FR2993424A1 - Method for supplying identification data of user that is to be applied to smart phone, involves supplying identification data to service platform for user identification via mobile telecommunication network by secure element - Google Patents

Abstract

The method involves obtaining an identification data (DI1) stored on an electronic identification medium (5) that is provided with a communication module in close field. The identification data is transmitted by the communication module that is in close field to a terminal (6) such as smart phone. The data is transmitted with a secure element (SIM-6) via a physical interface. The identification data is supplied to a service platform (3) for user identification (U) via a mobile telecommunication network (NW) by the secure element. Independent claims are also included for the following: (1) a computer program comprising instructions for performing a method for supplying identification data (2) a computer readable recording medium with instructions for performing the method for supplying identification data (3) a terminal (4) a service platform (5) a user identification system.

Description

BACKGROUND OF THE INVENTION The invention relates to the general field of telecommunications. It relates more particularly to the identification of a user in the context, for example, of an electronic transaction carried out remotely. By electronic transaction is meant here any agreement between at least two parties, made via a telecommunications network, such as the Internet, a local computer network, or a mobile telecommunications network. Electronic remote transactions are becoming more and more common, especially in the areas of e-commerce (eg for the purchase of goods), banking (eg for money transfer) or telecommunications services. (eg for subscription to services). These transactions often use remote payment methods. However, we are witnessing today an upsurge of fraudulent uses of these means of payment and in particular the means of payment based on the use of a bank card (eg identity theft). To limit these frauds, security solutions for credit card transactions have been put in place by merchant sites and banks. Visa and Mastercard have developed a secure payment protocol on the Internet, called 3D-Secure, to limit the risk of fraud on the Internet related to attempts to impersonate.

This protocol aims more particularly to ensure, during an online payment using a bank card, that it is used by its holder. To this end, during the payment, in addition to the number of the credit card, its expiry date and the three digits of the security code printed on the back of the credit card, the user is asked to enter a password. past. This password can be static (it can be for example the date of birth of the user) for a "simple" identification of the user, or on the contrary to be generated dynamically and transmitted to the user via email or via SMS on his mobile terminal, for a "strong" identification of the user. Such a dynamically generated password is also known as OTP (One Time Password). However, this solution, whether based on the use of a static or dynamic password, has flaws. Indeed, with the advent of social networks, the date of birth of the user is no longer in itself a secret and can be easily usurped. Moreover, today we are witnessing the development of malicious software (or malware in English) acting at the application level, to retrieve the SMS sent to the user, and therefore the password contained in this SMS. Such software can be easily installed on the mobile terminal of the user without his knowledge. There is therefore a need for a mechanism for securely identifying the holder of a means of remote payment and not having the aforementioned drawbacks.

OBJECT AND SUMMARY OF THE INVENTION The invention responds in particular to this need by proposing a method of providing, to a service platform, identification data of a user, intended to be implemented by a terminal capable of communicating. on a mobile telecommunications network, this terminal being provided with a near-field communication module and a secure element connected via a physical interface, the method comprising: a step of obtaining, by the near-field communication module, terminal, user identification data stored on an electronic identification medium provided with a near field communication module; a step of transmission, by the near field communication module of the terminal, of the identification data obtained to the secure element of the terminal, via the physical interface; and a step of providing, by the secure element of the terminal, via the mobile telecommunications network, identification data to the service platform for identification of the user. The invention also relates to a method for identifying a user by a service platform comprising: a step of receiving first user identification data stored on an electronic identification medium provided with a communication module in the near field, these first data being supplied to the service platform by a terminal via a mobile telecommunications network in accordance with a method of provision according to the invention; a step of comparing the first identification data with second identification data; and depending on the result of the comparing step, a step of identifying the user. The invention also relates to a method of identifying a user by a terminal able to communicate on a mobile telecommunications network, comprising: a step of obtaining, by a near-field communication module equipping the terminal, first data identification of the user stored on an electronic identification medium provided with a near-field communication module; a step of transmission, by the near-field communication module of the terminal, of the first identification data obtained to a secure element of the terminal, via a physical interface connecting the near-field communication module and the secure element of the terminal; a step of comparing, by the secure element, first identification data with second identification data obtained from a service platform via the mobile telecommunications network; and - depending on the result of the comparison step, a step of identifying the user.

