JP2003504773A - Method and system for authenticating a mobile communication device - Google Patents

Abstract

(57) Abstract In a method and system for authenticating a mobile communication device (115), a code word is generated in a computer system (101) and the code word is transmitted to the device (115). Upon receiving the code word, the device automatically generates a code message using the code word and sends the code message to a computer system. If the computer system authenticates the code message, it sends data to the device from the computer system. In a preferred embodiment, the device sends the code message using Hypertext Transfer Protocol (HTTP) or Simple Mail Transfer Program (SMTP). This is an advantage because firewalls only pass traffic using such protocols. Therefore, the security provided by the firewall is not reduced. Using such methods and systems, several different types of authenticated data transmissions can be made. For example, automatic transmission of data such as e-mail (e-mail), and easy-to-use login on a secure network such as a bank or many applications that require or desirable user authentication.

Description

Detailed Description of the Invention

TECHNICAL FIELD The present invention relates to a method and apparatus for authenticating a mobile communication device. In detail,
The present invention relates to a transmission system for transmitting data between a computer system and a mobile communication device, and a method for authenticating a mobile communication device to a computer system.

BACKGROUND OF THE INVENTION AND PRIOR ART Many data communication applications require the transmission of data between a computer system inside a firewall and a mobile customer outside the firewall. One example of such an application is when a customer or user connects to a bank to conduct a financial transaction. In such cases, it is of course important that the user be able to authenticate himself in order to secure the financial transaction system. Another example of such an application is when a company sends a message to an employee. In such cases, it is important to send the information in a secure manner to the correct address.

Therefore, it is important to provide a secure method of authenticating customers. However, it is also desirable that the authentication procedure be easy for the user to use. International patent application WO 97/08906 describes a system and host device for sending electronic mail. This device uses short text messages (SMS) to send electronic mail (email) to mobile stations.

SUMMARY An object of the present invention is to provide a method and system for authenticating a mobile telecommunication device, and to an authenticated mobile telecommunication device from a computer system or to a computer from an authenticated device. To send data to the system.

These objectives are met by methods and systems that perform the following steps: (I) generating a code word in the computer system and transmitting it to the device, (II) receiving the code word at the device, and (III) generating a code in the device based on the received code word. Generating a message in a predetermined manner, (IV) sending the code message from a device to a computer system, (V) checking the code message using the code word, (VI) the code If the computer system confirms that the message is correct, send the data from the computer system to the device.

Up to step (V), the computer system will use the information used in the authentication procedure (eg codeword and the message "You have an email").
But the device does not yet access the data in the computer system. Preferably, the computer system produces a random code word.
Preferably, when the computer system sends the code word to the device in step (I), the computer system uses the predetermined address of the device. Further, the generation of the code message in step (III) is performed by encrypting the received code word, preferably using the device's unique encryption key. If step (VI) confirms that the code message is correct, the device address for data transmission is authenticated.

In the preferred embodiment, the device is a hypertext transfer protocol (HTTP).
) Or the Simple Mail Transfer Protocol (SMTP) to send the code message. Firewalls are designed to pass traffic using such protocols. In other words, the security provided by the firewall is not reduced. Also preferably, in step (VI) the computer system sends the data to the address of the device that sent the code message. For example,
The computer system retrieves the sender address of the mobile communication device and sends the data to this address. This address may be different from the address to which the codeword was sent.

Using such methods and systems, several different types of authenticated data transmission can be made. For example, automatic transmission of data such as e-mail (email), easy login on secure networks such as banks and many other applications where authenticated transmission is required or desirable. The system and method described herein also facilitates authentication from the user's perspective. That is, there is no need to provide a one-time password generator on the customer side of the system. Because random code words are generated on the computer system side of this system.

DESCRIPTION OF THE PREFERRED EMBODIMENTS FIG. 1 shows a schematic diagram of a system for automatically sending e-mail or other data using an Internet connection. This system is a computer system 10.
1, the computer system 101 may comprise a number of different computers and other devices. The computer system 101 of FIG.
The system includes an electronic mail (Email) server 103 connected to a local area network (LAN) 107 of the system 101. The server 103 is a computer
Processes electronic mail (email) in the system 101. The computer system 101 also includes an authentication server 105. The authentication server 105 is the LAN 107
And a communication device 1 for sending a message outside the computer system 101.
08 and connect to.

