RU2303811C1 - Remote user authentication method and the system for realization of the method - Google Patents

Abstract

FIELD: digital data processing, namely, remote user authentication.

SUBSTANCE: in accordance to method, electronic user identification data is formed and saved in authentication server database, which data is compared to identification data of user during realization of procedure of user access to computer network of protected system and on basis of that comparison, decision is taken about degree of user authority.

EFFECT: possible passive user authentication mode without usage of hardware.

2 cl, 2 dwg

Description

The invention relates to digital data processing methods that are intended for commercial applications, in particular, to a method for remote authentication of a user who is registered in a corresponding secure system. At the same time, control and analysis of the user’s authority is performed to implement the procedure of his access to the computer network of any protected system.

Closest to the claimed solution for the technical nature and the achieved technical result is:

- The method of remote user authentication described in the remote authentication system according to patent EP 0986209, IPC 7 H04L 9/32, publ. 03/15/2000. This method consists in generating and storing electronic user credentials in the authentication server database, which are compared with the user credentials during the user access procedure to the computer network of the secure system, and based on this comparison, a decision is made about the presence or absence of authority user. In this case, the user’s biometric data is used as electronic user identification data in the form of fingerprints, palm and / or retina information, the data of which is stored in the authentication server database. In addition, typically the authentication server also controls such electronic credentials as the username and password of the user.

- Remote authentication user system according to patent EP 0986209, IPC 7 H04L 9/32, publ. 03/15/2000, contains an authentication server, an application server with which a user access terminal is connected via a secure computer network, while the authentication server contains an access controller, a database of access identifiers, an encryption processing node. The system also includes a device for obtaining biometric user data, which includes a fingerprint receiving unit, a palmprint receiving unit, and a retina information receiving unit.

The main disadvantage of this method of remote authentication of the user and the system for its implementation is that there is an active authentication mode in which there is a significant data flow from the user to the authentication server in the form of information about fingerprints, palm, retina. And this increases the vulnerability of the authentication server due to the fact that an attacker can introduce untruthful information into this stream, including some kind of computer virus.

Another disadvantage of this method and system for its implementation is the decrease in the data transfer rate from the user access terminal to the authentication server and application server due to the fact that there is an increased information flow about fingerprints, palm, retina of the user's eye.

The disadvantage of this method and system for its implementation is the need to use, as well as the high cost of special equipment in the form of hardware nodes for removing biometric information about the user, namely: the retina, fingerprints, palms and the like.

The basis of the invention is the creation of an effective method for remote authentication of a user and a system for its implementation by providing a passive user authentication mode, which thereby sharply reduces the required data flow between the user terminal and the authentication server. It will also reduce the vulnerability of the protected system against the introduction of a computer virus through a data network or other malicious activities. And also will avoid the cost of hardware nodes.

The problem is solved in that according to the method of remote user authentication, which consists in generating and storing electronic user identification data in the authentication server database, which is compared with the user identification information during the user access procedure to the computer network of the protected system and based on this comparison, a decision is made on the presence or absence of authority of the user. At the same time, as the user's electronic identification data, which are generated and stored in the authentication server database, they use the history of the usual procedure for the user to perform actions during the previous procedure for user access to the computer network of the protected system. The history of the usual procedure for performing actions by the user, which is formed and stored in the authentication server database, is analyzed according to essential features before being compared with the user’s identification data, which are taken as the most frequently repeated user actions indicating possible deviations from a certain average value or significant features, which are unchanged each time a user visits the corresponding WEB resource. And user credentials in the authentication server database are constantly updated. In addition, the types, sequence and duration of the actions performed by the user during the previous procedure for user access to the computer network of the protected system are used as the history of the usual order of user actions that is generated and stored in the authentication server database. And as user actions, the history of the usual order of execution of which is formed and stored in the authentication server database during the previous procedure for user access to the computer network of the protected system, they use the time at which the user usually visits the WEB resource, session duration, the order of opening http- pages on the WEB resource, the IP address of the user's computer. An interactive user survey is additionally performed through the authentication server.

The problem is also solved by the fact that the remote user authentication system contains an authentication server, an application server with which a user access terminal is connected via a secure computer network, while the authentication server contains an access identifier database that is configured to store identification data, an access controller, which is configured to compare user credentials stored in a database of access identifiers with ide user authentication data during the user access procedure to the computer network of the protected system. At the same time, the authentication server additionally contains a database of the history of the usual order of performing actions by the user, in which the history data of the usual order of performing actions of the user generated by the access controller is stored, while the access controller is configured with an analysis node of the history of the usual order of performing actions by the user.

