WO2006024991A1 - A method and system of authenticating access to a domain using a user identify card - Google Patents

A method and system of authenticating access to a domain using a user identify card Download PDF

Info

Publication number
WO2006024991A1
WO2006024991A1 PCT/IB2005/052773 IB2005052773W WO2006024991A1 WO 2006024991 A1 WO2006024991 A1 WO 2006024991A1 IB 2005052773 W IB2005052773 W IB 2005052773W WO 2006024991 A1 WO2006024991 A1 WO 2006024991A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication data
domain
identity card
card
user
Prior art date
Application number
PCT/IB2005/052773
Other languages
French (fr)
Inventor
Sjoerd Zwart
Original Assignee
Koninklijke Philips Electronics N.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics N.V. filed Critical Koninklijke Philips Electronics N.V.
Publication of WO2006024991A1 publication Critical patent/WO2006024991A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00Individual registration on entry or exit
    • G07C9/20Individual registration on entry or exit involving the use of a pass
    • G07C9/22Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/12Card verification

Definitions

  • the present invention relates to a method and system of authenticating access to a domain using a user identity card, wherein said user identity card comprises an authentication data pair stored on the identity card.
  • the authentication data pair consists of first and second authentication data, wherein the first authentication data uniquely identify a user or a group of users and the second authentication data uniquely identify the identity card. In order to access the domain the authentication data pair must match with authorized authentication data pairs within the domain.
  • Identity cards such as smart cards have become more and more common over the past years. What characterizes these cards is that they are provided with an embedded computer chip that can be either a microprocessor with internal memory or a memory chip alone. Therefore, one can say that smart card is an active device or a small computer which enables giving only the information that is required for the specific service at the time the smart card is presented. Also, with smart card-based systems there is no technical requirement to have a central database system that observes all requests for services. An example of applications where smart cards are used is within the financial sector, telecommunications, transit, healthcare and secure identification. There are numerous government identification systems (ID) implemented worldwide which use smart card combined with a biometric technology such as photo and fingerprint. Obviously, it is essential that high security level of such cards is maintained.
  • ID government identification systems
  • This identification number may e.g. define the domain, which could comprise license or certificate to access devices or content data within the domain.
  • the problem with prior art identity cards is that only one identification number is used to authenticate the identity card. Therefore, if the identity card is e.g. lost, the manufacturer of the card must, in order to prevent an illegal user of the card to access the domain by using this card, revoke the card and thereby the license to access devices or content data within the domain. Also, the situation may occur that the owner of the card notifies that he/she has lost the card. The manufacturer of the card could then make an identical copy of the user-identity card, i.e. create a clone of the card. The problem may then occur that the user can misuse this situation by e.g. giving someone outside his family a copy of the card.
  • the present invention relates to a method of authenticating access to a domain using a user identity card, wherein said user identity card comprises an authentication data pair stored on said identity card, said authentication data pair consisting of first and second authentication data, said first authentication data uniquely identifying a user or a group of users and said second authentication data uniquely identifying said identity card, and wherein said domain comprises an identification of authorized authentication data pairs which can be used for obtaining authorized access to said domain, the method comprising the steps of:
  • the domain may comprise e.g. one or more device, or one or more apparatus, or one or more user, or content data or a combination thereof.
  • said second authentication data comprises a serial number of said user identity card.
  • the identity card can be uniquely identified in a very easy way. Also, it can be very easy to distinguish which of e.g. two identity cards is illegal and legal, having the same first authentication data but a different serial numbers.
  • the serial number may comprise the number of produced cards. Assuming the serial number comprises the number of produced cards, it is obvious that the identity card having the higher serial number is newer, and therefore the valid one.
  • the authentication data pair stored on said identity card may be updated by updating said second authentication data.
  • the authenticating access of the identity card to said domain may easily be updated since the update requires only the update of said second authentication data, e.g. said serial number. Therefore, the license of the card to e.g. content, devices or apparatuses in a domain does not have to be defined again, or regenerated by the license provider when e.g. the user of the card has lost the card and has purchased a new one.
  • the present invention relates to a computer readable medium having stored therein instructions for causing a processing unit to execute said method.
