FI110150B - Procedure for sending identification and verification data of data network resource users to data network resource - Google Patents

Description

110150

A method for transmitting identification and authentication information of a cyber resource towards a cyber resource

The invention relates to a method 5 for transmitting identification and authentication information of a user of a network resource in the direction of the network resource according to the preamble of claim 1.

The invention also relates to a method according to the preamble of claim 15 for encrypting identification and authentication data of a user of a network resource.

Such methods are used when logging in to specific network resources, such as network applications, for specific users. Targeted network applications include e-mail services and other applications that include user-specific features and settings. Also, network cache resources that appear to all users alike are allocated to a limited set of users.

In accordance with the prior art, the user of the network resource can be identified and authenticated by the user name I »and the password entered by the user and received by the network resource. Each user account is assigned a corresponding password · · · “··. The data network resource or its associated network application receives * * · * · ♦ 'username and password. After that, the password users are compared · ;; | * 20 IDs to match the specified password. If the password matches the specified password, »·» »the user is considered authenticated. Alternatively, the user name and password may be * »provided to the network resource and / or to the application running on it by an intermediary application configured to operate between the user and the network resource or network application running on the network resource. In this case, the username-password pair 25 is stored in a proxy application.

* · · »* '*»

A disadvantage of the prior art is that in order to log in to a network resource that is »» * targeted by a user name and password, the user of the network resource * · «t ,, ..; you will need to remember and enter both your username and password. This is a hassle for the user, especially if he has access to a large number of networked information resources with a password and 2 110150 usernames. For ease of remembering, the user may be assigned the same or otherwise consistent username and password for multiple network resources. This poses a security risk because the person who may receive this information will have easier access to all the cyber resources protected by this information. Alternatively, when using a relay application, it is required that at least one user-specific user ID-password pair is stored on the relay application. In such a case, sensitive data had to be disseminated to additional network resources and computing resources, such as memory and processor time, would be required to maintain this information in a sufficiently secure manner on the proxy application 10.

The object of the invention is to solve the problems of the prior art described above and to this end to provide a completely new type of method for transmitting identification and authentication information of a user of a network resource in the direction of the network resource.

The invention is based on the fact that the switching application encrypts the user name, password and key code received from the direction of the client interface 15. The relay application then sends the encrypted data to the client interface as part of the middleware level address of the application, for example a specific URL. When using a network resource, the relay application receives a middleware address and a separate key code from the direction of the client interface. A separate key code can be received e.g.

* * t •. · 20 form functions or may be included as a separate part of the same address where identification and authentication information is transmitted. The relay application converts the encrypted key code contained in the separate key code and the received middleware level address into a comparable format and performs the comparison. If the received separate key code matches the encrypted key code, the relay application sends ... 25 usernames and passwords per data network resource.

Specifically, for the method of the invention, a network resource: · To send user identification and authentication information in the direction of the network resource,

I »« I

: * ''; characterized by what is set forth in the characterizing part of claim 1.

I · I

3, 110150

The method for encrypting the identification and authentication data of a user of a network resource according to the invention, in turn, is characterized by what is disclosed in the characterizing part of claim 15.

The invention provides considerable advantages. Signing up for cyber resources, such as 5 cyber services, requires less effort on the part of the user, since the user can log on to dedicated cyber resources that are protected by usernames and passwords without having to remember and enter usernames and passwords. In this case, the user must enter the bookmark and key code that they have received from the relay application. By means of the invention, a user, such as an entity connected to a data network by means of WAP terminal 10, can authenticate, i.e., identify, multiple network resources using a single key code without similar security risk associated with setting uniform user names and passwords for multiple network resources. In this case, it is also unnecessary for the mediation application to have 15 user-password pairs or parts thereof that allow access to the network resources, so that they do not require any computing resources to maintain them. The protected network resources receive the traditional type of credentials and still do not need to save this information to the proxy application. In this case, sensitive information will not be saved by additional network resources. ·. available. Further, knowing the key code alone does not allow access to protected network resources unless the traditional credentials known as ;. encrypted as desired by the relay application.

The preferred operating environment for the invention are mobile stations. They typically have a small ;;; screen and a small keyboard, which makes it difficult for the user to enter user names and passwords. The invention can be used as an intermediate application between a mobile station and a data network resource, whereby the mobile station user can store it! ! select a bookmark and enter a separate key code to log in to the desired cyber resource. If a telecommunications terminal, such as a WAP terminal, is stolen, there is no · ;;; a significant risk to the user, because access to network resources requires a "* key code input from the telecommunications terminal. The invention can be authenticated by the user

v '30, that is, it authenticates itself to cyber resources with its unique key code, such as WapPIN

by entering their code. Suitable network resources include, for example, '' HTTP Basic 4 110150

WAP pages protected by an AuthenticatiorT password and an IMAP4 (email) service. The invention can also be used in other environments, such as a workstation connected to a TCP / IP network.

The invention will now be described, by way of example, with reference to the accompanying drawing.

Figure 1 illustrates one method of transmitting a network resource user identification and authentication information in the direction of a network resource according to the invention, wherein the network resource is accessed from a client interface by a relay application.

Figure 1 has the following numbered elements: 10 The client interface 10 is an interface to a packet switched communications network, e.g., a WAP mobile communication interface.

| The information network resource 11 is a data network resource operable in a packet switched communication network that is assignable to at least one identifiable and verifiable information network user. For example, such a network resource may be an email service set up for 15 WAP interfaces. The network resource is set to boot in response to the receipt of the correct username and password.

• * Gateway 12 is an ···· application program set up to work on a packet data network, and is configured to pass the correct username-password pair 'to a network resource in response to a specific character it receives.

20 bookmark) and key code.

The OTA server 13 (Over The Air) is a proxy that converts an HTTP-GET parameter or parameters of an HTML page to a format that can be received by the client interface 10. For example, this format can be: SMS short message format.

• · · · ;;; 25 There is a gateway 14 between the client interface 10 and the proxy application 12, such as a WAP ·; * Gateway, which takes care of the necessary protocol conversions between the client interface head *. · · Network and the TCP / IP network.

5, 110150

In the method of Figure 1, the following steps are performed. Step 101 is performed to register the network user to the network resource (11).

101) Registering the network user as a user of the network resource 11, i.e., allocating the network resource 11 to a particular user-password pair.

In this case, a WML or HTML-based login form is placed on a server operating on the data network, where the network resource 11 is located and / or set to start. User login and password entry holes are set on the login form. For example, the user name and password can be an IMAP4 user name and 10 associated passwords.

Steps 102 to 103 of the method are performed to encrypt the identity and authentication information of the user of the network resource.

102) Receiving by a proxy application 12 a particular username-password pair and 15 from the WapPIN client interface 10 through gateway 14, and in response to the received username, password, and WapPIN code, encrypts the content of the username and password using a particular encryption algorithm. In this case, · · can be used as the WapPIN encryption key. WapPIN is encrypted with a specific · · · ...: one-way encryption algorithm, such as unix crypt ().

103) Include the username, password and in the HTTP-GET method parameter

WapPIN encrypted. For example, a URL like this might take the form: '": http://wap.kone.net/login?pin=Ehuw&user=QyweI03872&pwd=uwdjkw.

Sending the HTTP-GET method from the relay application 12 to the client interface 10: either way (103a) or way (103b-c). If the login form: 25 is a WML form then a (103a) WML page is sent to the client interface 10. The URL of this page contains the HTTP-GET method in the parameter: ''; username, password and WapPIN code encrypted.

L, If the login form is an HTML form and the client interface has a ,, ..: WAP terminal connected, then (103 a-b) 30 is sent via OTA server 13 to the client interface 10 via a short message that the WAP browser can interpret as a specific 611150 bookmark. The bookmark contains the username, password and WapPIN encrypted in the HTTP-GET method. An HTML page can also be submitted as such if the client interface 10 is able to recognize its URL.

Steps 104 to 107 are performed to send user identification and authentication information to the network resource (11) in the direction of the network resource.

104) Receiving, via a proxy application 12 from the direction of the client interface 10, through gateway 14, a substantial bookmark.

105) In response to the received bookmark, a WML form with a WapPIN code input slot is sent from the relay application 12 to the client interface 10. The form has a field that asks for the user's WapPIN code. In addition, the form contains the encrypted username, password and WapPIN code as hidden fields.

106) Receiving a WapPIN from another direction of the client interface 10 in another form 15, such as plain language. Run the WapPIN in the second form under the control of the relay application 12 through a one-way encryption algorithm and compare it with the one received in a given bookmark. WapPIN code.

'(107) If the codes are identical or otherwise correspond as desired, ί; * '* · 20 encrypted usernames and passwords are opened using, for example, a WAPpin in another format as the decryption key, whereupon the username and password are decrypted in another form. The relay application 12 then transmits the username and password in the second format to the network. '!! resource 11, thereby helping to identify and authenticate the user of the network resource.

Another form of username and password is a format that can be interpreted by the network resource 11 when it receives ..,.: The username and password through the relay application 12 in the other form.

110150 The switching application 12 can send the address of the client interface 10 in the source address field, thereby setting the communication between the client interface 10 and the network resource 11 so that it does not pass through the switching application 12. Alternatively, the proxy application 12 may relay all or part of the communication between the client interface 10 and the proxy application 12. The method may also be implemented by the transmission application 12 transmitting the user name and password in one form in the direction of the client interface 10, after which the network resource 11 receives the user name and password in the second form from the direction of the client interface 10.

Indeed, the invention can be utilized in transmitting identification and authentication information of a network resource user in the direction of the network resource 11. In such a method, the following operations are performed: Initially, the broker application 12 receives the client identification data, the authentication information and the first key code transmitted from the direction of the client interface 10. This information is each encrypted in the first format upon receipt.

The form and encryption of the authentication information, the authentication information and the first key code may then be similar or different depending on the application. Thus, for example, the encryption of the first form of identification information can be done by a different algorithm than e.g. the encryption of the first key code. Receiving data • · • '.' middleware level in the address field.

«· · 20 - In addition to the authentication information, the authentication information and the first key code, a second key code is also received. The second key code is in a format different from the encrypted first format of the first key code, e.g., in a suitable t »: '' ': unencrypted format.

- The first key code and the second key code are then converted »-! _ 25 in a comparable format and comparing the codes with each other.

• | · - If the codes match, the identification and authentication data is decrypted.

The authentication and authentication data are then converted from an encrypted first format. ·: ·. in another form. This second form may be, for example, a suitable form, the unencrypted form or the encrypted form defined for the exchange of information with the network resource 11.

110150 - After the conversion, the identification and authentication information is sent in the direction of the network resource 11 in this other form, which the network resource 11 is capable of interpreting upon receipt from the information network (after any transformation caused by the transmission path).

Solutions other than those described above may also be contemplated within the scope of the invention. The relay application may, for example, restrict access to the network resource 11 based on a key code such as a WapPIN code.

If necessary, the constraint can also take advantage of any additional amount attached to the WapPIN code, such as bookmarked information. When restricting access permissions 10, the usernames and passwords required by the network resource 11 need not be changed to permanently or temporarily deny access to the network resource 11 to any of the network clients, but the access to the network resource may be restricted by a relay application based on WapPIN code.

Thus, from another client interface, the network resource 11 can still be used even after the restriction. However, in this case, care must be taken that the proxy application 12 does not allow too many key-codes to be secretly encrypted from the direction of the same terminal. In this way, gaining access to the network resource 11 by correctly guessing the WapPIN code is sufficiently unlikely. The HTTP-GET parameter can also pass information identifying the network ··· 20 resource 11 or the encryption algorithm used. This can be used to control; ' · ': Proxy application 12 to use a particular encryption algorithm on a case-by-case basis or to register for a particular cybersecurity resource 11. Using multiple encryption algorithms can:: also reduce the possibility of correctly deciphering or guessing key code and encryption logic.

The invention can also be applied in such a way that the user using the network resource through the client interface through the intermediary application does not even know the user names and passwords in plain language. In this case, for example, the company may assign a single username-y to its employees! access to the network resource behind the password pair, for example ':' for temporary use such that each user has his own key code. This eliminates the need to change the 30 corporate usernames and passwords once 9 110150 users are terminated. Access can be terminated by a proxy application by blocking access to the network resource by a specific user bookmark and WapPIN.

The following describes what is meant by certain terms in this patent application.

Network resource refers to a subscriber interface connected to a data network, a terminal device 5 connected thereto, an application program running on the data network or an instance thereof.

By storing a proxy application, it is meant that the proxy application, with its own functionality, is able to retrieve the stored data of the proxy application when needed.

Middleware-level addresses refer to the names and addresses of the network resource, such as a URL, comparable to the protocol layers 4 through 7 of the ISO OSI model.

WapPIN is a code or other set of digits or other string associated with a specific user, Wap terminal or subscriber line when the Wap terminal starts up.

15 A key code is a string that can be encrypted by a particular one-way encryption algorithm into a form from which it cannot be uniquely deduced. '.: Without using the encryption algorithm or knowing its features.

; ·. Authentication information is information in digital form which, upon receipt of a sufficient amount of information, the network resource is set to identify its user.

Authentication information is information in digital form that, when received sufficiently, the cyber resource is configured to authenticate the identified user.

: Computing resources means hardware and software capable of:: processing information in digital form, processing time of such hardware and software, and working time of: 25 persons using such hardware and software.

Claims (16)

10 110150 A method for transmitting authentication and authentication information of a user of a network resource to the network resource (11), characterized by receiving (104) from the direction of the client interface (10) by the proxy application (12) a second key code in a form different from the encrypted first form of the first key code, - converting (106) the first key code and the second key code into a comparable format, - comparing (106) the first key code to the second key code, decrypting (106) identification and authentication data, and converting the authentication and authentication data from the encrypted first »· ''. * to a shape other than form, and j ':'. transmitting (106) identification and authentication information in the direction of the network resource (11); '' ': In a format different from the encrypted first format. I I · Method according to Claim 1, characterized in that the authentication and> authentication data contain a substantial part of the password. : 1 "; Method according to one of Claims 1 to 2, characterized in that the identification. ·>, And the authentication information contains the user ID to a significant extent. 25 Π 110150 Method according to one of Claims 1 to 3, characterized in that the second key code is a first key code in a second form. Method according to one of claims 1 to 4, characterized in that WapPIN is used as the 5 key code. Method according to one of claims 1 to 5, characterized in that the identification and authentication information (104) is received in encrypted form in the middleware level address field as part of the URL. 10 Method according to one of claims 1 to 6, characterized in that the second key code is received in another form by means of a WML or HTML form. Method according to one of Claims 1 to 6, characterized in that the second key code 15 is received in the address field of the middleware address. • »«> I « Method according to one of Claims 1 to 8, characterized in that the relay application (12) is configured to interpret the definition included in the address field, such as its URL, received from the client interface (10) as a network address or name of a data network resource (11). Method according to one of Claims 1 to 9, characterized in that the relay application (12) is configured to select the encryption or decryption algorithm it uses; * 'in response to the address field it receives, such as the definition included in the URL. 25 12 110150 Method according to one of Claims 1 to 10, characterized in that the address of the client interface (10) is transmitted from the relay application (12) to the network resource (11) as a sender address. A method according to any one of claims 1 to 11, characterized by: - receiving (102), from the direction of the client interface (10), authentication and authentication information containing the user ID and the associated password, and a key code, - encrypting (102) ) authentication and authentication information and key code, and 10. transmitting (103) the authentication and authentication information and key code encrypted in the direction of the client interface (10) as part of the middleware level address of the relay application (12), such as a specific URL. A method according to claim 12, characterized by transmitting (103) in the direction of the client interface (10) encrypted authentication and authentication information, such as a username, password and key code, embedded in an HTTP-GET or HTTP-POST method parameter. . Method according to one of Claims 1 to 13, characterized in that the identification and authentication information to be transmitted and / or received in the address field of the middleware level address I * ·, t: 20 is received (102) from the direction of the OTA server and / or transmitted (103). · * In the direction of the OTA server. ; : 25 13 110150 A method for encrypting user authentication and authentication information of a network resource, characterized by: - receiving (102) an authentication application (12) from the direction of the client interface (10) to obtain authentication and authentication information containing a user ID and a related password; 102) identification and authentication information and key code, and transmitting (103) the identification and authentication information and key code encrypted in the direction of the client interface (10) as part of the middleware level address of the relay application (12), such as a specific URL. 10 The method of claim 15, characterized by: - receiving, from the direction of the client interface (10), the network address and / or name of the network resource (11), and - transmitting (103) the network address and / or name 15 of the network resource (11) (10) as part of the middleware level address of a proxy application (12), such as a specific URL. 14 110150