RU2754240C1 - Method and system for confirming transactions using a randomly generated graphical key - Google Patents

Abstract

FIELD: electronic transactions.SUBSTANCE: invention relates to a method and system for confirming transactions using a randomly generated graphical key. In the method, a unique symmetric key is obtained on at least one user device and the server; a user request for an online transaction is generated; the received request is processed on the server, while during this processing, a transaction confirmation session is created on at least one user device; an initiating message is generated on the server; transmit the said initiating message during the said transaction confirmation session to the user’s device; in response to the received initiating message, a one-time symmetric key is generated on the user’s device and the server based on the said symmetric unique key; a random graphic key is generated on the user’s device and the server in the form of a graphic image based on the generated one-time symmetric key; user input of the generated graphic key is recognized in the transaction confirmation session; a comparison is performed on the server of the entered graphic key on the user’s device with the key formed on the basis of a one-time key; and transaction confirmation based on the results of the comparison of graphic keys is performed.EFFECT: increased security of transactions.20 cl, 13 dwg

Description

FIELD OF TECHNOLOGY

This decision relates to the field of computer data processing, in particular to information security methods for confirming transactions carried out on the Internet.

LEVEL OF TECHNOLOGY

A widely known solution for confirming online transactions on the Internet is a method of obtaining randomly generated one-time codes or passwords (English OTP - One Time Password // https://en.wikipedia.org/wiki/One-time_passvord). Such codes, as a rule, are transmitted to the user device used to confirm the transaction, for example, when buying goods online, and are used in two-factor authentication technology when making online payments using the 3D-Secure protocol (https: // en.wikipedia.org / wiki / 3-D_Secure).

The main disadvantage of this approach is their low resistance to phishing and social engineering approaches, in cases where the code can be intercepted or dictated by the user, for subsequent input by cybercriminals.

The existing prior art proposes a number of solutions in which it is proposed to move away from the standard digital sequence OTP and replace them with graphical representations, for example, use an image as an additional factor, which is assigned by the user as the second authentication factor and is associated with his login. Such a solution is described in the application US 20200167622 A1 (Mastercard International Inc, May 28, 2020).

Another approach described in US patent 10,778,450 B1 (Wells Fargo Bank NA, 09/15/2020) is to use gestures, each of which is assigned a unique sequence of characters, for the subsequent use of the gesture as a second authentication factor.

Another approach, presented in the application US 20140223190 A1 (SoftLayer Technologies Inc, 08/07/2014), is to generate a code for entering a web resource, while the code is generated on the basis of a random sequence of numbers associated with the positions of their representation with the user's PIN-code.

The closest in concept to the claimed solution is the method described in the application US 20080098464 A1 (Authernative Inc, 04.24.2008). In the known method, a random code is generated for authorizing a user, which is generated based on the field in which the rows and columns contain numbering, which is used to highlight the transaction confirmation cells based on the numbers of the generated one-time password, which must subsequently be specified by the user.

The solutions known from the prior art have a common drawback in that they do not offer the principle of generating a completely graphical random key, which is generated on the user's device and entered by him in various ways to confirm the session of an online transaction, which makes it possible to exclude the possibility of its interception or message by the user to hackers. since the fixation of the code entry process is a factor in the confirmation of the transaction.

SUMMARY OF THE INVENTION

The claimed invention is aimed at solving a technical problem, which consists in creating an effective method for the secure execution of online transactions.

The technical result is to increase the security of online transactions confirmation by generating a random graphic key based on one-time passwords generated in the transaction confirmation session.

The claimed technical result is achieved by a method of confirming transactions using a randomly generated graphic key, containing the stages at which:

get a unique key on at least one device of the user and the server;

form a user request for an online transaction;

process the received request on the server, during which a transaction confirmation session is created on at least one user device;

generating an initiating message on the server;

transmitting said initiating message during said transaction confirmation session to the user's device;

in response to the received trigger message, generating a one-time key on the user's device and on the server based on said unique key;

generating on the user's device and the server a random graphic key in the form of a graphic image based on the generated one-time key;

recognize user input of the generated graphic key in the transaction confirmation session;

the server compares the entered graphic key on the user's device with the key generated on the basis of the one-time key; and

confirm the transaction based on the comparison of the pattern keys.