Preferably, the second identification data come from a trusted authority. It is therefore reliable identification data whose veracity is recognized. The invention therefore proposes an identification of a user involving a tripartite system comprising: an electronic identification support of the user, such as an electronic identity card or an electronic passport, provided with means of communication in the near field; a mobile terminal, provided with a secure element, such as a subscriber identity card (eg Subscriber Identity Module (SIM) card or Universal Subscriber Identity Module (USIM)) enabling the terminal to communicate on the mobile telecommunications network to which it is subscribed, and means of communication in the near field to communicate with the electronic identification medium, these means being connected to the secure element by a physical interface; and a service platform, associated with the electronic transaction for which user identification is required, which enables completion of the user identification in order to finalize the transaction and with which the mobile terminal exchanges data. identification (first or second identification data in the sense of the invention), via the mobile telecommunications network with which it is a subscriber. The mobile telecommunications network is for example a GSM mobile network (Global Mobile System), UMTS (Universal Mobile Telecommunications System), LTE (Long-Term Evolution), etc. The actual identification of the user can be performed by the secure element of the mobile terminal or by the service platform. To identify a user, the invention advantageously relies on three essential points involving the different entities of this tripartite system, namely: the use of the electronic identification medium to provide reliable identification data of the user (ie certified by the trusted authority that issued this medium (eg the State for an identity card or electronic passport)), and its placement according to the invention, close to the mobile terminal of the user, so as to transmit to him, through a communication in the near field, the identification data it contains; transferring the identification data received by the communication module in the near field of the mobile terminal to a secure element of this terminal, such as its subscriber identity card, via a physical interface; and using the mobile terminal telecommunications network to securely transmit these identification data to the service platform for user identification, or alternatively, to securely receive identification data of the user. the service platform preferably from a trusted authority, who will then be confronted with the identification data obtained from the electronic medium for identification of the user by the terminal. It is indeed known that mobile telecommunications networks generally implement strong security procedures in order to protect the data exchanged on these networks. The combination of these three points in accordance with the invention makes it possible to have a strong and secure identification of the user, and thus to limit frauds linked to the usurpation of the user's identity during electronic transactions. Indeed: the use of near-field communications between the user's electronic identification medium and his mobile terminal makes it possible to ensure the physical presence of the electronic identification medium near the mobile terminal of the user : thanks to this proximity, it limits the risk of interception by a third party of the identification data of the user without his knowledge; the use of a physical interface between the near-field communication module and the secure element of the terminal, as opposed to a software or protocol interface, makes it possible to prevent the user's identification data from being raised to the level application and can be intercepted via malicious software installed on the mobile terminal (the identification data is transferred according to the invention at the level of the physical layer); lastly, the use of a telecommunications network (in this case, the mobile network of the terminal), for the exchanges between the terminal and the data services platform enabling the identification of the user, makes it possible to benefit from telecommunications network (eg encryption of data on the radio channel, network authentication of the subscriber identity card used by the terminal to connect to the network, etc.) and thereby ensure the protection and integrity of the identification data exchanged between the terminal and the service platform In a preferred embodiment of the invention, the secure element of the terminal is a subscriber identity card allowing the terminal to communicate on the network telecommunications, such as a SIM or USIM card. Such a card provides, in a manner known per se, a secure storage and execution environment, and is already present in the mobile terminal, since it is required to enable it to communicate on the mobile telecommunications network. The use of the subscriber identity card associated with the mobile telecommunications network as a secure element thus makes it possible to limit the costs associated with the implementation of the invention, as well as the necessary transformations to be made to the mobile terminal to enable the mobile phone to be used. identification of the terminal according to the invention.

In a particular embodiment, the physical interface between the secure element and the near-field communication module of the terminal is a SWP (Single Wire Protocol) interface.

In this way, the implementation of the invention is further simplified since it uses an existing and mature interface, which also has the advantage of using only one contact on the subscriber identity card. . As a variant, other physical interfaces may be envisaged, such as for example an I2C (Inter-Integrated Circuit) physical interface or a Serial Peripheral Interface (SPI) physical interface, known to those skilled in the art. In a particular embodiment of the invention, the method of identifying the user by the terminal further comprises a step of providing the result of the step of identifying the user to the service platform.

When a third party entity (such as a payment gateway for example) is causing or is waiting for the user's identification, the service platform can thus provide proof of identification of the user to that user. third party entity. For the purposes of the invention, an identification proof means any means attesting that a user identification procedure has been conducted, regardless of its result (in other words, the first and second data identifying or not coinciding), or any means that the user has been positively identified (that is, means issued only when the first and second identification data coincide). This embodiment then allows the service platform or the third party entity in connection with the service platform to accept or reject the electronic transaction based on the result of the identification of the user. Similarly, in a particular embodiment of the invention, the method of identifying the user by the service platform further comprises a step of providing a user identification proof to an entity third. The identifier of the user on the mobile telecommunications network (typically the telephone number associated with the security element of the mobile terminal) thus enables the platform to communicate with the mobile terminal of the user, and on the other hand to question the authority of trust. In a particular embodiment, the various steps of the method of providing and / or the different steps of the identification methods according to the invention are determined by instructions of computer programs. Consequently, the invention also relates to a computer program on an information medium, this program being capable of being implemented in a mobile terminal or more generally in a computer, this program comprising instructions adapted to the setting implement steps of a method of providing or a method of identification by a terminal as described above. The invention also relates to a computer program on an information medium, this program being capable of being implemented in a service platform or more generally in a computer, this program comprising instructions adapted to the implementation steps of a method of identification by a service platform as described above. These programs can use any programming language, and be in the form of source codes, object codes, or intermediate codes between source codes and object codes, such as in a partially compiled form, or in any other desirable shape. The invention also relates to a computer-readable information medium, comprising instructions of a computer program as mentioned above. The information carrier may be any entity or device capable of storing the program. For example, the medium may comprise storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or a magnetic recording medium, for example a diskette (floppy disc) or a disk hard. On the other hand, the information medium may be a transmissible medium such as an electrical or optical signal, which may be conveyed via an electrical or optical cable, by radio or by other means. The program according to the invention can be downloaded in particular on an Internet type network. Alternatively, the information carrier may be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the method in question.

