FR2944400A1 - METHOD OF AUTHENTICATING A SERVER FROM A USER OF A MOBILE DEVICE - Google Patents

Abstract

The invention relates to a method for authenticating a user having a mobile device with a server, comprising: receiving (20) by the server an authentication request request; Sending (22) in response by the server of an image in the form of a matrix of pixels containing an encrypted code in the pixels, the code comprising at least one time stamp value; • reception (24) of the image by the mobile device and extraction (26) by the latter of the code; Generation (28) by the mobile device of a one-time password based on at least the code and a secret code held by the user; • reception (30) by the server of the one-time password; and • validating (32) the password if it has been received at least a predetermined time with respect to the time stamp value, is consistent with the code and at least corresponds to the user authenticating.

Description

METHOD FOR AUTHENTICATION FROM A SERVER BY A USER OF A MOBILE DEVICE

The present invention relates to a method of authenticating a user to a server, the user being in possession of a mobile device. It also relates to a mobile device and a server as well as computer program products operating thereon and implementing the method. The traditional processes of securing access to networks (corporate network, Internet, etc.) consist in validating the identity of a user by using an identifier and a password. This identification is entered on the user terminal, computer or other mobile device (mobile phone, PDA ...) and then circulates on private and / or public communication networks to the information system that authorizes or denies access. This classic authentication quickly showed its limits. Its main weakness lies in the ease with which it can be bypassed: • password copied on paper, • trivial password chosen by users, • password (and sometimes identical identifier) for all services . In addition, various techniques are widespread and constantly evolving to recover these two pieces of information: • an increase in the number of phishing e-mails that contain false hypertext links to, for example, direct bank customers to fake banking web sites. • With keyloggers, Trojans and other spyware implanted surreptitiously into the victim's computer, sensitive user permissions are collected and forwarded to fraudsters.

The rapid progression of the implementation of public access points using wireless communications (cybercafés, train stations, hotels, airports, etc.) increases the risks of user identity theft even more Business staff is now mobile, with a large number of employees who have access to the corporate network from these places or their homes, putting at risk confidential data. The weaknesses of these traditional processes have led to the development of enhanced authentication methods, which involve software and / or hardware solutions. These enhanced methods use a protocol for exchanging data between a security server and the user, a protocol according to which a new one-time password (OTP) is generated for a limited duration of use. whenever a user is authenticated. It is then impossible to reuse the same password during a subsequent authentication. The technology used involves a dynamic change of passwords for each authentication session. It allows user authentication because the generated password is the only user who has a physical device that generates the password. The technology is based on a secret key that exists only in two places: on the user's physical device and on the security server. This secret key can not be captured because it never travels between the security server and the user.

This secret key is used to calculate the passwords to be used to authenticate the user when needed. The calculation is based on time (A) and / or event (B): (A): This technology is based on a real-time clock that is used to generate a unique password. The hardware device automatically generates new passwords with a determined frequency (for example every 60 seconds), using the value of the clock at time t in order to calculate at each connection a unique password. (B): This technology is based on a mechanism, which allows the generation of a unique password for each session. The hardware device then generates a new password only when an event occurs - for example the user presses a button on his key or other hardware device. Whenever the event takes place a counter is incremented and a well-defined algorithm will calculate a one-time password. The specificity of these methods is that they use password generating means in the user; these means are • either purely software, when an application is installed on the user's terminal, it is called software tokens the disadvantage of this method is that the user can connect only on the terminal equipped with the 'application. • Either hardware, when using physical tokens such as smart card, keys with screen, USB sticks, including an algorithm generating a new alphanumeric password with a constant time interval, security grids comprising a double-entry array of which the coordinates (abscissa / ordinate) of the security code change with each connection request. These solutions allow a user to connect from any terminal but require the permanent possession of a dedicated hardware device with the associated risks (loss, deterioration ...). In addition, these solutions require time or event synchronization between the server and the user's password generating means. It would therefore be advantageous to have a strong authentication method by the use of a one-time password which does not have the drawbacks mentioned above, such as the acquisition of a specific device, the locking of access on a given terminal and / or the management of the synchronization. To solve one or more of the aforementioned drawbacks, a method of authenticating a user with a server, said user being in possession of a mobile device, comprises: • reception by the server of a request request of a authentication; Sending in response by the server an image in the form of a matrix of pixels containing an encrypted code in said pixels, said code comprising at least one time stamp value; • reception of the image by the mobile device and extraction by it of said code; • generation by the mobile device of a one-time password based on at least said code and a secret code held by the user; • reception by the server of said one-time password; and • validating said password if it has at least been received within a predetermined time with respect to the time stamp value, is in accordance with the code and at least corresponds to the authenticating user. The authentication method thus has the advantage of using the mobile phone as a hardware for generating the password. The use of this equipment is very widespread and allows the use of strong authentication in consumer applications that may require a high level of security of access (banking, medical ...). In addition, advantageously, the mobile device does not need to be synchronized with the server because the image contains internally the data necessary for the limitation of validity of the password. Particular features or embodiments that can be used alone or in combination are: • the image is sent by the server on a screen and the mobile device receives this image via a camera included in the mobile device or the image is sent by the server to the mobile device via the mobile network; • the image has a 2D barcode containing the code or the code is included by a steganography process in the image; • the mobile device having an identification code thereof (IMEI) and / or a user identification code (IMSI), the one-time password is generated based in addition on the mobile device identification code, user identification code, or a combination of both; and • the code further includes a server identifier.