In one of the particular embodiments of the method, the pattern is generated from a character sequence of a unique key.

In another particular embodiment of the method, the unique key is transmitted by quantum key distribution.

In another particular embodiment of the method, the unique key is transmitted by a post-quantum key distribution algorithm.

In another particular embodiment of the method, the trigger message is transmitted to the user's device via SMS or Push notification.

In another particular embodiment of the method, the graphic code is a two-dimensional, three-dimensional, or pseudo-three-dimensional image.

In another particular embodiment of the method, the graphic code is entered by gesture input in the transaction confirmation session.

In another particular embodiment of the method, the graphic code is entered by the trajectory of the finger movement on the touch screen.

In another particular embodiment of the method, the graphic code is entered using the movement of the pointer in the web form.

In another particular embodiment of the method, the transaction confirmation session is a 3D Secure session.

In another particular embodiment of the method, the graphical code is entered by capturing it and moving it to the session confirmation area.

In another particular embodiment of the method, the three-dimensional or pseudo-three-dimensional image is made with the possibility of its rotation in the graphical user interface.

The claimed technical result is also achieved through a transaction confirmation system using a randomly generated graphic key, which contains

at least one user device configured to obtain a unique key;

generating a request for an online transaction;

sending the generated request to the payment system server;

a server configured to obtain a unique key symmetric with the key received by the user's device;

receiving a request to confirm an online transaction;

formation of an online transaction confirmation session;

moreover

when processing the received request, a transaction confirmation session is created on the server on the corresponding user device, during which an initiating message is generated on the server to confirm the transaction;

transmitting said initiating message during said transaction confirmation session to the user's device;

in response to the received triggering message by the user's device, generating a one-time key on the user's device and the server based on said unique key;

generating on the user's device and the server a random graphic key in the form of a graphic image based on the said one-time key;

recognize user input of the generated graphic key in the transaction confirmation session;

the server compares the graphic key entered on the user's device with the graphic key generated on the basis of the one-time key; and

confirm the transaction based on the comparison of the pattern keys.

In one of the particular examples of the implementation of the system, the graphic key is formed from the digital sequence of a one-time key through the formation of pixel coordinates.

In another particular example of the system implementation, a unique key is transmitted by means of a quantum key distribution or a post-quantum key distribution algorithm.

In another particular example of the system implementation, the initiating message is transmitted to the user's device via SMS or Push notification.

In another particular example of the implementation of the system, the graphic code is a two-dimensional, three-dimensional, or pseudo-three-dimensional image.

In another particular example of the implementation of the system, the graphic code is entered by gesture input into the transaction confirmation session, by moving the pointer in the web form, or by grabbing it and moving it to the session confirmation area.

In another particular example of the system implementation, the transaction confirmation session is a 3D Secure session.

In another particular example of the implementation of the system, the three-dimensional or pseudo-three-dimensional image is made with the possibility of its rotation in the graphical user interface.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 illustrates an example of a device interaction system in the claimed solution.

FIG. 2 illustrates a flowchart of the method.

FIG. 3A illustrates the graphical interface of a user device when initiating a transaction on the network.

FIG. 3B - 3G illustrate examples of generating and using a pattern in the graphical user interface.

FIG. 4A illustrates an example of generating pattern keys based on portions of a unique key.

FIG. 4B 4C illustrate examples of forming a graphic key in conjunction with a one-time password.

FIG. 5 illustrates a schematic diagram of a computing device.

CARRYING OUT THE INVENTION

FIG. 1 shows an example of the architecture of a general system (100) containing a number of devices necessary to implement the claimed solution. The system (100) includes a device (110) for generating a unique symmetric key K1, which is transmitted via a data network (150) to a user device (120) and a server (130) providing transaction confirmation. The user device (120) can be any computing device that provides the execution of a transaction request on the Internet and the ability to confirm it using a graphical user interface (GUI). Such devices can be, for example, a smartphone, tablet, smart wearable device (smart watch), personal computer (PC), laptop, game console, smart TV (smart TV), etc. Obviously, taking into account the development of the current state of the art and known approaches, a device (120) can be understood as a bundle of several computing devices, for example, a smartphone and a PC, that provide receiving, processing and displaying data necessary to implement functions within the framework of the claimed solution.