  • the present invention relates to a system for authenticating access to a domain using a user identity card, wherein said user identity card comprises an authentication data pair stored on said identity card, said authentication data pair consisting of first and second authentication data, said first authentication data uniquely identifying a user or a group of users and said second authentication data uniquely identifying said identity card, and wherein said domain comprises an identification of authorized authentication data pairs which can be used for obtaining authorized access to said domain, comprising
  • an identity card reader for reading said authentication data pair stored on said identity card
  • a processor for comparing said authentication data pair on said identity card with said authorized authentication data pairs in said domain
  • the present invention relates to an identity card to be used for authenticating access to a domain using a user identity card
  • said user identity card comprises an authentication data pair stored on said identity card, said authentication data pair consisting of first and second authentication data, said first authentication data uniquely identifying a user or a group of users and said second authentication data uniquely identifying said identity card
  • said domain comprises an identification of authorized authentication data pairs which can be used for obtaining authorized access to said domain
  • authenticating said access to said domain comprises:
  • an identity card which can as an example be a smart card, comprising an authentication data pair which uniquely identifies the identity card. Therefore, if the identify card is lost or stolen, the authentication data pair may be updated by updating only the said second authentication data.
  • the identity card may, besides said memory, further comprise a processor and may further be adapted to communicate in a wireless way, e.g. via near field communication.
  • figure 1 illustrates a flow chart of an embodiment of authenticating access to a domain using a user identity card
  • figure 2 shows a flow diagram of an embodiment of updating an authentication data stored on the identity card
  • figure 3 shows a system for authenticating access to a domain using a user identity card.
  • Figure 1 illustrates a flow chart of an embodiment of authenticating access to a domain using a user identity card (ID-card), wherein the ID-card comprises an authentication data pair stored on said identity card.
  • the authentication data pair consists of first and second authentication data, the first authentication data uniquely identifying a user or a group of users and said second authentication data uniquely identifying the identity card.
  • the domain comprises an identification of authorized authentication data pairs which can be used for obtaining authorized access to the domain.
  • the domain may comprise on or more devices, or one or more apparatus, or one or more user, or content data or a combination thereof.
  • the first authentication data comprises user identification number (User-ID) and the second authentication data comprises a serial number of the identity card.
  • the authentication data pair stored on the ID-card must be read (R) 101, e.g. by a ID-card reader, and compared to authorized authentication data pairs stored in the domain (C) 103. If there is a match (M?) 105 between the authentication data pair on the identity card and the authorized authentication data pairs in the domain the user card the access to the domain is authorized (A_D) 107. Otherwise, an access to the domain is rejected (R_D) 109. Therefore, in order to access the domain, both the authentication data, i.e. the user-ID and the serial number, must match with a corresponding authentication data within the domain.
  • a rejection to access the domain may therefore be based on that the serial number stored on the ID-card does not matching with the pre-stored serial numbers within the domain, although the User-ID matches. This could be the case where an illegal user makes an attempt to illegally use the ID-card, but wherein the legal user has revoked the old ID-card by changing the serial number. This will be discussed in more details in Fig. 2.
  • FIG. 2 shows a flow diagram of an embodiment of updating an authentication data pair stored on an ID-card.
  • This can be necessary if the ID-card has e.g. been stolen or the user has lost the ID-card.
  • R_ID_C old authentication data
  • the user is subsequently provided with a new ID-card (N_ID_C) 203.
  • N_S_Nr new serial number
  • N_S_Nr new serial number
  • the new ID-card is already provided with a serial number, e.g. one indicating the number of the produced ID-cards of this type.
  • the authentication data pair is updated (U_ID) 207 having the same User-ID but a different serial number.
  • U_ID User-ID
  • the identification of authorized authentication data pairs in the domain must be updated in accordance with the updated authentication data pair on the ID-card. This could be done by the user itself when accessing for the first time the domain after obtaining the new ID-card along with the updated authentication data.
  • the larger serial number (assuming that the serial number comprises the number of produced cards which accordingly increases) could be used as an indicator that the new ID-card is the valid one.
  • the first User-ID comprises "Jonssonl2345” and the serial number "123". If the authentication data on the new ID-card has been updated with a new serial number "598" (still using User-ID "Jonssonl2345”), the higher serial number would suggest that the new ID-card is valid because it is newer.
  • A_ID e.g. a domain compliant first device
  • the first device could be adapted to inform e.g. other devices within the same domain about the new authentication data.
  • the device within the domain (or apparatus, data base etc. comprised in the domain) could also be informed about the new authentication data for the new ID-card via a central server, e.g. where the new ID- card was purchased.
  • a central server e.g. where the new ID- card was purchased.
  • the ID- card is provided with a new authentication data as described previously, comprising said User-ID and said serial number, which are stored on the ID-card.
  • These authentication data are then defined in the authentication data within the domain. This could be done when the user enters the domain for the first time or by a central server.
  • FIG. 3 shows a system for authenticating access to a domain using a user identity card (ID-card) 305, wherein the identity card comprises a memory 307 for storing authentication data pair consisting of said first and second authentication data 306, 308.
  • ID-card user identity card
  • the identity card comprises a memory 307 for storing authentication data pair consisting of said first and second authentication data 306, 308.
  • SAC secure authentication channel
  • a processor 310 in the domain-compliant device 317 compares the User- ID 306 and the serial number 308 on the ID-card 305 to authorized authentication data pairs 311, 313, which are stored in the domain-compliant device 317. If there is a match between the authentication data pair 306, 308 stored on the ID-card 305 and those within the domain- compliant device 317, the user can, using said ID-card, access the domain-compliant device 317.
  • compliant devices are portable MP3 player, an internet radio device, a storage container, DVD player, hard disc recorder and TV.
  • the domain-compliant device 317 may request another domain-compliant device 319 to access content on said device 319, also through SAC. During the request, the domain-compliant device 317 sends its own identity and the user identity 306, 308 to the other compliant device 319. This domain-compliant device 319 will use this information (certificate of the user identity card and of the device 317) for the authentication process, i.e. to compare the User-ID 306 and the serial number 308 with the authorized authentication data pairs 311, 313, which are stored in the domain-compliant device 319.

Abstract

The present invention describes a method and a system of authenticating access to a domain using a user identity card, wherein said user identity card comprises an authentication data pair stored on said identity card, said authentication data pair consisting of first and second authentication data, said first authentication data uniquely identifying a user or a group of users and said second authentication data uniquely identifying said identity card, and wherein said domain comprises an identification of authorized authentication data pairs which can be used for obtaining authorized access to said domain, the method comprising the steps of: - reading said authentication data pair stored on said identity card, - comparing said authentication data pair on said identity card with said authorized authentication data pairs in said domain, -authorizing access to said domain if said comparison results in a match between said authentication data pair on said identity card and at least one of said authorized authentication data pairs in said domain.

Description

A method and system of authenticating access to a domain using a user identify card
FIELD OF THE INVENTION
The present invention relates to a method and system of authenticating access to a domain using a user identity card, wherein said user identity card comprises an authentication data pair stored on the identity card. The authentication data pair consists of first and second authentication data, wherein the first authentication data uniquely identify a user or a group of users and the second authentication data uniquely identify the identity card. In order to access the domain the authentication data pair must match with authorized authentication data pairs within the domain.
BACKGROUND OF THE INVENTION
Identity cards such as smart cards have become more and more common over the past years. What characterizes these cards is that they are provided with an embedded computer chip that can be either a microprocessor with internal memory or a memory chip alone. Therefore, one can say that smart card is an active device or a small computer which enables giving only the information that is required for the specific service at the time the smart card is presented. Also, with smart card-based systems there is no technical requirement to have a central database system that observes all requests for services. An example of applications where smart cards are used is within the financial sector, telecommunications, transit, healthcare and secure identification. There are numerous government identification systems (ID) implemented worldwide which use smart card combined with a biometric technology such as photo and fingerprint. Obviously, it is essential that high security level of such cards is maintained.
When the smart cards are used to enter a domain they are identified through a unique identification number stored on the card. This identification number may e.g. define the domain, which could comprise license or certificate to access devices or content data within the domain.
The problem with prior art identity cards is that only one identification number is used to authenticate the identity card. Therefore, if the identity card is e.g. lost, the manufacturer of the card must, in order to prevent an illegal user of the card to access the domain by using this card, revoke the card and thereby the license to access devices or content data within the domain. Also, the situation may occur that the owner of the card notifies that he/she has lost the card. The manufacturer of the card could then make an identical copy of the user-identity card, i.e. create a clone of the card. The problem may then occur that the user can misuse this situation by e.g. giving someone outside his family a copy of the card.
OBJECT AND SUMMARY OF THE INVENTION
It is the object of the present invention to solve the above-mentioned problems.
According to a first one aspect the present invention relates to a method of authenticating access to a domain using a user identity card, wherein said user identity card comprises an authentication data pair stored on said identity card, said authentication data pair consisting of first and second authentication data, said first authentication data uniquely identifying a user or a group of users and said second authentication data uniquely identifying said identity card, and wherein said domain comprises an identification of authorized authentication data pairs which can be used for obtaining authorized access to said domain, the method comprising the steps of:
- reading said authentication data pair stored on said identity card, - comparing said authentication data pair on said identity card with said authorized authentication data pairs in said domain,
- authorizing access to said domain if said comparison results in a match between said authentication data pair on said identity card and at least one of said authorized authentication data pairs in said domain. Thereby, due to the combination of said first and second authentication data each card has its own identity. It is therefore prevented that more than one card can be used at the same time. The domain may comprise e.g. one or more device, or one or more apparatus, or one or more user, or content data or a combination thereof.
In an embodiment, said second authentication data comprises a serial number of said user identity card.
Thereby, the identity card can be uniquely identified in a very easy way. Also, it can be very easy to distinguish which of e.g. two identity cards is illegal and legal, having the same first authentication data but a different serial numbers. As an example, the serial number may comprise the number of produced cards. Assuming the serial number comprises the number of produced cards, it is obvious that the identity card having the higher serial number is newer, and therefore the valid one.
In an embodiment, the authentication data pair stored on said identity card may be updated by updating said second authentication data. Thereby, the authenticating access of the identity card to said domain may easily be updated since the update requires only the update of said second authentication data, e.g. said serial number. Therefore, the license of the card to e.g. content, devices or apparatuses in a domain does not have to be defined again, or regenerated by the license provider when e.g. the user of the card has lost the card and has purchased a new one. According to a second aspect the present invention relates to a computer readable medium having stored therein instructions for causing a processing unit to execute said method.
According to a third aspect the present invention relates to a system for authenticating access to a domain using a user identity card, wherein said user identity card comprises an authentication data pair stored on said identity card, said authentication data pair consisting of first and second authentication data, said first authentication data uniquely identifying a user or a group of users and said second authentication data uniquely identifying said identity card, and wherein said domain comprises an identification of authorized authentication data pairs which can be used for obtaining authorized access to said domain, comprising
- an identity card reader for reading said authentication data pair stored on said identity card, a processor for comparing said authentication data pair on said identity card with said authorized authentication data pairs in said domain,
- means for authorizing access to said domain if said comparison results in a match between said authentication data pair on said identity card and at least one of said authorized authentication data pairs in said domain.
According to a fourth aspect the present invention relates to an identity card to be used for authenticating access to a domain using a user identity card, wherein said user identity card comprises an authentication data pair stored on said identity card, said authentication data pair consisting of first and second authentication data, said first authentication data uniquely identifying a user or a group of users and said second authentication data uniquely identifying said identity card, and wherein said domain comprises an identification of authorized authentication data pairs which can be used for obtaining authorized access to said domain, wherein authenticating said access to said domain comprises:
- reading said authentication data pair stored on said identity card,
- comparing said authentication data pair on said identity card with said authorized authentication data pairs in said domain, - authorizing access to said domain if said comparison results in a match between said authentication data pair on said identity card and at least one of said authorized authentication data pairs in said domain.
