FR2964762A1 - SECURITY AUTHENTICATION METHOD BASED ON CHALLENGE-RESPONSE TYPE OTP - Google Patents

Abstract

A method of generating a unique password for accessing an information processing system (IHS) at a site on an intranet or the Internet, said method comprising the steps of: a ) preparing a password from a seed and a user password; b) a sequence of N hash operations applied to the result of said preparation; c) formatting the result to facilitate its transmission; characterized in that said seed is produced by means of a quantum generator operating on the principle of a photon capable of passing through a semi-reflecting mirror.

Description

l Challenge-Response OTP-based secure authentication method Technical field

The present invention relates to authentication methods and techniques on the Internet, and in particular to a secure authentication method based on OTP of the challenge-response type. State of the art The development of fraud on the Internet network highlights the fundamental issue of security, including that of authentication.

In fact, identity theft is multiplying on the network of networks and fraud is becoming widespread as online transactions and the transmission of sensitive personal information develop.

If the use of the bank card in the traditional trade is protected by the high efficiency of its "chip" associated with the corresponding PIN code, the "game" of the same card on the Internet, without involving the mechanisms of its "chip", exposes it much more significantly to fraud and potential misappropriation.

To fight against online fraud, specialized organizations (CNIL in France, APACS in the United Kingdom, FFIEC in the United States) therefore encourage the use of strong authentication, in which at least two independent factors are controlled to give access to a service, an application or an online payment: on the one hand a couple identifier / password, "what I Mobilegov 45 -2-

know, "on the other hand a material element" what I own "or a biometric element" what I am ". Each of the two (or three) factors must be handled and routed securely.

Strong authentication uses one of two major families of architectures, PKI Public Key Infrastructures or One Time Password (OTP).

OTP-type techniques are subdivided into three families: First, counter-based OTPs have been popular in the past but are now out of date because their efficiency is quite relative.

Then there are time-based, or synchronous, OTPs that are particularly effective but pose many difficulties for authentication system designers, including time synchronization problems between the authentication server and the user's system.

In the third category are the OTPs referred to as CHALLENGE -RESPONSE for establishing a dialogue between the user and the server.

The fundamental principles of the challenge response-based OTP are more particularly described in the normative document RFC 2289 entitled "A One Time Password System".

In this system of the OTP based on challenge / response, the password is no longer chosen by the user but automatically generated by a method of "pre-calculated" (that is to say that one pre-calculates a number of passwords that will be used later).

Figure 1 illustrates the schematic diagram of the OTP generation which, as we recall, is done in three steps: Mobilegov 410 -3- - A preparation that takes into account all the user data: the seed and the password.

- The generation of applying the hash function n times on itself, n being the number of sequences.

- The formatting of the result, which transforms the obtained data of length equal to 64 bits into a password based on ASCII characters, ie readable by the man.

The OTPs are thus calculated from three data which are:

- A public data (word or short sentence for example), chosen by the administrator. This is called seed or seed in English.

- A sequence number: it is a number relative to the connection number or a counter, quite simply. It is this parameter that makes the password unique: The OTP of the connection no. 587 is not the same as the one of the connection no. 586 or 588.

. A user password, known only to him, which will be used to authenticate him. If the user retains the "user password", it is in principle the secure site to which access is requested that provides the seed and the sequence number, these two elements forming, with the identification of the algorithm of hash used, the parameters of the challenge. Therefore, in response to the challenge, which is for example in the form:

otp-md5 498 ge8086 with Mobilegov 4 30 -4-

- otp-md5: indicating that it is an OTP calculated in MD5. - 498: this is the current sequence number. - ge8086: it's the seed.

The user is able to provide the particular element of the generated OTP sequence to validate its authentication, without having to transmit the "user password".

lo The user must calculate the answer to the challenge through a program (eg WinKey). It then sends the result of its calculation to the server. On the server side, the system has a file that contains, for each user, the last valid OTP used for authentication. Since the sequence number decreases with each connection, it suffices for the server to check the validity of the user OTP, to apply the hash function on the last valid OTP stored and to check the result with the new OTP presented by the user.

If the result is correct, the user is presumed to be authenticated. Figure 2 more particularly illustrates a variant which is the OTP Token based on a Challenge / Response mechanism. These tokens use, in addition to the shared secret, a pseudo-random number generated by the authentication server. The client receives this challenge or nonce and responds to it to the server. A PIN code is then used as the second authentication factor. The PIN code can be entered on a mini keyboard. These tokens are defined as so-called asynchronous technology. Challenge-response OTPs are very popular because of the simplicity of their implementation. This technique is however more exposed than that of the time-based OTP.

Mobilegov 4 15 In the years that have passed, efforts have been made to increase the robustness of the password generation system, and correlatively Challenge-Response procedures, with the aim of improving the security of the system. authentication procedures. The aim of the present invention is to propose a definitive solution that makes it possible to significantly increase the security of the OTPs based on challenge-response, and thus to reinforce the robustness of the mechanism that tends to become a leader on the market. 10

SUMMARY OF THE INVENTION The object of the present invention is to propose a mechanism of WBS of the CHALLENGE-RESPONSE type that is particularly robust to the attacks to which it is likely to be exposed.

Another object of the present invention is to provide an authentication method using an authentication server making it virtually impossible to determine the OTP.

A third object of the present invention is to provide a hardware device capable of serving as an authentication web server and having a particularly robust robustness with respect to attempts to defeat a password.

A fourth object of the present invention is to provide an authentication web server 30 for the generation of enhanced challenge response in order to increase the security of one-time passwords.

The invention achieves these goals by means of a method of generating a unique password allowing access to an information processing system (I.H.S.). Mobilegov 45 -6-

to a site on an intranet or the Internet, said method comprising the following steps: a) preparing a password from a seed and a user password; b) a sequence of N hash operations applied to the result of said preparation; c) formatting the result to facilitate its transmission;

The method is characterized in that said seed is produced by means of a quantum generator operating on the principle of a photon capable of passing through a semi-reflecting mirror.

In a particular embodiment, the OTP is generated from digital information (ADNN) generated from a collection of data representative of the hardware components present in the system (IHS) and reported by the system. exploitation, said digital information being the result of a hash on the raw data reported by the operating system.

The invention also makes it possible to produce a device for generating a single pass word comprising: means for preparing a password from a seed provided by a site and a word user password; means for producing a sequence of elementary N hashes applied to the result of the preparation; Means for formatting the result of the hash; said device being characterized in that it comprises a quantum generator for generating said seed.

In a particular embodiment, the device is in the form of a sealed housing incorporating the quantum generator and has a USB connector for direct connection to a computer and communication of the one-time password. Mobilegov 4 Description of the drawings

Other characteristics, purpose and advantages of the invention will become apparent on reading the description and the drawings below, given solely by way of nonlimiting examples. In the accompanying drawings:

FIG. 1 illustrates the basic principle of the generation of a challenge-response OTP. FIG. 2 represents illustrates a variant, namely the OTP Token based on a Challenge / Response mechanism.

Figure 3 illustrates an embodiment of an OTP system according to the present invention.

Figure 4 illustrates an example of a known pseudo-random generator. FIG. 5 illustrates a comparative test of the quality of the random generated by the process according to the invention. FIG. 6 illustrates a particular method advantageously using the quantum seed with reference numerical information such as the digital DNA 25 . -7 Mobilegov 4 15 -8-

Description of a preferred embodiment

On the strength of the success of challenge-response OTPs, the inventors have made an in-depth study of the shortcomings of such an OTP, which, as mentioned above, is tending to become a major process on the market. authentication.

There are many possible attacks on OTPs, but as you read this document, you will understand that the main flaw lies in the generation of lo random numbers. All security is based on the fact that the hacker will not be able to determine the next known number on the server. The other very important flaw is human, in most systems of WBS (RSA for example), the user himself enters the code and this trace is at the origin of possible attacks. Here is the main list of attacks on OTP that can be recorded:

Trojan attack and keylogger It is enough "to put a trojan or keylogger on the post of the user 20 victim, to manage to recover the password of this one.

The skeykeys file If the hacker has his hand on the server, he may exploit a vulnerability. If the file / etc / skeykeys is available to read for the hacker, here is what it finds: login number Hex representation of the answer Date Seed time sequence of the challenge (the last OTP used) Jun xv 5235b 5b3c89552aa09435 25, 05 : 30: 15 victim 985 2001 The hacker then gets the login and the hexa representation of the OTP. With this Mobilegov 4 25 -9-

representation, it can create a tool that will generate the answer to the challenge according to a dictionary or brute force (see below). Attack by sniffing The OTP is sent to the server in the clear. It is therefore possible to recover the answer to the challenge and proceed to a dictionary or brute force attack (see below).

Dictionary Attack The dictionary attack calculates the challenge response based on a number of words previously stored in a large file. These words will be used as the password of the user. If the result of the calculation is identical to the answer of a past challenge, then the word used in the dictionary is the password of the user.

15 Brute force attack, Exactly the same principle as for dictionary attack. It is longer, but it is still possible ... Attack by the middle 20 This attack is for the hacker to have the hand on a machine that transmits the authentication of the session. It is an intermediate machine. In this case, the hacker can listen to the passing frames and identify the challenge and the answer. Again he can use cracking by dictionary or brute force. This method is like sniffing. 25 Spoofinq Attack The spoofing technique, in this case, is to pretend to be the server. It is an attack by the middle (see above), but a little more evolved. Indeed, it is necessary to simulate exactly the behavior of the server. This recovers the counter (sequence number) and the answer to the challenge. It is then possible to exploit this by two different techniques: - Either try to find the user password by dictionary and brute force Mobilegov 4 -10-

- Either the attacker knowingly used a sequence number lower than what the server really wants. In this case, the attacker can then use a number of connections, to the detriment of the user, equal to the difference between the real server sequence number and the wrong sequence number of the attacker. This attack is easily detectable for the victim user because he realizes that the server is not functioning properly. On the other hand, for the hacker, the recovered data are directly exploitable. This attack is so ro to take very seriously, especially since it is not very difficult to implement.

Real Time Fault Attack

There may be a problem in the implementation of an OTP. It is possible that when two logons arrive at the same time on the server, it does not know how to manage them. This is a purely real-time problem. There are then three scenarios: - The server rejects both connections. The attacker has no chance of having access but the user either ... This case is unlikely. - The server accepts a connection (the first arrival in general) and refuses the second. In this case, the hacker has a 50% chance of succeeding. This case is likely through the use of a semaphore. - The server accepts both connections. the hacker is 100% lucky to succeed. This case is unlikely. Attack by Hi-Jackinq

Authentication is done at the time of the connection. After this authentication, there is no other way to check if the authentication is still correct. But it is possible to hijack the TCP / IP communication. It's a Hi-Jacking attack. Once the hijacking is done, the server talks to the hacker, who uses the victim's session. Mobilegov 4 -11-

Main attack: Attack by decomposition of the algorithm that randomizes the randomization This attack is the most used, especially by the Oxid company and CAIN software. This one has indeed shown that the random used by the RSA Secure ID tokens had been calculated.

Thus, by simple recovery of some random sequences, the software CAIN 10 has the capacity to generate the next numbers making completely ineffective the security of RSA Secure ID tokens.

As can be seen in the foregoing discussion, which is by no means exhaustive, but is intended to convey the extent to which OTP processes are exposed to attack by some, even as others have tried to strengthen its robustness.

Indeed, although it should be observed that there is a lot to break, in the criminal enterprise aimed at putting down an OTP process - in particular the PIN, the C / S, pierce the TimeStamp , all the devices developed to resist these attacks are based on the major security: the generation of the random sequences.

It is known that software such as CAIN has already "cracked" the random generation of RSA tokens rendering the security of the system completely obsolete.

The inventors have discovered that it is possible to put an end to the long and incessant march towards the perfectible algorithm allowing better resistance to the attacks than the previous ones have done. Mobilegov 4 - 12 -

To this end, it is suggested to provide the authentication server with a quantum generator to which the generation of the seed (or seed) is entrusted to be incorporated in the challenges.

We thus succeed in definitively and radically substituting a "true" random generator for the pseudo-random generators algorithms that have appeared for years in the OTP systems, and even the most sophisticated ones.

The inventors have found, surprisingly, that the user of such a quantum generator significantly improves the robustness of the OTP system.

By replacing the random numbers generated by mathematical algorithms by random numbers generated on the principle of quantum physics, the dictionary attacks, by brute force, are destroyed by the decomposition of the random algorithm.

The results on the random number generation generated by the random generator makes it possible to protect against the input / output attacks on the conventional randomly presented above. In a particular embodiment, the quantum generator is integrated within a PC card which is disposed within a sealed device in which the authentication web server is installed.

FIG. 5 illustrates the quantum generator test with respect to a more traditional generator, such as a pseudo-random generator (PRNG) shown in FIG. 4 based on a linear congruence X '+ 1 = (aXn + b) mod m, like the function rand () of C, which makes it possible to generate a sequence of apparently random numbers.

More specifically, FIG. 5 illustrates the result of a so-called noise sphere analysis, which shows the quality of the random sequence and makes it possible to visually reveal the gain of robustness brought to the OTP system. In general, the more opaque the center of the sphere, the less the randomness is, and the easier it is to attack by Brute force.

As we can see, the quantum generator makes it possible to obtain a sphere not composed of tasks and especially in the center. Other tests confirm this observation made by the inventors, particularly the Diehard tests, etc., that it is not appropriate here to repeat 10 in the present application.

A more detailed embodiment of an OTP-based authentication system incorporating a quantum generator as proposed herein and illustrated in FIG. 3 is now more fully described.

The OTP system is used in the embodiment described hereinafter to provide protection for the transport of digital reference information, referred to as digital DNA, consisting of a raw data hash representative of the various hardware components of the system. IHS which are reported to the operating system, especially for the purpose of installing drivers.

Thus, ADNN digital information, which already enjoys a high level of protection due to the fact that it is the result of a hash, also takes advantage of the high robustness of the OTP system resulting from the use of the quantum generator 10.

A block 11 then allows the preparation of the first hash that will be used for the generation of the OTP sequence. This preparation consists in concatenating the data coming from the quantum generator and associating them with the digital reference information ADNN, so as to obtain a string of characters which can

Mobilegov 4 -14-

then is the subject of a first hash so as to generate a hexadecimal sequence of fixed length, for example 64 bits.

A block of hash 12 then makes it possible to proceed to an elementary N hash sequences 5, with N corresponding to the number of sequences fixed in the challenge.

In a particular embodiment, the hash is a SHA2 which is much more efficient than an MD4 or MD5 algorithm. Then, a block 13 makes it possible to format the result of the N hash operations, so as to make the result of the OTP easily readable by the user. In a specific embodiment, this block can be reduced to its simplest expression when the OTP is intended to be automatically transmitted to a system in a manner that is transparent to the user. Referring now to FIG. 6, an embodiment is described for illustrating the generation of an OTP advantageously combining quantum seed with this digital reference information that is digital DNA (ADNN ), so as to achieve a particularly secure authentication process between a service provider and a user of the service, connected by a LAN, a WAN or Internet, through a computer or a smartphone (Symbian ®, iPhone®, Android® , Windows Mobile®). In a first enrollment step, the user decides which hardware component will be used as a token, which will authenticate it in a unique manner thereafter. In the embodiment illustrated in FIG. 6, it is proposed to substitute 30 for the conventional method of the identifier / password (Iogin-pw), or to come in addition to this method to significantly strengthen the authentication. of this user by means of a token directly chosen by the user. Mobilegov 4 - 15 -

The method that will be described hereinafter implements three entities, namely a client software running at the user, a website accessible on the intranet or internet, and an authentication server acting as a trusted third party, the three entities that can communicate via secure channels such as Challenge Hardware Authentication Protocol (CHAP), HTTPs, well known to a person skilled in the art and that it is neither necessary nor opportune to develop further.

The method includes an enrollment phase, which will then be followed by an authentication phase.

1. Enrollment.

It is assumed that the user wishes to connect to an Internet site via the internet network and therefore launches his browser software installed in his system. The method therefore starts with a step 10 which is a connection transmitted to the website.

In a step 20, the web site responds, for example by means of a type 200 response defined in RFC2616 relating to the HyperText Transfer Protocol and well known to a person skilled in the art, by means of a web page comprising a plugin or applet java, namely an executable code allowing the execution of the following procedure described below and not beginning to invite the user to submit to a login (login) with a 25-word password (password).

In practice, the answer from step 20 of the website will be able to conform to a wide variety of different situations and protocols. Indeed, in addition to the well known page "200" http protocol, we can consider all the possibilities for opening an authentication page, including CHAP, MSCHAP (the version edited by the American MICROSOFT Corp. .), but also the BASIC and CHALLENGE RESPONSE versions, and also RADIUS (Remote Access Dialin User Service) well known to a person skilled in the art. In a particular embodiment, which is the one chosen by the holder of the present application of Mobilegov 4 -16-

patent, a software kit is proposed to the website publishers for the implementation of the methods described in this application.

The execution of the applet contained in the response received from the website then causes, in a step 30, a collection of data, namely the start of a procedure for detecting the hardware components of the system for the purpose of collecting data. with these components through drivers and reports to the operating system.

In general, one can draw much inspiration from the existing developments in the aforementioned European patent application 04368072.7, which gives examples of components that can be used. As described in this patent application, a large amount of information regarding the various hardware components are reported to the operating system, whether WINDOWS in its various forms (XP, VISTA, WINDOWS 7 .. .) or LINUX etc, especially in order to allow the loading of the necessary drivers to interfacing the operating system with these components. The contribution of the above-mentioned request is to gather this significant information, initially intended for the "internal" operation of the component, with the aim of constituting a unique digital information (ADDN) that can be used to carry out an operation of enhanced authentication.

Thus, in the case of a conventional USB key, it is noted that up to 16 characteristics (the brand, the model, the serial number, the memory size ... etc ...) are accessible to the operating system and can potentially be used for the generation of digital ADNN information. Then, in a step 40, the method proposes to the user the selection of a subset of components identified in step 30 in order to collect the data accessible to the operating system and representative of the subset. of components selected by the user. In one embodiment, the selection of the user is a default option, and the absence of selection by the latter then leads to the generation of a user token integrating Mobilegov 4 -17-

a pre-determined set of hardware components present in the system, or even all components accessible to the operating system.

The user can thus choose his computer as a hardware element or a memory element connected to his computer (a USB key, an MP3 player ...) or a smartphone. This material is the one from which DNA will be extracted from digital ®. The user can combine several physical elements such as his computer and a USB key. He can complete the device with a PIN code to avoid the diversion of his equipment in case of loss or theft. The method then proceeds, in a step 50, to a data processing aimed at concatenating the raw data collected during the previous step in order to generate digital information representative of the hardware components present in the system. The concatenated raw data is then subjected to a hash operation for the purpose of generating numerical reference information, or ADNN referred to as the "digital DNA". This information "the DNA of the digital" results from the transformation, by means of a hash algorithm realized on the string concatenating the various information extracted by the OS of the hardware components. In this respect, we can consider M. Ronald Rivest's MD4 or MD5 algorithms, or the more recent SHA algorithm developed by NIST. The use of the hash algorithm ensures that the raw data used to generate the ADNN information will never be disclosed. The system can perform a raw data quality analysis to determine whether it is satisfactory for use, as some digital components may not have enough unique criteria. Since it can not be traced back to the raw data, the digital information ADNN 30 can be transmitted to the authentication server for storage and subsequent use for verification purposes. Mobilegov 4 -18-

Alternatively, as will be seen now, it will even be possible to dispense with the transmission of the digital reference information "digital DNA", to further increase the safety of the invention.

For this purpose, the method advantageously continues with a step 60 which consists of integrating the digital information ADNN with the generation of a one-time password (OTP), as defined in particular by the standard RFC 2289. For this purpose, the DNAN information is concatenated with a seed provided by the authentication server and the whole is the subject of a series of hash operations in order to generate an OTP.

In a particular embodiment, the digital reference information ADNN is integrated with a seed generated by a quantum generator so as to considerably increase the resistance of the authentication method. In another embodiment, the user's PIN code, a time stamp and the reference digital information corresponding to the authentication server are also integrated in the OTP, together with the quantum hazard. . It remains from this multiple combination a high robustness to the OTP mechanism and, therefore, to the protection of DNAN information.

As can be seen, the method which has just been described with reference to FIG. 1 has the significant advantage, which the known techniques did not allow, of generating a user token since it is the latter which can choose the 25 or components that will be used to generate the ADNN information, which is never transmitted over the network.

This is a considerable advantage of the recommended solution. It is the user who remains in control of defining the material element that he possesses that will be used for the constitution of his ADDN information and, consequently, will authenticate it on the Internet sites. Thus, it is no longer a specific hardware provided by a provider that provides this authentication, but it is anything likely to connect to the computer or the system of the user. Mobilegov 4 - 19 -

The described method also has a decisive advantage over other strong authentication techniques, in particular based on biometrics. Indeed, consumers are still reluctant to see personal data pass through the networks and this concern is perfectly legitimate.

The technique proposed in the present patent application, because it substitutes for the biometric data a much less personal information - the digital DNA - nevertheless makes it possible to ensure high-performance authentication. And that one can easily reset in case of usurpation, unlike biometric data that are immutable.

The enrollment procedure that has just been described can serve as a support for a strong authentication procedure 2. Strong authentication method The implementation of the authentication procedure of the OTP described above (known as OTP user token to express the fact that it is the user who himself defines the hardware component used for authentication) requires the implementation of a specific functionality, and this by means of an appropriate code present in his page d authentication) communicates with the client, itself equipped with software installed only the first time (JAVA applet, ActiveX module, browser plug-in, widget, other ...):

1. An X509v3 certificate allows the user's browser to verify that the server's identity has not been spoofed (for example phishing or phishing attempts). 2. The user clicks on the digital DNA authentication. replaced the "login-password" couple on the site page. It must only enter its identifier and the server checks the consistency between this identifier and its ADNN digital information stored, if any, on the server. He must then indicate his PIN code - optionally depending on the choice of the website concerned - to authenticate. Mobilegov 4 - 20 -

3. The numerical reference information (ADNN or ADN of the Numérique) is calculated, either from the computer itself, by several of the internal components (motherboard, processor, hard disk ...) or from a removable component (USB key)). It is then completed by the PIN entered by the user. s A random (random) generation is used to create the challenge with the server but also the encryption of a capsule designated QKI. This hash [ADNN + random + identifier + (PIN)] then passes to the authentication server via an encrypted tunnel (https). This action is typical of an OTP system. This authentication server will then directly authorize (or not) the connection to the website, or will pass the authorization to another server (Active Directory, LDAP, or Radius). In no case does the client send the password in plain text to the server under https. Mobilegov 4

Claims (4)

REVENDICATIONS1. A method of generating a unique password for accessing an information processing system (IHS) to a site on an intranet or the Internet, said method comprising the steps of: a) preparing a password from a seed and a user password; b) executing a sequence of N hash operations applied to the result of said preparation; c) formatting the result to facilitate its transmission; characterized in that said seed is produced by means of a quantum generator operating on the principle of a photon capable of passing through a semi-reflecting mirror. 2. Method according to claim 1, characterized in that the OTP is generated from digital information (ADNN) generated from a data collection representative of the hardware components present in the system (IHS) and reported by the operating system, said digital information being the result of a hash on the raw data reported by the operating system. 3. Device specially designed for implementing the method according to claim 1, characterized in that it comprises means for generating a unique password comprising: means for preparing a password from a seed provided by a site and a user password; means for producing a sequence of elemental N hashes applied to the result of the preparation; means for formatting the result of the hash; said device being characterized in that it comprises a quantum generator for generating said seed. Mobilegov 4 11 May 2011 5-22- 4. Device specially designed for implementing the method according to claim 2 being in the form of a sealed housing incorporating the quantum generator and provided with a USB connector for direct connection to a computer and the communication of the word of passes for single use. Mobilegov 4 May 18, 2011