The server (130) is a computing device or server cluster that provides the necessary communication protocols and the execution of computational operations necessary to confirm transactions initiated by the user device (120). The server (130) may be associated with the payment system or be a payment server (or part of it) associated with the banking system processing payment information from the user device (120). The server (130) can be directly part of the banking infrastructure, or it can be a virtual server for the implementation of the functionality for the implementation and conduct of transactions.

The data transmission network (150) is any suitable type of information exchange network organized by one or more known data exchange protocols, for example, the network (150) can be WAN, LAN, WLAN, PAN, Internet information network, Intranet, etc.

The unique key K1 generated by the device (110) is a cryptographic symmetric key and is transmitted simultaneously to the system participants (100) participating in the transaction confirmation process, in particular, the device (120) and the server part (130). The generation and transmission of the K1 key can be carried out using existing certified methods, using quantum key distribution (QKD) by directly connecting the device to a key generation device (software), or a post-quantum key distribution algorithm.

FIG. 2 is a flowchart of a method (200) for confirming transactions using a randomly generated graphic key. In the first step (201), a unique key K1 is generated by the device (110), which is subsequently transmitted in step (202) over the network (150) to the user's device (120) and the server (130) associated with the system for confirming transactions available to the user. devices (120). Available transaction confirmation systems can be selected based on the issuer of the user's bank cards, or the protocol for confirming transactions on the Internet, for example, 3D-Secure.

To link the key K1 on the side of the user device (120) and the server (130), standard methods known from the prior art are used, for example, the formation of a link table on the server side with binding by the user card number, device identifier (MAC address), user login, biometric information, etc. The user can be pre-registered in the application installed on the device (120) designed to generate graphic keys and use them in a transaction confirmation session on the Internet.

At step (203), the user, using the device (120), initiates a transaction on the web resource, for example, as shown in FIG. 3A. The user, through the GUI (300) displayed on the screen of the device (120), performs standard actions for selecting a product on an online resource (website or application), selects the type of payment, for example, online payment using a bank card, Google Pay, Samsung Pay , Apple Pay and any other payment method using a bank card or its digital token. Transaction confirmation is activated by interaction with the GUI item (301).

After the user interacts with the element (301), a transaction confirmation session is activated at step (204), during which a channel is formed for exchanging messages in the part of the transaction authentication between the user device (120) and the server (130). Session activation should be understood, in particular, the transmission of a request containing the purchase amount, merchant data and a user ID associated with the payment system for transferring funds to the merchant. Also, other additional information can be used.

When the transaction confirmation session is activated at step (204), the server (130) generates and transmits a random initiating message (310) to the user's device (120), which is transmitted via the selected data transmission channel (for example, SMS, PUSH notifications, e-mail, application to display the code, etc.).

Upon receipt of the initiating message (310) by the user device (120) during the activated session on the server (130) and directly on the device (120) at step (205), a symmetric one-time key or password (310) is generated. The one-time key (3101) shown in FIG. 4B can be a numeric, alphabetic, symbolic sequence, or combinations thereof. The key (3101) is generated based on the unique key K1, which was previously transmitted to the devices (120, 130) participating in the transaction confirmation session. Key generation (3101) can be carried out by using a pseudo-random function (a function that varies greatly when one bit at the input changes and has a uniform distribution of results), using the initiating message as input and the key K1 or its part selected in accordance with the initiating message.

Also, a time window can be activated on the server (130) to confirm the transaction and authenticate the user. The time range for user authentication of the transaction may be displayed on the interface (300) of the user device (120).

FIG. 3B shows an example of the execution of step (206), which generates a graphic key (3031) based on the generated one-time key (3101). Through the corresponding part, for example, the window (302) of the graphical interface (300), the user of the device (120) can be informed about the activation of the process of generating the graphical key (3031), which is subsequently displayed in a special area or window (303) of the interface (300).