The use of the identification codes contained in the mobile device such as, for example, the IMEI which is a unique identifier of a mobile phone with the GSM or 3G standard, or the IMSI which is an identifier contained in the SIM card of the telephone and in relation with the subscriber makes it possible to reinforce the security by validating that the device which has carried out the calculation of the password is identified. The transmission of a specific key to the server in the encrypted code advantageously makes it possible to make a link between the mobile device and the server without the mobile device having to store a secret key. In a second aspect of the invention, a mobile device 15 comprises: means for acquiring an image comprising a code; Means for extracting said code; • means for entering a secret code; connected to a password calculator based on said code and said secret code. According to a third aspect of the invention, a server comprises: means for receiving a request for authentication of a user and a password for one-time use; A code generator, said code comprising at least one time stamp value; An image generator comprising in its pixels said code; connected to transmission means of said image; Means for validating said one-time password adapted to verify that said password has at least been received within a predetermined time with respect to the time stamp value, complies with the code and corresponds at least to user authentication.

According to a fourth aspect of the invention, a computer program product having program code instructions recorded on a medium readable by a mobile computer, for implementing the steps of a word generation method of single-use password comprising: • reception of the image by the mobile device and extraction of said code; Generating a one-time password based at least on said code and a secret code held by the user; According to a fifth aspect of the invention, a computer program product having program code instructions recorded on a server computer readable medium for implementing the steps of a user authentication method. at said server, said user being in possession of a mobile device, comprising: • receiving an authentication request request; Sending in response an image in the form of a matrix of pixels containing an encrypted code in said pixels, said code comprising at least one time stamp value; Receiving a one-time password based at least on said code and a secret code held by the user; and • validating said password if it has at least been received within a predetermined time with respect to the time stamp value, is in accordance with the code and at least corresponds to the authenticating user. The invention will be better understood on reading the description which follows, given solely by way of example, and with reference to the appended figures in which: FIG. 1 is a schematic view of a system for implementing a embodiment of the invention; FIG. 2 is a flow diagram of an authentication method according to one embodiment of the invention; FIG. 3 is a schematic view of the operation of an authentication on a server implementing the method of FIG. 2; FIG. 4 is a schematic view of examples of display screens generated by the authentication of FIG. 3; FIG. 5 is a schematic view of the operation of an image recognition on a mobile terminal during the execution of the method of FIG. 2; FIG. 6 is a schematic view of the mobile apparatus of FIG. 1; FIG. 7 is a schematic view of the server of FIG. 1; FIG. 8 is a schematic view of transmission of an encoded image in an alternative embodiment; and FIG. 9 is a schematic view of screens of a mobile terminal in another alternative embodiment. With reference to FIG. 1, the one-time password authentication described hereinafter implements a server 1 connected to a user terminal 3 by which a user 5 wishes to access a service controlled by the server 1, and a mobile device 7 owned by the user 5. The mobile device 7 is typically a mobile phone having a keyboard 9, a display screen 11 and a camera 13 for shooting. The server 1 and the mobile device 7 have means, not shown, programmable calculation as well as data storage means and program. The authentication then proceeds as follows, FIG. 2: reception, step 20, by the server 1 of an authentication request request from the user terminal 3; Sending, step 22, in response by the server 1 of an image in the form of a matrix of pixels containing an encrypted code in the pixels of the image, the code including at least one time stamp value, also called timestamp value • reception, step 24, of the image by the mobile device and extraction, step 26, by it of the code; Generation, step 28, by the mobile device of a one-time password based on at least the code and a secret code held by the user; • reception, step 30, by the server of the one-time password; and • validating, step 32, the password if it has at least been received within a predetermined time with respect to the time stamp value, is consistent with the code and at least corresponds to the user authenticating. These steps will now be described in more detail in the context of an embodiment using a 2D barcode as a code support image.

The mobile device 7 includes a mobile application that can be installed on the various mobile phones on the market and capable of image processing. The application is thus available on different software platforms used by mobile phone manufacturers such as, for example, J2ME, WM, Symbian, MacOs and BREW.

The mobile application for generating the unique password is included in a 2D barcode image reader and uses a tag contained in the barcode to launch a one-time password generation interface. The mobile application performs the following steps: • shooting the image of the 2D barcode; • decoding the barcode; • detection of the tag in the data resulting from the decoding; • interpretation of the data according to the tag; • display of an interface for entering the password; • generation of the one-time password using the password and barcode data • display of the password on the mobile screen The mobile application can be installed on a mobile phone by positioning on a server WAP a page with the link to the file to download, specific to each phone. Another solution is to load and install the application directly via the USB cable or via Bluetooth. On the server, FIG. 3, a server application, for example written in PHP, is capable of generating encrypted 2D bar codes 40.

Classically, there are two widely used types of 2D barcodes: Datamatrix or QR code. The Datamatrix has the advantage of being easy to read and to compress data easily. The QR code has the advantage of guaranteeing the reading of codes on Asian mobiles.

The 2D barcode 40 contains a code 42 which is a hash value of a secret key SK of the server and a timestamp data Ts. The latter is, for example, on a Unix / Linux server the Epoch time of the system clock. As a reminder, the Epoch time corresponds to the number of milliseconds elapsed since January 11, 1970.

The hash is performed by one of the many known hash functions such as MD5, SHA-1 or HMAC. Thus, upon receipt of an authentication request, the server presents the user with an access authorization window 44 comprising the 2D barcode, a countdown 46 indicating the validity period of the 2D barcode. and a form 48 comprising a user identification field ID 50 and a field 52 for entering the one-time password Pwd. The server also contains an application 54 capable of verifying the one-time passwords and a database 56 for archiving the authentication data of the users. The interaction with the database is performed by standard SQL queries to maintain applications independent of the type of database used. Using stored procedures can increase the level of security, but at the expense of a link from the application to a specific database. The application 54, upon receipt of the identification and password fields of the form 48 verifies: • that the password corresponds to the code contained in the 2D barcode; • receipt has taken place within the validity window; • that the identifier and the password correspond indicating that the user has used his personal secret code.

This validation is typically performed by performing the same calculations as the mobile terminal based on the data contained in the database 56, identifier and secret code of the user, and the encrypted code in the 2D barcode.

If, for any reason, the user does not enter the data in the expected validity time window, FIG. 4, the authorization window 44 is replaced by a window 60 indicating that the validity period has expired and that a new code will be generated. At the level of the user, FIG. 5, the latter, via the camera integrated in his telephone, will read the generated 2D code transmitted by the server and which is displayed on the screen of his computer. The mobile application then presents a screen 72 indicating that it has acquired the code. She then presents him with an entry screen 74 enabling him to enter his personal secret code. Given the keyboards of current phones, this secret code is composed of a series of numbers but this is not limiting as the new generations of mobile phones offer keypads more and more ergonomic and providing a game full alphanumeric characters. The mobile application then displays on a screen 76 the one-time password generated according to an algorithm based on the following parameters: • the data encrypted in the 2D barcode, namely the unique key of the server SK and the data of d temporal stamp Ts; The secret code provided by the user which is also saved in the database 56 of the server; Thus, the mobile device comprises, FIG. 6: means for acquiring an image comprising a code, such as the camera 13; Code extraction means 60; Means 9 for entering a secret code; connected to a password calculator 62 based on the code and the secret code. And the server 1 comprises: means 70 for receiving a user authentication request and a one-time password; A code generator 72, the code comprising at least one time stamp value; An image generator 76 comprising in its pixels the code; connected to means 78 for transmitting the image; Means for validating the one-time password adapted to verify that the password has at least been received within a predetermined time with respect to the time stamp value, is in accordance with the code and corresponds at least to user authentication. In a first variant, the one-time password is generated by the mobile application also using the International Mobile Equipment Identity (IMEI) number, which is also stored in the mobile database. data 56 from the server. This IMEI number is a unique number assigned to each mobile phone and is stored in a database generally managed by operators and used particularly to fight against theft.

The password validation server application then also integrates the IMEI number contained in the database 56 among the calculation parameters. Integration into the IMEI authentication process of the mobile phone minimizes the risk of identity theft in the event of loss or theft. Indeed, the mobile operators then disable the operation of the device stolen or lost on call. In a second variant, the IMEI number may be replaced by the International Mobile Subscriber Identity (IMSI) number, which is a subscriber identification number contained in the smart card integrated into the mobile telephone. , smart card also called SIM card (Subscriber Identity Module).

The use of IMEI and IMSI numbers can be combined to further enhance the security of authentication. In a third variant, the image of a 2D barcode is replaced by any image in which the encrypted code is inserted by steganography. The pixels of the image are thus modified without this necessarily being visible by the human eye while being detectable by a suitable recognition algorithm. In a fourth variant, FIG. 6, the image is not transmitted via the authentication terminal and an image is taken by the mobile phone's camera, but it is sent directly to the mobile phone 7 via the telephone network, for example in the form of a Multimedia Message Service (MMS) or by using the possibilities of access to the internet of the mobile phone such as the WAP protocol. FIG. 7 illustrates a combination of the third and fourth variants in the form of a succession of screens of the mobile telephone 7. The screen 80 illustrates the reception of an image containing the server code and the encrypted time stamp value. by steganography in its pixels. The screen 82 corresponds to the entry of the secret code of the user, once the application installed on the mobile phone 7 has decrypted the values contained in the image. And the screen 84 corresponds to the display screen for the one-time password to be provided to the authentication form. The invention has been illustrated and described in detail in the drawings and the foregoing description. This must be considered as illustrative and given by way of example and not as limiting the invention to this description alone. Many alternative embodiments are possible. For example, and in particular, the method can provide the usual management techniques of authentication failures such as, for example, the blocking of the account after a predetermined number of consecutive failures accompanied or not, a recovery procedure / unblocking the account.

In the claims, the word comprising does not exclude other elements and the indefinite article one / one does not exclude a plurality.

Claims (8)

REVENDICATIONS1. A method of authenticating a user to a server, said user being in possession of a mobile device, comprising: receiving (20) by the server an authentication request request; Sending (22) in response by the server of an image in the form of a matrix of pixels containing an encrypted code in said pixels, said code comprising at least one time stamp value; • reception (24) of the image by the mobile device and extraction (26) by it of said code; • generation (28) by the mobile device of a one-time password based on at least said code and a secret code held by the user; • reception (30) by the server of said one-time password; and • validating (32) said password if it has at least been received within a predetermined time with respect to the time stamp value, is consistent with the code and corresponds at least to the user authenticating. 2. Method according to claim 1, characterized in that the image is sent by the server on a screen and the mobile device receives this image via a camera included in the mobile device. 3. Method according to claim 1, characterized in that the image is sent by the server to the mobile device via the mobile telephone network. 4. Method according to claims 2 or 3, characterized in that the image comprises a 2D barcode containing the code. 5. Method according to claims 2 or 3, characterized in that the code is included by a method of steganography in the image. 6. Method according to any one of the preceding claims, characterized in that the mobile device comprising an identification code thereof (IMEI) and / or a user identification code (IMSI), the A one-time password is generated based in addition on the mobile device identification code, the user identification code, or a combination of both. 7. Method according to any one of the preceding claims, characterized in that said code further comprises an identifier of said server. Mobile apparatus comprising: acquisition means (13) for an image comprising a code; Extraction means (60) for said code; Means for inputting (9) a secret code; connected to a password calculator (62) based on said code and said secret code. 12. Mobile device according to claim 8, characterized in that it further comprises a storage memory of an identification code of said mobile device (IMEI) and / or a user identification code (IMSI). said calculator being adapted to further calculate the password from said mobile device identification code, said user identification code, or a combination of both. 13. Server comprising: means for receiving (70) a request for authentication of a user and a password for one-time use; A code generator (72), said code comprising at least one time stamp value; An image generator (76) comprising in its pixels said code; connected to means (78) for transmitting said image; means for validating (79) said one-time password adapted to verify that said password has at least been received within a predetermined time with respect to the timestamp value, conforms to the code and at least matches the authenticating user. A computer program product having program code instructions recorded on a device readable by a mobile computer, for carrying out the steps of a one-time password generation method comprising: • receiving the image by the mobile device and extracting said code; Generating a one-time password based at least on said code and a secret code held by the user; A computer program product having program code instructions recorded on a server computer readable medium for implementing the steps of a method of authenticating a user with said server, said user being possession of a mobile device, comprising: • receiving an authentication request request; Sending in response an image in the form of a matrix of pixels containing an encrypted code in said pixels, said code comprising at least one time stamp value; Receiving a one-time password based at least on said code and a secret code held by the user; and • validating said password if it has at least been received within a predetermined time with respect to the time stamp value, is in accordance with the code and at least corresponds to the authenticating user.