a chip card reader, comprising a slot inside which the individual's chip card and / or a data reader is inserted.
- contactless for example of the NFC type configured to read and analyze the non-biometric identification data stored on the identity card.
- the device 12 is also equipped with a removable protective cover 418, able to cover and protect the physical interfaces of said device 12.
- the mobile device and the connection method according to the invention find numerous applications. As mentioned above, they can advantageously be used to facilitate identity checks carried out by the police. To do this, it suffices to equip a police officer with the mobile device according to the invention. He can then easily and securely connect this mobile device to his mobile phone or tablet, without entering a login or password; take biometric data of the individual to be checked, such as his fingerprints, using the biometric data sensors integrated into the mobile device; and reading an identification data card of the individual using the reader integrated in the mobile device. Then, it is the device that is responsible for comparing the data recorded and the reference data of the individual and establishing a control result. Finally, the police officer simply receives a validation or invalidation message on his mobile phone, depending on the result obtained.
- This mobile device also finds an application in a polling station, in order to check the identity of the voters and possibly check if the people preparing to vote have not already taken part in the ballot, and more generally for any access control to a site and / or a service.
- This mobile identity control device can also be used for controlling the access of a maintenance technician to a computer network of a company.
- the device using its physical interfaces equipped with biometric means, records the biometric data of the IT technician working on said network, checks his identity, verifies that he has a valid access authorization to the computer network and gives or not access to said network, depending on the result obtained.
- the technician To access the corporate network, the technician only needs the mobile device of the invention, an accessory to his client equipment, for example his laptop or his mobile terminal. Unlike the prior art, he no longer has to memorize a complex and different login and password for each of his clients, but simply to present an identity card or a professional badge comprising identification data, biometric data and possibly an access authorization associated with a validity date. With the invention, the security of access to sensitive and confidential data of a computer network of a company is therefore reinforced in a simple and practical manner.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Telephonic Communication Services (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephone Function (AREA)
- Information Transfer Between Computers (AREA)
Abstract
Description
Claims
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR1904600A FR3095707B1 (fr) | 2019-05-01 | 2019-05-01 | Procédé de sécurisation d’une communication et dispositif correspondant. |
PCT/EP2020/062345 WO2020221938A1 (fr) | 2019-05-01 | 2020-05-04 | Procédé de connexion sécurisée à un service web embarqué et dispositif correspondant |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3963823A1 true EP3963823A1 (fr) | 2022-03-09 |
Family
ID=69157889
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP20723778.5A Pending EP3963823A1 (fr) | 2019-05-01 | 2020-05-04 | Procédé de connexion sécurisée à un service web embarqué et dispositif correspondant |
Country Status (4)
Country | Link |
---|---|
US (1) | US11924647B2 (fr) |
EP (1) | EP3963823A1 (fr) |
FR (1) | FR3095707B1 (fr) |
WO (1) | WO2020221938A1 (fr) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
USD959552S1 (en) * | 2021-07-21 | 2022-08-02 | Speedfind, Inc | Display sign |
FR3133463A1 (fr) | 2022-03-08 | 2023-09-15 | Eric Fouchard | Dispositif portable et autonome de sécurisation de transfert de données et procédé correspondant. |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9497293B2 (en) * | 2011-09-16 | 2016-11-15 | Google Inc. | Mechanism for pairing user's secondary client device with a data center interacting with the users primary client device using QR codes |
EP2891354B1 (fr) * | 2012-08-29 | 2018-10-10 | Silverlake Mobility Ecosystem Sdn Bhd | Procédé de jumelage de dispositifs mobiles |