Correlatively, the invention also aims at each element of the tripartite system for identifying a user. Thus, the invention also provides a terminal capable of communicating over a mobile telecommunications network and comprising: a near-field communication module; - a secure element; and a physical interface connecting the near-field communication module and the secure element; and wherein: the near field communication module of the terminal is configured to obtain first user identification data stored on an electronic identification medium provided with a near field communication module, and transmit these first identification data obtained to the secure element via the physical interface; and the secure element of the terminal is configured to compare the first identification data with second identification data obtained from a service platform via the mobile telecommunications network, and depending on the result of this comparison, to identify the user. The invention also relates to a terminal capable of communicating over a mobile telecommunications network and comprising: a near-field communication module; - a secure element; and a physical interface connecting the near-field communication module and the secure element; and wherein: the near field communication module of the terminal is configured to obtain user identification data stored on an electronic identification medium provided with a near field communication module, and to transmit the identification data obtained at the secure element via the physical interface; and the secure element of the terminal is configured to provide, via the mobile telecommunications network, the identification data to a service platform for identification of the user. The invention also provides a service platform comprising: means for receiving first user identification data stored on an electronic identification medium provided with a near-field communication module, these first data of identification being provided to the service platform, via a mobile telecommunications network, by a terminal according to the invention; means for comparing the first identification data with second identification data; and user identification means activated according to the result of the comparison performed by the comparison means. Furthermore, the invention aims at a system for identifying a user comprising: a service platform; a user identification medium provided with a near-field communication module, and on which are stored first identification data of the user; a terminal capable of communicating over a mobile telecommunications network and according to the invention. In a particular embodiment, the service platform of the identification system is in accordance with the invention.

The service platform, the terminals and the identification system according to the invention have the same advantages as the supply and identification methods described above. It can also be envisaged, in other embodiments, that the supply method, the identification methods, the terminals, the service platform and the identification system according to the invention present in combination all or some of the characteristics above.

BRIEF DESCRIPTION OF THE DRAWINGS Other features and advantages of the present invention will emerge from the description given below, with reference to the accompanying drawings which illustrate embodiments having no limiting character.

In the figures: FIG. 1 schematically represents an identification system, a mobile terminal and a service platform according to the invention, in their environment, in a first embodiment of the invention; FIGS. 2A and 2B respectively represent the hardware architecture of the service platform and the mobile terminal of FIG. 1; FIG. 3 represents, in the form of a flow chart, the main steps of a method for providing identification data according to the invention, when implemented, in the first embodiment, by the mobile terminal of FIG. Figure 1; FIG. 4 represents, in the form of a flow chart, the main steps of an identification method according to the invention, when they are implemented, in the first embodiment, by the service platform of FIG. 1 ; FIG. 5 schematically represents an identification system, a mobile terminal and a service platform according to the invention, in their environment, in a second embodiment of the invention; FIG. 6 represents the hardware architecture of the mobile terminal of FIG. 5; and FIG. 7 represents, in the form of a flow chart, the main steps of a method of identifying a user according to the invention, when they are implemented, in the second embodiment, by the terminal. mobile of Figure 2.

DETAILED DESCRIPTION OF THE INVENTION FIG. 1 represents, in its environment, an identification system 1 according to the invention, in a first embodiment. In the example described here, the identification of a user U is contemplated during an electronic transaction initiated remotely by the user U with a service provider SP (not shown in FIG. 1) offering a commercial service. electronic. Such identification may be necessary, in particular when the user U pays the service provided by the service provider SP, using a bank card. Indeed, as described above, the remote payment by credit card is subject to many frauds: it is therefore, for the service provider SP, to ensure by the implementation of the invention, that the U user who uses the credit card for the payment of the benefit, is the owner, that is, to identify the user U as the owner of the credit card used to pay the benefit. For this, the service provider uses a so-called payment gateway 2, in charge of managing the payment stage of the service. Of course, this example is given for illustrative purposes only, and the invention applies in other contexts (eg banking transactions, registration to a service, etc.) in which it seeks to identify a user of safe way to limit frauds related to identity theft. Thus, for example, the invention can also be applied in a context of dematerialization of user registrations with a service provider such as for example a telecommunications operator, in order to simplify the identification of users while ensuring that this identification is reliable.

In the first embodiment described here, the payment gateway 2 is advantageously in contact with a trusted authority called identity center 4, able to provide on request, reliable identification data (ie, secure) concerning the owner of the payment gateway. 'a bank card determined. Such an identity center is known per se and will not be described in more detail here.