The formation of the graphic key (3031) occurs simultaneously on the user's device (120) and the server (130) during an activated authentication session, which will subsequently make it possible to compare the key entered by the user of the device (120) and the display of the key generated on the server (130) in during the transaction confirmation session. As shown in FIG. 3B, the generated graphic key (3031) is to be reproduced by the user of the device (120) at step (207) in the corresponding confirmation area (304) displayed in the interface (300). It should be noted that it should be obvious to a person skilled in the art that the term "reproduce", within the framework of the use of graphical interfaces, has a broad interpretation based on the capabilities of devices and software implemented by them, in particular, providing interaction using gesture playback, movement interface elements by means of their drag-n-drop, drawing using a touch screen using a finger, a stylus, drawing with a cursor in a web form, etc.

As shown in this example, the pattern (3031) represents several geometrically primitives, for example, round elements, which are generated in a random order, but with a predetermined sequence of their connection via the interface (300) in the corresponding field (304). The sequence of connecting the key elements (3031) is shown as an example by arrows of the direction of their connection in the field (3031). The server (130) also generates a similar key with a given sequence of its generation.

In the example of FIG. 3B, the field (304) displays similar geometric shapes of the key (3031), which the user must reproduce in a predetermined sequence, forming a response image (3041) of the graphic key. It should be noted that the presented example with round elements forming the key (3031) is only a particular example, not limiting the use of any other geometric shapes (circle, ellipse, square, triangle, etc.) or graphic elements.

As mentioned above, the input of the image (3041) of the pattern (3031) in the field (304) can be performed by one of a variety of available means, for example, by direct contact with the touch screen, as shown in FIG. 3B, in which the user connects graphic portions of an image (3041) with lines or with an input device such as a touch pen or mouse when the device (120) does not include a touch display. In the example shown in FIG. 3B, the circular graphic elements of the key (3031) can be fixed in the interface area (304), allowing them to be used as reference points and connected by touching and swiping across the screen of the device (120), which facilitates the creation of an image and does not reduce the overall efficiency of the proposed method ( 200).

In the process of connecting picture elements (3041), a possible error in the repetition of the connections of the key (3031), which may occur when the user interacts with the touch screen, is also taken into account. The straight line example shown is not intended to be exhaustive and may use any shape of connecting line, such as arcuate, wavy, angular, zigzag, and the like.

FIG. 3D shows an example of reproducing the image (3041) of the graphic key (3031) on an external device (121), for example, a PC, which is connected by a data transmission channel, for example, a direct connection via cable or via the Internet, Wi-Fi, etc. In this case, the device (120) acts as a means for generating and displaying a key (3031), and the input is performed directly on the device (121) by displaying a corresponding area or field (304) thereon to form an image (3041). Image input (3041) into the specified area can also be carried out using the available input means of the device (121), for example, by means of a touch screen or a web form cursor using an appropriate input means (mouse, trackball, touchpad, etc.).

FIG. 3D - 3D shows an alternative example of reproduction and subsequent use for authentication of a pattern (3031). In this example, which is similar in its functional part to the example shown in FIG. 3B - 3D, the absence of a given pattern of connections of the key element (3031) during its formation is revealed. The graphic key (3031) is randomly generated in the area (303) in the form of an integral graphic figure of a random shape, which the user of the device (120) transfers using the capture in the graphic interface (300) to the area (304). The capture of the key (3031) can be carried out in any suitable way, allowing it to be implemented on the corresponding device (120), for example, using a touch screen or a cursor using the input means mentioned above.

The implementation of the example with the external device (121) in FIG. 3G in this case is provided by means of technologies that make it possible to form a single workspace for file exchange between devices (120, 121), for example, a smartphone (120) and a PC (121). Such technologies can be an application for displaying the interface (300) of the device (120) in the interface of the device (121), for example, the MirrorLink application, Samsung Dex, MirrorCast, AirDrop, using the deployment of a virtual machine, etc. Any suitable method can be used to exchange files from the device interface (120) to the device interface (121).

After the image (3041) has been entered into the field (304) by any of the above methods, at step (208), the image (3041) is mapped to the graphic key (3031) on the server side (130). In the case of a successful check, in particular, the coincidence of the sequence and trajectories of the elements, or the general image of the image (3041), the authentication of the user of the device (120) is considered passed, and the transaction at step (209) is executed. Otherwise, if the sequence of connections of the key (3031) does not match, or the overall graphical execution of the image (3041) does not correspond to the key (3031), including partially taking into account the graphical reproduction error, then the transaction is rejected at step (210). The user of the device (120) is notified by generating a corresponding message in the interface (300) about the status of the transaction confirmation.

FIG. 4A shows an example of generating various pattern keys (3031) based on the unique key K1. Key generation (3031) can take various graphical representations, for example, generated based on machine learning algorithms. An example of such an approach is the Text2img neural network algorithm (DeepAi // https://deepai.org/machine-learning-model/text2img). however, other approaches can be used to convert a character sequence to a graphical representation.

FIG. 4B shows an example of generating a pattern (3031) based on the elements of the unique key K1, which are selected using a one-time key (3101). The graphic keys (3031) are formed from the elements of the sequence of characters that make up the unique key K1. Key elements K1 corresponding to characters from the one-time key (3101) can be one or more characters. The symbolic sequence of the key K1 can fit into the window (303) for generating a graphic key (3031) for the corresponding generation of key elements (3031), for example, circular areas connected to form a final image (3041) for confirming the transaction. The placement of the symbols of the K1 key sequence or a part of the sequence sufficient to form the key graphic image (3031) can be attached to the pixel grid of the area interface (303), which makes it possible to form coordinates at each point and bind the corresponding graphic parts to them that form the final representation of the key ( 3031).

FIG. 4B shows an example of creating a pattern key (3031) without binding to anchor points, which can be used to directly reproduce the key by hand, for example, using gesture input in area (304). The key generation principle is similar to the example in FIG. 4B with the difference that the points at which a random graphic image is created for its subsequent repetition in the transaction confirmation session are determined. The reproduction of the image (3041) is performed in the field (304) using the input means supported by the device (120).

The graphic key (3031) can also be a 3D or pseudo-3D image that can be rotated using manipulations in the interface (300). In this example, the user does not need to directly reproduce the key (3041) itself, for example, drawing it or connecting the elements of the key (3031), but, in particular, needs to rotate the generated image (3031) to the desired angle or move the image in the area (3041), in such a way that it coincides with the presented example and from a given angle in area (303). This approach can use the technologies disclosed in US patent 9064104 B2 (BlackBerry Ltd, 06/23/2015). The window (303) can form a background containing a two-dimensional and / or three-dimensional image, relative to which a graphic key (3031) is displayed with the desired type of its placement for confirming the transaction. The user in the window (304) must repeat this input by placing the image (3041) in the same way.

FIG. 5 shows a general example of a computing device (400), for example, a computer, server, laptop, smartphone, etc., which can be used to fully or partially implement the claimed method (200). In the general case, the device (400) contains components such as: one or more processors (401), at least one random access memory (402), persistent data storage (403), input / output interfaces (404), I / In (405), networking tools (406). The processor (401) of the device performs the basic computational operations necessary for the operation of the device (400) or the functionality of one or more of its components. The processor (401) executes the necessary computer readable instructions contained in the main memory (402).

Memory (402), as a rule, is made in the form of RAM and contains the necessary program logic that provides the required functionality. The data storage medium (403) can be performed in the form of HDD, SSD disks, raid array, network storage, flash memory, optical information storage devices (CD, DVD, MD, Blue-Ray disks), etc. The tool (403) allows perform long-term storage of various types of information, for example, the history of processing requests (logs), user IDs, camera data, images, etc.

Interfaces (404) are standard means for connecting and working with computing devices. Interfaces (404) can represent, for example, USB, RS232, RJ45, LPT, COM, HDMI, PS / 2, Lightning, Fire Wire, etc. The choice of interfaces (404) depends on the specific implementation of the device (400), which can be a personal computer, mainframe, server cluster, thin client, smartphone, laptop, etc., as well as connected third-party devices.

As means of I / O data (405) can be used: keyboard, joystick, display (touch screen), projector, touchpad, mouse, trackball, light pen, speakers, microphone, etc.

