WO1999044332A1 - Method and device for securing access to a service in a telecommunication network


Info

Publication number: WO1999044332A1
Authority: WO, WIPO (PCT)
Prior art keywords: sequence, network, digits, service, authentication
Application number: PCT/DE1998/002949
Other languages: German (de), English (en)
Inventors: Michael Gundlach, Bernhard Nauer
Original Assignee: Siemens Aktiengesellschaft
Application filed by Siemens Aktiengesellschaft
Priority to JP2000533979A (JP2002505552A), BR9815697-7A (BR9815697A), EP98959711A (EP1058982A1)
Publication of WO1999044332A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M 15/00 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L 2209/80 Wireless

Definitions

  • The invention relates to a method for accessing a service in a telecommunications network, for example a private network, an intelligent network or a mobile radio network, from any communication terminal, in which the user has to authenticate by entering a sequence of digits in order to obtain the desired service.
  • It also relates to a device in a telecommunications network that enables secure authentication of a user when a service is called.
  • An intelligent network IN is an architecture which makes it possible in a communication network to offer services for participants in this network. These value-added services, as they are also called, offer network operators the opportunity to differentiate themselves from their competitors and to tap additional sources of income.
  • the network operator needs at least one central node (service control point) in its network, which has stored the information necessary for the implementation of the services (storage of the service programs, forwarding to the responsible network node, etc. ).
  • This central node is also called the executing authority.
  • Participants in a communication network can take advantage of interesting new services.
  • One of the more well-known services is so-called credit card calling.
  • The caller is billed for the charges of calls made using his credit card. So that no abuse is possible if, for example, the card is lost, a private personal identification number (PIN) must be entered in addition to the credit card number in order to gain access to the service in question.
  • PIN personal identification number
  • Access protection is also available or conceivable with other services, for example with subscribers in a mobile network, a private network or a private virtual network.
  • the authenticating numeric code is entered via the keyboard of the terminal and transmitted transparently (i.e. in plain text) via the lines and switching nodes of the communication network.
  • the object of the invention is to provide a way of making access to services in a telecommunications network more secure.
  • Another parameter is also encoded, which changes each time the sequence of digits is entered again.
  • Each renewed encryption process therefore yields a new result.
  • the transmission takes place in the same way as in the previous authentication procedure.
  • the transmitted sequence of digits is then evaluated in the central instance by also calculating a result from the known one-way function, the expected PIN and the parameters supplied and comparing it with the received value.
  • This authentication method is comparatively simple. Suitable encryption methods are known to a person skilled in the art in sufficient number. The method only has to be implemented on the user side and at the central instance, so the implementation effort is low. An existing database can easily be extended with a field for storing the access codes already received.
  • the advantage of the described method lies clearly in the protection of participants.
  • the user has no greater effort than in previous methods, because an access code had to be entered previously.
  • it is effectively prevented that an unauthorized subscriber can make calls at third party costs.
  • This abuse has so far been possible, since when the credit card number is entered it is not a prerequisite that the user actually holds this credit card. Access could therefore be obtained easily by simply observing the number entered, including the PIN.
  • By adding one or more changeable parameters, such as an indication of the time of the request, the access code is made eavesdropping-proof. An attempt at eavesdropping on the network (on the connecting line, for example) becomes useless because a repeatedly used access code is rejected from the outset.
  • a device is used to encrypt the entered PIN. This device requires an input device (keyboard), similar to that of the communication terminal.
  • the entered sequence of digits is converted in the device by the mathematical one-way function, together with a changeable parameter.
  • The result of the calculation is then converted, together with the second parameter, into multi-frequency dialing tones and transmitted to the terminal. From there it is transmitted to the central instance.
  • Authentication is carried out in the central instance with the received access code.
  • a major advantage of this procedure is the ability to enter the number long before the actual use. At least 'spying' can be effectively prevented by observing the entry of the number.
  • the procedure according to the invention is particularly suitable for certain types of telecommunications networks.
  • the architecture of the intelligent network should be mentioned.
  • the infrastructure required for the process already exists.
  • Another suitable network is the VPN, the virtual private network, which is also implemented using IN technology.
  • the method is also conceivable in communication networks for mobile radio, here too the user of a device has to authenticate himself.
  • Another option is a time specification, for example a division into a time grid of any type.
  • the central entity can on the one hand check whether the received access code is a current value.
  • the additional transmission of the changeable parameter may not be necessary if the transmitter and receiver are otherwise synchronized in time.
  • Another possibility is the generation of a mathematical series with an initial number n1, where the subsequent number n2 can be derived from its predecessor n1 in various ways, e.g. by adding a fixed value.
  • The first, simpler method makes do with a single encryption pass.
  • the one-way function f is applied to one or more changeable parameters and the PIN, possibly extended by a string known to the DTMF transmitter and the telecommunications service.
  • the result from f (Parameter1, [Parameter2, ...], PIN) is converted into a string of digits and this is then transmitted by the DTMF transmitter.
  • Two-stage encryption is more complex to implement and also requires more computing power for the sender and receiver, but it also offers significantly higher protection.
  • a first encryption step takes place as in the one-step procedure mentioned above.
  • In a second pass with a second mathematical algorithm f (which can be identical to the first function f), the result is calculated as follows: f(parameter x1 [, parameter x2, ...], f(parameter y1 [, parameter y2, ...], PIN), PIN).
  • a generalized encryption procedure prescribes the multiple use of one or different algorithms, each with the input parameters PIN and additional changeable parameters.
  • If the result of the encryption is not a numerical sequence of digits, or if it is transmitted without DTMF tones (as with ISDN), the result must still be translated into a sequence of digits before transmission.
  • The authentication procedure checks the transmitted code. This determines whether the subscriber is authorized to access a service. In addition, it can be determined whether the access code authorizing access to the service is being misused.
  • the authentication can be carried out as follows:
  • the central instance checks whether the access code sent has already been received once in a predetermined time interval.
  • the central entity calculates the expected access code using the same one-way function and the second parameter contained in the received access code and compares the result with the received one. If the calculated and the received access code match, the authentication is successful. The subscriber is granted access to the desired service.
  • It may be advantageous to integrate the encryption device into the communication terminal. The subscriber then has no second device that could be lost, and transmission errors between the encryption device and the terminal are also avoided.
  • a generator for DTMF tones already present in the terminal can be used and modified if necessary.
  • FIG. 1 shows the generation, transmission and authentication of a one-time access code in an intelligent network
  • FIG. 2 shows the generation of the one-time access code according to ITU X.509, one-step method
  • Figure 3 shows the generation of the one-time access code according to ITU X.509, two-step process.
  • FIG. 1 shows the path of an access key (PIN) from the subscriber to a central instance (SCP) in an intelligent network.
  • PIN access key
  • SCP central instance
  • After entry into an encryption device (DTMF), the PIN is transmitted to the terminal (KE) by means of multi-frequency dialing tones and from there through the communication network to the central entity (SCP).
  • SSP switching centers
  • The central entity (SCP) checks the access code on the basis of already known data, e.g. from a database (DB), and the data supplied in the received string of digits. After calculating the expected access code and comparing it with the received one, feedback is given as to whether the transmitted access code is correct and hence whether the subscriber's access is permitted or not.
  • FIG. 2 and FIG. 3 schematically show the generation of an access code which is to be transmitted to the central entity via the network.
  • This requires a symmetrical key (PIN), which is known to the subscriber and to the central entity that carries out authentication.
  • PIN symmetrical key
  • the PIN itself is not transmitted unencrypted.
  • two variable parameters are encrypted here, a time specification (time, time ') and a random number.
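The one-step and two-step code generation and the central-instance check described above, as an added example that is not part of the patent. It assumes SHA-256 as the one-way function f, a 30-second time grid, a 4-digit random number and a 6-digit result, all of which the text leaves open; the subscriber database is a constructed sample.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (the patent fixes none of these): 30 s time grid, a
# 4-digit random number, a 6-digit result, 10-digit zero-padded slot number.
SLOT_SECONDS, SLOT_WIDTH, RAND_DIGITS, CODE_DIGITS = 30, 10, 4, 6


def one_way(*parts: str) -> str:
    """One-way function f over its parameters; SHA-256 stands in for the
    unspecified f. The digest is reduced to CODE_DIGITS decimal digits so the
    result can be keyed as DTMF tones (digits only)."""
    digest = hashlib.sha256("|".join(parts).encode()).digest()
    return str(int.from_bytes(digest, "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)


def time_slot(now: int) -> str:
    """Changeable parameter 1: the current position in the time grid."""
    return str(now // SLOT_SECONDS).zfill(SLOT_WIDTH)


def make_access_code(pin: str, now: int, rand: str = "", two_step: bool = False) -> str:
    """Encryption-device side. Returns the digit string <slot><rand><result>.
    one-step: result = f(slot, rand, PIN)
    two-step: result = f(slot, f(rand, PIN), PIN)"""
    rand = rand or str(secrets.randbelow(10**RAND_DIGITS)).zfill(RAND_DIGITS)
    slot = time_slot(now)
    inner = one_way(rand, pin) if two_step else rand
    return slot + rand + one_way(slot, inner, pin)


class CentralInstance:
    """SCP side: PIN database plus the access codes already received."""

    def __init__(self, db: dict, window_slots: int = 1, two_step: bool = False):
        self.db = db                    # subscriber -> PIN (constructed sample)
        self.window = window_slots      # tolerated clock skew, in slots
        self.two_step = two_step
        self.seen = {}                  # access code -> slot it arrived in

    def _forget_old(self, now: int) -> None:
        # codes outside the freshness window can never be accepted again
        cutoff = int(time_slot(now)) - self.window
        self.seen = {c: s for c, s in self.seen.items() if s >= cutoff}

    def authenticate(self, subscriber: str, code: str, now: int) -> tuple:
        if len(code) != SLOT_WIDTH + RAND_DIGITS + CODE_DIGITS or not code.isdigit():
            return False, "malformed"
        slot = code[:SLOT_WIDTH]
        rand = code[SLOT_WIDTH:SLOT_WIDTH + RAND_DIGITS]
        received = code[-CODE_DIGITS:]
        # 1. the supplied time parameter must be a current value
        if abs(int(slot) - int(time_slot(now))) > self.window:
            return False, "stale"
        # 2. a code already received within the interval is rejected outright
        self._forget_old(now)
        if code in self.seen:
            return False, "replay"
        # 3. recompute with the expected PIN and the supplied parameters
        pin = self.db.get(subscriber)
        if pin is None:
            return False, "unknown subscriber"
        inner = one_way(rand, pin) if self.two_step else rand
        expected = one_way(slot, inner, pin)
        if not hmac.compare_digest(expected, received):
            return False, "mismatch"
        self.seen[code] = int(slot)
        return True, "ok"
```

An observer who copies the 20 digits keyed at the terminal gains a code that is rejected as a replay within the window and as stale after it, which is the protection the description claims.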

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention relates to a method for accessing, from any telecommunication terminal, a service in a telecommunication network, whether an intelligent network, a private network or a mobile radio network. According to this method, the user must authenticate by entering a sequence of digits in order to access the desired service. The invention further relates to a device, forming part of a telecommunication network, that makes it possible to carry out secure authentication of a user in the case of a service call.
PCT/DE1998/002949 1998-02-27 1998-10-02 Procede et dispositif pour la securisation de l'acces a un service dans un reseau de telecommunication WO1999044332A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2000533979A JP2002505552A (ja) 1998-02-27 1998-10-02 通信ネットワークにおけるサービスへのアクセスを保証するための方法及び装置
BR9815697-7A BR9815697A (pt) 1998-02-27 1998-10-02 Processo e dispositivo para a segurança do acesso a um serviço em uma rede de telecomunicações
EP98959711A EP1058982A1 (fr) 1998-02-27 1998-10-02 Procede et dispositif pour la securisation de l'acces a un service dans un reseau de telecommunication

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE19808523.0 1998-02-27
DE19808523 1998-02-27

Publications (1)

Publication Number Publication Date
WO1999044332A1 true WO1999044332A1 (fr) 1999-09-02

Family

ID=7859237

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DE1998/002949 WO1999044332A1 (fr) 1998-02-27 1998-10-02 Procede et dispositif pour la securisation de l'acces a un service dans un reseau de telecommunication

Country Status (4)

Country Link
EP (1) EP1058982A1 (fr)
JP (1) JP2002505552A (fr)
BR (1) BR9815697A (fr)
WO (1) WO1999044332A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4814718B2 (ja) * 2006-07-28 2011-11-16 株式会社リコー 認証制御方法及び認証制御プログラム
EP2058498B1 (fr) 2007-11-09 2013-07-10 Continental Automotive GmbH Procédé pour la détermination de la température du carburant dans un système d'injection dans un rail commun

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2701181A1 (fr) * 1993-02-01 1994-08-05 Goreta Lucas Jeu par téléphone utilisant un objet intégrant un système de synthèse de fréquence vocale (DTMF) et de code crypté comme clef d'entrée et d'identification.
US5363449A (en) * 1993-03-11 1994-11-08 Tandem Computers Incorporated Personal identification encryptor and method
DE4325459A1 (de) * 1993-07-29 1995-02-09 C2S Gmbh Cryptografische Siche Tongeber mit Identifikations- und Authentisierungs-Einrichtung
FR2753860A1 (fr) * 1996-09-25 1998-03-27 Fintel Sa Procede et systeme pour securiser les prestations de services a distance des organismes financiers

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"AUTHENTICATION WITH STORED KP AND DYNAMIC PAC. OCTOBER 1982", IBM TECHNICAL DISCLOSURE BULLETIN, vol. 25, no. 5, October 1982 (1982-10-01), pages 2358 - 2360, XP002031269 *
HOLLOWAY C J ET AL: "EMPLOYING ONE-WAY FUNCTION METHODS FOR PIN VERIFICATION AND COMPOSITE KEY GENERATION IN ELECTRONIC FUNDS TRANSFER SYSTEMS", INTERNATIONAL DATA SECURITY CONFERENCE, 18 February 1985 (1985-02-18), pages 1 - 17, XP002031268 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2805422A1 (fr) * 2000-02-18 2001-08-24 Florence Louise Marcelle Morin Dispositif autonome et independant pour fournir un code de transaction ephemere en vue d'achats par carte a puce, configurable pour une seule carte a puce
FR2806229A1 (fr) * 2000-03-13 2001-09-14 Mathieu Schnee Procede d'interaction ou de transaction entre un utilisateur et un fournisseur de produits ou de services et systeme pour la mise en oeuvre de ce procede
JP4841790B2 (ja) * 2000-03-22 2011-12-21 フランス・テレコム 不正行為に対する保護のための暗号通信方法
CN102930434A (zh) * 2001-07-11 2013-02-13 格马尔托股份有限公司 访问虚拟运营商提供的方法及相应的芯片卡
CN102930434B (zh) * 2001-07-11 2016-08-10 格马尔托股份有限公司 访问虚拟运营商提供的方法及相应的芯片卡

Also Published As

Publication number Publication date
EP1058982A1 (fr) 2000-12-13
JP2002505552A (ja) 2002-02-19
BR9815697A (pt) 2000-11-14

Similar Documents

Publication Publication Date Title
DE69215818T2 (de) Verfahren zur sicheren Zugangskontrolle
DE69926977T2 (de) Anruferidentifizierungsauthentisierung und Leitweglenkung als Antwort hierauf
DE69736384T2 (de) Verwaltung von authentifizierungsschlüsseln in einem mobilen kommunikationssystem
DE69534012T2 (de) Authentifizierungsverfahren für mobile Kommunikation
DE19722424C1 (de) Verfahren zum Sichern eines Zugreifens auf ein fernab gelegenes System
DE69933012T2 (de) Verfahren zur dynamischen aktualisierung von einheitskryptoschlüsseln in einem zellularen telefonsystem
DE69828686T2 (de) System zur verwaltung von dienstdaten in fernmeldesystemen
DE69730240T2 (de) Authentifizierungsverfahren für zugangskontrollsystem und/oder für zahlungssystem
DE69931344T2 (de) Nachrichtenverarbeitungsverfahren und system in einem telekommunikationssystem
EP0802690A1 (fr) Dispositif de commande pour un réseau intelligent
DE69839090T2 (de) Verfahren um einen service in einem daten-kommunikations-system in anspruch zu nehmen und daten-kommunikations-system
DE3410937A1 (de) Verfahren zum erkennen der unerlaubten benutzung einer indentifizierung
WO1999044332A1 (fr) Procede et dispositif pour la securisation de l'acces a un service dans un reseau de telecommunication
EP0896770A2 (fr) Procede d'ecoute d'une ligne de telecommunications
EP1112666B1 (fr) Procede de renforcement de la securite de procedures d'authentification dans des systemes radiomobiles numeriques
DE19821584A1 (de) Verfahren zur Übernahme von Anrufsgebühren in einzelnen Verbindungen sowie Telefonnetz und Endgerät
DE69830526T2 (de) Verbesserte Sicherheit in zellulären Telefonen
EP1161850A1 (fr) Procede de distribution de cles a des abonnes de reseaux de communication
EP1014733B1 (fr) Procédé d'écoutes légales d'un abonné dans un réseau intelligent
DE69729037T2 (de) Billiges, automatisches und transparentes Zugriffverfahren und Protokoll für Telekommunikationsdienste-Anbieter über ISDN
DE69634425T2 (de) Kommunikationsadressierungsnetzwerk und endgerät dafür
EP1314296B1 (fr) Procede pour la securite d'un complement de service internet
DE10033289A1 (de) Netzwerkmanagement-Server
DE19720274A1 (de) Kommunikationssystem, Verfahren und Verarbeitungseinrichtung zum Vermitteln von Anrufen über ein zwischen zwei lokalen Netzen angeordnetes Übertragungsnetz
DE69829118T2 (de) Validierung von anrufenden teilnehmern

Legal Events

Date Code Title Description
AK Designated states: kind code of ref document A1; designated state(s) BR JP US
AL Designated countries for regional patents: kind code of ref document A1; designated state(s) AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (PCT application filed before 20040101)
121 Ep: the EPO has been informed by WIPO that EP was designated in this application
WWE WIPO information: entry into national phase; ref document number 1998959711; country of ref document EP
WWE WIPO information: entry into national phase; ref document number 09623037; country of ref document US
WWP WIPO information: published in national office; ref document number 1998959711; country of ref document EP
WWW WIPO information: withdrawn in national office; ref document number 1998959711; country of ref document EP