GB2501069A - Authentication using coded images to derive an encrypted passcode - Google Patents

Info

Publication number
GB2501069A
Authority
GB
United Kingdom
Prior art keywords
authentication
application
passcode
server
smartphone
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB201206036A
Other versions
GB201206036D0 (en
Inventor
Rob Macgregor
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
PIREAN SOFTWARE LLP
Original Assignee
PIREAN SOFTWARE LLP
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by PIREAN SOFTWARE LLP
Priority to GB201206036A
Publication of GB201206036D0
Publication of GB2501069A
Current legal status: Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35 User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/36 User authentication by graphic or iconic representation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/42 User authentication using separate channels for security data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • User Interface Of Digital Computer (AREA)
  • Telephone Function (AREA)

Abstract

A method for authentication or step-up authentication as part of a login process for a graphical or web-based application comprises a server component and a smartphone application ("app"). The server component generates a random challenge (1) which is displayed in a graphical form to the end user, encoded in a quick response code image. A compatible smartphone which has the smartphone application installed is used to scan the quick response code (2). The smartphone application generates a passcode (3) from the challenge using a unique key, which the user inputs into the form (4). At the same time, the server carries out the same passcode generation using the unique key, and compares the result to the input received from the user (5). A positive comparison results in successful authentication. The method is intended to minimise the impact of keylogging or man-in-the-middle attacks.

Description

QRyptoLogin
This invention relates to a method for authentication or step-up authentication to log in to a web-based or other graphical application using a QR code and a smartphone.
When a computer user wants to log in to a web-based application, in the majority of cases this requires a username and password, with no external methods for authentication.
However, the conventional method of logging in with a username and password leads to a number of security issues. If someone is looking over the user's shoulder, or recording from CCTV, while the user is logging in, the username and password are compromised.
Furthermore, with the increasing amount of malware and viruses, there are programs which record a computer user's keystrokes without the user's knowledge. This undermines secure HTTPS sites, whose encryption of data gives the computer user the false impression that what they type is encrypted and secure.
To overcome these issues, the present invention proposes an authentication system in which a server issues a random challenge in the form of a string of 32 random characters. This challenge is encoded in a Quick Response (QR) code image displayed on a web page or other graphical interface.
The client is a smartphone application which contains a key unique to the user and shared with the server. On scanning the QR code, the challenge is encrypted using the unique key and a mathematical digest is calculated, resulting in a 4-8 digit passcode which the user enters in the web page or graphical interface. On entering the generated passcode, the server performs a similar mathematical digest to check that the results match and, if matched, the authentication process is deemed successful.
The unique 128-bit key is set on the smartphone during initial registration. The key is progressed each time the application is used, as follows: the current key is combined with the just-processed challenge to generate the next key in the sequence. In this way, even if the same challenge is issued, the resulting passcode will be different.
The smartphone application is provided in versions for iPhone, Android and BlackBerry, but the algorithm is portable to any device with a camera and suitable processing capability.
The server application is written in Java and can reside on any platform that is able to support a J2EE-compliant server.
The invention is described with reference to the accompanying drawing in Figure 1, which shows an overview of the authentication process.
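
The passcode derivation, key progression and server-side check described above, as an added Go example that is not the applicant's code (the page's server is Java; Go is used here because its standard library includes AES). The page does not specify the AES mode, the digest, the reduction to digits or how key and challenge are combined, so AES-128-CBC with a zero IV, SHA-256, a modulo reduction and a truncated SHA-256 are assumptions, as are the names `Passcode`, `NextKey` and `Server` and the constructed key and challenge.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Passcode encrypts the challenge under the shared key, digests it, and keeps 4-8 decimal digits (all choices assumed).
func Passcode(key []byte, challenge string, digits int) (string, error) {
	if len(key) != 16 || len(challenge) != 32 || digits < 4 || digits > 8 {
		return "", fmt.Errorf("need 128-bit key, 32-char challenge, 4-8 digits")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	ct := make([]byte, len(challenge))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, []byte(challenge))
	sum := sha256.Sum256(ct) // the ciphertext never leaves the device; only digits of its digest do
	pow10 := [...]uint64{1e4, 1e5, 1e6, 1e7, 1e8}
	return fmt.Sprintf("%0*d", digits, binary.BigEndian.Uint64(sum[:8])%pow10[digits-4]), nil
}

// NextKey combines the current key with the just-processed challenge (assumed: SHA-256 truncated to 128 bits).
func NextKey(key []byte, challenge string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, key...), challenge...))
	return sum[:16]
}

// Server holds one user's shared key, the passcode length, and the single outstanding challenge.
type Server struct {
	Key       []byte
	Digits    int
	Challenge string
}

// Verify spends the challenge on every attempt, compares in constant time, and advances the key only on success.
func (s *Server) Verify(input string) bool {
	c := s.Challenge
	s.Challenge = "" // single use: a replayed or guessed passcode gets one try per challenge
	want, err := Passcode(s.Key, c, s.Digits)
	if err != nil || subtle.ConstantTimeCompare([]byte(want), []byte(input)) != 1 {
		return false
	}
	s.Key = NextKey(s.Key, c)
	return true
}

func main() {
	key, ch := []byte("constructed-key!"), "0123456789abcdefghijklmnopqrstuv" // constructed demo values
	srv := &Server{Key: key, Digits: 6, Challenge: ch}
	code, _ := Passcode(key, ch, 6) // phone side, computed with no network access
	fmt.Println(code, srv.Verify(code), srv.Verify(code)) // second Verify fails: challenge already spent
}
```

If the phone advances its key for a challenge whose passcode is never submitted, the phone and server key sequences diverge, so a deployment needs a resynchronisation rule that the page does not describe.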

Claims (5)

  1. An authentication application system which generates a unique shared key for a user when first registering to use the smartphone application that is only shared with the server application.
  2. An authentication application system which, according to claim 1, issues a random challenge in the form of a string of 32 to encode the challenge in a Quick Response (QR) code image displayed by the application server on a web page or other graphical interface; the image also includes the required length of the passcode.
  3. An authentication application system according to claim 2, in which the smartphone application that contains a unique shared key scans the QR code and the mathematical algorithm in the smartphone application encrypts the key using the AES cipher and then performs a hashing function to generate a passcode of the required length; this is entered in the server application in the web page or graphical interface.
  4. An authentication application system according to claim 3, in which the smartphone application does not need to communicate with any network or server to successfully perform the passcode generation process.
  5. An authentication application system according to claim 4, in which the identical encryption and hashing function is performed by the server application and compared to the entered passcode to identify and verify the user and, if confirmed, the user is successfully authenticated.

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB201206036A GB2501069A (en) 2012-04-04 2012-04-04 Authentication using coded images to derive an encrypted passcode

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB201206036A GB2501069A (en) 2012-04-04 2012-04-04 Authentication using coded images to derive an encrypted passcode

Publications (2)

Publication Number Publication Date
GB201206036D0 GB201206036D0 (en) 2012-05-16
GB2501069A true GB2501069A (en) 2013-10-16

Family

ID=46160324

Family Applications (1)

Application Number Title Priority Date Filing Date
GB201206036A Withdrawn GB2501069A (en) 2012-04-04 2012-04-04 Authentication using coded images to derive an encrypted passcode

Country Status (1)

Country Link
GB (1) GB2501069A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2509045A (en) * 2012-07-26 2014-06-25 Highgate Labs Ltd Generating a device identifier by receiving a token from a server, signing a request including the token with a private key and verifying the request
CN104618401A (en) * 2015-03-10 2015-05-13 四川省宁潮科技有限公司 Real-name system-based wifi one-key logging method
US9990489B2 (en) 2014-02-21 2018-06-05 Liveensure, Inc. System and method for peer to peer mobile contextual authentication
CN108667813A (en) * 2018-04-18 2018-10-16 珠海横琴盛达兆业科技投资有限公司 Net system method in a kind of login based on small routine
CN108694429A (en) * 2018-05-11 2018-10-23 张玉 A kind of generation method of Quick Response Code and recognition methods
US10251057B2 (en) 2016-08-29 2019-04-02 International Business Machines Corporation Authentication for device connection using visible patterns
GB2597675A (en) * 2020-07-29 2022-02-09 Canon Europa Nv Mobile app login and device registration

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009056897A1 (en) * 2007-10-30 2009-05-07 Telecom Italia S.P.A Method of authentication of users in data processing systems
US7578436B1 (en) * 2004-11-08 2009-08-25 Pisafe, Inc. Method and apparatus for providing secure document distribution

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2509045A (en) * 2012-07-26 2014-06-25 Highgate Labs Ltd Generating a device identifier by receiving a token from a server, signing a request including the token with a private key and verifying the request
US9990489B2 (en) 2014-02-21 2018-06-05 Liveensure, Inc. System and method for peer to peer mobile contextual authentication
CN104618401A (en) * 2015-03-10 2015-05-13 四川省宁潮科技有限公司 Real-name system-based wifi one-key logging method
US10251057B2 (en) 2016-08-29 2019-04-02 International Business Machines Corporation Authentication for device connection using visible patterns
CN108667813A (en) * 2018-04-18 2018-10-16 珠海横琴盛达兆业科技投资有限公司 Net system method in a kind of login based on small routine
CN108694429A (en) * 2018-05-11 2018-10-23 张玉 A kind of generation method of Quick Response Code and recognition methods
CN108694429B (en) * 2018-05-11 2021-03-02 张玉 Two-dimensional code generation method and identification method
GB2597675A (en) * 2020-07-29 2022-02-09 Canon Europa Nv Mobile app login and device registration
GB2597675B (en) * 2020-07-29 2022-10-05 Canon Europa Nv Mobile app login and device registration

Also Published As

Publication number Publication date
GB201206036D0 (en) 2012-05-16

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)