Networking means (406) are selected from a device that provides network reception and transmission of data, for example, Ethernet card, WLAN / Wi-Fi module, Bluetooth module, BLE module, NFC module, IrDa, RFID module, GSM modem, etc. The tool (406) provides the organization of data exchange via a wired or wireless data transmission channel, for example, WAN, PAN, LAN, Intranet, Internet, WLAN, WMAN or GSM, quantum data transmission channel, satellite communications, etc. ... The components of the device (400) are usually interfaced through a common data bus.

In the present application materials, the preferred disclosure of the implementation of the claimed technical solution has been presented, which should not be used as limiting other, particular embodiments of its implementation, which do not go beyond the scope of the claimed scope of legal protection and are obvious to specialists in the relevant field of technology.

Claims (47)

1. A method of confirming transactions using a randomly generated graphic key, containing the stages at which: - get a unique symmetric key on at least one user device and a server; - form a user request for an online transaction; - process the received request on the server, while in the course of this processing create a transaction confirmation session on at least one user device; - form an initiating message on the server; - transmitting said initiating message during said transaction confirmation session to the user's device; - in response to the received initiating message, a one-time symmetric key is generated on the user's device and on the server based on the said symmetric unique key; - generate on the user's device and the server a random graphic key in the form of a graphic image based on the generated one-time symmetric key; - recognize the user input of the generated graphic key in the transaction confirmation session; - comparison of the entered graphic key on the user's device with the key generated on the basis of the one-time key is carried out on the server; and - confirm the transaction based on the comparison of the graphic keys. 2. The method according to claim 1, wherein the pattern is generated from a character sequence of a unique key. 3. The method of claim 2, wherein the unique key is transmitted by quantum key distribution. 4. The method of claim 2, wherein the unique key is transmitted by a post-quantum key distribution algorithm. 5. The method according to claim 1, wherein the trigger message is transmitted to the user's device via SMS or Push notification. 6. The method of claim 1, wherein the graphics code is a two-dimensional, three-dimensional, or pseudo-three-dimensional image. 7. The method according to claim 1, wherein the graphic code is entered by gesture input in the transaction confirmation session. 8. The method of claim 7, wherein the graphical code is inputted by a finger trajectory across the touch screen. 9. The method according to claim 1, wherein the graphical code is entered by movement of the pointer in the web form. 10. The method according to claim 1, wherein the transaction confirmation session is a 3D Secure session. 11. The method of claim 1, wherein the graphic code is entered by capturing it and moving it to the session confirmation area. 12. The method of claim 6, wherein the three-dimensional or pseudo-three-dimensional image is rotatable in a graphical user interface. 13. A system for confirming transactions using a randomly generated graphic key containing at least one user device configured to: obtaining a unique symmetric key; generating a request for an online transaction; sending the generated request to the payment system server; server capable of: obtaining a unique key symmetric with the key received by the user's device; receiving a request to confirm an online transaction; formation of an online transaction confirmation session; moreover when processing the received request on the server, a transaction confirmation session is created on the corresponding user's device, during which: form on the server an initiating message to confirm the transaction; transmitting said initiating message during said transaction confirmation session to the user's device; in response to the receipt of the trigger message by the user's device, generating a one-time symmetric key on the user's device and the server based on said unique symmetric key; generating on the user's device and the server a random graphic key in the form of a graphic image based on the mentioned one-time symmetric key; recognize user input of the generated graphic key in the transaction confirmation session; the server compares the pattern entered on the user's device with the pattern generated on the basis of the one-time symmetric key; and confirm the transaction based on the comparison of the pattern keys. 14. The system of claim. 13, in which the graphic key is formed from the digital sequence of the one-time key through the formation of pixel coordinates. 15. The system of claim 14, wherein the unique key is transmitted via a quantum key distribution or post-quantum key distribution algorithm. 16. The system of claim 13, wherein the trigger message is transmitted to the user's device via SMS or Push notification. 17. The system of claim 13, wherein the graphic code is a two-dimensional, three-dimensional, or pseudo-three-dimensional image. 18. The system according to claim 13, in which the graphic code is entered by gesture input in the transaction confirmation session, by moving the pointer in the web form or by capturing it and moving it to the session confirmation area. 19. The system of claim 13, wherein the transaction confirmation session is a 3D Secure session. 20. The system of claim 17, wherein the three-dimensional or pseudo-three-dimensional image is rotatable in a graphical user interface.

Images