Using, in accordance with the method and system for its implementation, as the user's electronic identification data, the history of the usual procedure for performing user actions, the data of which is stored in the corresponding database, during the previous implementation of the procedure for its access to the computer network of the protected system, it is possible to provide a passive user authentication mode . And this allows you to minimize the flow of data, that is, to the necessary, for example, login and password and / or other necessary data that is transmitted from the user to the authentication server. In this case, the user may not know that his credentials are thoroughly checked. All this allows not only to increase the reliability of user authorization checks, but also to reduce the vulnerability of the authentication server from false information during malicious actions, or to reduce the possibility of introducing any computer virus into this data transmission network.

Performing an analysis in accordance with the method and system for analyzing the essential features of the history of the usual procedure for performing user actions, which are generated and stored in the authentication server database, can improve authentication reliability by isolating from all the actions that the user performs, only significant which is most likely by the user.

Performing a constant update of the user's credentials in the database of the authentication server before each implementation of the user access procedure to the computer network of the protected system allows the user to dynamically update the history of the usual procedure for the user to perform actions, which also increases the reliability of checking his credentials.

Using as the history of the usual order of user actions that generate and save in the database of the authentication server, different types of user actions (operations), as well as their sequence and / or the duration of these actions, their combinations can improve the reliability of determining the authenticity of user authorization checks .

The use as the user's actions of the time at which the user usually visits the corresponding WEB resource, the duration of the user's session, the procedure for opening http-pages on this WEB resource, as well as the IP address of the user's computer and their combinations, also improves the reliability of determining the reliability user authorization checks.

Performing an additional interactive survey of the user based on rarely used signs, if there is doubt about the authenticity of checking the user’s authority according to his usual order of actions, allows the service desk to make a more informed decision about the user's access to the computer network of the protected system.

The above confirms the presence of causal relationships between the totality of the essential features of the claimed invention and the achieved technical result.

This set of essential features makes it possible, in comparison with the prototype, to provide a passive user authentication mode for the remote authentication of the user and the system for its implementation. This allows you to reduce the required flow of data from the user to the authentication server to increase the reliability of user credentials verification. It will also reduce the vulnerability of the authentication server from false information during malicious actions, or reduce the possibility of introducing a computer virus into the data transmission network. In addition, this will avoid the cost of hardware nodes to remove biometric information about the user.

According to the author, the claimed technical solution meets the criteria of the invention of "novelty" and "inventive step", because the set of essential features that characterizes the method of remote authentication of the user and the system for its implementation is new and does not follow clearly from the prior art.

The invention is illustrated in the drawing, where Fig.1 shows a structural diagram of a system that is implemented by a method of remote authentication of a user; 2 is a flowchart of an authentication process.

The remote authentication method of the user is carried out in this way.

The user, using the user's access terminal (personal computer, mobile phone, other telecommunication devices), accesses through a computer network some secure system in which he is registered as a user and has certain authority to perform operations, for example: e-commerce system, banking or a financial system, a restricted access database, or an Internet or Intranet system. Each of these secure systems has its own authentication server, which forms and stores, in addition to the necessary data in the form of a login, password, etc., also the user's electronic identification data in the form of a history of the usual order of user actions during the previous implementation of the access procedure in this secure system. When a user contacts his secure system on the Internet at the usual time for him, in which he is registered, he first performs standard, but necessary actions (procedure) for using the WEB resource, visiting http-pages on this WEB resource. The access and analysis controller of the history of the usual order of user actions in the authentication server in passive mode monitors all user actions (the order of actions), that is: the start and end times of the session when the user visits the WEB resource of the protected system; IP address of the host or access terminal of the user from which the user logged into the protected system; record the user visiting each http-page of the corresponding WEB-resource, the addresses of these http-pages; time of entry and exit from each page; duration of use and procedure for opening http pages. All these actions (the order of actions) of the user are compared with similar actions that are stored in the authentication server database in the form of a history of the usual order of actions performed by the user and, if they coincide on essential grounds, the authentication server does not restrict user access to the application server. And in the event of a significant discrepancy on these essential grounds, a ban is issued on the user’s admission to the application server, and such a ban may be issued after the first, second or after the third significant discrepancy. If necessary, after this significant discrepancy, an interactive user survey can be conducted through the authentication server for rarely used to control user attributes, which are stored in the corresponding database of the authentication server.

The data on the history of the usual order of user actions, which are stored in the authentication server database, is constantly updated every time a user accesses it.

The best version of the system, which is implemented by the method of remote authentication of the user, in accordance with Figure 1, contains a secure system 1 in which the user is registered. This secure system 1 has a user access terminal 2, which is connected through a computer network 3 and a WEB server 4 to an authentication server 5, which in turn is connected to an application server 6. The user access terminal 2 is a computer system in the form of a personal computer, which contains an information encryption processing unit 2.1. Authentication server 5 is also a computer system, which includes a controller 5.1 for access and analysis of the history of the usual order of actions performed by the user, a database of 5.2 history data of the usual order of actions performed by the user, base 5.3 of access identifiers (login and password, etc.), processing node 5.4 encryption information. Application server 6 is also a computer system that contains several applications in the form, for example, of a certain amount: WEB resource 1, 6.1 ... WEB resource N, 6.N.