The entire computer system 101 is within firewall 109, for example. The only way to send data from outside the firewall 109 to the computer system 101 is through the firewall 109. Firewall 1
09 only passes data traffic that arrives in HTTP or SMTP format. The mobile communication device 115 is outside the firewall. The firewall connects to the Internet 111, which connects to a number of Internet Service Providers (ISPs) 113. Internet services
The provider 113 provides an interface through which the mobile communication device 11
Various devices such as 5 can be connected to the Internet.

FIG. 4 is a flow chart showing various steps performed when authenticating mobile communication device 115 and initiating data transmission from computer system 101 to mobile communication device 115 within the system shown in FIG. is there. At step 401, when the first event occurs, such as an email (addressed to the user of device 115) arriving at email server 103 of computer system 101, computer system 101 authenticates to device 115. To prepare for the specified transmission. That is, computer system 101 automatically sends data (in this case, an email) for a customer that resides within the computer system and is currently outside computer system 101 (and thus outside firewall 109).

At step 403, the system 101 generates a random code word. The code word is generated by the authentication server 105. In step 405, the communication device 10
The code word generated by the authentication server 105 is sent via 8 to the device 115, for example by sending a short message service (SMS) message. The authentication server uses a predetermined address of the user (SMS number in this case). In step 407, the device 115 receives the codeword from the computer system 101. In response to this receipt, in step 409, the device automatically connects to the Internet Service Provider (ISP) 113. ISP1
Upon connecting to 13, the device 115 receives an Internet Protocol (IP) address from the ISP 113 in step 411. The device also generates a code message in step 414 based on the received code word.

When the device receives the IP address, an email server is provisioned in the device at step 413. Next, in step 415, the email is sent to the authentication server 105 of the computer system. The email from the device 115 to the authentication server 105 is
Through the firewall 109 via the ISP 113 and the Internet 111,
Further, it is transmitted via the LAN 107. The email from device 115 to authentication server 105 includes at least a code message. The code message is preferably generated by encrypting the received codeword using a unique encryption key. More specifically, the code message is generated by encrypting the code word and a part of the encryption key.

In the preferred embodiment, the email from the device to the authentication server 105 is SMTP.
Alternatively, it is transmitted using the HTTP protocol. Because the firewall 10
9 is designed to pass only such data traffic. Therefore, the firewall 109 can maintain a high level of security. The SMTP protocol is preferably used since only one socket is required to connect. At step 417, the authentication server receives the code message from the device. Then, in step 419, the code word is retrieved from the received email. Decryption is required if the codeword is encrypted. Then in step 421,
Check if the transmitted codeword matches the retrieved codeword.

If the retrieved codeword and the transmitted codeword do not match, the session ends in step 423. However, in the preferred embodiment, computer system 101 may then continue its attempts to establish an authenticated connection to device 115. If the retrieved codeword matches the codeword originally sent to device 115, the authentication server knows that it is the correct device. The authentication server then knows where to send the data (in this case an email).
At step 425, the sending server 105 copies the data from the email server and sends the email to the device 115 using the device's IP address. The data to be transmitted is preferably encrypted using the device 115's unique encryption key.

FIG. 2 illustrates another system for automatically sending email or other data using packet data transmission. The system shown in FIG. 2 is similar to the system shown in FIG. However, it uses packet data network 112 rather than ISP 113 to send data between computer system 101 and device 115. Of course, the Internet may be used for transmission between computer system 101 and packet data network 112. FIG. 5a is a flow chart showing the steps taken when authenticating a mobile communication device within the system shown in FIG. The flow chart of FIG. 5 is similar to the flow chart of FIG.
Transmission from 15 to the computer system 101 takes place via the packet data network 112.

