FR2825489A1 - Method for secure individual authentication of connection to Internet/intranet server, comprises choice between CD and resident operating program and use of mouse/screen password procedure - Google Patents

Abstract

The method is supported by a non-rewritable CD and a choice is made between the resident operating program and the external proprietor program according to whether the resident program is administered or non-administered. The commencement of the confidential session is controlled by a password procedure which uses the mouse and random screen panels containing the totality of possible characters Independent claims are also included for the following: A movable support such as a CD to effect the stages of the method. A computer program for the various stages of the method

Description

<Desc / Clms Page number 1>

The present invention is an improvement brought to patent application No. 0011954 (INPI), and relates to an individual, secure, nomadic electronic identification process, intended to authenticate the author of a connection to an INTERNET site from any PC xx86 type machine, with a level of security and confidentiality not achieved to date by any other process.

In the current state of the art, the solutions proposed are of several types: - Software devices with asymmetric or symmetrical keys - Hardware devices of the jungle type - Mixed fogidet / material devices! smart card or smartcard type - Mixed software / hardware devices such as CD recognition.

1 / Software devices with asymmetric or symmetrical keys.

In such devices, the user is identified by the presence, on the hard drive of the machine he is using, of a qualified authentication certificate assigned by an authorized trusted third party authority, generally claiming the use of a passphrase (long password).

The drawbacks of such devices reside in the persistence of specific information (in particular the certificate) on the hard disk of the machine used after the end of the connection session, as well as the vulnerability of the pass phrase.

sur Ja machine ou à distance par l'introduction de troyens puis d'être installés sur une autre machine en vue d'un usage frauduleux. Indeed, the certificate consists of one or more elements, files and / or records, especially in the Windows registry. These elements, like any element present on a hard disk, are likely to be copied fraudulently without the knowledge of the user, by direct manipulation

on the machine or remotely by introducing trojans and then being installed on another machine for fraudulent use.

In addition, the passphrase, however long and complex it is, is vulnerable to manipulation of davit keyioggers monitoring applications widely offered in fiber use on the INTERNET.

fraudeur, ou encore expédié automatiquement par Email à sa destination, la totalité des saisies effectuées au clavier pendant une période donnée pouvant couvrir plusieurs jours. Such applications have the effect of collecting in a text file, removed from the machine by the

fraudster, or sent automatically by Email to his destination, all of the keystrokes made during a given period which may cover several days.

Finally, the permanent presence of such applications (certificates) on the machine used presents a vulnerability to fraudulent modifications aimed at modifying the behavior of said applications. In other words, even if such applications are entrusted with monitoring and controlling the health of the machine used, such functionalities could easily be fraudulently deactivated without the knowledge of the authorized user.

est évident que si un certificat pouvait être installé sur n'importe quelle machine, il n'y aurait aucune garantie que l'utilisateur est réellement la personne habilitée. On the other hand, intrinsically, a certificate installed on one machine cannot be used on any other without reinstallation, which is generally complex because it is allegedly secure. he

It is obvious that if a certificate could be installed on any machine, there would be no guarantee that the user is really the authorized person.

Finally, the entry point to the INTERNET network is left to the free choice of the user, creating a risk of questionable paths to the server.

<Desc / Clms Page number 2>

 2 / Dungle-type hardware devices Such devices, consisting of a plug applied to one of the machine's output connectors, parallel or serial connector, USB connector, etc. support specific information sent to the machine at the request of '' an application residing on the hard disk (such as a certificate).

It is therefore an improvement made to type 1 / devices, but which still include the vulnerabilities linked to the permanent presence of the application core on the machine's hard disk.

Furthermore, compatibility with the extremely diverse fleet of machines is absolutely not guaranteed. It is very common for such devices to be faulted by a particular machine configuration.

The very design of such devices does not allow them to be active, since they cannot include complex software sequences embedded on the key. That is to say that their role is limited to answering a query, but in no case can it extend to the triggering of complex software operations. In other words, a control of the state of sanitation of the O. S.

(Operating System) of the machine is not within the reach of such devices.

3 / Mixed software / hardware devices such as smart cards or smart cards.

Such devices have characteristics similar to those of the previous type.

The remarks concerning type 2 devices / also apply.

On the other hand, these devices require the use of particular readers, resulting in additional cost and a limitation of use to specially equipped machines.

Such a solution therefore has no nomadic character.

4 / Mixed software / hardware devices such as recognition CDs.

Such devices using a burned CD, interrogated during a connection session by the connection application or a JAVA applet coming from the server, can be an improvement to type 1 / devices, and have in particular the advantage of nomadism, because they work on any machine with a conventional CD player.

However, in the current state of the art, the behavior of such devices is either limited to the response to a request from the machine, and does not allow the control and monitoring of the salubrity of the machine used, or claims direct launch of an application without installation on hard disk, with possible deletion at the end of the session of Internet consultation files (Internet temporary files in particular). However, nothing in this case is provided in case the session ends abnormally, and the files consulted generally remain intact. Furthermore, the word processing work possibly carried out during the protected session is not deleted.

Finally, the passphrases used are subject to the same vulnerabilities as seen previously, namely: possibility of fraudulent recovery by keyloggers%.

On the other hand, the access point to the INTERNET network generally depends on the remote access configuration previously carried out on the machine used. In case a connection is created by

<Desc / Clms Page number 3>

 subscription or prepaid card, this connection is not deleted after the session and disturbs the operation of subscriptions previously installed on the host machine.

The method according to the invention: It is characterized by a set of devices which resolve the weaknesses previously mentioned.

The method according to the invention is supported by a CD, removable, non-rewritable medium, usable on any machine of the PC xx86 type having a current CD player.

The only insertion of the CD into the drive automatically triggers, according to the means offered by the BIOS and the commonly implemented operating systems, a series of software operations whose purpose is either to prepare a use of the operating system (OS) to a confidential session, that is to close the session of the operating system in service on the machine used, to then launch an operating system. specific to and residing on the CD, which will not be installed on the hard drive. This owner's O. S. engraved on the CD, cannot be the subject of any fraudulent alteration insofar as the support used is not rewritable. It is not installed on the hard disk, and can be used directly from the CD.

The choice between resident OS or proprietary external OS is made according to the nature of the resident operating system: -If the resident system is unmanaged (of the Windows 95/98, Millenium or XP home-trademarks Microsoft type) the application prepares the session by the temporary installation on the hard disk (the time of the session) of a mini program intended to be executed automatically when the host machine is restarted to complete the deletion of the passage, then neutralize itself.

 If the resident system is of the administered type (Microsoft Windows NT / 2000 / XP registered trademarks), the application identifies the connection characteristics of the host machine in the registry and the specific files, then creates a temporary text file on the hard drive. After which, a loadlin type routine. exe is launched in order to stop the O. S. resident and launch the proprietary operating system directly from the CD.

The opening of the confidential session is subject to a particular password entry device, described below. This password is completely unrelated to any passwords for accessing the various sites accessed.

In addition, the entry point on the INTERNET network can be created specifically automatically on the machine used to obtain a specific temporary entry, which will be deleted from the machine used at the end of the session. This entry point can be created in particular from the characteristics of a standard type prepaid code card. The creation of this temporary remote access connection is carried out in such a way that it circumvents the barriers posed by possible binding subscriptions present on the host machine (a good example of binding subscription is given by AOL-registered trademark-in since it is usually not possible to install a competitor's subscription after this one ...), and that, once the session is over, it does not disturb the proper functioning of said subscriptions. To do this,

<Desc / Clms Page number 4>

 all the characteristics of the subscription (s) present are memorized before the creation and the setting of the temporary connection, with a view to being reinstalled at the end of the session.

On the other hand, the software operations launched include a verification of the integrity of the RAM as well as a verification that the TCP / IP ports of the machine are not under abnormal control. Furthermore, if the application is running under resident O. S., the registry of the resident system is configured to prevent consultation of the CD from a machine on a network other than the host machine.

Under O. S. resident as under O. S. owner, a proprietary browser, itself residing on the CD and not installed nor residing on the hard disk of the machine is then launched.

plusieurs milliers de caractères, protégé contre l'analyse comparative, de façon telle que la possession éventuelle de plusieurs de ces fichiers uniques ne permette pas d'identifier une quelconque algorithmie, ressemblance ou différence répétitive. Then, the identification of the user is determined from a specific, unique file, from

several thousand characters, protected against comparative analysis, in such a way that the possible possession of several of these unique files does not make it possible to identify any repetitive algorithm, resemblance or difference.

This unique strong identification file is, of course, neither installed nor resident on the hard drive.

It should be noted that the strong identification of the user can be constituted in various ways, qualified certificate, identifier of indefinite length, graphic file, or others ...

Thus, none of the information specific to the identification of the user is installed on the hard drive, and does not give rise to any temporary file whatsoever, and cannot be subject to fraudulent recovery after departure. of the user.

Password entry device according to the invention: One of the weaknesses of the existing solutions identified above relates to the fact that any keyboard entry is liable to fraudulent recovery by spying on the keytogger keyboard, by TEMPEST effect of monitoring '' electromagnetic emissions, or even in public places, by keypad surveillance camera.

Also, the input device according to the invention does not use the keyboard, but only the mouse pointer.

The application developed for the needs of the device successively displays on the screen a number of panels equal to the number of characters in the password.

Each of its panels is positioned randomly on the screen, waiting for a click-mouse, then disappears to make room for the next.

Each of these panels shows all of the possible characters, for example alphabetic characters in lower case, alphabetic characters in upper case and numbers from 0 to 9.

In this way, we can even consider creating passwords designed as sequences of graphic symbols.

Thus, the only events that a keyboard spy application could detect would be limited to click-mouse at an insignificant location on the screen, insofar as the panels appear at

<Desc / Clms Page number 5>

 random locations and that the O. S. being the owner, it is not possible to reconstruct the display logic, which is itself random.

In order to strengthen the defenses of the password identification device, each of the characters thus entered graphically is included in a control loop of several thousand characters, provided with a non-bypassable delay of several seconds.

It is therefore not possible to envisage a break-in by systematic interrogation: for a password of 5 alphanumeric characters, upper and lower case, the number of combinations is close to a billion, and a total exploration time amounting to several hundred years, whatever the computing power of the machine used ...

In addition, this sulky questioning makes it possible to combat the response time comparison techniques, character by character, sometimes used for cracking.

In a particular application of the method according to the invention, called Stealth Remote Access:
The support CD is in business card format, not rewritable, and can be used in any CD or platter CD player.

 An O. S., designed specifically for the application, is resident on the CD and works directly from the CD, if there is a managed operating system on the machine.

 The password entry device includes the randomly positioned display of 5 successive tables of alphanumeric characters (upper case, lower case and numbers).

- The password entry device selects the characters sent by the user by mouse click, without taking the keyboard into account.

 The password control device has a time delay of 5 seconds before confirming or invalidating the entry.

 The password control device manages a loop of 10,000 successive checks, among which are embedded the checks of the 5 characters entered.

 The INTERNET session launch application creates, on the machine used, the configuration of a remote access point thanks to the characteristics of a prepaid INTERNET access card on a specific call number.

 - The INTERNET session launch application includes integrity checking functionalities aimed at ensuring that the machine memory is not corrupted, and that the TCP / IP access ports are not abnormally used. Part of the functionality on the CD is obtained, in particular, by automatic secure connection to one or more sites specializing in anti-virus treatment.

 - The application for launching the Internet session directly opens the home page of a publisher / advertiser site.

 Closing an INTERNET session causes the erasing of the configuration of the remote access connection possibly installed during the session opening and the reinstallation of the parameters of the priority connection previously present on the host machine. Furthermore, in the case of operation under resident O. S., the erasure of the traces of passage is selective: only

<Desc / Clms Page number 6>

 Internet files, history, etc., consulted during the session are deleted, to the exclusion of all other files consulted previously during the session. On the other hand, operations outside the Internet (copy and paste, clipboard, word processing) are also taken into account in the management of erasures. finally the utility originally installed to correct an abnormal interruption of the session is deleted.

Said utility ensures, in the event of an accidental stop during a session, the same functionalities as described above.

Industrial applications: The method according to the invention, in addition to its obvious advantage in the field of personalizing the use of collective machines, such as the creation of constant personalized environments on public machines such as cyber cafes and direct (direct) addressing marketing) of prospects new to the Internet, provides unparalleled security in the field of authentication of Internet service users, and naturally finds many applications in sectors requiring strong identification and easy to use.

In particular, online services from banks, tax administration (VAT declarations, among others), information providers, newsletters, online administrative services, etc.

A particularly interesting application concerns the electronic signature, the legal definition of which stipulates that it must be able to be protected by the signatory against any use by third parties.

Indeed, qualified electronic certificates, devices currently admitted as capable of fulfilling the functions of electronic signature cannot be validly protected against any use by third parties, since they reside on the user's hard drive and can be pirated, and the exponential development of the number of people connected to INTERNET creates every day additional and new risks of amateur, mercenary, and even institutional hacks of all nations.

Claims (7)

CLAIMS * * * 1 / Nomadic method of individual authentication of connection to an INTERNET server using a PC of type xx86, and running directly from the removable medium from a current or proprietary operating system (OS), characterized in that it comprises the following stages: - a) installation on the host hard disk of a utility in order to correct the effects of an abnormal break in session. b) detection of the state of the administration mode of the resident operating system - c) launch of a password control device using displays of randomly positioned sets of characters in which it must select, with the mouse, the characters composing the password, and excluding any keyboard input; d) if necessary, memorization of the parameters of a resident connection and generation of the parameters allowing the creation of a temporary remote access connection to the INTERNET, from the simple entry of the characteristics of a prepaid code card or a subscription; e) establishing a connection with one or more specialized sites intended to check the integrity of the memory of the machine used in order to verify that the memory of the PC used is not infected with viruses or trojans; - f) verification that the TCP / IP ports are not requested without authorization; - g) automatic connection or not, to one or more sites requiring identification; h) identification by exchange of messages using one or more encryption methods; - i) erasure of traces of the session and all types of files used during this one, in the event of operation under resident operating system. -}) possible deletion of the temporary connection created and reinstallation of the parameters of the previously resident connection. k) erasure of the session termination correction utility. 2 / A method according to claim 1, characterized in that step b) results in an automatic choice between the option of operating on the resident operating system or the option of operating on the on-board proprietary operating system. . 3 / A method according to claim 1, characterized in that step c) of password control introduces a systematic delay of several seconds before confirming or invalidating the entry. 4 / A method according to claims 1 and 3 characterized in that the password relates only to the operation of the CD and not to any sites accessed. 5 / A method according to claim 1, characterized in that the generation of the connection of step d) does not introduce any disturbance on the subsequent use of the priority connection previously resident. 6 / A method according to claim 1, characterized in that the identification of step h) is based on an identifier burned on the CD, never installed on the host disk. 7 / A method according to claim 1, characterized in that the erasures of step i) do not concern

 only Internet consultation files, but also all other tasks performed during the session. <Desc / Clms Page number 8>  CLAIMS *** 8 / Removable support for carrying out the steps of the method according to claim 1, characterized in that) is not rewritable. 9 / Computer product program including program code instructions stored on a

 support usable in a computer according to claim 81 comprising programming means for carrying out the steps of the method according to claims 1, 2, 3, 4, 5, 6 and 7.