In the example envisaged here, the identity center 4 is an entity (eg a server) managed by the bank of the owner of the bank card used for the payment of the transaction. This entity stores, in association with the credit card information, identification data relating to the owner of this card and other information such as, for example, his mobile phone number.

According to the invention, in order to carry out the identification of the user U, the identification system 1 is based on a service platform 3 according to the invention, to which the payment gateway 2 for identification is addressed. the user U. The service platform 3 has in the first embodiment described here, the hardware architecture of a computer, as shown schematically in Figure 2A.

It comprises in particular a processor 3A, a random access memory 3B, a read-only memory 3C, a nonvolatile 3D flash memory, and 3E communication means with other entities via one or more telecommunications networks. Thus, the communication means 3E here comprise a module (such as a network card) enabling the service platform 3 to communicate and exchange data with the payment gateway 2 (the service platform 3 and the payment gateway 2 may be located in the same network or connected to different networks), as well as a module enabling it to communicate on a mobile telecommunications network NW. The mobile telecommunications network NW is for example here a UMTS mobile network, as defined by the 3GPP standard. In known manner, such a network advantageously provides the implementation of various procedures to secure the exchange of data (i.e. communications) on the network. It should be noted that no limitation is strictly attached to the nature of the mobile network NW, as long as it is secured by appropriate procedures (data encryption, user authentication, etc.). It can thus be, in a variant, an Evolved Packet Core (EPC) type mobile network, a second generation mobile network such as a GSM network, General Packet Radio Service (GPRS) or Enhanced Data Rates (EDGE) network. for GSM Evolution), etc.

The ROM 3C service platform 3 is a recording medium according to the invention, readable by the processor 3A and on which is recorded a computer program according to the invention, including instructions for execution steps of a user identification method according to the invention, described later with reference to FIG.

According to the invention, the identification of a user is performed by relying on identification data stored on an electronic identification medium assigned to the user. Thus, the identification system 1 also comprises, to perform the identification of the user U, an electronic identification support 5 assigned to the user U, on which are stored, in a secure space, data of DM identification relating to the user U, such as, for example, his surname, first name, date and place of birth, the number of the electronic identification medium, etc. More precisely, in the example envisaged here, the electronic identification support 5 is an electronic identity card or eID (electronic IDentity), as described in the technical specifications document published by the GIXEL group (Groupement des Industries de the interconnexion, electronic components and subassemblies), and entitled "European Card for Electronic Services (e-Services) and Electronic Identity (e-ID) Applications", v1.0.1, March 21, 2008. It comprises an electronic circuit equipped with near-field communications means also known as Near Field Communication (NFC) communication means.

These communication means are composed, in known manner, of a near field communication module or NFC module, which is associated with an antenna for establishing a contactless communication with another NFC entity also equipped with communication means. near field, and located near the electronic support 5. Thus, in particular and in accordance with the invention, it is expected that the electronic medium 5 communicates with a near field communications module equipping a mobile terminal 6 of the user U, to allow identification of the user U in response to an identification request from the payment gateway 2 on behalf of the service provider SP. The terminal 6 of the user U is for example here a smart phone also known as a "smartphone", equipped with an NFC communications module and a SIM-6 subscriber identity card, such as a SIM card or a USIM card, allowing him to communicate on the NW mobile network.

In a manner known per se, the SIM-6 card constitutes a secure storage and execution element, which contains, among other things, various information related to the user and his subscription to the mobile telecommunications network NW, and allows the terminal 6 to connect to the NW mobile network.

This subscriber identity card is associated with an identifier of the user U on the mobile telecommunications network NW, denoted ID (U), which in this case is the telephone number or number MSISDN (Mobile Station Intergrated). Digital Network Services) of user U on the NW mobile network. No limitation is however attached to the nature of the mobile terminal 6 of the user U since it is equipped with a near-field communication module, a secure element and is able to communicate on a network mobile telecommunications. The mobile terminal 6 here has the hardware architecture of a computer, as shown schematically in Figure 2B. It comprises in particular a processor 6A, a random access memory 6B, a read-only memory 6C, a non-volatile flash memory 6D, means 6E for near-field communication, enabling it to interrogate in particular the electronic identification medium 5, as well as 6F communication means on the NW mobile telecommunications network, including the SIM-6 subscriber identity card. The NFC communication means 6E and the subscriber identity card SIM-6 (that is, the secure element of the terminal 6) are connected, in the first embodiment, via a physical interface 6G. of SWP (Single Wire Protocol) type as described in specification document TS 102 613 published by the ETSI (European Telecommunications Standard Institute). As a variant, other physical interfaces may be implemented between the NFC communication means 6E and the SIM-6 card, such as for example an I2C physical interface or a physical SPI interface. In a known manner, such an interface makes it possible to transport the data at the level of the physical layer (i.e. the data do not go back to the application level), as opposed to a protocol or software interface.

It should be noted that for the implementation of the invention, one can, alternatively, consider a secure element on the terminal 6 separate from the SIM-6 card of the user U, ensuring that it is connected via a physical interface and not a protocol or software interface to the NFC 6E communications means of the terminal 6. The read-only memory 6C of the terminal 6 constitutes a recording medium in accordance with the invention, readable by the processor 6A and on which is recorded a computer program according to the invention, comprising instructions for performing the steps of a method of providing identification data according to the invention, now described with reference to Figure 4.

We will now describe, with reference to FIGS. 3 and 4, the main steps of a method for identifying a user and a method for providing identification data as implemented in the first embodiment. respectively by the service platform 3 and the terminal 6, to allow identification of the user U during an electronic transaction with the service provider SP. It is assumed that this electronic transaction is initiated by the user U by connecting, for example with his mobile terminal 6, to a website of the service provider SP, and that the user U indicates to the service provider SP wishing to pay the benefit offered during this transaction using a credit card.

The user U is then redirected to a secure page hosted by the payment gateway 2 to identify himself and provide the information on his credit card to make his payment, for example his credit card number. In the first embodiment described here, the payment gateway 2, upon receipt of this information, queries the identity center 4 (possibly via a server of the bank of the owner of the payment card used), in order to obtain identification data DI2 relating to the owner of the payment card used by the user U. This interrogation is performed using the credit card information provided by the user U (eg credit card number), through a REQ request sent by the payment gateway 2 to the identity center 4.

It should be noted that other parameters can be used to interrogate the identity center 4, since they allow to unambiguously identify with the identity center 4 the owner of the credit card used for payment. In response to this interrogation, the payment gateway 2 receives the identification data DI2 and in the first embodiment described here, a mobile phone number registered by the owner of the payment card. The identification data DI2 constitute second identification data within the meaning of the invention. They are supposed to reliably establish the identity of the owner of the credit card used for payment. They may include, but are not limited to, the name and surname of the owner of the credit card, the date and place of birth, the number of the electronic identity card, etc., in other words, any type of information that can be used to identify ambiguity the identity of the owner of the credit card. In the example described here, it is assumed that the mobile phone number received from the identity center 4 corresponds to the telephone number ID (U) of the user U on the mobile telecommunications network NW.

As a variant, the mobile telephone number ID (U) of the user U on the mobile telecommunications network NW can be obtained by the payment gateway 2 by inviting, via the secure page, the user U to provide the number of mobile phone he wishes to use for his identification. This variant can also be implemented if the owner of the payment card has not entered a mobile phone number with his bank (and therefore the identity center 4). The payment gateway 2 then sends a request REQ-identification ID of the user U to the service platform 3 comprising the identification data DI2 and the telephone number received from the identity center 4. On receipt of the REQ-ID request (step E10), the service platform 3 stores the identification data DI2 in its non-volatile memory 3D, in association with the telephone number ID (U) of the user U (step E20). Then, in the first embodiment described here, it sends a CMD-ID command to the terminal 6, via the telecommunication network NW using the identifier ID (U), so that it activates its means of communications in the field. near to read and capture the DI1 data, stored on the electronic identity card 5 (step E30). This command CMD-ID comprises an invitation message for the user U of the terminal 6, for example displayed on the screen of the terminal 6, inviting him to place his mobile terminal 6 near his card. electronic identity 5, in order to allow the NFC communication means 6E of the terminal 6 to communicate with the NFC communication means of the electronic identity card 5. It should be noted that, in the first embodiment described here, if the telephone number provided by the identity center 4 to the payment gateway 2 does not correspond to a telephone number used by the user U (as for example here to its identifier ID (U) on the telecommunications network NW ), the command CMD-ID does not reach up to the user U: the identification procedure of the user U can not be completed and ends abruptly and the user U n ' is not identified as the owner the credit card used for payment.

In an alternative embodiment, when the user U uses a device other than the terminal 6 to perform his electronic transaction (such as for example a computer), the message inviting the user U to place his terminal near his card d electronic identity 5, can be sent to this device and display for example on its screen. In another variant, the activation of the near-field communication means of the terminal 6 can be triggered by the user U, for example via a suitable menu of the terminal 6 or by pressing a button of the terminal 6 provided for this purpose . On receipt of the command CMD-ID (and therefore the invitation message) by the communication means 6F of the terminal 6 (step F10), the user U places his terminal 6 near or on his electronic identity card 5.

The NFC communication means 6E then obtain the user identification data DI1 U stored on the electronic identity card 5 (first identification data within the meaning of the invention), by communicating with the NFC communication means of the card 5 in a manner known per se (step F20).

