TWI394420B - Ip address secure multi-channel authentication for online transactions - Google Patents

Publication number: TWI394420B
Authority: TW (Taiwan)
Application number: TW98129595A
Other languages: Chinese (zh)
Other versions: TW201110652A
Inventor: Paul Lin
Original Assignee: F2Ware Inc
Prior art keywords: authentication, user, server, browser program, application server

Description

IP Address Secure Multi-Channel Authentication for Online Transactions

The present invention relates to an IP address secure multi-channel authentication method and, more particularly, to a method of multi-factor authentication for a user using an application server and an authentication server.

Online transactions, including financial and other confidential transactions, have long been used to allow two parties to conduct business. In a typical online transaction, a user (for example, a bank customer) uses a client browser on a computer to establish a session with an application server (for example, a banking server operated by a bank) and carry out the desired transaction (for example, transferring money from one account to another). Because online transactions are often conducted over the Internet, a global public network made up of routers, servers, trunk lines and the like, security is always a primary concern.

Online transaction security risks include the risk that an unauthorized third party may be able to obtain authentication information (for example, a user ID and password) and may subsequently be able to conduct fraudulent transactions to the user's detriment. For example, if logging in to a bank from any computer requires only a user ID and password, a third party who obtains the user's ID and password can log in from anywhere and carry out any transaction the user could, including, for example, transferring money to an account under the unauthorized third party's control.

Theft of the user ID and password can be accomplished by techniques such as a Trojan (generally an application residing on the client that captures the user ID and password as the user types them and forwards them to the fraudster). Another technique involves phishing. In an example phishing scenario, the user may receive an e-mail with a message asking the user to log in to a website that claims to belong to a merchant the user has previously done business with (for example, XYZ Bank). The e-mail contains a link for the user to activate. If the user activates the link provided in the phishing e-mail, a website is presented to the user that has almost the same look and feel as the genuine website (for example, XYZ Bank). However, the website actually belongs to the fraudster. Information the user enters into the fraudster's website, which imitates the look and feel of the genuine site, is recorded and subsequently used to defraud the user. For example, the fraudster can use the captured user ID and password to log in to the user's account and perform an unauthorized money transfer.

One method of preventing fraud such as Trojans or phishing involves second-factor authentication, in which authentication requires additional information. In addition to the user ID/password that serves as the first authentication factor, the application server (for example, a banking application) also requires additional authentication based on the device being used for access or on hardware the user possesses. For example, second-factor authentication may require a hardware token or an ATM card. Software can also be used as a second authentication factor.

The above touches on only some broad categories of online transaction risk. Other risks currently exist, but they are well known and will not be elaborated here. Furthermore, techniques are constantly being developed to prevent online fraud. Correspondingly, fraudsters continually develop techniques to defeat newly implemented security measures, including authentication schemes.

In view of the transaction risks that currently exist and/or emerge in response to security measures, improved authentication techniques are needed.

Accordingly, the present invention provides a method of multi-factor authentication for a user using an application server and an authentication server, to solve the above problems.

According to one aspect of the present invention, there is provided a computer-implemented method of multi-factor authentication for a user using an application server and an authentication server, the user interacting with the application server and the authentication server, the user communicating with at least one of the application server and the authentication server by means of a user browser program, the method comprising: authenticating the user with first-factor authentication credentials by means of the application server; providing, from the application server to the authentication server, a first source IP address of the user, wherein the first source IP address is associated information transmitted together with the first-factor authentication credentials when the user submits the authentication request to the authentication server; instructing the user to establish an independent communication channel between the user browser program and the authentication server in order to perform additional authentication; comparing the first source IP address with a second source IP address associated with communication from the user to the authentication server over the independent communication channel; and failing the authentication of the user if the first source IP address does not match the second source IP address.

According to another aspect of the present invention, there is provided a computer-implemented method of multi-factor authentication for a user using an application server and an authentication server, the user interacting with at least one of the application server and the authentication server by means of a user browser program, the method comprising: receiving from the application server a first source IP address associated with an authentication request from the user browser program to the application server; receiving from the user browser program a request to perform additional authentication between the user browser program and the authentication server over an independent communication channel, the independent communication channel being independent of the communication channel used for communication between the application server and the authentication server; comparing the first source IP address with a second source IP address associated with the request to perform the additional authentication between the authentication server and the user browser program; and failing the authentication of the user if the first source IP address does not match the second source IP address.

The invention will now be described in detail with reference to a few embodiments illustrated in the accompanying drawings. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to one skilled in the art that the invention may be practiced without some or all of these specific details. In other instances, well-known process steps and/or structures have not been described in detail so as not to obscure the invention unnecessarily.

Various embodiments are described below, including methods and techniques. It should be kept in mind that the invention may also cover articles of manufacture that include a computer-readable medium on which computer-readable instructions for carrying out embodiments of the inventive technique are stored. The computer-readable medium may include, for example, semiconductor, magnetic, magneto-optical, optical, or other forms of computer-readable medium for storing computer-readable code. Further, the invention may also cover apparatus for practicing embodiments of the invention. Such apparatus may include circuits dedicated and/or programmable to carry out tasks pertaining to embodiments of the invention. Examples of such apparatus include a general-purpose computer and/or a dedicated computing device when appropriately programmed, and may include a combination of a computer/computing device and dedicated/programmable circuits adapted for the various tasks pertaining to embodiments of the invention.

In a multi-channel authentication scheme, the user needs to access not only the application server (for example, the XYZ Bank mentioned above) but also, over an independent communication channel, an authentication server for the purpose of authenticating himself. Simply put, a multi-channel authentication scheme involves three parties: the user, the application server and the authentication server.

Generally speaking, the user first logs in to the application server (for example, XYZ Bank) and establishes his first-factor authentication credentials (for example, user ID and password). Once the first-factor credentials are satisfied, the application server contacts the authentication server to determine whether the user is a subscriber to the multi-channel authentication service. If so, the authentication server (via the application server) provides the user with HTML instructions that direct the user's client browser (for example, using AJAX techniques) to establish an independent communication channel with the authentication server. Communication over this independent channel can be secured using encryption techniques, as will be discussed later. Additional authentication is performed over the secure channel between the user's browser and the authentication server on this independent second channel.

In one embodiment, the client browser and the authentication server both know a shared secret. A portion of the shared secret is referred to herein as a "known fact", or KF, which is known to both the authentication server and the client browser. The known fact may be any data, information or fact that the authentication server and the client browser have each designated as "known". For example, the known fact may be a particular data field (for example, an account number or telephone number) designated by the merchant as the shared secret used for the additional authentication.

Authentication between the authentication server and the client browser is a two-way cryptographic authentication. If the client browser can authenticate itself to the authentication server using the shared secret (known to both the authentication server and the client browser), and if the authentication server can authenticate itself to the client browser using the shared secret, the authentication is considered successful. The known fact is communicated through an activation process (a one-time process for each device) when the user first registers with the multi-channel authentication system, during which an out-of-band communication channel (for example, e-mail or telephone) is used to enhance security. For example, an e-mail may be sent to the user providing an alphanumeric string for the known fact, thereby binding the user to his credentials.

Although multi-channel authentication can provide additional security against some forms of security risk, the form of attack known as man-in-the-middle (MITM) has posed a challenge. A man-in-the-middle attack refers to a fraudster using a device connected to the client and to the application server which, by relaying requests and responses, steals data and/or impersonates the client browser for fraudulent purposes. In other words, the man-in-the-middle device can see all of the traffic and perform most or all of the actions the client browser can perform, including, for example, modifying SSL protocol information.

Consequently, even with a multi-channel authentication scheme, confidential communications can still be compromised after the client browser has successfully completed the additional authentication with the authentication server, because the man-in-the-middle device is embedded in the communication between the client browser and the application server (for example, XYZ Bank). In one or more embodiments of the invention, an IP Address Secure Multi-Channel Authentication (IPAS-MCA) technique and apparatus are proposed. In general, the IPAS-MCA technique detects whether the source IP address used for communication between the client browser and the application server is the same as the source IP address used for communication between the client browser and the authentication server over the secure authentication channel. If the two IP addresses differ, an unauthorized man-in-the-middle device is suspected and the authentication fails.

The features and advantages of the invention may be better understood with reference to the drawings and the discussion that follows. Figure 1 illustrates a typical multi-channel authentication scheme in which a client browser 102 authenticates with both an application server 104 and an authentication server 106. First, the client browser 102 contacts the application server 104 to request authentication (130). At this stage, as is conventional, authentication generally uses a user ID and password combination. If the user is deemed valid based on the user ID/password, it is determined whether the user of the client browser 102 is a subscriber to the multi-channel authentication system. The determination may be made by the authentication server 106, for example by checking the user's identity (forwarded (132) by the application server 104 to the authentication server 106) against its subscriber database.

If it is determined that the user is a subscriber to the multi-channel authentication system, the authentication server 106 sends (134), via the application server 104, instructions (for example, in the form of HTML code) to the client browser 102 directing it to establish a secure communication channel with the authentication server 106 for the purpose of performing further authentication.

Using the instructions provided by the authentication server 106 (sent to the client browser 102 via the application server 104), the client browser 102 then establishes a secure communication channel (136A/136B) to the authentication server 106. Over the secure communication channel, the client browser 102 and the authentication server 106 can perform further authentication. The authentication is generally two-way: the client browser authenticates itself to the authentication server and vice versa.

Generally speaking, the additional authentication may require information that only the user knows and/or that is specific to a communication device registered with the multi-channel authentication system as belonging to the user and authorized to perform transactions. Thus, even if the user ID and password are stolen, the fraudster still cannot complete authentication, because the additional authentication with the authentication server requires additional information specific to the user and/or the authorized user device.

Figure 2 illustrates the presence of a man-in-the-middle device 110 that a fraudster has put in place for the purpose of defrauding the user. Typically, the fraudster attempts to trick the user, on some pretext, into connecting to the man-in-the-middle device 110. Once a connection has been made on some seemingly plausible pretext, the fraudster's man-in-the-middle device 110 then provides a connection to the application server 104 on behalf of the user's browser 102, so that the man-in-the-middle device 110 sits in the middle of the communication between the client browser device 102 and the application server 104. Thus, after the client browser connects to the man-in-the-middle device, the man-in-the-middle device in turn connects to the application server, as two separate connections. Each connection carries the source IP address of the party that requested it.

Because the man-in-the-middle device relays messages between the client browser and the authentication server, the first-factor authentication of the browser 102 (using the user's ID and password) will succeed. Furthermore, the second-factor authentication between the browser 102 and the authentication server 106 over the independent secure channel will also succeed. Any subsequent communication between the client browser 102 and the application server 104 is then compromised, and because the man-in-the-middle device 110 can perform almost any action on behalf of the client browser 102, including, for example, modifying SSL protocol information, the risk of fraud remains.

Figure 3 is a schematic diagram of IP Address Secure Multi-Channel Authentication (IPAS-MCA) according to one embodiment of the invention. The example of Figure 3 describes the steps of the IPAS-MCA technique, although no fraudulent man-in-the-middle device is present in this example. The case in which a man-in-the-middle device is present is discussed in connection with Figure 4.

Referring back to Figure 3, the client browser 302 first contacts (330) the application server 304 to request authentication. At this stage, authentication again generally uses a conventional user ID and password combination. In addition, the application server 304 also notes the source IP address of the received packets and records it. In the example of Figure 3, because there is no man-in-the-middle device, the source IP address will be the IP address of the client browser 302.

If the user is deemed valid based on the first-factor authentication, it is determined whether the user of the client browser 302 is a subscriber to the multi-channel authentication system. The determination may be made by the authentication server 306, for example by checking the user's identity (forwarded (332) by the application server 304 to the authentication server 306) against its subscriber database. In addition, the source IP address information recorded by the application server 304 is passed (332) to the authentication server 306.

If it is determined that the user is a subscriber to the multi-channel authentication system, the authentication server 306 sends (334), via the application server 304, instructions (for example, in the form of HTML code) to the client browser 302 directing it to establish a secure communication channel with the authentication server 306 for the purpose of performing further authentication.

Using the instructions provided by the authentication server 306 (sent to the client browser 302 via the application server 304), the client browser 302 then establishes (336A/336B) a communication channel to the authentication server 306 (using, for example, AJAX or a similar technique). Over this additional communication channel, the client browser 302 and the authentication server 306 can perform further authentication.

Generally speaking, the additional authentication may require information that only the user knows and/or that is specific to a communication device registered with the multi-channel authentication system as belonging to the user and authorized to perform transactions. As mentioned, even if the user ID and password are compromised, the fraudster still cannot complete authentication, because the additional authentication with the authentication server requires additional information specific to the user and/or the authorized user device.

In addition, the authentication server 306 checks the source IP address of the data packets received from the client browser 302 to determine whether the IP address in the data packets received from the client browser 302 during the secure communication session between the client browser 302 and the authentication server 306 matches the IP address forwarded by the application server 304 (which reflects the source IP address in the data packets received by the application server 304 during the first-factor authentication between the client browser 302 and the application server 304). If the two IP addresses match, as is the case in the example of Figure 3 because there is no man-in-the-middle device, the authentication is considered successful.

Figure 4 is a schematic diagram of IP Address Secure Multi-Channel Authentication (IPAS-MCA) according to one embodiment of the invention. In the example of Figure 4, a man-in-the-middle device 420 has been fraudulently inserted into the communication flow between the client browser 402 and the application server 404. Generally speaking, the man-in-the-middle device 420 may first use a technique such as phishing to establish communication with the client browser 402, deceiving the user of the client browser 402 into believing that he is communicating with the application server 404. Once communication between the client browser 402 and the man-in-the-middle device 420 has been established, the man-in-the-middle device 420 contacts the application server 404 and opens a communication channel.

Subsequent communication between the client browser 402 and the application server 404 is relayed by the man-in-the-middle device 420.

The application server 404 requests authentication of the client browser 402, and the request is relayed by the man-in-the-middle device 420 to the client browser 402. As mentioned, at this stage, as is conventional, authentication again generally uses a user ID and password combination. After the man-in-the-middle device 420 relays the request, the client browser 402 responds with the user ID/password combination. The man-in-the-middle device 420 relays the user ID/password to the application server 404.

The application server 404 also notes the source IP address of the received packets. Because the data packets arrive from the man-in-the-middle device 420, the source IP address associated with the man-in-the-middle device 420 is recorded.

If the user is deemed valid based on the user ID/password combination, it is determined whether the user of the client browser 402 is a subscriber to the multi-channel authentication system. The determination may be made by the authentication server 406, for example by checking the user's identity (forwarded (432) by the application server 404 to the authentication server 406) against its subscriber database. In addition, the source IP address information recorded by the application server 404 (which in this example reflects the IP address of the man-in-the-middle device 420 from communication 430B) is passed (see reference arrow 432) to the authentication server 406.

If it is determined that the user is a subscriber to the multi-channel authentication system, the authentication server 406 sends (434A), via the application server 404, instructions (for example, in the form of HTML code) to the client browser 402 directing it to establish a secure communication channel with the authentication server 406 for the purpose of performing further authentication. These instructions are relayed (434B) by the man-in-the-middle device 420 to the client browser 402.

Using the instructions provided by the authentication server 406 (sent to the client browser 402 via the application server 404), the client browser 402 then establishes a communication channel (436A/436B) to the authentication server 406. Over this communication channel, the client browser 402 and the authentication server 406 can perform further authentication. Note that the instructions from the authentication server 406 may include a challenge/response that the man-in-the-middle device 420 cannot answer, because the man-in-the-middle device 420 does not possess the shared secret. In that case, the man-in-the-middle device 420 passes the instructions from the authentication server 406 on to the client browser 402 so that the client browser 402 can answer the challenge/response. The client browser 402 then establishes the communication channel with the authentication server 406 as instructed.

In addition, authentication server 406 examines the source IP address of the data packets received from client browser 402 (in the communication designated by reference numeral 436A) to determine whether, in the secure communication session between client browser 402 and authentication server 406, the IP address in the data packets received from client browser 402 matches the IP address forwarded by application server 404 (which reflects the source IP address in the data packets received (430B) by application server 404 during the first-factor authentication between client browser 402 and application server 404).

Because the IP address recorded by application server 404 and passed to authentication server 406 reflects the IP address of man-in-the-middle device 420, it does not match the IP address of the client browser, which authentication server 406 obtains from the communication between client browser 402 and authentication server 406. In this case, the authentication fails.

As can be appreciated from the above, embodiments of the present invention extend the security provided by multi-channel authentication techniques by further implementing protection against man-in-the-middle attacks. If the user ID/password combination is stolen, the multi-channel authentication scheme can block the fraudster's subsequent authentication, because the fraudster cannot possess the information required for the second authentication over the independent secure channel (whether that information is provided explicitly by the user or provided automatically by the authorized communication device through which the user performs online transaction authentication). More importantly, if a man-in-the-middle device is fraudulently inserted into the communication path between the client browser and the application server, the IPAS-MCA technique can detect the presence of such a fraudulent man-in-the-middle device by comparing the IP addresses, and block the authentication and the subsequent fraudulent transaction.
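As an added illustration that is not code from the patent, the following Python model shows the authentication server's decision on the independent channel: the subscriber lookup, a shared-secret challenge/response, and the IPAS-MCA comparison of the source IP forwarded by the application server (432) against the source IP seen on the direct channel (436A). The HMAC construction, the subscriber table and the sample IP addresses are assumptions for illustration.

```python
"""Added example (not the patent's own code): a minimal model of the
IPAS-MCA check performed by the authentication server (406). Names, the
HMAC challenge/response and the sample IP addresses are assumptions."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical subscriber database: user id -> shared secret enrolled
# out of band (the patent's "known fact"); constructed sample data.
SUBSCRIBERS = {"alice": b"enrolled-out-of-band-secret"}

@dataclass
class FirstFactorRecord:
    """What the application server (404) forwards to the auth server (432):
    the user id that passed user id/password, and the source IP it saw."""
    user_id: str
    source_ip: str

def issue_challenge() -> bytes:
    """Auth server creates a fresh nonce for the independent channel (436)."""
    return secrets.token_bytes(16)

def client_response(secret: bytes, challenge: bytes) -> bytes:
    """Client browser (402) answers with the shared secret the MITM lacks."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def second_factor_check(record: FirstFactorRecord, channel_source_ip: str,
                        challenge: bytes, response: bytes) -> str:
    """Auth server decision on the independent channel.
    Returns 'ok', 'not-subscriber', 'bad-response' or 'ip-mismatch'."""
    secret = SUBSCRIBERS.get(record.user_id)
    if secret is None:
        return "not-subscriber"      # scheme requires no second channel here
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return "bad-response"        # shared-secret challenge failed
    # The IPAS-MCA step: the IP the application server recorded during
    # first-factor login must equal the source IP seen on this channel.
    if record.source_ip != channel_source_ip:
        return "ip-mismatch"
    return "ok"

def simulate(user_ip: str, login_path_ip: str) -> str:
    """login_path_ip: what the app server saw (user's IP, or the MITM's)."""
    record = FirstFactorRecord("alice", login_path_ip)   # forwarded via 432
    challenge = issue_challenge()
    response = client_response(SUBSCRIBERS["alice"], challenge)
    # The second channel (436A) runs directly from browser to auth server.
    return second_factor_check(record, user_ip, challenge, response)

if __name__ == "__main__":
    print(simulate("198.51.100.7", "198.51.100.7"))   # direct login: ok
    print(simulate("198.51.100.7", "203.0.113.9"))    # relayed login: ip-mismatch
```

The second call models Figure 4: the relayed challenge is answered correctly by the real browser, yet the login-path address differs from the direct-channel address, so the server rejects the session.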

Further information, incorporated herein by reference, is provided by the claims herein.

Although the invention has been described in terms of several preferred embodiments, there are modifications, permutations and equivalents that fall within the scope of the invention. It should also be noted that there are many alternative ways of implementing the methods and apparatus of the invention. Although a number of examples are provided here, it is intended that these examples be illustrative of the invention and not limiting.

102‧‧‧Client browser

104‧‧‧Application server

106‧‧‧Authentication server

302‧‧‧Client browser

304‧‧‧Application server

306‧‧‧Authentication server

332‧‧‧IP address from communication 330

402‧‧‧Client browser

404‧‧‧Application server

406‧‧‧Authentication server

432‧‧‧IP address from communication 430B

Figure 1 illustrates a typical multi-channel authentication scheme in which a client browser authenticates using both an application server and an authentication server.

Figure 2 illustrates the presence of a man-in-the-middle device that a fraudster has deployed for the purpose of committing fraud against the user.

Figure 3 is a schematic diagram of an IP address secure multi-channel authentication (IPAS-MCA) scenario according to one embodiment of the invention.

Figure 4 is a schematic diagram of an IPAS-MCA scenario in which a man-in-the-middle attack is defeated, according to one embodiment of the invention.


Claims (20)

1. A computer-implemented method for multi-factor authentication of a user using an application server and an authentication server, the user interacting with the application server and the authentication server, the user communicating with at least one of the application server and the authentication server by means of a user browser program, the method comprising: authenticating the user with the application server using first-factor authentication credentials; providing, from the application server to the authentication server, a first source IP address associated with the request for said authentication using the first-factor authentication credentials; instructing the user to establish an independent communication channel between the user browser program and the authentication server to perform additional authentication; comparing the first source IP address with a second source IP address associated with communication from the user to the authentication server over the independent communication channel; and failing the authentication of the user if the first source IP address does not match the second source IP address.

2. The method of claim 1, wherein the first-factor authentication credentials comprise at least a user identifier and a password.

3. The method of claim 1, further comprising determining whether the user is a subscriber of a multi-factor authentication service before instructing the user to establish the independent communication channel between the user browser program and the authentication server to perform additional authentication.

4. The method of claim 1, wherein the additional authentication comprises authenticating using a shared secret between the authentication server and the user browser program.

5. The method of claim 4, wherein the shared secret comprises a known fact.

6. The method of claim 5, wherein the known fact is provided by the user during registration over an out-of-band communication channel.

7. The method of claim 6, wherein the out-of-band communication channel comprises a voice call.

8. The method of claim 1, wherein the additional authentication is performed in encrypted form.

9. The method of claim 1, wherein the additional authentication is mutual authentication between the authentication server and the user browser program.

10. The method of claim 1, wherein said instructing the user to establish the independent communication channel between the user browser program and the authentication server to perform additional authentication involves AJAX technology.

11. The method of claim 1, wherein said instructing the user to establish the independent communication channel between the user browser program and the authentication server uses HTML.

12. A computer-implemented method for multi-factor authentication of a user using an application server and an authentication server, the user interacting with at least one of the application server and the authentication server by means of a user browser program, the method comprising: receiving, from the application server, a first source IP address associated with an authentication request from the user browser program to the application server; receiving, from the user browser program, a request to perform additional authentication between the user browser program and the authentication server over an independent communication channel, the independent communication channel being independent of the communication channel used for communication between the application server and the authentication server; comparing the first source IP address with a second source IP address associated with the request to perform the additional authentication between the authentication server and the user browser program; and failing the authentication of the user if the first source IP address does not match the second source IP address.

13. The method of claim 12, wherein the authentication between the user browser program and the application server comprises authentication using first-factor credentials.

14. The method of claim 12, wherein the first-factor authentication credentials comprise at least a user identifier and a password.

15. The method of claim 12, further comprising determining whether the user is a subscriber of a multi-factor authentication service before instructing the user to establish the independent communication channel between the user browser program and the authentication server to perform the additional authentication.

16. The method of claim 12, wherein the additional authentication comprises authenticating using a shared secret between the authentication server and the user browser program.

17. The method of claim 16, wherein the shared secret comprises a known fact.

18. The method of claim 17, wherein the known fact is provided by the user during registration over an out-of-band communication channel.

19. The method of claim 12, wherein the additional authentication is mutual authentication between the authentication server and the user browser program.

20. The method of claim 12, wherein the additional authentication is performed in encrypted form.
TW98129595A 2009-09-02 2009-09-02 Ip address secure multi-channel authentication for online transactions TWI394420B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW98129595A TWI394420B (en) 2009-09-02 2009-09-02 Ip address secure multi-channel authentication for online transactions

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW98129595A TWI394420B (en) 2009-09-02 2009-09-02 Ip address secure multi-channel authentication for online transactions

Publications (2)

Publication Number Publication Date
TW201110652A TW201110652A (en) 2011-03-16
TWI394420B true TWI394420B (en) 2013-04-21

Family

ID=44836339

Family Applications (1)

Application Number Title Priority Date Filing Date
TW98129595A TWI394420B (en) 2009-09-02 2009-09-02 Ip address secure multi-channel authentication for online transactions

Country Status (1)

Country Link
TW (1) TWI394420B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060041755A1 (en) * 2000-09-05 2006-02-23 Netlabs.Com,Inc. Multichannel device utilizing a centralized out-of-band authentication system (COBAS)
US20060200855A1 (en) * 2005-03-07 2006-09-07 Willis Taun E Electronic verification systems
TW200929988A (en) * 2007-12-25 2009-07-01 Tatung Co Method for verifying server end apparatus

Also Published As

Publication number Publication date
TW201110652A (en) 2011-03-16

Similar Documents

Publication Publication Date Title
US8156335B2 (en) IP address secure multi-channel authentication for online transactions
TWI436627B (en) Method and apparatus for authenticatiing online transactions using a browser
JP4861417B2 (en) Extended one-time password method and apparatus
JP5619007B2 (en) Apparatus, system and computer program for authorizing server operation
US9294288B2 (en) Facilitating secure online transactions
US8751801B2 (en) System and method for authenticating users using two or more factors
US20050021975A1 (en) Proxy based adaptive two factor authentication having automated enrollment
CN105357186B (en) A kind of secondary authentication method based on out-of-band authentication and enhancing OTP mechanism
US20080022085A1 (en) Server-client computer network system for carrying out cryptographic operations, and method of carrying out cryptographic operations in such a computer network system
JP4698751B2 (en) Access control system, authentication server system, and access control program
US20110022841A1 (en) Authentication systems and methods using a packet telephony device
TW201305935A (en) One time password generation and application method and system using the same
US20110022844A1 (en) Authentication systems and methods using a packet telephony device
TWI394420B (en) Ip address secure multi-channel authentication for online transactions
US20040010723A1 (en) Network security method
WO2010070456A2 (en) Method and apparatus for authenticating online transactions using a browser
TWI778319B (en) Method for cross-platform authorizing access to resources and authorization system thereof
Müller Authentication and Transaction Security in E-business
KR101584219B1 (en) Authentication method, digital system, and authentication system thereof
Choukse et al. An intelligent anti-phishing solution: password-transaction secure window
CN117396866A (en) Authorized transaction escrow service
CN110704834A (en) Digital certificate authentication method using cryptography
CN103188216A (en) Method, service terminal and system using identification for network interaction service
TW201012165A (en) Login authorization system and method
Williams Online Business Security Technologies

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees