FR2923110A1 - Client device e.g. mobile telephone, authenticating method for internet network, involves receiving response message by server device, and continuing communication between server device and client device, if response message is valid - Google Patents

Abstract

The method involves sending a challenge message by a server device using a transport layer security (TLS) protocol, after sending a digital certificate of the server device. The challenge message is received and resolved by a client device. A response message for the challenge is produced and sent via the protocol by the client device. The response message is received by the server device. Communication between the server device and the client device is continued, if the response message is valid.

Description

Advanced secure authentication of a mobile client

The subject of the invention is a method for authenticating a client via the TLS and WTLS protocols. The field of the invention is that of authentication. More particularly, the field of the invention is that of the secure authentication of a client by a server. By secure means here obtaining two guarantees: -authentification of clients and server, ends of the channel through which the data exchanged between the client and the server transit; - securing the data itself against tampering and interception. By server is meant an application implemented by a device connected to a telematic network. The device implementing the server is computer type that is domestic, professional or hardened to obtain a high quality of service. The interesting features of such a device relative to the description of the invention are that said device comprises a microprocessor, a program memory and connection circuits to the telematic network. The program memory then comprises instruction codes corresponding to the server. These instruction codes are executed by the microprocessor which is able to control at least the connection circuits to the telematic network. The server is therefore able to handle requests reaching it in the form of messages formatted according to a protocol via the telematic network. The server is therefore also able to produce response messages to requests received via the telematic network. Typical server examples are servers: - Web, ie servers operating according to the HTTP protocol (hypertext transfer protocol, for hypertext transfer protocol), - messaging, that is to say servers operating according to protocols of the POP, SMTP, IMAP type ... - streaming, that is to say of video broadcasting allowing the diffusion of animated multimedia programs in real time through a telematic network, - application, it that is to say, for example, a so-called dynamic web server 35 capable of performing advanced processing in response to requests received, this list not being of course not exhaustive. By client is meant an application implemented by a device connected to a telematic network. The device implementing the client is of the telephone personal computer type, mobile phone, personal assistant and more generally any device capable of connecting to a telematic network. Such a device comprises a microprocessor and a program memory comprising instruction codes corresponding to the implementation of the client application. The best-known customers are Internet browsers and email clients that connect to web servers and mail servers respectively. In a more general way, we call Client any application capable of communicating with a server. In practice the client and the server are confused with the devices that implement these applications. Thus, in this document, when speaking of an action performed by the client or the server, this is in fact carried out by a microprocessor of a device comprising a program memory in which instructions codes corresponding to the client are recorded. or to the server.

The execution of these instruction codes corresponds to the implementation of the client or the server. In the state of the art the dialogues between a client and a server are well known. The most common of these dialogues is the one that is established between an Internet browser, or simply browser, and a web server. We note here that the envisaged telematic network is the Internet network. In practice, the field of the invention extends to any type of data exchange network that is open, such as the Internet, or closed like a home local area network, an enterprise premises network or a home network. a fixed / mobile telephone operator.

These dialogs allow the deployment of services. This is a provider that offers a service via a server. Among these services we know: - online shops, - thematic portals, for example a general and collaborative encyclopedia, a site specialized in a field of activity, ... - the interfaces of consultation and management of administrative data, among these interfaces are the sites of subscription to a service. this list is not exhaustive either.

To make these services attractive we seek to reassure potential users about their effectiveness and safety. Indeed with the development of Internet-type open networks new types of scams have emerged. One of the most harmful is currently known as phishing. It is for the scammer to imitate a real reputable site and attract users to this site. Users of the real site then believe to be on the usual site when in fact they are in communication with a malicious copy of the real site. All information that users enter then is accessible to the scammer. Less common scams involve intercepting data streams to read content. In this case, it is no longer worth bothering to imitate a site to mislead the user. Another problem that has arisen is the trust that providers can place in their client or, more accurately, the users of their online services who try to become their client but with malicious intent or by usurping an identity. The person whose identity was usurped then files a complaint and wins the case in most cases, which is an injury to the claimant who must compensate the person although the claimant is in good faith. In the state of the art, to solve these security problems service providers deploy their server using secure protocols for authentication of servers and clients, as well as the encryption of exchanged data. The protocols used are then SSL or TLS. These protocols are described by many sources, including for example the Wikipedia online encyclopedia. We recall here the bases of these protocols. The Transport Layer Security (TLS) protocol, formerly known as Secure Socket Layer (SSL), is a secure Internet exchange protocol, originally developed by Netscape (SSL version 2 and 2). SSL version 3). It was renamed Transport Layer Security (TLS) by the IETF in 2001.

The working group corresponding to the IETF has enabled the creation of RFC 2246. There is very little difference between SSL version 3 and TLS version 1 (which corresponds to version 3.1 of the SSL protocol), however enough to make both non-interoperable protocols. However, TLS has implemented an upward compatibility mechanism with SSL. In addition, TLS differs from SSL in symmetric key generation. This generation is more secure in TLS than in SSL v3 since no algorithm step relies solely on MD5 for which some weaknesses in cryptanalysis appeared. By abuse of language, we speak of SSL to denote either SSL or TLS. TLS operates in a client-server mode. It provides four security objectives: - server authentication, - confidentiality of exchanged data (or encrypted session), - integrity of data exchanged, - optionally, client authentication with the use of a digital certificate.

It can be seen that the TLS protocol solves all the problems, provided that the user carries a digital certificate. In the majority of cases, the user authenticates the TLS server to which he connects. This authentication is achieved through the use of an X509 digital certificate issued by a trusted authority (CA). But more and more web applications are now using client-side authentication using TLS. To do this, the client station must also have a certificate. It is then possible to offer mutual authentication between the client and the server. The client certificate can be stored in software format on the client computer or in hardware format (smart card, USB token) to increase the security of the TLS link. This solution makes it possible to offer strong authentication mechanisms. X.509 is a cryptographic standard of the International Telecommunication Union for Public Key Infrastructure (PKI). X.509 establishes, among other things, standard electronic certificate formats and an algorithm for certification path validation.

This standard poses a problem because it assumes that there are as many certificates as there are potential users. Except a certificate is based on: - a certificate authority guaranteeing the validity of the certificate, - an encryption key pair to achieve asymmetric encryption.

These two features are blocking the generalization of this solution to a mobile network with millions of users. Indeed, it would then be necessary to manage a large list of revocations, a so-called CRL list for Certificate Revocation List, for the management of corrupt, pending or invalid certificates. It should also be able to produce as many pairs as users. This is virtually impossible considering means compatible with a commercial exploitation to allow all to adopt this solution. In the invention, these long-standing problems are solved by exploiting a peculiarity of the TLS protocol which then presents in this type of application an unexpected technical effect since, properly used, this characteristic makes it possible not to have to resort to the mechanism of the certificates. to authenticate the client. The invention therefore exploits the possibility offered by the TLS protocol to be able to transmit information at the same time as the server's certificate. Here at the same time it is necessary to understand in the same protocol phase. One consequence of this is that the TLS protocol then makes it possible to perform client authentication that is not based on an X.509-type digital certificate. According to the invention, this information is a challenge that will have to be correctly solved by the client, this correct resolution allowing the authentication of the client by the server. This authentication is therefore performed via the TLS protocol, but without resorting to a client certificate. In practice the challenge is solved by a SIM card (Subscriber Idenrification Module of the device implementing the client). The subject of the invention is therefore a method of authentication, by a first device implementing a server application, of a second device implementing a client application, the first and second devices being connected via a telematic network using the TLS protocol, characterized in that: - after issuing its digital certificate the first device sends, using the TLS protocol, a challenge message, - the second device receives the challenge message, - the second device resolves the challenge message , produces and transmits via the TLS protocol a challenge response message, - the first device receives the response message and, if the response message and validates, continues the communication with the second device. In a variant, the method according to the invention is also characterized in that the challenge message is transmitted via the Handshake sub-protocol of the TLS protocol. In a variant, the method according to the invention is also characterized in that the resolution of the challenge is performed by a microcircuit card embarked by the second device. In a variant, the method according to the invention is also characterized in that the microcircuit card is an international subscriber identification card issued by a telecommunication operator.