The remote user authentication system works this way.

In accordance with FIG. 2, the user enters into the access terminal 2 of the user, which can be any terminal of the protected system, access identifiers, i.e. your username and password or PIN. At the same time, the user access terminal 2 through the information encryption processing unit 2.1, the computer network 3 and the WEB server 4 are connected to the authentication server 5, by sending him an authentication request and to the application server 6. Further, the user performs the usual and necessary actions for him to visit the 6 applications server WEB-pecypca he chooses, for example, the Privat-24 Internet banking system (www.privar24.ua), open the necessary http-pages on this WEB resource. Moreover, the controller 5.1 access and analysis of the history of the usual order of user actions of the authentication server 5 in the passive (one-way) mode monitors all user actions:

start and end time of the user login session in the Privat-24 system;

IP address of the host from which the user logged into this secure system;

the sequence of user visits of each http-page, the addresses of these pages is recorded; time of entry and exit from each page;

the length of time spent on each page, the execution of operations to carry out the necessary transactions by the user (currency exchange, payment for services, money transfers, etc.).

All these actions or the order of these user actions are compared with the essential features of similar previous actions, the history of the usual order of execution of which is stored in the database 5.2 of the authentication server 5. These essential features are selected and generated by the access controller 5.1 and the history analysis of the usual order of user actions. These essential features are updated in the database 5.2 of the history data of the usual order of user actions and form after each user access to the protected system. The most frequently repeated user actions with the designation of possible deviations from a certain average value or significant features that are unchanged each time the user visits the corresponding WEB resource are taken as these signs. If these compared user actions coincide, the access and analysis controller 5.1 of the usual order of user actions does not restrict the authentication server 5 (lack of restrictions) from the user access to the application server 6. And in case of significant mismatch of the analyzed data, a warning signal is first sent to the authentication server 5, and then, after three or another certain number of warnings, a ban is issued on the access of the user terminal to the application server 6.

The user access terminal 2 can also be made in the form of a workstation, mobile phone, or other similar telecommunication devices made with an encryption node.

Although shown and described as being the best for the practice of the present invention, those skilled in the art will understand that various changes and modifications can be made and elements can be replaced with equivalent ones without departing from the scope of the present invention.

The conformity of the claimed technical solution to the criteria of the invention "industrial applicability" is confirmed by the indicated examples of the remote authentication method of the user and the system for its implementation.

Claims (7)

1. The method of remote user authentication, which consists in generating and storing in the database of the authentication server electronic user identification data, which is compared with the user identification data during the user access procedure to the computer network of the protected system, and based on this comparison, a decision is made about the availability of or lack of authority of the user, characterized in that as the electronic identification data of the user, which form comfort and stored in the authentication server database, use the usual story about performing user actions in a previous implementation of user access procedures in a secure computer network system. 2. The method according to claim 1, characterized in that the history of the usual order of actions performed by the user, which is generated and stored in the authentication server database, is analyzed by comparison with the user’s identification data for essential reasons, which are taken as the most frequently repeated user actions with designation of possible deviations from a certain average value or significant features that are unchanged each time a user visits the corresponding WEB resource a. 3. The method according to any one of claims 1 and 2, characterized in that the user credentials in the authentication server database are constantly updated. 4. The method according to claim 1, characterized in that the types, sequence and duration of the actions performed by the user in the previous implementation of the user access procedure to the computer network protected are used as the history of the usual order of user actions that are generated and stored in the authentication server database system. 5. The method according to claim 4, characterized in that, as a user’s actions, the history of the usual order of execution of which is generated and stored in the authentication server database during the previous implementation of the user access procedure to the computer network of the protected system, use the time that the user usually visits WEB resource, session duration, procedure for opening http-pages on a WEB resource, IP address of a user's computer. 6. The method according to claim 3, characterized in that through the authentication server additionally perform an interactive user survey. 7. A remote user authentication system comprising an authentication server, an application server to which a user access terminal is connected via a secure computer network, wherein the authentication server contains an access identifier database that is configured to store identification data, an access controller that is configured to comparing user credentials stored in the access identifier database with user credentials When performing the procedure for user access to the computer network of a secure system, characterized in that the authentication server additionally contains a database of the history of the usual order of user actions, in which the history data generated by the access controller of the usual order of user actions is stored, while the access controller is configured with an analysis node history of the usual order of user actions.

Images