US20140282923A1 (en) * | 2013-03-14 | 2014-09-18 | Motorola Mobility Llc | Device security utilizing continually changing qr codes |
US20160180100A1 (en) * | 2014-12-18 | 2016-06-23 | Joe Britt | System and method for securely connecting network devices using optical labels |
KR101817306B1 (ko) * | 2016-06-03 | 2018-01-11 | (주)투비스마트 | 시각화 암호를 이용한 인증 장치 및 그 방법 |
KR102462271B1 (ko) * | 2016-09-26 | 2022-11-03 | 스냅 인코포레이티드 | 광학 코드들에 의한 디바이스 페어링 |
EP3631734B1 (fr) * | 2017-05-22 | 2021-08-18 | Magic Leap, Inc. | Appariement avec un dispositif compagnon |
US10885507B1 (en) * | 2019-12-06 | 2021-01-05 | Capital One Services, Llc | Transferring a customer from an ATM transaction to a device-based transaction during an error state, and applications thereof |
-
2019
- 2019-05-01 FR FR1904600A patent/FR3095707B1/fr active Active
-
2020
- 2020-05-04 WO PCT/EP2020/062345 patent/WO2020221938A1/fr unknown
- 2020-05-04 US US17/607,679 patent/US11924647B2/en active Active
- 2020-05-04 EP EP20723778.5A patent/EP3963823A1/fr active Pending
Also Published As
Publication number | Publication date |
---|---|
US11924647B2 (en) | 2024-03-05 |
US20220232390A1 (en) | 2022-07-21 |
FR3095707A1 (fr) | 2020-11-06 |
FR3095707B1 (fr) | 2022-06-03 |
WO2020221938A1 (fr) | 2020-11-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3690686B1 (fr) | Procédé d'authentification, serveur et dispositif électronique d'identité | |
EP2716005B1 (fr) | Procédé et système de sécurisation d'échanges de données entre un module client et un module serveur | |
EP1549011A1 (fr) | Procédé et système de communication entre un terminal et au moins un équipment communicant | |
FR2922396A1 (fr) | Procede d'authentification biometrique, programme d'ordinateur, serveur d'authentification, terminal et objet portatif correspondants | |
JP2006146914A (ja) | バイオセンサを有するidカード及びユーザー認証方法 | |
FR2864289A1 (fr) | Controle d'acces biometrique utilisant un terminal de telephonie mobile | |
FR2738934A1 (fr) | Systeme de comptabilisation anonyme d'informations a des fins statistiques, notamment pour des operations de vote electronique ou de releves periodiques de consommation | |
WO2013021107A1 (fr) | Procede, serveur et systeme d'authentification d'une personne | |
WO2020221938A1 (fr) | Procédé de connexion sécurisée à un service web embarqué et dispositif correspondant | |
FR2810822A1 (fr) | Procede d'authentification/identification biometrique securise, module de saisie et module de verification de donnees biometriques permettant de mettre en oeuvre le procede | |
FR2973909A1 (fr) | Procede d'acces a une ressource protegee d'un dispositif personnel securise | |
WO2020260136A1 (fr) | Procédé et système de génération de clés de chiffrement pour données de transaction ou de connexion | |
EP0995172A1 (fr) | Terminal informatique individuel susceptible de communiquer avec un equipement informatique d'une facon securisee, ainsi qu'un procede d'authentification mis en oeuvre par ledit terminal | |
WO2007006771A1 (fr) | Procede et dispositif d'autorisation de transaction | |
EP3757832B1 (fr) | Système et procédé d'authentification d'une personne détentrice d'un titre d'identité à distance par un tiers | |
FR3083627A1 (fr) | Procede de transmission securisee de donnees cryptographiques | |
FR2930830A1 (fr) | Ressource de confiance integree a un dispositif de controle de donnees biometriques assurant la securite du controle et celle des donnees | |
FR2816736A1 (fr) | Procede et installation de securisation de l'utilisation de supports associes a des identifiants et a des dispositifs electroniques | |
WO2013093325A1 (fr) | Dispositif electronique pour le stockage de donnees confidentielles | |
WO2017005644A1 (fr) | Procédé et système de contrôle d'accès à un service via un média mobile sans intermediaire de confiance | |
EP3926499A1 (fr) | Procédé d'authentification d'un utilisateur sur un équipement client avec un système d'archivage sécurisé de justificatifs d'identité | |
EP1802026A2 (fr) | Procédé de déblocage d'une ressource par un dispositif sans contact | |
WO2023170186A1 (fr) | Dispositif portable et autonome de sécurisation de transfert de données et procédé correspondant | |
EP4107706A1 (fr) | Procede et systeme d'authentification sans contact | |
FR2825213A1 (fr) | Systeme d'authentification d'un utilisateur |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: UNKNOWN |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20211129 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |