EP4107706A1 - Method and system for contactless authentication - Google Patents

Method and system for contactless authentication

Info

Publication number
EP4107706A1
EP4107706A1 EP21703477.6A EP21703477A EP4107706A1 EP 4107706 A1 EP4107706 A1 EP 4107706A1 EP 21703477 A EP21703477 A EP 21703477A EP 4107706 A1 EP4107706 A1 EP 4107706A1
Authority
EP
European Patent Office
Prior art keywords
user
control device
access control
server
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP21703477.6A
Other languages
English (en)
French (fr)
Inventor
Thomas Fleury
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Imprimerie Nationale
Original Assignee
Imprimerie Nationale

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/00174 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
    • G07C9/00309 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
    • G07C9/00563 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys using personal physical data of the operator, e.g. finger prints, retinal images, voicepatterns
    • G07C9/00571 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by interacting with a central unit
    • G07C9/00896 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys specially adapted for particular uses
    • G07C9/00904 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys specially adapted for particular uses for hotels, motels, office buildings or the like

Definitions

  • the invention relates to a method of contactless authentication of a person or an individual. For example, it finds its application to control access to a secure area. It can be used for validating transactions.
  • patent application WO 2004/100083 describes an authentication system which uses an authentication card in which biometric data is stored.
  • Patent FR 2922672 discloses a method and a contactless biometric authentication system.
  • the authentication system comprises one or more personal authentication devices, a terminal equipped with biometric means generating biometric information of a user, wireless communication means.
  • the personal authentication device includes a memory for storing the biometric data of the holder of the personal authentication device.
  • biometric information is broadcast to multiple personal authentication devices, resulting in limited security.
  • the biometric data comparison device is located in each of the personal authentication devices, which leads to a high cost of the personal device. This allows in particular to increase security in the step of authenticating a person.
  • the idea of the present invention is to provide an authentication system and method in which the biometric data is not located centrally, but at the level of the user device.
  • the invention relates to an authentication system for one or more users comprising an authentication server, at least one access control device characterized in that:
  • a user is equipped with a mobile terminal comprising:
  • a wireless communication means configured to exchange information according to a short-range protocol with the access control device and a wireless communication means configured to exchange information according to a long-range protocol with the server,
  • a processor configured to generate an authentication request Rq to the authentication server
  • a database comprising biometric data
  • Said authentication server comprises:
  • a database containing, for a given user, an identifier and access rights
  • a processor configured to generate an authentication token following an authentication request sent by the user, said token containing the identity of an access control device, a random value (hazard or challenge), the rights of the user, and its signature generated by a private key,
  • An access control device comprises:
  • a device for acquiring biometric data
  • a processor configured to compare captured biometric data with biometric data supplied with an authorization token issued by the server and generate an access authorization or access denial signal
  • the access control device may include a fingerprint sensor and / or a camera configured to acquire the characteristics of a face.
  • Short-range communication means use, for example, a contactless proximity communication protocol of Bluetooth type or near-field communication (NFC), or the HTTP / HTTPS protocol.
  • the user has a smart telephone (smartphone), or is equipped with a smart card having the appropriate functions.
  • the invention also relates to a method for authenticating one or more users equipped with a mobile terminal in which biometric data are stored, within an infrastructure comprising at least one server and an access control device transmitting a signal containing its identifier and a random number, characterized in that it comprises at least the following steps:
  • a user's mobile terminal picks up the signal sent by the access control device and sends a signed authentication request to the server,
  • the server on receipt of the Rq request verifies that said user is authorized to enter the area controlled by the access control device, by comparing a user identifier contained in the request with stored access rights,
  • When the user is not authorized, the server generates a non-authorization signal,
  • When the user is authorized, the server generates an access authorization token containing the identity of the access control device, the challenge, the user's rights, and its signature generated by a private key, and transmits the authorization token to the user,
  • the access control device can generate a signal to control the opening of a gate fitted to the access control device.
  • An access control device can also capture an image of a face and display that image on a screen by adding a valid or invalid tag.
  • Figure 1 an example of an authentication system according to the invention
  • Figure 2 an operating diagram of the method according to the invention.
  • the example is given in the context of an access control infrastructure which includes, for example, several access control devices, a server and several users.
  • the infrastructure can perform authentication of one individual or multiple individuals in parallel.
  • the following detailed example concerns the authentication of a single individual, or of a group of individuals when they are checked one by one.
  • the communication means implemented in the infrastructure are wireless communication means, at short range between a user and an access control device and at longer range between a user and an authentication server. They allow contactless exchange of information between the various players in the system.
  • an authentication system 1 comprises an access control device 2, for example an access door to a controlled space.
  • the access control device 2 comprises a biometric reader 3, a processor 4, a non-permanent memory 5 (temporary, for the duration of data processing), a communication module 6 and possibly a display device 7 for the result obtained from the comparison of acquired biometric data and reference biometric data.
  • the biometric reader 3 is for example configured to acquire a fingerprint.
  • the processor will be configured to extract minutiae from the image resulting from the acquisition of a fingerprint and compare it with the data transmitted by the user.
  • This reader could also be a camera when the biometric control is based on facial recognition.
  • the processor will then be configured to perform facial recognition by comparison with the facial data contained in the authentication request sent by the user.
  • This reader can also be configured for iris recognition or for voice recognition using the cepstral parameters.
  • The choice of biometric data will depend on the application and the number of users to be authenticated.
  • the communication module 6 is a wireless communication module which is suitable for proximity communications. It broadcasts a signal containing in particular an identifier ID_SCA and a hazard or challenge. The challenge is unpredictable and emitted over a very short given period of time, chosen so as to allow a user to trigger the authentication process. The very short period of time is chosen mainly to compensate for a clock synchronized on the SCA (time verification) and so that the authentication request cannot be replayed at the level of the SCA.
  • the communication protocol may be the NFC contactless proximity protocol, acronym for “Near Field Communication”, the wifi protocol, Bluetooth, etc.
  • the access control device 2 to a protected or secure area is, for example, equipped with a "gate" 8 which receives an opening order from the processor after data processing and authentication of the user.
  • the access control device 2 can also be equipped with a display screen which can display a person's face and the authentication result.
  • the authentication system comprises a server 10 comprising a processor 11 configured to process an authentication request Rq sent by a user, a database 12 containing, for a user, the identifier of the portal ID_SCA and its rights of access to secure spaces protected by access gates, and long-range communication means 13 for exchanging information with the user.
  • These means of communication use, for example, the HTTP / HTTPS protocol.
  • An application 14 executed on the processor 11 makes it possible in particular to process an authentication request Rq sent by the user in order to return an authentication token J.
  • the authentication token contains the challenge generated by the access control device.
  • a site or an area will be defined by a set of access gates or SCA. Access to a zone by a user must make the link between the user identifier and the authorized access points (list of SCA identifiers).
  • a user wishing to authenticate in the system is equipped with a mobile terminal 16.
  • the mobile terminal 16 includes a biometric database 17, a processor 18 configured to process the signal transmitted by the access control device, short-distance communication means 19a for exchanging information with the terminal 2 and long-range communication means 19b for exchanging information with the server.
  • the biometric data will be signed by a trusted third party authority, such as a government accredited company.
  • the mobile terminal is for example a smart phone or "smartphone", a tablet, a smart card, or any other equivalent device.
  • FIG. 2 describes an example of the operation of the system according to the invention.
  • the access control device 2 continuously transmits a signal comprising its identifier ID_SCA and a challenge “n”, a random number which has a short validity period T, 210.
  • the challenge is generated in a manner known to those skilled in the art and will not be detailed.
  • a new challenge is generated.
  • the challenge n or hazard consists of the following elements:
  • an identifier which references the access control device 2 in an infrastructure comprising several control terminals,
  • a public key of RSA or ECDSA type, under the control of the access control device (the private key is embedded in a secure element),
  • the challenge is accessible by all systems capable of capturing it via a nearby communication channel: Bluetooth / iBeacon, NFC, ultrasound.
  • the user's mobile terminal captures the signal S(ID_SCA, n), 220, and sends an authentication request Rq to the server 10, 221.
  • the Rq authentication request comprises the following elements:
  • the identifier ID_SCA of the access control device,
  • the SSCA signature of the access control device 2.
  • the authentication request Rq is signed using a private key of RSA or ECDSA type (Elliptic Curve Digital Signature Algorithm) under the control of the user and embedded in a secure element of the mobile terminal of the user.
  • the secure element can be a SIM card, a secure memory area, etc.
  • the Rq authentication request is received, 230, by the authentication server 10 which verifies:
  • the SSCA signature of the access control device which authenticates the latter within the access control infrastructure, 231,
  • the signature S Rq of the authentication request in order to authenticate the user on the system, 232,
  • the server can emit a signal, 234, indicating the denial of access to the user.
  • the user receives the authentication token J and will transmit the authentication token and biometric data to the access control device, 241.
  • the user's mobile terminal holds in memory biometric data which are encrypted using a symmetric key of AES (Advanced Encryption Standard) type known to the infrastructure and to the access control device, and which are signed by a trusted authority,
  • the mobile terminal application generates a random AES session key which it encrypts with the public key of the access control device,
  • the application encrypts the encrypted biometric data using the session key,
  • the mobile user terminal 16 transmits via the short-range communication means to the access control device 2 the following elements:
  • the access control device 2 receives these elements 250 and simultaneously, 251, captures at least one biometric data of the user to be authenticated.
  • the user's access rights to this zone by means of the authentication token J generated by the authentication server, the biometric data being provided with the token, and that the biometric data acquired at the level of the access control device and stored temporarily are identical to the biometric data contained in the access request sent by the user.
  • When the biometric data does not match, the access control device will emit an access denial signal, 253.
  • the access control device emits an authorization signal, 254.
  • This signal can take different forms.
  • the AES key is deployed in the SCA, remotely or locally, by the operator of the SCA.
  • the authorization signal may include the display on a screen 7 (FIG. 1) of a label allowing passage, for example a green V indicating that the passage is valid.
  • the authorization denial signal could be in the form of a red cross displayed on the user's face.
  • the signal S_passage allows the opening of the gate 8 (FIG. 1) and the access of the user to the secure zone.
  • the signal can simply be the command that activates the unlocking of the gate or the access door.
  • the access control device is, for example, a turnstile for access to a secure site, an airport gate, a device for controlling access to means of payment, etc.
  • When the infrastructure must make it possible to authenticate several people in parallel, the control device will be equipped with several devices for reading biometric data (several fingerprint readers, several cameras), and the processors will be chosen to process in parallel the different data acquired on several devices. Authentication can also use several biometric parameters, for example the fingerprint and facial recognition mentioned above.
  • the access control device can be autonomous and does not need to be connected to a server or to a clock, because it uses a hazard or challenge having a limited duration in time.
  • the access control device stores the biometric data for processing and not permanently.
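
The token check performed by the access control device (steps 250 to 254), as an added example in Go that is not part of the patent text: the server signs a token binding the device identifier, the broadcast challenge and the user's rights, and the device accepts it only for its own identifier and its current, unexpired challenge. The P-256 curve, the field encoding in `digest`, the 16-byte challenge and the names `SCA-01` and `zone-A` are assumptions of this example; the biometric comparison and the AES layers are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

type Token struct { // fields the description lists for authentication token J
	SCAID, Rights  string
	Challenge, Sig []byte // Sig is the server signature over the other fields
}

// digest hashes the signed fields; this encoding is an assumption of the example.
func digest(id string, c []byte, rights string) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d:%s|%x|%d:%s", len(id), id, c, len(rights), rights)))
	return sum[:]
}

func NewServerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue is the server step: sign a token once access rights are confirmed.
func Issue(priv *ecdsa.PrivateKey, id string, c []byte, rights string) (Token, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(id, c, rights))
	return Token{SCAID: id, Rights: rights, Challenge: c, Sig: sig}, err
}

type SCA struct { // access control device: needs no link to the server
	ID        string
	ServerPub *ecdsa.PublicKey
	Validity  time.Duration // validity period T of one challenge
	challenge []byte
	issuedAt  time.Time
}

// Rotate draws a fresh unpredictable challenge and restarts its validity period.
func (s *SCA) Rotate(now time.Time) ([]byte, error) {
	s.challenge, s.issuedAt = make([]byte, 16), now
	_, err := rand.Read(s.challenge)
	return s.challenge, err
}

// Check validates a token offline, before any biometric comparison is attempted.
func (s *SCA) Check(t Token, now time.Time) error {
	switch {
	case t.SCAID != s.ID:
		return fmt.Errorf("token names device %q, not %q", t.SCAID, s.ID)
	case len(s.challenge) == 0 || !bytes.Equal(t.Challenge, s.challenge):
		return fmt.Errorf("challenge is not the one currently broadcast")
	case now.Sub(s.issuedAt) > s.Validity:
		return fmt.Errorf("challenge validity period has elapsed")
	case !ecdsa.VerifyASN1(s.ServerPub, digest(t.SCAID, t.Challenge, t.Rights), t.Sig):
		return fmt.Errorf("server signature does not verify")
	}
	return nil
}

func main() {
	priv, _ := NewServerKey()
	sca := &SCA{ID: "SCA-01", ServerPub: &priv.PublicKey, Validity: 5 * time.Second}
	c, _ := sca.Rotate(time.Now())
	tok, _ := Issue(priv, sca.ID, c, "zone-A") // constructed sample values
	fmt.Println("fresh:", sca.Check(tok, time.Now()), "late:", sca.Check(tok, time.Now().Add(time.Minute)))
}
```

Within the validity period the same token still passes this check, so the biometric comparison at the device is what ties an accepted token to the person presenting it.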

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Collating Specific Patterns (AREA)
  • Telephonic Communication Services (AREA)
EP21703477.6A 2020-02-17 2021-02-10 Method and system for contactless authentication Pending EP4107706A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR2001539A FR3107384A1 (fr) 2020-02-17 2020-02-17 Method and system for contactless authentication
PCT/EP2021/053212 WO2021165120A1 (fr) 2020-02-17 2021-02-10 Method and system for contactless authentication

Publications (1)

Publication Number Publication Date
EP4107706A1 2022-12-28

Family

ID=70738688

Family Applications (1)

Application Number Title Priority Date Filing Date
EP21703477.6A Pending EP4107706A1 (de) 2020-02-17 2021-02-10 Method and system for contactless authentication

Country Status (3)

Country Link
EP (1) EP4107706A1 (de)
FR (1) FR3107384A1 (de)
WO (1) WO2021165120A1 (de)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060018839A 2003-05-08 2006-03-02 Koninklijke Philips Electronics N.V. Authentication card, authentication system and method for performing a transaction
FR2922672B1 2007-10-19 2011-01-21 Auchan France Contactless biometric authentication system and authentication method
KR102326174B1 * 2015-11-23 2021-11-16 Suprema Inc. Method and system for managing door access using a beacon signal
US10755500B2 * 2017-11-06 2020-08-25 Moca System Inc. Access control system and access control method using the same
FR3079653B1 * 2018-03-29 2022-12-30 Airtag Method for verifying a biometric authentication

Also Published As

Publication number Publication date
WO2021165120A1 (fr) 2021-08-26
FR3107384A1 (fr) 2021-08-20

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20220818

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)