Also in this case, since the device is already connected to the mobile network, the packet data network is used to transmit the code word when transmitting the code word.
The word can be sent to a predetermined address of the device. The code word can be included in the data packet and transmitted. FIG. 5b is a flowchart illustrating yet another method of authenticating a mobile communication device, similar to the method described above with respect to FIG. 5a. The difference between the flowchart of FIG. 5a and the flowchart of FIG. 5b is that in the former, the authentication server retrieves the code word (step 419 of FIG. 5a) and compares it with the code word, whereas in the latter, the authentication server uses the code message. Is taken (step 418 of FIG. 5b) and compared to the code message that it generated using the same code message generation algorithm as the device.

Upon receiving the code word, in step 414, the device uses the code word as input data for the code message generation algorithm to generate a code message. The system then authenticates the device at step 420 using the same code message generation algorithm as the device. At the time between receiving the code word in step 407 and sending the email in step 415, the device will proceed to step 41.
Generate a code message at 4. At the time between the generation of the code word of step 403 and the comparison of the code message of step 321, the authentication server generates the code message of step 420. FIG. 3 shows an outline of a system for automatically authenticating a device by connecting to the Internet. The system used here may be similar to the system shown in FIG. The system shown in FIG. 3 also includes a financial transaction server 104 connected to the LAN 107.

FIG. 6 is a flow chart showing the steps performed when authenticating device 115 to computer system 101 in the system shown in FIG. If the user of device 115 wishes to authenticate for some reason (eg, to conduct a financial transaction within financial transaction server 104 using a secure connection), the user authenticates an email requesting authentication from device 115 at step 400. Send to the server 105.
The e-mail including the information for identifying the user (for example, the user ID) is ISP113,
It is transmitted to the authentication server 105 via the LAN 107 via the Internet 111 and the firewall 109.

At step 402, computer system 101 receives the request. In step 403, the authentication server 105 generates a code word (specifically, a random code word) in response to this request. Next, in step 405, the system 10
1 is, for example, a short message service (SMS) via the communication device 108.
) Send the codeword to device 115 by sending a message.
The computer system sends the code word to the device 115 at a predetermined address. The computer system 101 obtains a (predetermined) address using the identification information received from the user and the stored address list. In another preferred embodiment, a random codeword is sent over the Internet to a server or the like,
This server sends the SMS to the device 115.

At step 407, the device 115 receives the code word from the computer system 101 and generates a code message. At step 415, in response to this receipt, the device automatically sends a second e-mail containing the code message to the authentication server 105 of the computer system. Device 115 to authentication server 105
The second e-mail is sent via the ISP 113, the Internet 111, the firewall 109, and the LAN 107. It should be noted that unlike the authentication procedure described with respect to Figures 1 and 4, the device 115 does not need to set up a new connection to the Internet when sending an email containing a code message. This is because the internet connection is already set up when sending the first email in step 400. However, of course, if so, the device may be reconnected to the Internet when the code word is received in step 407.

The email from the device 115 to the authentication server 105 includes at least a code message. Code message generation is preferably performed using a unique encryption key. More specifically, the code message is generated by encrypting the code word and a part of the encryption key. In the preferred embodiment, the email from device 115 to authentication server 105 is S.
Send using MTP or HTTP protocol. This is because the firewall 109 is designed to pass only such data traffic. Therefore, the firewall 109 can maintain a high level of security. Since only one socket is needed to connect, preferably SMP
T protocol is used.

At step 417, the authentication server receives the email from the device. Next, in step 419, the codeword is retrieved from the received email, for example by retrieving and decrypting the code message. Next, in step 421, it is checked whether the transmitted code word and the received code word match. If the retrieved codeword and the transmitted codeword do not match, the session ends in step 423. However, in the preferred embodiment, computer system 101 returns a message to the device telling the device user that access has been denied and the user may try to connect again if the user so desires. If the retrieved codeword matches the codeword originally sent to device 115, the authentication server knows that it is the correct device. This allows
At step 425, the customer can initiate a transaction with server 104.

Device 115 may be any type of mobile communication device capable of receiving and transmitting data. The device is therefore a mobile telephone, a computer including a wireless modem,
Or a combination thereof (eg, a handheld computer including an embedded mobile phone). In order for device 115 to operate properly, it must be loaded with a suitable program with which it can communicate using the methods described above. The functions required for the device to operate in this way can of course be implemented in hardware. Software or hardware support for this authentication method is also provided in the computer system. The system described with respect to FIGS. 3 and 6 can be used for other types of transactions besides financial transactions. Therefore, the system can be used in many applications that require rapid and secure device authentication. Examples of such applications include bookmaking transactions, ticket reservation transactions, purchases or sales of goods, and the like.