Due to the proximity of the card 5 with the mobile terminal 6, it can be ensured that the identification data DI1 are not intercepted between these two entities by a third party. Then the NFC communication means 6E transmit the DI1 data thus obtained to the SIM-6 card, via the physical interface SWP 6G (step F30). In this way, the DI1 data is transmitted at the level of the physical layer and does not go back to the application level. It is therefore impossible or almost impossible for malicious software, possibly installed on the mobile terminal 6, to capture this data, which operates only at the application layer of the mobile terminal 6. In the first embodiment described here, the SIM-6 card supplies the identification data DI1 received on the physical interface 6G to the service platform 3 so that it can identify the user U by comparing these data with the identification data DI2 received from the payment platform 2 (in other words from identity center 4) (step F40). For this purpose, it sends a message via the telecommunications network NW to the service platform 3 containing the identification data DI1. The identification data DI1 provided to the service platform 3 thus benefit from the inherent data protection procedures implemented on the mobile telecommunications network NW (notably via the strong encryption procedures provided for on the radio channel of the NW network or the network. authentication of the SIM-6 card of the terminal 6). With reference to FIG. 3, the service platform 3 receives the identification data DI1 via the mobile network NW via its means 3F (step E40), and stores them in its nonvolatile memory 3D in association with the identifier ID (U) of the terminal 6 (step E50). The service platform 3 then compares the identification data DI1 received from the mobile terminal 6 with the data DI2 received from the identity center 4 (in other words, the corresponding fields of each of the data sets DI1 and DI2) (step E60). . If the identification data DI1 and DI2 are identical (answer yes to the test step E70), the service platform 3 identifies the user U (step E80). In other words, the user U who tries to pay for his electronic transaction with the service provider SP using the bank card, is the owner of the credit card declared at the level of the identity center 4. In contrast, if the identification data DI1 and DI2 are different (answer no to the test step E70), the service platform 3 rejects the identification of the user U (step E90). The service platform 3 provides a proof of identification of the user U to the payment gateway 2 informing him of the outcome of this identification (step E100), so that it validates or cancels the payment of the payment. the electronic transaction. In the first embodiment described here, the comparison of the identification data is performed by the service platform 3.

We will now describe, with reference to FIGS. 5 to 7, a second embodiment of the invention in which this comparison is carried out by the secure element itself of the mobile terminal. Thus, FIG. 5 represents, in its environment, an identification system 1 'according to the invention, in this second embodiment. Elements similar to those described for the first embodiment will not be described again in detail. To illustrate this second embodiment, one places oneself in similar hypotheses to the first embodiment: one considers the identification of a user U 'during an electronic transaction initiated remotely by the user U' with a provider SP 'service (not shown) providing an e-commerce service. For this, the service provider SP 'uses a payment gateway 2' similar to the payment gateway 2 described above, in contact with an identity center 4 ', able to provide on request, data of reliable identification (ie safe) regarding the owner of a particular bank card.

The identification system 1 'is based on a service platform 3', which is addressed to the payment gateway 2 'to identify the user U'. The service platform 3 'has, in the second embodiment described here, the hardware architecture of a computer, and comprises a processor, a random access memory, a read only memory, a non-volatile flash memory, as well as means for communication with other entities via one or more telecommunications networks. These means of communication here comprise a module (such as a network card) enabling the service platform 3 'to communicate and exchange data with the payment gateway 2' as well as a module enabling it to communicate over a network of networks. NW 'mobile telecommunications.

The mobile telecommunication network NW 'is for example here a UMTS mobile network, as defined by the 3GPP standard, providing for the implementation of various procedures for securing data exchanges (i.e. communications) on the network. As for the first embodiment, however, no limitation is attached to the nature itself of the mobile network NW.

According to the invention, the identification of a user is performed by relying on identification data stored on an electronic identification medium assigned to the user. Thus, the identification system 1 'also comprises an electronic identification support 5' assigned to the user U ', on which are stored, in a secure space, DM identification data. relating to the user U '.

In the example envisaged here, the electronic identification support 5 'is an electronic identity card eID, comprising an electronic circuit equipped with NFC near-field communications means.

The user U 'also has a mobile terminal 6', which is for example a smartphone or smartphone, equipped with an NFC communications module and a SIM-6 subscriber identity card. '(secure element in the sense of the invention), such as a SIM card or a USIM card, allowing it to communicate on the mobile network NW'.

This subscriber identity card is associated with an identifier of the user U 'on the mobile network NW', denoted ID (U '), which in this case is the MSISDN number of the user U' on the mobile network NW '. The mobile terminal 6 'here has the hardware architecture of a computer, as illustrated schematically in FIG. 6.

It comprises in particular a processor 6A ', a random access memory 6B', a read-only memory 6C ', a non-volatile flash memory 6D', means 6E 'of communication in the near field, enabling it to interrogate in particular the electronic identification medium 5 ', as well as communication means 6F' on the mobile telecommunication network NW ', including the subscriber identity card SIM-6'.

The communication means NFC 6E 'and the subscriber identity card SIM-6' (in other words, the secure element of the terminal 6 ') are connected here via a physical interface 6G' of the SWP type. . The read-only memory 6C 'of the terminal 6 constitutes a recording medium in accordance with the invention, readable by the processor 6A' and on which is recorded a computer program according to the invention, comprising instructions for the execution of the steps of an identification method according to the invention, now described with reference to FIG. 7. FIG. 7 illustrates the main steps implemented in the second embodiment, by the terminal 6 ', for identification. of the user U 'during an electronic transaction with the service provider 2'.

It is assumed that this electronic transaction is initiated by the user U 'by connecting, for example with his mobile terminal 6', on a website of the service provider SP ', and that the user U' indicates to the service provider SP 'want to pay the service offered during this transaction using a credit card. The user U 'is then redirected to a secure page hosted by the payment gateway 2' to identify himself and provide the information on his credit card to make his payment, for example his credit card number. In the second embodiment described here, the payment gateway 2 ', on receipt of this information, queries the identity center 4' (via, for example, a server of the bank of the owner of the payment card used), so that obtain identification data DI2 'relating to the owner of the payment card used by the user U'. This interrogation is carried out using the bank card information provided by the user U '(eg credit card number), by means of a request REQ' sent by the payment gateway 2 'to the bank. identity center 4 '.

In response to this interrogation, the payment gateway 2 'receives the identification data DI2' (second identification data within the meaning of the invention) as well as in the second embodiment described here, a registered mobile phone number. by the owner of the payment card.

In the example described here, it is assumed that the mobile phone number received from the identity center 4 'corresponds to the telephone number ID (U') of the user U 'on the mobile telecommunications network NW'. As a variant, the mobile telephone number ID (U ') of the user U' on the mobile telecommunication network NW 'can be obtained by the payment gateway 2' by inviting, via the secure page, the user U ' to provide the mobile phone number that he wishes to use for his identification. The payment gateway 2 'then sends a user identification request REQ ID' U 'to the service platform 3' comprising the identification data DI2 'and the telephone number ID (U').

In the second embodiment described here, upon receipt of the request REQ-ID ', the service platform 3' sends a command CMD-ID 'to the terminal 6' via the telecommunication network NW 'using the identifier ID (U) ', so that it activates its means of communication in the near field to read and capture DI1' data stored on the electronic identity card 5 '.

In the second embodiment described here, the command CMD-ID 'contains the identification data DI2', in order to limit the exchanges between the service platform 3 'and the terminal 6'. As a variant, the identification data DI2 'can be transmitted to the terminal 6' on the network NW 'in a message distinct from the command CMD-ID'.

The CMD-ID 'command also comprises here an invitation message intended for the user U' of the terminal 6 ', displayed for example on the screen of the terminal 6', inviting him to place his mobile terminal 6 ' close to its electronic identity card 5 ', to allow the NFC communication means 6E' of the terminal 6 'to communicate with the NFC communication means of the electronic identity card 5'.

As a variant, this invitation message may be sent to the device (eg computer) that the user U 'uses to make his payment if it is different from the terminal 6'. On receipt of the command CMD-ID 'and the invitation message by the communication means 6F' of the terminal 6 '(step F10'), the terminal 6 'stores the data DI2' contained in the command CMD-ID 'in its non-volatile memory 6D '(step F20').

The user U 'also places his terminal 6' near or on his electronic identity card 5 '. The NFC communication means 6E 'then obtain the user identification data DIr U' stored on the electronic identity card 5 '(first identification data within the meaning of the invention), by communicating with the means NFC communication of the 5 'card in a manner known per se (step F30'). Then the NFC communication means 6E 'transmit the data DI1' thus obtained to the SIM-6 ', via the physical interface SWP 6G' (step F40 ').

The SIM-6 'of the terminal 6' then compares the data DI1 'with the data DI2' stored in its memory (step F50 '). If the identification data DI1 'and DI2' are identical (yes answer to the test step F60 '), the SIM-6' identifies the user U '(step F70'). In other words, the user U 'who seeks to pay for his electronic transaction with the payment platform 2' using the credit card, is the owner of the credit card declared at the level of the identity center 4 ' . On the other hand, if the identification data DM 'and DI2' are different (answer no to the test step F60 '), the SIM-6' rejects the identification of the user U '(step F80'). The terminal 6 'then provides a proof of identification of the user U' to the service platform 3 'informing him of the outcome of the identification of the user U' (step F90 ').

The service platform 3 'in turn provides the identification of the user U' to the payment gateway 2 'for it to validate or cancel the payment of the electronic transaction. In both embodiments described herein, the identification data exchanged between the mobile terminal and the service platform via the mobile telecommunications network benefits "only" from the security procedures inherent in the mobile network. As a variant, it may be envisaged that additional protection of these data and their integrity is implemented before they are transmitted on the mobile network, using specific security techniques implemented by the mobile terminal and by the service platform. , such as encryption techniques and / or data signing, reinforcing the security procedures inherent to the mobile network. Such techniques are known per se and will not be described in detail here.

Claims (15)

REVENDICATIONS1. Method for providing, to a service platform (3), identification data (DI1) of a user (U) intended to be implemented by a terminal (6) able to communicate on a mobile telecommunications network (NW), this terminal being provided with a near-field communication module (6E) and a secure element (SIM-6) connected via a physical interface (6G), said method comprising: a step of obtaining (F20), by the module (6E) for communication in the near field of the terminal (6), identification data (DI1) of the user (U) stored on an electronic identification medium (5) provided with a near field communication module; a transmission step (F30), by the near-end communication module (6E) of the terminal, of the identification data (DI1) obtained at the secure element (SIM-6) of the terminal, via the physical interface ( 6G); and - a provisioning step (F40), by the secure element (SIM-6) of the terminal, via the mobile telecommunications network (NW), identification data (DI1) to the service platform (3) for identification of the user (U). 2. A method of identifying a user (U ') by a terminal (6') able to communicate on a mobile telecommunications network (NW '), comprising: - a step of obtaining (F30'), by a near-end communication module (6E ') equipping the terminal (6'), first identification data (DI1 ') of the user (U') stored on an electronic identification medium (5 ') provided with a near field communication module; a transmission step (F40 '), by the near-end communication module (6E') of the terminal, of the first identification data obtained to a secure element (SIM-6 ') of the terminal, via a physical interface (6G ') connecting the near-field communication module and the secure element of the terminal; a comparison step (F50 '), by the secure element (SIM-6'), first identification data (DI1 ') with second identification data (DI2') obtained from a service platform ( 3 ') via the mobile telecommunications network (NW'); and - according to the result of the comparison step (F50 ', F60'), an identification step (F70 ') of the user (U'). 3. A method of identifying a user (U) by a service platform (3) comprising: - a step of receiving (E40) first identification data (DI1) from a user (U) stored on a an electronic identification medium (5) provided with a near-field communication module, said first identification data (DI1) being supplied to the service platform (3) by a terminal (6) via a mobile telecommunications network ( NW) according to a supply method according to claim 1; a comparison step (E60) of the first identification data (DI1) with second identification data (DI2); and - depending on the result of the comparing step (E60, E70), an identification step (E80) of the user (U). 4. Method according to any one of claims 1 to 3 wherein the secure element (SIM-6, SIM-6`) of the terminal (6,6 ') is a subscriber identity card allowing the terminal to communicate on the telecommunications network (NW, NW '). 5. Method according to claim 4 wherein the physical interface (6G, 6G ') between the secure element (SIM-6, SIM-6') and the module (6E, 6E ') of communication in the near field of the terminal is a SWP (Single Wire Protocol) interface. The method of claim 2 further comprising a step of providing (F90 ') the result of the step of identifying the user to the service platform (3'). The method of claim 3 wherein the second identification data (DU) is from a trusted authority (4). The method of claim 3 further comprising a step of providing (E100) a proof of identification of the user to a third party. delivery method according to claim 1 or the identification method according to the claim 9. Computer program comprising instructions for performing the steps of 2 or 3 when said program is executed by a computer. A computer-readable recording medium on which a computer program is recorded including instructions for executing the steps of the supply method according to claim 1 or the identification method according to claim 2 or 3. 11. Terminal (6) able to communicate on a mobile telecommunications network (NW) and comprising: - a module (6E) for communication in the near field; a secure element (SIM-6); and a physical interface (6G) connecting the near-field communication module (6E) and the secure element (SIM-6), and wherein: the near-end communication module (6E) of the terminal is configured so that obtaining identification data (DI1) from a user (U) stored on an electronic identification medium (5) provided with a near-field communication module, and transmitting the identification data (DI1) obtained at the secure element (SIM-6) via the physical interface (6G); and - the secure element (SIM-6) of the terminal is configured to provide, via the mobile telecommunications network (NW), the identification data (DI1) to a service platform (3) for identification of the 'user. 12. Terminal (6 ') able to communicate on a mobile telecommunications network (NW') and comprising: - a module (6E ') for communication in the near field; - a secure element (SIM-6 '); and a physical interface (6G ') connecting the near-field communication module (6E) and the secure element (SIM-6'); and wherein: the near field communication module (6E ') of the terminal is configured to obtain first identification data (DI1') of a user (U ') stored on an electronic identification medium (5 ') provided with a near field communication module, and to transmit the first identification data obtained to the secure element (SIM-6') via the physical interface (6G '); and the secure element (SIM-6 ') of the terminal (6') is configured so as to compare the first identification data (DI1 ') with second identification data (DI2') obtained from a platform of services (3 ') via the mobile telecommunications network (NW'), and depending on the result of this comparison, to identify the user (U '). 13. Service platform (3) comprising: receiving means (3E) of a user's first identification data (DI1) (U) stored on an electronic identification medium (5) provided with a data module; communication in the near field, these first identification data (DI1) being supplied to the service platform (3) via a mobile telecommunications network (NW) by a terminal according to claim 10; comparison means (3A) of the first identification data (DI1) with second identification data (DI2); and identification means (3A) of the user (U) activated according to the result of the comparison performed by the comparison means. 14. A user identification system (1,1 ') (U, U') comprising: a service platform (3,3 '); an identification medium (5,5 ') of the user provided with a near-field communication module, and on which are stored first identification data (DI1, DI1') of the user; - A terminal (6,6 ') adapted to communicate on a mobile telecommunications network (NW, NW') and according to claim 11 or 12. claim 11 and said service platform (3) is in accordance with claim 13. 15. System (1) according to claim 14 wherein the terminal (6) conforms to the