EP4420298A1 - System for authentication and authentication method - Google Patents

System for authentication and authentication method

Info

Publication number
EP4420298A1
Authority
EP
European Patent Office
Prior art keywords
key
excitation
authentication
properties
response profile
Prior art date
Legal status
Pending
Application number
EP22801536.8A
Other languages
German (de)
French (fr)
Inventor
Dimitris Syvridis
Marialena AKRIOTOU
Christos VEINIDIS
Konstantinos KRILAKIS
Current Assignee
Eulambia Advanced Technologies Ltd
Original Assignee
Eulambia Advanced Technologies Ltd
Priority date
Filing date
Publication date
Application filed by Eulambia Advanced Technologies Ltd
Publication of EP4420298A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G02 OPTICS
    • G02F OPTICAL DEVICES OR ARRANGEMENTS FOR THE CONTROL OF LIGHT BY MODIFICATION OF THE OPTICAL PROPERTIES OF THE MEDIA OF THE ELEMENTS INVOLVED THEREIN; NON-LINEAR OPTICS; FREQUENCY-CHANGING OF LIGHT; OPTICAL LOGIC ELEMENTS; OPTICAL ANALOGUE/DIGITAL CONVERTERS
    • G02F1/00 Devices or arrangements for the control of the intensity, colour, phase, polarisation or direction of light arriving from an independent light source, e.g. switching, gating or modulating; Non-linear optics
    • G02F1/35 Non-linear optics
    • G02F1/355 Non-linear optics characterised by the materials used
    • G02F1/3551 Crystals
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3278 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response using physically unclonable functions [PUF]

Definitions

  • the present invention is related to an authentication system and a method suitable to authenticate a user.
  • the invention refers to an authentication system and a method suitable to authenticate a user using physical unclonable means.
  • the invention refers also to an authentication system and a method suitable to authenticate a user that allows physical access to a space, such as a room, a safe, etc.
  • US 2006/0095773 describes an authentication system, and an authentication method in which is applied an emission-angle dependent light emitting system and a corresponding emission-angle dependent light detector.
  • the disclosed system heavily relies on beam steering schemes for the generation of unique challenges, thus compromising the system's resilience to mechanical vibrations.
  • WO 2005/059629 describes an optical method and a system for detection of a speckle pattern and defines criteria to determine the size of pixels of a detector that will give rise to detection of all relevant bits, i.e. the pixels are small enough, without too much redundancy i.e., the pixels are large enough.
  • EP 2693685 describes a system and method for verifying challenge - response pairs.
  • the principle of operation resides in the quantum properties of a few-photon emitter, a challenge creating system and a photon counting detector.
  • WO 2007/046037 describes a system and method for an optical scatter-based PUF system that separates the detecting elements from the PUF specimen, thus allowing speckle size optimization and offering resilience against playback attacks.
  • WO 2019/021206 describes a system and a method for generating one or more challenge-response pairs, which employs a photonic or an optical Physical Unclonable Function - o-PUF - specimen.
  • the propagation of the optical challenge through the o-PUF specimen generates an optical response that in combination with the optical challenge is a unique pair suitable for authentication and cryptographic key generation.
  • An object of the invention is to provide a system and method suitable for authentication, which offers a high level of reproducibility, i.e. it produces identical results under the same circumstances.
  • a further object of the invention is a system and method suitable for authentication, which offers a high level of unclonability, i.e. it uses physical means to allow access that cannot be copied or reproduced.
  • a further object of the invention is a system and method suitable for authentication, which may be used to allow physical access through a barrier to authorized users.
  • a further object of the invention is a method for the enrolment of a user to an authentication system and a system for such purpose.
  • the invention is defined in the independent claims. It defines a method for the authentication of the user and the enrolment of a user to a secure system that requires authentication to enter.
  • the system may be a virtual space or a physical space, for example a building or a safe.
  • the invention further defines a system that can be used for the authentication and the enrolment of a user.
  • the dependent claims define features that offer further advantages when combined with the features of the claims from which they depend.
  • a method of authentication uses two replaceable keys that are assigned to a user, i.e. a first key and a second key, and comprises the following method steps: a) presenting the first key, having a first input, b) reading the first input, c) generating an excitation light-beam having a set of excitation properties dependent on the first input, d) presenting the second key, e) emitting the excitation light-beam on the second key, f) detecting an optical response with a response profile, generated by the second key upon emitting the excitation light-beam, g) comparing the response profile with a pre-recorded response profile that is associated with the set of excitation properties and h) signalling the authentication considering the comparison of the response profile with the pre-recorded profile.
  • enrolment of a user to an authentication system uses two replaceable keys assigned to the user, i.e. a first key and a second key, and comprises the following method steps: a) presenting the first key, having a first input, b) reading the first input, c) generating and storing in a memory module a set of excitation properties dependent on the first input, d) presenting the second key, e) generating and emitting on the second key an excitation light-beam having said set of excitation properties, f) detecting an optical response with a response profile, generated by the second key upon emitting the excitation light-beam, g) generating a digital key that corresponds to the response profile, h) storing the digital key in the memory module and associating the digital key with the set of excitation properties.
  • An authentication system comprises: a) input means configured to receive a first key assigned to a user, having a first input, b) a light source communicating with the input means, configured to emit a light-beam with a set of excitation properties dependent on the first input, c) a receptacle for a real-time replaceable second key, d) a detector configured to detect an optical response with a response profile, generated by the second key upon emission of the light-beam, e) a memory module storing pairs, each pair including a pre-recorded set of excitation properties and a pre-recorded response profile and f) a processing module configured to compare the response profile with a pre-recorded response profile that is associated with the set of excitation properties.
  • the keys are presented by the user in real-time, i.e. during the authentication or enrolment process.
  • the authentication method, the enrolment method to an authentication system and the authentication system are used for the authentication of a user whenever it is needed. They may be used to provide access to a virtual space, or physical access of the user into a space.
  • the authentication system and the respective method use two independent keys in cascade.
  • the first key is the challenge creating key and the second key is the response creating key.
  • a key reader reads the input provided by the first key and the system generates an excitation light-beam having a set of excitation properties depending on that input.
  • the light-beam is directed to the second key, which generates an optical response with a response profile.
  • the system has means, such as software means, which compares the response profile with a pre-recorded profile that is associated to the user and based on the comparison it signals authentication or non-authentication of the user.
  • the use of two keys, with one key producing data that is used by the second key, provides a secure, reliable and unreplicable combination for the authentication of a user. Both keys are replaceable so that any user has his/her own keys, which he/she presents to the system in real-time, i.e. during the authentication or enrolment process.
  • the comparison of the two profiles i.e. the response profile and the prerecorded profile may be performed by any digital or numerical representation of the profiles.
  • the digital or numerical representation of the response profile is designated as the authentication key.
  • the excitation properties may include at least one or more of the following properties: i) spatial profile, i.e. the spatial arrangement of components of the light-beam, ii) one or more emission properties, i.e. wavelength, frequency, intensity, phase, polarization of the light beam.
  • Generating the set of excitation properties may be done by selecting one set from a batch of pre-defined sets of excitation properties, preferably uncorrelated excitation properties. A user may be assigned one or more sets of excitation properties.
  • the invention suggests the use of an optical disordered medium as a key, in particular as the second key.
  • the use of such a medium is performed by the emission of a light-beam with a set of pre-determined properties on the optical disordered medium, the interaction of the light-beam with the optical randomly disordered medium so as to create an optical response with a response profile and the reading of the response profile by a detector.
  • An authentication system that embodies the invention takes the advantages of the interaction between a light intensity pattern and the second key.
  • the output of the system is a highly complex speckle pattern with high entropy.
  • the system supports a large number of Challenge-Response Pairs (abbr.: CRP) for almost unlimited key generation.
  • the second key may be any means that supports optical scattering with linear properties, for example an optical diffuser glass, or non-linear properties or both.
  • the first key may be a biometric element, such as an eye, fingerprint etc., a key-card, a voice instruction, a code, an optical disordered means or any other means and the corresponding first input may be a biometric pattern, an image, an analogue or a digital signal, a numerical string etc.
  • the first input is processed to transform it to a digital input data that is used for the configuration of the excitation properties of the excitation light-beam.
  • the system may include excitation means other than the light source.
  • the system and the method may employ a hashing algorithm that maps slightly different responses to the same challenge to a unique output.
  • The hashing algorithm is employed in one or both of two phases: the enrolment and the authentication.
  • the former corresponds to the first time that a challenge is applied whereby the output string is generated along with a set of helper-data.
  • the helper-data may be used for processing the response profile.
  • the p-PUF lock has a fingerprint reader and a photonic core and utilizes the intrinsic uniqueness of an Optical Randomly Disorder Medium (abb.: ORDIM), i.e. the second key.
  • ORDIM Optical Randomly Disorder Medium
  • the combination offers further significant advantages over conventional biometric and mechanical locks and increases the overall resilience of the photonic lock to playback attacks and counterfeiting.
  • Upon the installation of the p-PUF lock, each user receives an unreplicable ORDIM token.
  • When the user uses the p-PUF lock system for the first time, he or she performs his/her enrolment to the system. Thus, by combining his/her fingerprint with his/her personal token, a unique response is created.
  • Such a p-PUF lock is a two-factor authentication module and is based on a photonic technology for shielding the physical access to virtual spaces or hard targets such as restricted areas or critical infrastructures.
  • Upon any following request for entrance, the user employs his/her p-PUF card combined with his/her biometric characteristic, for example fingerprint, eye or other. If the response from the p-PUF lock matches the corresponding response created during the user enrolment phase, access is permitted and the authentication phase is completed. In any other case, the entrance into the restricted area is prohibited.
  • the method or the system of the invention may be used to control the physical access of an authorized person to a restricted area.
  • a standalone p-PUF lock may be externally attached to a lock of a partition, for example the lock of a door.
  • Such a system may be also employed in parallel with an existing access control mechanism, without affecting its performance, for security enhancement.
  • Systems that control physical access, as well as authentication systems in general, may be configured to use a biometric feature of the user, for example a fingerprint or an eye, as the challenge creating key.
  • a p-PUF lock that combines a reader for a biometric feature, such as a fingerprint, with a photonic mechanism that utilizes the intrinsic uniqueness of an ORDIM offers significant advantages over conventional biometric and mechanical locks and increases the overall resilience of the photonic lock to playback attacks and counterfeiting.
  • This lock is a two-factor authentication module and is based on a photonic technology for shielding the physical access to restricted areas or critical infrastructures.
  • the invention further suggests the use of an optical randomly disordered medium as a key that provides physical access to a space.
  • the use of an optical disordered medium includes the emission of a light-beam with a set of pre-determined properties on the optical disordered medium, the interaction of the light-beam with the optical disordered medium so as to create an optical response with a response profile and the reading of the response profile by a detector.
  • Figure 1 presents schematically an authentication system according to the invention
  • FIG. 2 presents schematically another embodiment of an authentication system according to the invention
  • Figure 3 presents schematically the generation of the speckle pattern
  • FIG. 4 presents a sequence diagram of an authentication procedure according to the invention
  • Figure 5 presents a sequence diagram of an enrolment procedure of a user according to the invention.
  • FIG. 1 presents schematically an embodiment of a photonic PUF-lock of the invention.
  • the embodiment has a key reader 10, which is the input means for a replaceable first key 70, a processing module 25, a photonic core 20 and a secure memory module 26.
  • the photonic core 20 includes a light source, which has a laser 35 and excitation means 38 and which creates a light-beam 32, a replaceable receptacle 40 for the token 80, which is an optical speckle generator - or second key - 80, an image acquisition system 50, such as a camera.
  • the key reader 10 may be a card reader, code reader, for example keyboard, biometric key reader or any other means configured to receive input by a user. Once the user presents a first key having a first input, the key reader 10 reads the first input and creates digital input data that is based thereon.
  • Some examples employ fingerprint readers that are capable of rapid identification with high accuracy and provide additional functionalities like fingerprint recording, image processing, feature extraction, template generation, template storage, fingerprint matching and searching.
  • the false acceptance rate of such readers may be less than 0.001 %, whereas the false rejection rate may be around 0.1 %. Such properties augment the inherent security features that the physical access control unit possesses.
  • the light source has a coherent light source, i.e. laser 35, and excitation means 38.
  • the light source generates a light-beam 32.
  • the excitation means 38 is configured to provide the light-beam 32 that is emitted from the light source 35 with a set of excitation properties, considering the input of the first key.
  • the modified light-beam 32 is projected to the token 80 placed at the receptacle 40, see also Figure 3.
  • the light source does not have distinct excitation means and the set of excitation properties are provided by laser 35 considering the input of the first key.
  • the set of excitation properties are provided by both the laser 35 and the excitation means 38, see for example Figure 1.
  • the processing module 25 controls the peripheral opto-electronic components of the photonic core 20, performs image processing and digital processing for the extraction of the authentication keys and generates notifications, events and alerts.
  • the processing module 25 includes processing means that is configured to receive input data from the key reader 10, and has means to transform the input data into a two-dimensional array, which subsequently is fed to the excitation means 38.
  • the means that transforms the input data into a two-dimensional array includes software means, hardware means or a combination thereof.
  • the excitation means 38 modifies the spatial profile of the light-beam emitted by the laser 25, turning it into a spatially modulated non-uniform light-beam or, equivalently, a bundle of light-beams spatially arranged according to the two-dimensional array.
  • the arrangement of spatially modulated non-uniform light-beam 32 corresponds to the digital input from the key reader 10.
  • the light source does not have distinct excitation means and the excitation properties, i.e. frequency, wavelength, polarization, intensity, phase, spatial profile are provided to the laser beam 32 when emitted by the laser 35.
  • the set of excitation properties are provided by both the laser 35 and the excitation means 38.
  • the light-beam 32 with the set of excitation properties illuminates the Optical Randomly Disorder Medium, which is a physical unclonable optical token 80.
  • In response to the incident light-beam 32, the ORDIM generates an optical speckle pattern with a response profile.
  • the processing means 25 is also configured to receive the optical speckle pattern from the photonic core 20 and to produce a unique digital key, upon which the p-PUF lock signals authentication or non-authentication.
  • the authentication system includes a memory module 26 that stores data associated with each user.
  • the memory module 26 stores the first input, the set of excitation properties associated with that input and the authentication key.
  • the memory module 26 may also store other data that are used during authentication, such as helper-data that are generated and/or recorded during the enrolment phase and are used during authentication.
  • the memory module 26 can be located locally or placed remotely from the other components of the p-PUF lock in a secure environment. In some embodiments the memory module 26 may be arranged both locally and remotely. Preferably, communication between the memory module 26 and the p-PUF lock is effected over a secure communications line.
  • the token - ORDIM - 80 is the unclonable physical medium that provides the p-PUF lock’s source of entropy.
  • for each light-beam 32 the ORDIM 80 produces a corresponding output, i.e. the response, with a response profile, i.e. a complex continuous picture with random optical intensity, as depicted in Figure 3.
  • Each response is determined by the complex optical transfer function of the particular ORDIM 80, and by the set of properties of the light-beam 32.
  • Each ORDIM 80 being a randomly disordered medium, cannot be replicated.
  • the recorded speckle pattern undergoes a hashing procedure and is mapped to a unique bit-string output.
  • the challenge-response combinations which correspond to the set of excitation properties of the light beam 32 and the response profile of the optical speckle respectively, form unique Challenge-Response Pairs (abb.: CRPs). These unique CRPs are used for authentication.
  • the token 80 may be a linear scatterer such as diffusion glass. It may include complex materials based on quantum dots or complex photonic nanostructures, for example photonic crystals, fluorescent dyes embedded in polymers, etc.
  • the ORDIM has a surface, where the light-beam falls, which is larger than 5 mm².
  • User authentication is performed whenever a user attempts to gain access to a restricted space or a high-security room.
  • the user asks for authentication by the p-PUF lock and the system notifies the operator of the entrance request. Then, the user is asked to present the first key, in order to validate it against the corresponding first key that the user entered during the enrolment phase. If these two keys, i.e. scanned and enrolled, match, the system is activated and the second stage of the authentication procedure is initiated.
  • the p-PUF lock generates an event when the fingerprint of the user is valid, and an alert after a specific number of unsuccessful attempts, for example three, to inform the operator about the current status so that he/she can act accordingly based on the internal security procedures.
  • the p-PUF lock notifies the user to insert her/his token 80, if the token 80 had not been inserted before by the user.
  • once the key reader 10 reads the first key, it forwards the input data obtained to the processing module 25 or directly to the photonic core 20, which generates a light-beam 32 with a set of properties associated with the first key.
  • the light-beam 32 illuminates the ORDIM 80.
  • the output of the ORDIM 80 is the optical speckle pattern acquired by the camera 50.
  • the digital output of the camera 50 is used by the processing module 25 to generate the authentication key, optionally using the helper-data generated during the enrolment phase and associated with that user.
  • the authentication key is compared with the corresponding key that was generated during the enrolment phase and stored in the memory module. Authentication or non-authentication is determined on the basis of the result of the comparison of the two keys.
  • the messages created by the p-PUF module during authentication may be followed by date and time information and archived within the system, so as to be accessed as historical data. Storing the excitation properties and the response profile is effected via corresponding digital representations thereof.
  • In order for the p-PUF authentication system to authenticate a user, he/she has to be enrolled in the authentication system through his/her first key and his/her personal ORDIM token 80.
  • the p-PUF lock asks for the user’s first key, which in turn will be stored encrypted in the local or the remote memory module 26.
  • the p-PUF lock notifies the user to insert her/his token 80, if the token 80 had not been inserted before by the user.
  • When the user presents the token 80, the authentication system generates an authentication key, employing a key extraction algorithm, optionally with helper-data that will be used upon any future user attempts for entrance.
  • the first key and the respective helper-data are assigned to the user and are stored to the memory module 26.
  • One user may be associated with one or more excitation profiles.
  • the number of tokens 80 in a system may be predefined considering the number of users that will be enrolled.
  • the user presents a first key, having a first input.
  • the first key may be a biometric element, a key-card, a voice instruction, a code or any other means and the corresponding first input may be a biometric pattern, an image, an analogue or a digital signal, a digital string etc.
  • the processing module 25 generates a set of excitation properties that depends on the first input, optionally by mapping the first input to one of a number of pre-defined sets of excitation properties.
  • the camera 50 detects an optical response with a response profile, generated by the token 80 upon emitting the light-beam 32.
  • the response profile is processed with hashing algorithms, error correction codes and encryption algorithms to generate helper-data, which are stored in the memory module 26.
  • the processing module 25 generates a digital authentication key that corresponds to the response profile.
  • the pre-defined set of excitation properties may be selected from a set of preferably uncorrelated pre-defined sets of excitation properties that are stored in the system.
  • One user may be assigned one or more pre-defined sets of excitation properties. In some examples the user is assigned a specific number of sets of excitation properties. In the latter case the system uses each set of excitation properties either only once or more than once. If the system uses each set of excitation properties only once, it authorizes the user as many times as the number of sets of excitation properties assigned to him/her.
  • the generation of the uncorrelated pre-defined sets of excitation properties follows a procedure that is based on the comparison of the pixels of each pair of profiles. Correlation or non-correlation is assessed on the basis of the correlation coefficient, for example by considering the percentage of identical pixels of the excitation properties over the total number of pixels of the excitation properties.
  • the procedure includes the detection of the relations between two pixels, at the same position (i,j) in the two images.
  • the potential relations are four: a) the two pixels are black, b) the (i,j) pixel of the first image is black and the (i, j) pixel of the second image is white; c) the (i, j) pixel of the first image is white and the pixel of the second image is black; d) the two pixels are white.
  • the challenges are uncorrelated only if the number of the white pixels at the same (i, j) belongs to a specific number range. The limits of this range are written as a function of statistical quantities of the images, such as the mean intensity, the standard deviation of the intensity, etc.
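The pixel-comparison procedure of the last four items, written out as an added Python example (not code from the patent or from Eulambia): it classifies every (i, j) position into the four relations a) to d), computes the identical-pixel ratio named as a correlation measure, and accepts a candidate challenge only if the count of positions that are white in both images falls inside a range. The page only says that the range limits are a function of image statistics such as the mean intensity and standard deviation; the concrete rule used here (expected coincidence count for independent patterns, plus or minus k standard deviations of the binomial count) is an assumption, as are the function names and the 0/1 image encoding.

```python
import math
import random
from dataclasses import dataclass

BLACK, WHITE = 0, 1   # binary challenge images: 0 = black pixel, 1 = white pixel


@dataclass(frozen=True)
class PixelRelations:
    """Counts of the four possible relations at the same (i, j) position."""
    both_black: int                 # a) both pixels black
    first_black_second_white: int   # b) first black, second white
    first_white_second_black: int   # c) first white, second black
    both_white: int                 # d) both pixels white

    @property
    def total(self) -> int:
        return (self.both_black + self.first_black_second_white
                + self.first_white_second_black + self.both_white)


def pixel_relations(img_a, img_b) -> PixelRelations:
    """Classify every (i, j) position of two equally sized binary images."""
    if len(img_a) != len(img_b) or any(len(r) != len(s) for r, s in zip(img_a, img_b)):
        raise ValueError("challenge images must have identical dimensions")
    counts = [0, 0, 0, 0]
    for row_a, row_b in zip(img_a, img_b):
        for pa, pb in zip(row_a, row_b):
            if pa not in (BLACK, WHITE) or pb not in (BLACK, WHITE):
                raise ValueError("only binary images are supported")
            counts[2 * pa + pb] += 1      # index 0 = a), 1 = b), 2 = c), 3 = d)
    return PixelRelations(*counts)


def identical_pixel_ratio(img_a, img_b) -> float:
    """Correlation measure named on the page: identical pixels over all pixels."""
    rel = pixel_relations(img_a, img_b)
    return (rel.both_black + rel.both_white) / rel.total


def mean_intensity(img) -> float:
    """Fraction of white pixels, i.e. the mean intensity of a binary image."""
    return sum(map(sum, img)) / sum(map(len, img))


def coincident_white_limits(img_a, img_b, k: float = 3.0):
    """Assumed rule (not the patent's own formula): for independent patterns the
    number of positions white in both images is binomial with p = mean_a * mean_b,
    so counts within k standard deviations of the expected value are accepted."""
    n = sum(map(len, img_a))
    p = mean_intensity(img_a) * mean_intensity(img_b)
    mu, sigma = n * p, math.sqrt(n * p * (1.0 - p))
    return mu - k * sigma, mu + k * sigma


def uncorrelated(img_a, img_b, k: float = 3.0) -> bool:
    """Two challenges count as uncorrelated only if their coincident-white count
    lies inside the range; too many (correlated) and too few (anti-correlated)
    coincidences are both rejected."""
    low, high = coincident_white_limits(img_a, img_b, k)
    return low <= pixel_relations(img_a, img_b).both_white <= high


def random_challenge(size: int, rng: random.Random, p_white: float = 0.5):
    """Candidate size x size pattern (stand-in for the excitation spatial profile)."""
    return [[WHITE if rng.random() < p_white else BLACK for _ in range(size)]
            for _ in range(size)]


def build_challenge_batch(count, size, seed=0, k=3.0, max_tries=10_000):
    """Batch of pairwise uncorrelated pre-defined challenges: each candidate is
    tested against every accepted one and dropped if any pair correlates."""
    rng = random.Random(seed)
    batch = []
    for _ in range(max_tries):
        if len(batch) == count:
            break
        cand = random_challenge(size, rng)
        if all(uncorrelated(cand, prev, k) for prev in batch):
            batch.append(cand)
    return batch


if __name__ == "__main__":
    batch = build_challenge_batch(4, 8, seed=1)
    print(f"{len(batch)} uncorrelated challenges; identical-pixel ratio of first two:",
          identical_pixel_ratio(batch[0], batch[1]))
```

An identical pair fails the check because every white pixel coincides, and an inverted pair fails because none does; only patterns whose coincidences look like those of independent draws are admitted to the batch.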

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Nonlinear Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Chemical & Material Sciences (AREA)
  • Crystallography & Structural Chemistry (AREA)
  • Optics & Photonics (AREA)
  • Collating Specific Patterns (AREA)
  • Measurement Of The Respiration, Hearing Ability, Form, And Blood Characteristics Of Living Organisms (AREA)

Abstract

The authentication system and method use two independent keys in cascade. The first is the challenge creating key and the second is the response creating key. A key reader reads the input provided by the first key and the system generates an excitation light-beam having a set of excitation properties depending on that input. The light-beam is directed to the second key, which generates an optical response with a response profile. The system has software means, which compares the response profile with a pre-recorded profile associated with the user and based on the comparison it signals authentication or non-authentication of the user. The use of two keys, with one producing data that is used by the second, provides a secure, reliable and unreplicable combination for the authentication of a user. Both keys are replaceable so that any user has his/her own keys, which he/she presents to the system in real-time.
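The cascade described in the abstract, together with the hashing, helper-data and alert steps listed under Definitions, as an added Python simulation that is not code from the patent or from Eulambia. The first input is mapped to a binary excitation pattern with SHAKE-256, the ORDIM is modelled as a keyed hash of the pattern with independent bit-flip noise on each digitised speckle bit, and the key extraction algorithm is a code-offset construction over a repetition code, whose helper-data lets a noisy response recover the enrolled one before hashing. All of these modelling choices, the record fields, the seeds and the names are assumptions; the page does not specify which hashing or error-correction scheme the lock uses.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass

KEY_BITS, REPEAT = 32, 9             # repetition code: 32 information bits, each sent 9 times
RESPONSE_BITS = KEY_BITS * REPEAT    # 288 speckle bits digitised per challenge
MAX_FAILURES = 3                     # alert threshold ("for example three" on the page)

def excitation_pattern(first_input: bytes, size: int = 16):
    """Binary size x size spatial pattern derived from the first key's input (assumed mapping)."""
    raw = hashlib.shake_256(first_input).digest(size * size // 8)
    bits = [(b >> k) & 1 for b in raw for k in range(8)]
    return [bits[r * size:(r + 1) * size] for r in range(size)]

class OrdimToken:
    """Simulated ORDIM (second key): a fixed secret transfer function plus
    per-measurement noise (each digitised speckle bit flips independently).
    The seed stands in for the physical disorder and is never stored by the lock."""
    def __init__(self, seed: bytes, flip_prob: float = 0.02, rng=None):
        self._seed, self.flip_prob = seed, flip_prob
        self.rng = rng or random.Random()

    def respond(self, pattern):
        flat = bytes(bit for row in pattern for bit in row)
        raw = hashlib.shake_256(self._seed + flat).digest(RESPONSE_BITS // 8)
        clean = [(b >> k) & 1 for b in raw for k in range(8)]
        return [bit ^ (self.rng.random() < self.flip_prob) for bit in clean]

def encode(info_bits):
    return [b for b in info_bits for _ in range(REPEAT)]

def decode(noisy):
    """Majority vote per block of REPEAT bits: corrects up to 4 flips in 9."""
    return [int(sum(noisy[i * REPEAT:(i + 1) * REPEAT]) > REPEAT // 2) for i in range(KEY_BITS)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

@dataclass
class UserRecord:
    first_input_hash: bytes   # first key kept as a hash, not in clear
    pattern: list             # excitation properties assigned to the user
    helper: list              # code-offset helper-data: response XOR random codeword
    key_hash: bytes           # hash of the enrolled digital key

def enrol(first_input: bytes, token: OrdimToken, rng: random.Random) -> UserRecord:
    pattern = excitation_pattern(first_input)
    response = token.respond(pattern)
    codeword = encode([rng.getrandbits(1) for _ in range(KEY_BITS)])
    helper = xor(response, codeword)   # leaks at most RESPONSE_BITS - KEY_BITS bits of the response
    digital_key = hashlib.sha256(bytes(response)).digest()
    return UserRecord(hashlib.sha256(first_input).digest(), pattern, helper,
                      hashlib.sha256(digital_key).digest())

def extract_key(noisy_response, helper) -> bytes:
    """Recover the enrolled response from a noisy one and hash it to the key."""
    codeword = encode(decode(xor(noisy_response, helper)))
    return hashlib.sha256(bytes(xor(codeword, helper))).digest()

def authenticate(first_input: bytes, token: OrdimToken, record: UserRecord) -> bool:
    # stage 1: the first key must match the enrolled one before the photonic core is driven
    if not hmac.compare_digest(hashlib.sha256(first_input).digest(), record.first_input_hash):
        return False
    # stage 2: illuminate the token with the stored pattern and compare the extracted key
    key = extract_key(token.respond(record.pattern), record.helper)
    return hmac.compare_digest(hashlib.sha256(key).digest(), record.key_hash)

class PufLock:
    """Grants entry on a match; raises an alert event after MAX_FAILURES failures."""
    def __init__(self, records):
        self.records, self.failures, self.events = records, {}, []

    def request_entry(self, user_id, first_input, token) -> str:
        record = self.records.get(user_id)
        if record is not None and authenticate(first_input, token, record):
            self.failures[user_id] = 0
            outcome = "granted"
        else:
            self.failures[user_id] = self.failures.get(user_id, 0) + 1
            outcome = "alert" if self.failures[user_id] >= MAX_FAILURES else "denied"
        self.events.append((outcome, user_id))   # archived as historical data
        return outcome

def run_demo():
    """Enrol one user, then try a forged token three times and the genuine one once."""
    rng = random.Random(7)                                    # constructed seeds
    genuine = OrdimToken(b"token-alice", rng=random.Random(11))
    forged = OrdimToken(b"token-forged", rng=random.Random(13))
    record = enrol(b"card-0001", genuine, rng)
    r1, r2 = genuine.respond(record.pattern), genuine.respond(record.pattern)
    lock = PufLock({"alice": record})
    outcomes = [lock.request_entry("alice", b"card-0001", forged) for _ in range(3)]
    outcomes.append(lock.request_entry("alice", b"card-0001", genuine))
    return {"noisy_but_same_key": r1 != r2 and extract_key(r1, record.helper) == extract_key(r2, record.helper),
            "wrong_first_key": authenticate(b"card-0002", genuine, record),
            "wrong_token": authenticate(b"card-0001", forged, record), "outcomes": outcomes}
```

Two genuine measurements of the same token differ bit by bit yet yield the same digital key through the helper-data, while a forged token decodes to a different response and is refused; the enrolment response is itself a single noisy capture here, so a deployment would average several captures before computing the helper-data.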

Description

SYSTEM FOR AUTHENTICATION AND AUTHENTICATION METHOD
[00001] The present invention relates to an authentication system and a method suitable for authenticating a user. In particular, the invention refers to an authentication system and a method suitable for authenticating a user using physically unclonable means. The invention also refers to an authentication system and a method suitable for authenticating a user that allows physical access to a space, such as a room or a safe.
[00002] Optical Physical Unclonable Function-like systems were introduced in the works of [Pappu, R.: Physical One-Way Functions. PhD thesis, MIT (2001); Pappu, R., Recht, B., Taylor, J., Gershenfeld, N., Physical One-Way Functions, Science 297, pp. 2026-2030 (2002)]. This initial work has been followed by similar approaches that consisted in speckle detection in randomly arranged materials like plain paper [Buchanan, J. D. R., Cowburn, R. P., Jausovec, A., Petit, D., Seem, P., Xiong, G., Atkinson, D., Fenton, K., Allwood, D.A., Bryan, M. T., Forgery: 'fingerprinting' documents and packaging, Nature, Brief Communications 436, pg. 475 (2005)], silica diffusers [Ruhrmair, Ulrich, et al. "Revisiting Optical Physical Unclonable Functions." IACR Cryptology ePrint Archive 2013 (2013): 215.] or monitoring phosphor patterns [Chong, C. N., Jiang, D., Zhang, J., Guo, L., Anticounterfeiting with a random pattern, SECURWARE 2008, pp. 146-153, IEEE, Los Alamitos (2008)]. More advanced optical techniques include surface random distributions of plasmon resonances [Smith, A. F., Patton, P. & Skrabalak, S. E. Plasmonic Nanoparticles as a Physically Unclonable Function for Responsive AntiCounterfeit Nanofingerprints. Adv. Funct. Mater. 26, 1315-1321 (2016)].
[00003] US 2006/0095773 describes an authentication system and an authentication method in which an emission-angle dependent light emitting system and a corresponding emission-angle dependent light detector are applied. The disclosed system relies heavily on beam steering schemes for the generation of unique challenges, thus compromising the system's resilience to mechanical vibrations.
[00004] WO 2005/059629 describes an optical method and a system for detection of a speckle pattern and defines criteria to determine the size of the pixels of a detector that will give rise to detection of all relevant bits (i.e. the pixels are small enough) without too much redundancy (i.e. the pixels are large enough).
[00005] EP 2693685 describes a system and method for verifying challenge - response pairs. In this case, the principle of operation resides in the quantum properties of a few-photon emitter, a challenge creating system and a photon counting detector.
[00006] WO 2007/046037 describes a system and method of an optical scatter-based PUF system that separates the detecting elements from the PUF specimen, thus allowing speckle size optimization and offering resilience against playback attacks.
[00007] WO 2019/021206 describes a system and a method for generating one or more challenge-response pairs, which employs a photonic or an optical Physical Unclonable Function - o-PUF - specimen. The propagation of the optical challenge through the o-PUF specimen generates an optical response that in combination with the optical challenge is a unique pair suitable for authentication and cryptographic key generation.
[00008] An object of the invention is to provide a system and method suitable for authentication which offers a high level of reproducibility, i.e. it produces identical results under the same circumstances. A further object of the invention is a system and method suitable for authentication which offers a high level of unclonability, i.e. it uses physical means to allow access that cannot be copied or reproduced. A further object of the invention is a system and method suitable for authentication which may be used to allow physical access through a barrier to authorized users. A further object of the invention is a method for the enrolment of a user to an authentication system and a system for such purpose.
[00009] The invention is defined in the independent claims. It defines a method for the authentication of a user and the enrolment of a user to a secure system that requires authentication to enter. The system may be a virtual space or a physical space, for example a building or a safe. The invention further defines a system that can be used for the authentication and the enrolment of a user. The dependent claims define features that offer further advantages when combined with the features of the claims from which they depend.
[00010] According to the invention, a method of authentication uses two replaceable keys that are assigned to a user, i.e. a first key and a second key, and comprises the following method steps: a) presenting the first key, having a first input, b) reading the first input, c) generating an excitation light-beam having a set of excitation properties dependent on the first input, d) presenting the second key, e) emitting the excitation light-beam on the second key, f) detecting an optical response with a response profile, generated by the second key upon emitting the excitation light-beam, g) comparing the response profile with a pre-recorded response profile that is associated with the set of excitation properties and h) signalling the authentication considering the comparison of the response profile with the pre-recorded profile.
[00011] According to the invention, a method of enrolment of a user to an authentication system uses two replaceable keys assigned to the user, i.e. a first key and a second key, and comprises the following method steps: a) presenting the first key, having a first input, b) reading the first input, c) generating and storing to a memory module a set of excitation properties dependent on the first input, d) presenting the second key, e) generating and emitting on the second key an excitation light-beam having said set of excitation properties, f) detecting an optical response with a response profile, generated by the second key upon emitting the excitation light-beam, g) generating a digital key that corresponds to the response profile, h) storing the digital key to the memory module and associating the digital key with the set of excitation properties.
[00012] An authentication system according to the invention comprises: a) input means configured to receive a first key assigned to a user, having a first input, b) a light source communicating with the input means, configured to emit a light-beam with a set of excitation properties dependent on the first input, c) a receptacle for a real-time replaceable second key, d) a detector configured to detect an optical response with a response profile, generated by the second key upon emission of the light-beam, e) a memory module storing pairs, each pair including a pre-recorded set of excitation properties and a pre-recorded response profile, and f) a processing module configured to compare the response profile with a pre-recorded response profile that is associated with the set of excitation properties. The keys are presented by the user in real time, i.e. during the authentication or enrolment process.
[00013] The authentication method, the enrolment method and the authentication system are used for the authentication of a user whenever it is needed. They may be used to provide access to a virtual space, or physical access of the user into a space.
[00014] The authentication system and the respective method use two independent keys in cascade. The first key is the challenge-creating key and the second key is the response-creating key. A key reader reads the input provided by the first key and the system generates an excitation light-beam having a set of excitation properties that depends on that input. The light-beam is directed to the second key, which generates an optical response with a response profile. The system has means, such as software means, which compare the response profile with a pre-recorded profile associated with the user and, based on the comparison, signal authentication or non-authentication of the user. The use of two keys, with one key producing data that is used by the second key, provides a secure, reliable and unreplicable combination for the authentication of a user. Both keys are replaceable, so that every user has his/her own keys, which he/she presents to the system in real time, i.e. during the authentication or enrolment process.
[00015] The comparison of the two profiles, i.e. the response profile and the pre-recorded profile, may be performed on any digital or numerical representation of the profiles. The digital or numerical representation of the response profile is designated as the authentication key.
[00016] The excitation properties may include one or more of the following: i) spatial profile, i.e. the spatial arrangement of the components of the light-beam; ii) one or more emission properties, i.e. wavelength, frequency, intensity, phase or polarization of the light-beam.
[00017] Generating the set of excitation properties may be done by selecting one set from a batch of pre-defined sets of excitation properties, preferably mutually uncorrelated ones. A user may be assigned one or more sets of excitation properties.
[00018] The invention suggests the use of an optical disordered medium as a key, in particular as the second key. The use of such a medium is performed by the emission of a light-beam with a set of pre-determined properties on the optical disordered medium, the interaction of the light-beam with the optical randomly disordered medium so as to create an optical response with a response profile and the reading of the response profile by a detector.
[00019] An authentication system that embodies the invention takes advantage of the interaction between a light intensity pattern and the second key. The output of the system is a highly complex speckle pattern with high entropy. The system supports a large number of Challenge-Response Pairs (abbr.: CRPs), allowing almost unlimited key generation.
[00020] The second key may be any means that supports optical scattering with linear properties, for example an optical diffuser glass, or non-linear properties or both.
[00021] The first key may be a biometric element, such as an eye, a fingerprint, etc., a key-card, a voice instruction, a code, an optical disordered medium or any other means, and the corresponding first input may be a biometric pattern, an image, an analogue or digital signal, a numerical string, etc. The first input is processed to transform it into digital input data that is used for the configuration of the excitation properties of the excitation light-beam. To that end the system may include excitation means other than the light source.
[00022] Preferably, to compensate for evaluation noise, which may produce different responses to a single challenge, the system and the method may employ a hashing algorithm that maps slightly different responses from the same challenge to a unique output. The hashing algorithm is employed in one or both of two phases: enrolment and authentication. The former corresponds to the first time that a challenge is applied, whereby the output string is generated along with a set of helper-data. During authentication the helper-data may be used for processing the response profile.
[00023] In one example the p-PUF lock has a fingerprint reader and a photonic core and utilizes the intrinsic uniqueness of an Optical Randomly Disordered Medium (abbr.: ORDIM), i.e. the second key. The combination offers further significant advantages over conventional biometric and mechanical locks and increases the overall resilience of the photonic lock to playback attacks and counterfeiting. Upon the installation of the p-PUF lock, each user receives an unreplicable ORDIM token. When the user uses the p-PUF lock system for the first time he or she performs his/her enrolment to the system. Thus, by combining his/her fingerprint with his/her personal token, a unique response is created. Such a p-PUF lock is a two-factor authentication module and is based on a photonic technology for shielding the physical access to virtual spaces or hard targets such as restricted areas or critical infrastructures. Upon any following request for entrance the user employs his/her p-PUF card combined with his/her biometric characteristic, for example a fingerprint, an eye or other. If the response from the p-PUF lock matches the corresponding response created during the user's enrolment phase, access is permitted and the authentication phase is completed. In any other case, entrance into the restricted area is prohibited.
[00024] The method or the system of the invention may be used to control the physical access of an authorized person to a restricted area. In an example of such an application, a standalone p-PUF lock may be externally attached to the lock of a partition, for example the lock of a door. Such a system may also be employed in parallel with an existing access control mechanism, without affecting its performance, for security enhancement. Systems that control physical access, as well as systems used for authentication in general, may be configured to use a biometric feature of the user, for example a fingerprint or an eye, as the challenge-creating key. A p-PUF lock that combines a biometric feature reader, such as a fingerprint reader, with a photonic mechanism that utilizes the intrinsic uniqueness of an ORDIM offers significant advantages over conventional biometric and mechanical locks and increases the overall resilience of the photonic lock to playback attacks and counterfeiting. This lock is a two-factor authentication module and is based on a photonic technology for shielding the physical access to restricted areas or critical infrastructures.
The invention further suggests the use of an optical randomly disordered medium as a key that provides physical access to a space. In some embodiments the use of an optical disordered medium includes the emission of a light-beam with a set of pre-determined properties on the optical disordered medium, the interaction of the light-beam with the optical disordered medium so as to create an optical response with a response profile and the reading of the response profile by a detector.
[00025] The present invention is described in greater detail below, with reference to the following Figures:
Figure 1 presents schematically an authentication system according to the invention
Figure 2 presents schematically another embodiment of an authentication system according to the invention
Figure 3 presents schematically the generation of the speckle pattern
Figure 4 presents a sequence diagram of an authentication procedure according to the invention
Figure 5 presents a sequence diagram of an enrolment procedure of a user according to the invention and
[00026] Figure 1 presents schematically an embodiment of a photonic PUF-lock of the invention. The embodiment has a key reader 10, which is the input means for a replaceable first key 70, a processing module 25, a photonic core 20 and a secure memory module 26. The photonic core 20 includes a light source, which has a laser 35 and excitation means 38 and which creates a light-beam 32, a replaceable receptacle 40 for the token 80, which is an optical speckle generator (or second key) 80, and an image acquisition system 50, such as a camera.
[00027] The key reader 10 may be a card reader, a code reader (for example a keyboard), a biometric key reader or any other means configured to receive input from a user. Once the user presents a first key having a first input, the key reader 10 reads the first input and creates digital input data based thereon. Some examples employ fingerprint readers that are capable of rapid identification with high accuracy and provide additional functionalities like fingerprint recording, image processing, feature extraction, template generation, template storage, fingerprint matching and searching. The false acceptance rate of such readers may be less than 0.001 %, whereas the false rejection rate may be around 0.1 %. Such properties augment the inherent security features that the physical access control unit possesses.
[00028] The light source has a coherent light source, i.e. laser 35, and excitation means 38. The light source generates a light-beam 32. As described below, the excitation means 38 is configured to provide the light-beam 32 that is emitted from the laser 35 with a set of excitation properties, considering the input of the first key. The modified light-beam 32 is projected onto the token 80 placed at the receptacle 40, see also Figure 3. According to an alternative arrangement depicted in Figure 2, the light source does not have distinct excitation means and the set of excitation properties is provided by the laser 35, considering the input of the first key. In some examples the set of excitation properties is provided by both the laser 35 and the excitation means 38, see for example Figure 1.
[00029] The processing module 25 controls the peripheral opto-electronic components of the photonic core 20, performs image processing and digital processing for the extraction of the authentication keys and generates notifications, events and alerts.
[00030] The processing module 25 includes processing means configured to receive input data from the key reader 10, and has means to transform the input data into a two-dimensional array, which is subsequently fed to the excitation means 38. The means that transforms the input data into a two-dimensional array includes software means, hardware means or a combination thereof. The excitation means 38 processes the light-beam emitted by the laser 35 by modifying its spatial profile into a spatially modulated non-uniform light-beam, or otherwise a bundle of light-beams spatially arranged according to the two-dimensional array. The arrangement of the spatially modulated non-uniform light-beam 32 corresponds to the digital input from the key reader 10. According to an alternative embodiment depicted in Figure 2, the light source does not have distinct excitation means and the excitation properties, i.e. frequency, wavelength, polarization, intensity, phase and spatial profile, are given to the laser beam 32 when it is emitted by the laser 35. In some embodiments the set of excitation properties is provided by both the laser 35 and the excitation means 38. The light-beam 32 with the set of excitation properties illuminates the Optical Randomly Disordered Medium, which is a physically unclonable optical token 80. In response to the incident light-beam 32, the ORDIM generates an optical speckle pattern with a response profile.
[00031] Further, the processing means 25 is also configured to receive the optical speckle pattern from the photonic core 20, and to produce a unique digital key upon which the p-PUF lock signals authentication or non-authentication.
[00032] The authentication system includes a memory module 26 that stores data associated with each user. The memory module 26 stores the first input, the set of excitation properties associated with that input and the authentication key. The memory module 26 may also store other data that are used during authentication, such as helper-data that are generated and/or recorded during the enrolment phase and are used during authentication. The memory module 26 can be located locally or placed remotely from the other components of the p-PUF lock in a secure environment. In some embodiments the memory module 26 may be arranged both locally and remotely. Preferably, communication between the memory module 26 and the p-PUF lock is effected over a secure communications line.
[00033] The token (ORDIM) 80 is the unclonable physical medium that provides the p-PUF lock's source of entropy. When the ORDIM 80 is illuminated by the light-beam 32 with the set of excitation properties, i.e. the challenge, a corresponding output, i.e. the response, is generated in the form of a speckle pattern with a response profile, i.e. a complex continuous picture with random optical intensity, as depicted in Figure 3. Each response is determined by the complex optical transfer function of the particular ORDIM 80 and by the set of properties of the light-beam 32. Each ORDIM 80, being a randomly disordered medium, cannot be replicated. Optionally, the recorded speckle pattern undergoes a hashing procedure and is mapped to a unique bit-string output. The challenge-response combinations, which correspond to the set of excitation properties of the light-beam 32 and the response profile of the optical speckle respectively, form unique Challenge-Response Pairs (abbr.: CRPs). These unique CRPs are used for authentication.
[00034] The token 80 may be a linear scatterer such as diffusion glass. It may include complex materials based on quantum dots or complex photonic nanostructures, for example photonic crystals, fluorescent dyes embedded in polymers, etc. In some preferred embodiments the ORDIM has a surface, where the light-beam falls, which is larger than 5 mm².
[00035] An embodiment of the authentication method is presented in Figure 4. The following paragraph describes the steps of a particular example of authentication, when the first key is a fingerprint and the second key is an ORDIM.
[00036] User authentication is performed whenever a user attempts to gain access to a restricted space or a high-security room. During this phase, the user asks for authentication by the p-PUF lock and the system notifies the operator of the entrance request. Then, the user is asked to present the first key, in order to validate it against the corresponding first key that the user entered during the enrolment phase. If these two keys, i.e. scanned and enrolled, match, the system is activated and the second stage of the authentication procedure is initiated. The p-PUF lock generates an event when the fingerprint of the user is valid and an alert after a specific number of unsuccessful attempts, for example three, to inform the operator about the current status so that he or she can act according to the internal security procedures. If the user is identified, the p-PUF lock notifies the user to insert her/his token 80, if the token 80 has not been inserted before by the user. When the key reader 10 reads the first key, it forwards the input data obtained to the processing module 25 or directly to the photonic core 20, which generates a light-beam 32 with a set of properties associated with the first key. The light-beam 32 illuminates the ORDIM 80. The output of the ORDIM 80 is the optical speckle pattern acquired by the camera 50. The digital output of the camera 50 is used by the processing module 25 to generate the authentication key, optionally using the helper-data generated during the enrolment phase and associated with that user. The authentication key is compared with the corresponding key that was generated during the enrolment phase and stored in the memory module. Authentication or non-authentication is determined on the basis of the result of the comparison of the two keys. The messages created by the p-PUF module during authentication may be accompanied by date and time information and archived within the system, so as to be accessible as historical data.
Storing the excitation properties and the response profile is effected via corresponding digital representations thereof.
[00037] In order for the p-PUF authentication system to authenticate a user, he/she has to be enrolled in the authentication system through his/her first key and his/her personal ORDIM token 80. The p-PUF lock asks for the user's first key, which in turn is stored encrypted in the local or the remote memory module 26. Following the successful first key registration, the p-PUF lock notifies the user to insert her/his token 80, if the token 80 has not been inserted before by the user. When the user presents the token 80, the authentication system generates an authentication key, employing a key extraction algorithm, optionally with helper-data that will be used upon any future attempt of the user to enter. The first key and the respective helper-data are assigned to the user and are stored in the memory module 26. One user may be associated with one or more excitation profiles. To enhance the system's security, the number of tokens 80 in a system may be predefined considering the number of users that will be enrolled.
[00038] An embodiment of the enrolment procedure is presented in Figure 5. An example of an enrolment procedure contains the following method steps:
• the user presents a first key, having a first input. The first key may be a biometric element, a key-card, a voice instruction, a code or any other means and the corresponding first input may be a biometric pattern, an image, an analogue or a digital signal, a digital string etc.
• the key reader 10 reads the first input
• the processing module 25 generates a set of excitation properties that depends on the first input, optionally by corresponding the first input to one out of a pre-defined set of excitation properties
• the first input or any data corresponding to the first input is stored to the memory module 26 of the authentication system
• the set of excitation properties is stored to the memory module 26
• the user presents the token 80
• the light source 35, 38 emits an excitation light-beam 32 using the set of excitation properties on the token 80
• the camera 50 detects an optical response with a response profile, generated by the token 80 upon emitting the light-beam 32
• the response profile is processed with hashing algorithms, error correction codes and encryption algorithms to generate helper-data, which are stored in the memory module 26
• the processing module 25 generates a digital authentication key that corresponds to the response profile
• the digital key is stored to the memory module 26 and is associated with the first input, for example via the set of excitation properties.
[00039] The pre-defined set of excitation properties may be selected from a batch of preferably uncorrelated pre-defined sets of excitation properties that are stored in the system. One user may be assigned one or more pre-defined sets of excitation properties. In some examples the user is assigned a specific number of sets of excitation properties. In the latter case the system uses each set of excitation properties either only once or more than once. If the system uses each set of excitation properties only once, the system authorizes the user as many times as the number of sets of excitation properties assigned to him/her.
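The enrolment and authentication steps above, and the helper-data hashing of paragraph [00022], can be realised with a code-offset fuzzy extractor; the following is an added example, not the patent's or the assignee's own code, and its repetition code, median-threshold quantiser and SHA-256 digest are assumptions, since the description names only "hashing algorithms, error correction codes and encryption algorithms".

```python
"""Helper-data key extraction for a noisy optical response (added example).

Enrolment derives helper-data and a digital key from the response profile;
authentication reproduces the same key from a slightly different response
of the same token using that helper-data. The construction (repetition
code, median quantiser, SHA-256 digest) is an assumption, not the patent's.
"""
import hashlib

import numpy as np

# Repetition factor of the error-correcting code (assumed value): each key
# bit is encoded REP times and recovered by majority vote, so up to
# (REP - 1) // 2 flipped response bits per key bit are tolerated.
REP = 7


def response_bits(speckle):
    """Binarise a speckle intensity pattern: 1 where a pixel is brighter
    than the median intensity of the pattern (simple quantiser, assumed)."""
    s = np.asarray(speckle, dtype=float).ravel()
    return (s > np.median(s)).astype(np.uint8)


def _encode(key_bits):
    """Repetition-code encoder."""
    return np.repeat(np.asarray(key_bits, dtype=np.uint8), REP)


def _decode(noisy_codeword):
    """Repetition-code decoder: majority vote inside each block of REP bits."""
    blocks = np.asarray(noisy_codeword, dtype=np.uint8).reshape(-1, REP)
    return (blocks.sum(axis=1) * 2 > REP).astype(np.uint8)


def key_digest(key_bits):
    """The stored digital key: SHA-256 over the packed key bits."""
    return hashlib.sha256(np.packbits(key_bits).tobytes()).hexdigest()


def enrol(speckle, rng):
    """Enrolment phase: returns (helper_data, stored_digest).

    The helper-data is the XOR of the response bits with the codeword of a
    random key. Without the response it does not determine the key, so only
    the helper-data and the digest need to be kept in the memory module."""
    r = response_bits(speckle)
    n_key = len(r) // REP
    k = rng.integers(0, 2, size=n_key, dtype=np.uint8)
    helper = np.bitwise_xor(r[: n_key * REP], _encode(k))
    return helper, key_digest(k)


def reproduce(speckle, helper):
    """Authentication phase: recover the key digest from a fresh response."""
    r = response_bits(speckle)
    noisy_codeword = np.bitwise_xor(r[: len(helper)], helper)
    return key_digest(_decode(noisy_codeword))


def authenticate(speckle, helper, stored_digest):
    """True when the fresh response reproduces the enrolled digital key."""
    return reproduce(speckle, helper) == stored_digest


def demo():
    """Constructed data standing in for camera frames (not real speckle):
    the enrolled pattern, the same pattern with evaluation noise, and a
    pattern from a different token. Returns their three authentication
    results: (True, True, False)."""
    rng = np.random.default_rng(7)
    speckle = rng.random((32, 32))
    helper, stored = enrol(speckle, rng)
    noisy = speckle + rng.normal(0.0, 0.01, speckle.shape)  # same token, noisy readout
    other = rng.random((32, 32))                             # different token
    return (
        authenticate(speckle, helper, stored),
        authenticate(noisy, helper, stored),
        authenticate(other, helper, stored),
    )


if __name__ == "__main__":
    print(demo())
```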
[00040] The generation of the uncorrelated pre-defined sets of excitation properties, i.e. challenges, follows a procedure that is underpinned by the comparison of the pixels of each pair of profiles. Correlation or non-correlation is assessed on the basis of a correlation coefficient, for example the percentage of identical pixels of the two sets of excitation properties over the total number of their pixels. The procedure includes the detection of the relation between the two pixels at the same position (i, j) in the two images. The potential relations are four: a) the two pixels are black; b) the (i, j) pixel of the first image is black and the (i, j) pixel of the second image is white; c) the (i, j) pixel of the first image is white and the (i, j) pixel of the second image is black; d) the two pixels are white. The challenges are uncorrelated only if the number of white pixels coinciding at the same (i, j) belongs to a specific number range. The limits of this range are written as a function of statistical quantities of the images, such as the mean intensity, the standard deviation of the intensity, etc.
[00041] The invention further suggests an authentication method employing a first key and K subsequent keys with K ≥ 2, whereby the first key generates an output signal and each one of the subsequent keys is excited by a signal provided by another key, either the first key or any other of the subsequent keys, and generates an output signal upon excitation, and whereby the output signals of one or more of a) the first key and b) the subsequent keys are compared with pre-recorded corresponding signals to signal authentication or non-authentication.
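The pixel-wise comparison of paragraph [00040] (and of the summary bullets earlier on this page), as an added example that is not the patent's own code: it counts the four black/white relations, computes the identical-pixel fraction and accepts a pair as uncorrelated only if the count of coincident white pixels lies in a range derived from the images' mean intensities. The patent does not state the range formula; the binomial plus/minus n_sigma range used here is an assumption.

```python
"""Uncorrelated challenge selection by pixel-wise comparison (added example).

Challenges are binary images (white = True/1, black = False/0). The range
test in white_coincidence_range is an assumption standing in for the
statistics-based limits the patent mentions without specifying.
"""
import numpy as np


def pixel_relations(img_a, img_b):
    """Count the four relations of the pixels at the same position (i, j)."""
    a = np.asarray(img_a, dtype=bool)
    b = np.asarray(img_b, dtype=bool)
    if a.shape != b.shape:
        raise ValueError("challenge images must have the same shape")
    return {
        "both_black": int(np.count_nonzero(~a & ~b)),
        "a_black_b_white": int(np.count_nonzero(~a & b)),
        "a_white_b_black": int(np.count_nonzero(a & ~b)),
        "both_white": int(np.count_nonzero(a & b)),
    }


def identical_fraction(img_a, img_b):
    """Share of positions holding identical pixels, the correlation measure
    named in the description (1.0 for identical images, about 0.5 for
    independent balanced ones)."""
    rel = pixel_relations(img_a, img_b)
    total = sum(rel.values())
    return (rel["both_black"] + rel["both_white"]) / total


def white_coincidence_range(img_a, img_b, n_sigma=4.0):
    """Assumed range: if the images were independent, with white-pixel
    probabilities equal to their mean intensities p_a and p_b, the number of
    positions where both are white is Binomial(n, p_a * p_b). The accepted
    range is that mean plus/minus n_sigma standard deviations."""
    a = np.asarray(img_a, dtype=bool)
    b = np.asarray(img_b, dtype=bool)
    n = a.size
    p = a.mean() * b.mean()
    mu = n * p
    sigma = np.sqrt(n * p * (1.0 - p))
    return mu - n_sigma * sigma, mu + n_sigma * sigma


def is_uncorrelated(img_a, img_b, n_sigma=4.0):
    """True when the coincident-white count lies inside the assumed range."""
    lo, hi = white_coincidence_range(img_a, img_b, n_sigma)
    return bool(lo <= pixel_relations(img_a, img_b)["both_white"] <= hi)


def select_uncorrelated_batch(candidates, n_sigma=4.0):
    """Greedily build a batch in which every pair of challenges is
    uncorrelated: a candidate is kept only if it passes against all kept ones."""
    batch = []
    for cand in candidates:
        if all(is_uncorrelated(cand, kept, n_sigma) for kept in batch):
            batch.append(cand)
    return batch


def demo():
    """Constructed 64x64 binary challenges: two independent random images
    pass, an image that is a 5 % perturbation of the first does not, so the
    greedy batch keeps two of the three candidates."""
    rng = np.random.default_rng(1)
    a = rng.random((64, 64)) > 0.5
    b = rng.random((64, 64)) > 0.5
    c = a ^ (rng.random((64, 64)) < 0.05)  # a with about 5 % of pixels flipped
    batch = select_uncorrelated_batch([a, b, c])
    return is_uncorrelated(a, b), is_uncorrelated(a, c), len(batch)


if __name__ == "__main__":
    print(demo())
```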

Claims

1. Method of authentication using two replaceable keys assigned to a user, i.e. a first key and a second key, comprising the following method steps:
• presenting the first key, having a first input
• reading the first input
• generating an excitation light-beam having a set of excitation properties dependent on the first input
• presenting the second key
• emitting the excitation light-beam on the second key
• detecting an optical response with a response profile, generated by the second key upon emitting the excitation light-beam
• comparing the response profile with a pre-recorded response profile that is associated with the set of excitation properties and
• signalling the authentication considering the comparison of the response profile with the pre-recorded profile.
2. Method of authentication according to claim 1, whereby the first key is a biometric element, such as an eye, a fingerprint or other.
3. Method of authentication according to claim 1 or claim 2, whereby the second key is an optical randomly disordered medium.
4. Method of authentication according to claim 3, whereby the second key is a diffuser glass.
5. Method of authentication according to any one of claims 1 to 4, whereby the set of excitation properties includes one or more of the following properties: i) spatial profile, i.e. the spatial arrangement of the components of the light-beam; ii) emission properties, which include one or more of wavelength, frequency, intensity, phase and polarization of the light-beam.
6. Method of authentication according to any one of claims 1 to 6, comprising processing the response profile with hashing algorithms, to transform the response profile to a digital output.
7. Method of authentication according to claim 7, further comprising retrieving pre-stored helper-data and processing the digital output with the helper-data to transform the response profile to a numeric key.
8. Method to control physical access to a space comprising the method of any one of claims 1 to 8 and providing physical access to the space upon signalling authentication.
9. Method of enrolment of a user to an authentication system using two replaceable keys assigned to the user, i.e. a first key and a second key, that comprises the following steps:
• presenting the first key, having a first input
• reading the first input
• generating and storing to a memory module a set of excitation properties dependent on the first input
• presenting the second key
• generating and emitting on the second key an excitation light-beam having said set of excitation properties
• detecting an optical response with a response profile, generated by the second key upon emitting the excitation light-beam
• generating a digital key that corresponds to the response profile
• storing the digital key to the memory module and associating the digital key with said set of excitation properties.
10. Method according to claim 9, whereby the first key is a biometric element, such as an eye, a fingerprint or other.
11. Method according to claim 9 or claim 10, whereby the second key is an optical randomly disordered medium.
12. Method according to claim 11, whereby the second key is a diffuser glass.
13. Method according to any one of claims 9 to 12, comprising processing the response profile with hashing algorithms and preferably error correction codes and/or encryption algorithms to generate helper-data and storing the helper-data to the memory module.
14. Method according to any one of claims 9 to 13, whereby generating the set of excitation properties is done by selecting a set of excitation properties from a batch of sets of pre-defined sets of excitation properties.
15. Method according to claim 14, whereby the sets of excitation properties within the batch of pre-defined sets of excitation properties are uncorrelated.
16. Method according to claim 14 or claim 15, including assigning a user with more than one set of excitation properties.
17. Authentication system comprising:
   input means (10) configured to receive a first key assigned to a user, having a first input;
   a light source (35, 38) communicating with the input means (10), configured to emit a light-beam (32) with a set of excitation properties dependent on the first input;
   a receptacle (40) for a real-time replaceable second key;
   a detector (50) configured to detect an optical response with a response profile, generated by the second key upon emission of the light-beam (32);
   a memory module (26) storing pairs, each pair including a pre-recorded set of excitation properties and a corresponding pre-recorded response profile key; and
   a processing module configured to compare the response profile with a pre-recorded response profile that is associated with the set of excitation properties.
18. Authentication system according to claim 17, whereby the input means configured to receive the first key is configured to read biometric data, such as a fingerprint or eye.
19. Authentication system according to claim 17 or claim 18, whereby the light source (35, 38) includes excitation means (38) configured to modify the excitation properties of the light-beam.
20. Authentication system according to any one of claims 17 to 19, including hashing extraction software means configured to process the response profile to transform the response profile to a digital output.
21. Authentication system according to claim 20, whereby the memory module (26) further includes a pre-recorded set of helper-data and the hashing software means is configured to process the response profile employing said set of helper-data.
22. Authentication system according to any one of claims 18 to 21, whereby the memory module (26) includes a batch of pre-defined sets of excitation properties and the processing module is configured to select a set of excitation properties from the batch of sets of excitation properties and to associate it with the first input.
23. Apparatus to control physical access to a space comprising a system according to any one of claims 18 to 22 and further comprising a lock and means operating the lock, the means operating the lock being connected to the means configured to compare the response profile with the pre-defined profile.
24. Use of an optical randomly disordered medium as a key that provides physical access to a space employing the apparatus of any one of claims 18 to 23.
25. Use of an optical disordered medium according to claim 25, whereby the use includes the emission of a light-beam with a set of pre-determined properties on the optical disordered medium, the interaction of the light-beam with the optical disordered medium so as to create an optical response with a response profile and the reading of the response profile by a detector.
26. Method of authentication using two independent keys assigned to a user, in cascade, i.e. a first key to configure an optical challenge and a second key that generates an optical response upon receiving the optical challenge, including emitting an excitation light-beam having a set of excitation properties to the second key, whereby the set of excitation properties depends on the first key, and generating a digital key using the optical response generated by the second key.
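The enrolment procedure of claims 9 and 13 and the verification cascade of claims 17, 21 and 26 can be sketched as a fuzzy-extractor style flow: the first key selects the optical challenge, the second key's noisy response is corrected with stored helper-data, and the corrected bits are hashed into the digital key. The Python below is an added illustration written for this page; it is not code from the patent or from Eulambia. The optical disordered medium is simulated with a hash-seeded PRNG, and the excitation batch values, the 252-bit binarised profile, the repetition-code secure sketch and all identifiers (`select_excitation`, `optical_response`, `enrol`, `authenticate`, the "diffuser-0001" key id) are assumptions chosen for the example.

```python
"""Toy two-key optical authentication cascade (added example, not the patent's code).

First key (e.g. a biometric template digest) -> selects an excitation set.
Second key (simulated optical medium) -> bit-string response profile.
Helper-data = response XOR repetition codeword (a simple secure sketch).
Digital key = SHA-256 of the corrected key bits; only its hash is stored.
"""
import hashlib
import hmac
import random

# Constructed batch of pre-defined excitation sets (assumed fields: wavelength nm,
# polarisation angle deg, spatial-pattern id). Real values are not on the page.
EXCITATION_BATCH = [(1550, 0, 0), (1310, 45, 1), (980, 90, 2), (850, 135, 3)]
PROFILE_BITS = 252   # binarised response length: 36 blocks of 7 bits (assumption)
REP = 7              # repetition-code length; majority vote tolerates <= 3 flips/block


def select_excitation(first_input: bytes) -> tuple:
    """First key -> excitation set: a digest of the first input indexes the batch,
    so the optical challenge sent to the second key depends on the first key."""
    idx = int.from_bytes(hashlib.sha256(first_input).digest()[:4], "big") % len(EXCITATION_BATCH)
    return EXCITATION_BATCH[idx]


def optical_response(second_key_id: str, excitation: tuple, flips=()) -> list:
    """Simulated second key. The stable response depends on (medium, excitation);
    `flips` lists bit indices corrupted by measurement noise. A hash-seeded PRNG
    stands in for the scattering physics (simulation only, not a security primitive)."""
    seed = hashlib.sha256(f"{second_key_id}|{excitation}".encode()).digest()
    stable = random.Random(int.from_bytes(seed, "big"))
    bits = [stable.getrandbits(1) for _ in range(PROFILE_BITS)]
    for i in flips:
        bits[i] ^= 1
    return bits


def _majority(block: list) -> int:
    """Majority vote over one repetition-code block."""
    return 1 if sum(block) * 2 > len(block) else 0


def enrol(first_input: bytes, second_key_id: str, rng: random.Random) -> dict:
    """Enrolment: pick the excitation set from the first key, read a clean reference
    profile from the second key, derive helper-data, store the digital key's hash."""
    excitation = select_excitation(first_input)
    w = optical_response(second_key_id, excitation)
    k = [rng.getrandbits(1) for _ in range(PROFILE_BITS // REP)]   # fresh secret bits
    codeword = [bit for bit in k for _ in range(REP)]               # repetition encode
    helper = [a ^ b for a, b in zip(w, codeword)]                    # secure sketch w XOR c
    digital_key = hashlib.sha256(bytes(k)).digest()
    return {"excitation": excitation, "helper": helper,
            "key_hash": hashlib.sha256(digital_key).digest()}


def authenticate(record: dict, first_input: bytes, second_key_id: str, flips=()) -> bool:
    """Authentication: the first key must reproduce the stored excitation set, the
    noisy second-key reading is corrected via the helper-data, and the re-derived
    digital key is compared against the stored hash in constant time."""
    if select_excitation(first_input) != record["excitation"]:
        return False
    w2 = optical_response(second_key_id, record["excitation"], flips)
    noisy_codeword = [a ^ b for a, b in zip(w2, record["helper"])]   # = c XOR noise
    k2 = [_majority(noisy_codeword[i:i + REP]) for i in range(0, PROFILE_BITS, REP)]
    digital_key = hashlib.sha256(bytes(k2)).digest()
    return hmac.compare_digest(hashlib.sha256(digital_key).digest(), record["key_hash"])


def demo() -> dict:
    """Enrol one user, then exercise clean, tolerably noisy, too-noisy and wrong-medium readings."""
    rng = random.Random(2024)
    first = b"fingerprint-template-alice"          # constructed first-key input
    rec = enrol(first, "diffuser-0001", rng)
    return {
        "clean": authenticate(rec, first, "diffuser-0001"),
        # every 3rd bit flipped: at most 3 flips per 7-bit block, still corrected
        "noisy_ok": authenticate(rec, first, "diffuser-0001", flips=range(0, PROFILE_BITS, 3)),
        # every 2nd bit flipped: 4 flips in every other block, majority vote fails
        "too_noisy": authenticate(rec, first, "diffuser-0001", flips=range(0, PROFILE_BITS, 2)),
        # a different medium under the same excitation yields an unrelated profile
        "wrong_medium": authenticate(rec, first, "diffuser-0002"),
    }


if __name__ == "__main__":
    print(demo())
```

The repetition-code sketch is used only because it is easy to follow; it leaks a large fraction of the response bits through the helper-data, so a deployment would use a proper code and the hashing, error-correction and encryption stages claim 13 lists. Note also that with a batch of only four excitation sets a wrong first key may by chance select the same set, which is why the first key alone never authenticates and why claim 16 assigns several sets per user.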
EP22801536.8A 2021-10-21 2022-10-08 System for authentication and authentication method Pending EP4420298A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GR20210100723A GR20210100723A (en) 2021-10-21 2021-10-21 Authentication system and method for authentication
PCT/IB2022/059654 WO2023067430A1 (en) 2021-10-21 2022-10-08 System for authentication and authentication method

Publications (1)

Publication Number Publication Date
EP4420298A1 true EP4420298A1 (en) 2024-08-28

Family

ID=84330412

Family Applications (1)

Application Number Title Priority Date Filing Date
EP22801536.8A Pending EP4420298A1 (en) 2021-10-21 2022-10-08 System for authentication and authentication method

Country Status (3)

Country Link
EP (1) EP4420298A1 (en)
GR (1) GR20210100723A (en)
WO (1) WO2023067430A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GR1010686B (en) * 2023-05-24 2024-05-13 ESA SECURITY SOLUTIONS Ιδιωτική Επιχείρηση Παροχής Υπηρεσιών Ασφαλείας Ανώνυμη Εταιρεία, Integrated incident management system using health and security devices - application thereof to critical infrastructures

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4238356B2 (en) 2002-10-03 2009-03-18 独立行政法人産業技術総合研究所 Authentication system, light emitting device, authentication device, and authentication method
CN100449354C (en) 2003-12-12 2009-01-07 皇家飞利浦电子股份有限公司 A method and apparatus for detection of a speckle based physically unclonable function
CN101124767A (en) * 2004-12-22 2008-02-13 皇家飞利浦电子股份有限公司 Method and device for key generation and proving authenticity
WO2007046037A1 (en) 2005-10-17 2007-04-26 Koninklijke Philips Electronics N.V. Integrated puf
EP2069983A2 (en) * 2006-09-19 2009-06-17 Koninklijke Philips Electronics N.V. Method and apparatus for calculating an index key
EP2693685B1 (en) * 2012-07-30 2017-09-06 Universiteit Twente Quantum secure device, system and method for verifying challenge-response pairs using a physically unclonable function (PUF)
US9762565B2 (en) * 2015-06-26 2017-09-12 Washington State University Spatial-light-modulator-based signatures of intrinsic and extrinsic scattering surface markers for secure authentication
CN107257285B (en) * 2017-07-20 2023-03-10 中国工程物理研究院电子工程研究所 Authentication system based on single photon excitation and optical PUF
GR20170100352A (en) 2017-07-26 2019-04-04 Eulambia Advanced Technologies Μον. Επε Optical physical unclonable function based on a multimodal waveguide
WO2020223588A1 (en) * 2019-05-01 2020-11-05 Ares Technologies, Inc. Systems and methods authenticating a digitally signed assertion using verified evaluators
US20220069990A1 (en) * 2020-06-23 2022-03-03 Clemson University Physical unclonable function from an integrated photonic interferometer
CN113407930B (en) * 2021-07-17 2022-06-21 太原理工大学 Identity verification system based on cavity type photorefractive crystal PUF

Also Published As

Publication number Publication date
WO2023067430A1 (en) 2023-04-27
GR20210100723A (en) 2023-05-10

Similar Documents

Publication Publication Date Title
US11770259B2 (en) System and method for securing a resource
US7711152B1 (en) System and method for authenticated and privacy preserving biometric identification systems
US7809156B2 (en) Techniques for generating and using a fingerprint for an article
EP1520369B1 (en) Biometric authentication system
JP4169790B2 (en) Perform security checks
US6584214B1 (en) Identification and verification using complex, three-dimensional structural features
US6553494B1 (en) Method and apparatus for applying and verifying a biometric-based digital signature to an electronic document
US8347106B2 (en) Method and apparatus for user authentication based on a user eye characteristic
US20020056043A1 (en) Method and apparatus for securely transmitting and authenticating biometric data over a network
CN101903891B (en) Defining classification thresholds in template protection systems
US20030115475A1 (en) Biometrically enhanced digital certificates and system and method for making and using
US7114074B2 (en) Method and system for controlling encoded image production using image signatures
JP2007500910A (en) Method and system for authenticating physical objects
EP1832036A2 (en) Method and device for key generation and proving authenticity
JP2019148930A (en) Two-dimensional code, system and method for outputting two-dimensional code, system and method for reading two-dimensional code, and program
US20030140232A1 (en) Method and apparatus for secure encryption of data
WO2023067430A1 (en) System for authentication and authentication method
US20200234285A1 (en) Offline Interception-Free Interaction with a Cryptocurrency Network Using a Network-Disabled Device
WO2000014716A1 (en) A method of and apparatus for generation of a key
US20240022403A1 (en) Delivering random number keys securely for one-time pad symmetric key encryption
Habibu et al. Developing an algorithm for securing the biometric data template in the database
EP2187338A1 (en) Biometric pseudonyms of a fixed-sized template
JP4355585B2 (en) Personal authentication method, personal authentication system, and optical information recording medium
KR20070109130A (en) Id card and system for certification of id card and method thereof
US20230171116A1 (en) System and Method for Certified Digitization of Physical Objects

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20240502

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC ME MK MT NL NO PL PT RO RS SE SI SK SM TR