Finally, Appendix 1-12 provides a list of computer programs that implement various procedural steps in software. Appendix 1-6 provides a listing of programs that represent the procedural steps in a computer system in the C ++ language. For example, "lumpio" in Appendix 5-6 deals with encoding and decoding. Appendix 7-12 provides a list of certain procedural steps within the customer or device. For example, see “pu” in Appendix 7-8.
“Shnot” initiates a connection when it receives an SMS using the function “DoConnect”. The “client” in Appendix 11-12 uses the functions “lumpIO_fputs” and “lumpIO_fgets” for decryption and encryption, and the function “send_file” for sending mail. Using the method and system described above, several different types of authenticated data transmission can be made. For example, automatic transmission of data such as email (email), easy login on secure networks such as banks and many applications that require or desire authentication.

[0026]

[0027]

[0028]

[0029]

[0030]

[0031]

[0032]

[0033]

[0034]

[0035]

[0036]

[0037]

[0038]

[0039]

[0040]

[0041]

[0042]

[0043]

[0044]

[0045]

[0046]

[0047]

[Brief description of drawings]

The present invention will now be described in detail by way of non-limiting example with reference to the accompanying drawings.

FIG. 1 is a schematic diagram of a system for automatically sending e-mail or other data using the Internet.

FIG. 2 is a schematic diagram of a system for automatically sending email or other data using a packet data network.

[Figure 3]   1 is a schematic diagram of a system for automatically authenticating a device through an internet connection.

FIG. 4 is a flow chart showing steps performed when authenticating a mobile communication device and starting data transmission in the system shown in FIG. 1.

5a is a flow chart showing the steps performed when authenticating a mobile communication device and initiating data transmission in the system shown in FIG. 2. FIG.

5b is a flow chart showing the steps performed when authenticating a mobile communication device and initiating data transmission in the system shown in FIG.

FIG. 6 is a flow chart showing steps performed when authenticating a mobile communication device in the system shown in FIG. 3.

─────────────────────────────────────────────────── ─── Continued front page    (81) Designated countries EP (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, I T, LU, MC, NL, PT, SE), OA (BF, BJ , CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG), AP (GH, GM, K E, LS, MW, MZ, SD, SL, SZ, TZ, UG , ZW), EA (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, BZ, C A, CH, CN, CR, CU, CZ, DE, DK, DM , DZ, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, K E, KG, KP, KR, KZ, LC, LK, LR, LS , LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, PL, PT, RO, R U, SD, SE, SG, SI, SK, SL, TJ, TM , TR, TT, TZ, UA, UG, UZ, VN, YU, ZA, ZW F-term (reference) 5B085 AE04 AE09                 5J104 AA07 KA02 PA01 PA07                 5K067 AA32 BB04 BB21 CC04 CC08                       DD17 DD53 EE02 EE10 EE16                       HH22 HH23 HH36 [Continued summary] Use on a secure network such as applications For example, Sui login.

Claims (22)

[Claims] 1. A method of authenticating a mobile device for transmitting data to the mobile device from a computer system comprising at least one computer, comprising: (I) a code word to be transmitted to the device. Generating in the system and transmitting the code word to a predetermined address of the mobile device, (II) receiving the code word at the device, (III) based on the received code word And (IV) sending the code message from the device to the computer system, (V) checking the code message using the code word, VI) Pre-data if the computer system confirms that the code message is correct. A method of authenticating a mobile device, the method comprising: transmitting from a computer system to the device. 2. The step (III) comprises the step of encrypting the received codeword with a unique encryption key.
A method of authenticating a mobile device as described. 3. A method for authenticating a mobile device as claimed in any of claims 1-2, characterized in that it comprises the step of initiating authentication from the mobile device by sending an authentication request to the computer system. 4. A method of authenticating a mobile device as claimed in any of claims 1-2, characterized by initiating authentication from the computer system to send data such as email to the mobile device. . 5. The method of claim 4, wherein steps (I)-(VI) are performed automatically. 6. The step (IV) sends the code message with a sender address, retrieves the sender address for steps (V) and (VI), and sends the data to this address in step (VI). Method for authenticating a mobile device according to any of the claims 1-5, characterized by transmitting. 7. A hypertext transfer protocol (HTTP) or a simple mail transfer protocol (S) for sending the code message of step (IV).
Method for authenticating a mobile device according to any of claims 1-6, characterized in that it uses MTP). 8. A method for authenticating a mobile device according to any of claims 1-7, characterized in that in step (I) a random code word is generated. 9. A system comprising a mobile communication device and a computer system comprising at least one computer for authenticating the mobile device for transmitting data from the computer system to the mobile device. Means for generating a code word and transmitting the code word to a predetermined address of the device; means for checking a code message using the code word; Means for sending data from the computer system to the device if the computer system confirms that the code message is correct; the mobile device; means for receiving the code word; A predetermined code message based on the received code word Means for generating by method; means for transmitting the code message to the computer system;
A system for authenticating a mobile device, comprising: 10. The means for generating the code message comprises means for encrypting the code word with a unique encryption key.
A system for authenticating a mobile device according to claim 9. 11. A system for authenticating a mobile device according to any of claims 9-10, characterized in that the device comprises means for initiating the authentication procedure. 12. The computer system according to claim 9, further comprising means for automatically starting an authentication procedure when the computer system receives data to be transmitted to the device. A system for authenticating a mobile device according to any one of 1. 13. The means for sending the code message to the computer system is Hypertext Transfer Protocol (HTTP) or Simple.
13. A mail transfer protocol (SMTP) is used, according to claim 9-12.
A system for authenticating a mobile device according to any one of 1. 14. A system for authenticating a mobile device according to any of claims 9-13, characterized in that said computer system comprises means for randomly generating said code word. 15. A computer system, means for generating a code word and transmitting the code word to a predetermined address of the device; and means for checking a code message using the code word. And the code
A system for authenticating a mobile device for transmitting data from a computer system, the means comprising transmitting data to the device if the computer system confirms that the message is correct. A means for receiving the code word; a means for generating a code message in a predetermined method based on the received code word; a means for transmitting the code message to the computer system; Means and
A mobile communication device. 16. A mobile communication device comprising: means for receiving a code word; means for generating a code message in a predetermined manner based on the received code word; and the code message as described above. A system for authenticating a mobile communication device for transmitting data from a computer system including the mobile communication device, comprising: means for transmitting to the computer system, the system comprising at least one computer. Means for generating the code word and transmitting the code word to a predetermined address of the device; means for checking a code message using the code word; If the computer system confirms that it is correct, the data is The computer system according to claim, and means for transmitting to the device from the computer system. 17. A computer program product for authenticating a mobile device, comprising the steps of: (I) receiving a code word and at least temporarily storing the code word; II) generating a code message in a predetermined manner based on the code word, and (III) transmitting the code message from the mobile device to a computer system and transmitting data from the computer system. A computer program product comprising computer readable code for causing a mobile communication device to perform a step of authenticating to a mobile communication device. 18. A computer program product for authenticating a mobile device comprising the steps of: (I) generating a code word; (II) said code to a predetermined address of the mobile device. Start sending the word,
(III) receiving a code message, (IV) checking the code message using the code word,
(V) A computer program product comprising computer readable code for causing a computer system to perform the steps of: transmitting data to the mobile device if the code message is confirmed to be correct. 19. A computer readable code for driving said computer to retrieve the sender address of said code message received in step (III) and initiate data transmission to this address in step (V). 19. A computer program product according to claim 18, characterized in that it comprises: 20. Computer according to any of claims 18-20, characterized in that it comprises computer readable code for driving the computer to generate a random code word in step (I). -Program product. 21. A computer program, stored on a data carrier, for carrying out the steps carried out in a computer system in accordance with the method of any of claims 1, 4, 5, 6 or 8. A computer program capable of. 22. A computer program, which is stored on a data carrier and is capable of performing the steps carried out in the device according to the method of claim 1.