Thereby, an identity card, which can as an example be a smart card, is provided comprising an authentication data pair which uniquely identifies the identity card. Therefore, if the identify card is lost or stolen, the authentication data pair may be updated by updating only the said second authentication data. The identity card may, besides said memory, further comprise a processor and may further be adapted to communicate in a wireless way, e.g. via near field communication.
BRIEF DESCRIPTION OF THE DRAWINGS
In the following preferred embodiments of the invention will be described referring to the figures, where figure 1 illustrates a flow chart of an embodiment of authenticating access to a domain using a user identity card, figure 2 shows a flow diagram of an embodiment of updating an authentication data stored on the identity card, and figure 3 shows a system for authenticating access to a domain using a user identity card.
DESCRIPTION OF PREFERRED EMBODIMENTS
Figure 1 illustrates a flow chart of an embodiment of authenticating access to a domain using a user identity card (ID-card), wherein the ID-card comprises an authentication data pair stored on said identity card. The authentication data pair consists of first and second authentication data, the first authentication data uniquely identifying a user or a group of users and said second authentication data uniquely identifying the identity card. The domain comprises an identification of authorized authentication data pairs which can be used for obtaining authorized access to the domain. The domain may comprise on or more devices, or one or more apparatus, or one or more user, or content data or a combination thereof. In one preferred embodiment the first authentication data comprises user identification number (User-ID) and the second authentication data comprises a serial number of the identity card. In order to access the domain using the ID-card, the authentication data pair stored on the ID-card must be read (R) 101, e.g. by a ID-card reader, and compared to authorized authentication data pairs stored in the domain (C) 103. If there is a match (M?) 105 between the authentication data pair on the identity card and the authorized authentication data pairs in the domain the user card the access to the domain is authorized (A_D) 107. Otherwise, an access to the domain is rejected (R_D) 109. Therefore, in order to access the domain, both the authentication data, i.e. the user-ID and the serial number, must match with a corresponding authentication data within the domain. A rejection to access the domain may therefore be based on that the serial number stored on the ID-card does not matching with the pre-stored serial numbers within the domain, although the User-ID matches. This could be the case where an illegal user makes an attempt to illegally use the ID-card, but wherein the legal user has revoked the old ID-card by changing the serial number. This will be discussed in more details in Fig. 2.
Figure 2 shows a flow diagram of an embodiment of updating an authentication data pair stored on an ID-card. This can be necessary if the ID-card has e.g. been stolen or the user has lost the ID-card. To avoid that another user can use the ID-card illegally, it is necessary to revoke the old authentication data (R_ID_C) 201. This could be done e.g. by the user itself or by him requesting the manufacturer or the seller of the card to revoke the old authentication data. The user is subsequently provided with a new ID-card (N_ID_C) 203. In order to update the authentication data on the new ID-card a new serial number is used (N_S_Nr) 205, and stored along with the old User-ID on the new ID-card. In one embodiment the new ID-card is already provided with a serial number, e.g. one indicating the number of the produced ID-cards of this type. Now, the authentication data pair is updated (U_ID) 207 having the same User-ID but a different serial number. When the user wants to access the domain using the new ID-card with the new authentication data pair, the identification of authorized authentication data pairs in the domain must be updated in accordance with the updated authentication data pair on the ID-card. This could be done by the user itself when accessing for the first time the domain after obtaining the new ID-card along with the updated authentication data. As an example, when the user wants to access the domain using the ID-card, then the larger serial number (assuming that the serial number comprises the number of produced cards which accordingly increases) could be used as an indicator that the new ID-card is the valid one. As an example, the first User-ID comprises "Jonssonl2345" and the serial number "123". If the authentication data on the new ID-card has been updated with a new serial number "598" (still using User-ID "Jonssonl2345"), the higher serial number would suggest that the new ID-card is valid because it is newer. Now, when the new authentication data have been authenticated (A_ID) 209 by e.g. a domain compliant first device (see Fig. 3), the first device could be adapted to inform e.g. other devices within the same domain about the new authentication data. The device within the domain (or apparatus, data base etc. comprised in the domain) could also be informed about the new authentication data for the new ID-card via a central server, e.g. where the new ID- card was purchased. If the user is interested in purchasing a new ID-card for a first time, the ID- card is provided with a new authentication data as described previously, comprising said User-ID and said serial number, which are stored on the ID-card. These authentication data are then defined in the authentication data within the domain. This could be done when the user enters the domain for the first time or by a central server. Figure 3 shows a system for authenticating access to a domain using a user identity card (ID-card) 305, wherein the identity card comprises a memory 307 for storing authentication data pair consisting of said first and second authentication data 306, 308. If the owner of the card wants e.g. to access the domain-compliant device 317, which is within the domain 302, a secure authentication channel (SAC) 315 is setup between the ID-card 305 and the domain-compliant device 317. This may be done e.g. by sending the public key and the certificate for the ID-card 305 to the domain-compliant device 317. This is to enable the authentication data pair 306, 308 to be passed to the domain-compliant device 317 in a secure way. Subsequently, a processor 310 in the domain-compliant device 317 compares the User- ID 306 and the serial number 308 on the ID-card 305 to authorized authentication data pairs 311, 313, which are stored in the domain-compliant device 317. If there is a match between the authentication data pair 306, 308 stored on the ID-card 305 and those within the domain- compliant device 317, the user can, using said ID-card, access the domain-compliant device 317.