In a variant, the method according to the invention is also characterized in that the response message is transmitted via the Handshake sub-protocol of the TLS protocol. The invention will be better understood on reading the following description and reading the figures that accompany it. These are presented as an indication and in no way limitative of the invention. The figures show: FIG. 1: an illustration of means allowing the implementation of the invention. Figure 2: an illustration of steps of the method according to the invention. Figure 1 shows a first device 101 server. The device 101 comprises at least: a microprocessor 102, a certificate memory 103, a program memory 104 and connection circuits 105. The elements 102 to 105 are interconnected via a bus 106. The circuits 105 enable the device 101 to be connected to a telematic network, here the Internet network 107. The circuits 105 provide the interface between the signals received via the network 107 and the signals received via the bus 106. The memory 104 is divided into several zones, each zone 35 comprising instruction codes corresponding to a function of the device 101. 104 comprises at least: a zone 104a corresponding to the implementation of the TLS protocol, a zone 104b corresponding to the implementation of a server application, for example a web server, a zone 104c corresponding to the management of the server. a challenge according to the invention. We talk about the TLS protocol, but we must understand SSL, TLS or equivalent, as every time we talk about TLS and SSL. Figure 1 shows a second device 108 client. The device 108 comprises at least: a microprocessor 109, a program memory 110 and connection circuits 111. The elements 109 to 111 are interconnected via a bus 112. The circuits 111 are equivalent to the circuits 105. They enable the device 108 to be connected to the network 107. The memory 110 is divided into several zones, each zone comprising instruction codes corresponding to a function of the device 108. The memory 110 comprises at least: a zone 110a corresponding to the implementation of the TLS protocol, a zone 110b corresponding to an implementation of a client application, for example a web browser. In our example, it is considered that the device 108 is a mobile device. A mobile device is a device connectable to a mobile telephone network, for example a mobile phone, a personal assistant or a computer comprising a modem enabling it to connect to a mobile telephone network. For the device 108, the circuits 111 are therefore circuits according to one of the mobile telephony standards, whether of the second generation (GSM), the second generation and a half, the third generation (UMTS) or a future generation. . Figure 1 also shows that the device 108 comprises a microcircuit card 112. The microcircuit card 112 comprises at least: a microprocessor 113, a program memory 114 and connection circuits 115. The elements 113 to 115 are interconnected via a bus 116. The memory 114 is divided into several zones, each zone comprising instruction codes corresponding to a function of the card 112. The memory 114 comprises at least: a zone 114a corresponding to the answer to a challenge. FIG. 1 does not illustrate other useful elements of the device 108 such as, inter alia, its input / output peripherals enabling a user to use the device 108. These devices are at least a keyboard and a screen. It is already noted that the invention proposes to perform client authentication, but that the device implementing the client does not include a certificate specific to authentication via the TLS protocol. Figure 2 illustrates a preliminary step 201 in which the client issues a ClientHello message to the server. In practice this action is triggered, for example, by an action of a user of the device 108 causing the implementation of the client 110b. This action is, for example, the activation of a URL (Universal Resource Locator) designating a secure server. Such a URL is in the form: https://mabanque.fr This URL implies that the protocol to use is the https protocol, that is to say the secure http protocol through the SSL / TLS protocol. Activation of this URL causes the client application to execute, which will interpret the link and initiate a dialogue with the server identified by mabanque.fr according to the https protocol. The first message in this dialog is the ClientHello message. This is the initiation of a dialogue according to the HandShake sub-protocol (handshake) of the TLS protocol. The purpose of this protocol is to determine the parameters of a dialog session between a client and a server. In a step 202, the server 104b receives a ClientHello message and responds with a ServerHello message. In a step 203 following step 202 the client 110b receives the response from the server.

The client and server now know that they can understand themselves according to the https protocol, a session is open on both sides. This session is, among other things, a memory resource allocation for saving communication parameters such as encryption keys or states informing about the status of the dialogue. In practice, a message has a header and a body. These are formatted according to a protocol. The header comprises at least: - an identifier of the recipient for routing the message in the network, - an identifier of the sender allowing the recipient to respond thereby becoming a sender, and - a protocol identifier also known as the port identifier name providing information on the processing to be applied to the message. After step 202 the server 104b continues the dialogue by issuing, in a step 204 and to the sender of the ClientHello message a Certificate message. The message Certificate contains the certificate of the server, that is to say the contents of the memory 103. After the step 202 the server 104b continues the dialogue by emitting, in a step 205, according to the invention and to the Transmitter of the message ClientHello a message RAND (random challenge). The RAND message comprises a challenge that will have to be passed by the client 110b so that the dialogue between said client and the server 104b can continue. After the steps 204 and 205, the server 104b continues the dialogue by sending, in a step 206 and to the sender of the ClientHello message, a ServerHelloDone message (the server said hello). This message indicates that the server 104b will not send any more messages and waits for responses from the client 110b. If this wait exceeds a predetermined time then the server 104b resets the session. In this case, to resume the dialogue a customer will have to start again at step 201.

In a step 207 following step 204, the client 110b receives the digital certificate of the device 101 via the Certificate message and uses this digital certificate to: - carry out validity checks of said certificate with a Trust Authority, - secure its subsequent communications with the server 104b.

This security is achieved by encrypting the data using the public key of the certificate, so only a device knowing the private key of the certificate can read this information. In a step 208 following step 205 the client 110b receives the RAND message and stores the content therein. In a step 209 following step 206 the client 110 receives the ServerHelloDone message. After step 209, in a step 210, if the result of step 207 has proved satisfactory, then client 110b tries to resolve challenge 10 received in step 208. The result is satisfactory at least if the certificate submitted is not revoked. In step 210 the microprocessor 109 transmits the contents of the RAND message to the microprocessor 113. The microprocessor 113 then implements the instruction codes of the area 114a to produce the RES content of an SRES message. The RES content is provided to the client 110b which produces the SRES message sent in response to the RAND message. In a step 221 following step 210 the server 104b receives the message SRES is therefore access to the content RES. The RES content is a function F of the contents of the RAND message and of data identifying the SIM card 112. The processing of the SRES message by the server 104b thus makes it possible to authenticate the legitimate bearer of the card 112. The function F is a secret shared by the SIM cards and the server devices involved in the implementation of the invention. In one variant of the invention, the A3 / A8 algorithms which are natively present in a SIM card are used because they are the algorithms used for the authentication of the subscribers in the mobile telephone networks, as defined in the GSM documents. 03.20. In this case, the algorithm A3 is used to produce the RES content using an encryption key produced by the algorithm A8. After step 211, if the SRES message satisfies the server 104b the dialogue continues according to the HandShake sub-protocol by encryption key exchange steps and more generally encrypted message format parameters in order to define according to which encryption the data will be exchanged during the next dialogue.

This handshake ends with a finished message after which the client and server continue the dialogue by applying the parameters determined in the previous steps. The invention is particularly interesting because the sending of the RAND and SRES messages is carried out using the TLS protocol without any need to modify it. There is no impact of deployment on the network or risk of incompatibility. In particular, in a variant these messages can be sent via the sub-protocol Alert (Alerte) not used the TLS protocol to issue asynchronous messages during the handshake. We note here that this is only a possibility, transmission of these messages. Another variant is to use frames. The invention is still interesting because the authentication of the client is linked to a smart card whose reputation for safety is second to none. Such a card is in particular a SIM card distributed by a mobile operator. The impact of the invention on a pre-existing mobile telephony network is therefore minimal. It suffices to adapt the protocol layers of the terminal devices implementing the invention, the rest of the network being already able to route frames according to the TLS protocol.

In the invention, the RAND message replaces the CertificateRequest message usually issued by the server when the server wishes to identify and authenticate the client. This phase is commonly called mutual authentication. The user no longer has to ask (a trusted authority different from his telecommunication operator) and install a certificate on his communication device. An authentication mechanism is provided with its SIM card without the operator producing the card needs to deploy a PKI infrastructure. The invention has been described in connection with a connection of a browser to a web server. Of course, since the SSLITLS protocol can be used by any type of client and server this example of implementation is not limiting of the invention.

Claims (5)

1 - Method of authentication, by a first device implementing a server application, of a second device implementing a client application, the first and second devices being connected via a telematic network using at least the TLS protocol, characterized in that: - after issuing its digital certificate the first device sends, using the TLS protocol, a challenge message, - the second device receives the challenge message, - the second device resolves the challenge message, produces and transmits via the TLS protocol a challenge response message, - the first device receives the response message and, if the response message and validates, continues the communication with the second device. 2 - Process according to claim 1, characterized in that the challenge message is transmitted via the Handshake sub-protocol of the TLS protocol. 3 - Process according to one of claims 1 or 2, characterized in that the resolution of the challenge is performed by a microcircuit card embarked by the second device. 4 - Process according to claim 3, characterized in that the microcircuit card is an international subscriber identification card issued by a telecommunication operator. 5. Process according to one of claims 1 to 4, characterized in that the response message is transmitted via the TLS protocol Handshake sub-protocol.