An example of such compliant devices is a portable MP3 player, an internet radio device, a storage container, DVD player, hard disc recorder and TV.
It may be possible that the domain-compliant device 317 may request another domain-compliant device 319 to access content on said device 319, also through SAC. During the request, the domain-compliant device 317 sends its own identity and the user identity 306, 308 to the other compliant device 319. This domain-compliant device 319 will use this information (certificate of the user identity card and of the device 317) for the authentication process, i.e. to compare the User-ID 306 and the serial number 308 with the authorized authentication data pairs 311, 313, which are stored in the domain-compliant device 319. It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word 'comprising' does not exclude the presence of other elements or steps than those listed in a claim. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims

CLAIMS:
1. A method of authenticating access to a domain using a user identity card, wherein said user identity card comprises an authentication data pair stored on said identity card, said authentication data pair consisting of first and second authentication data, said first authentication data uniquely identifying a user or a group of users and said second authentication data uniquely identifying said identity card, and wherein said domain comprises an identification of authorized authentication data pairs which can be used for obtaining authorized access to said domain, the method comprising the steps of:
- reading said authentication data pair stored on said identity card,
- comparing said authentication data pair on said identity card with said authorized authentication data pairs in said domain,
- authorizing access to said domain if said comparison results in a match between said authentication data pair on said identity card and at least one of said authorized authentication data pairs in said domain.
2. A method according to claim 1, wherein said second authentication data comprises a serial number of said user identity card.
3. A method according to claim 1 or 2, wherein the authentication data pair stored on said identity card may be updated by updating said second authentication data.
4. A computer readable medium having stored therein instructions for causing a processing unit to execute the method according to claims 1-3.
5. A system for authenticating access to a domain using a user identity card, wherein said user identity card comprises an authentication data pair stored on said identity card, said authentication data pair consisting of first and second authentication data, said first authentication data uniquely identifying a user or a group of users and said second authentication data uniquely identifying said identity card, and wherein said domain comprises an identification of authorized authentication data pairs which can be used for obtaining authorized access to said domain, comprising
- an identity card reader for reading said authentication data pair stored on said identity card,
- a processor for comparing said authentication data pair on said identity card with said authorized authentication data pairs in said domain, -means for authorizing access to said domain if said comparison results in a match between said authentication data pair on said identity card and at least one of said authorized authentication data pairs in said domain.
6. An identity card to be used for authenticating access to a domain using a user identity card, wherein said user identity card comprises an authentication data pair stored on said identity card, said authentication data pair consisting of first and second authentication data, said first authentication data uniquely identifying a user or a group of users and said second authentication data uniquely identifying said identity card, and wherein said domain comprises an identification of authorized authentication data pairs which can be used for obtaining authorized access to said domain, wherein authenticating said access to said domain comprises:
- reading said authentication data pair stored on said identity card,
- comparing said authentication data pair on said identity card with said authorized authentication data pairs in said domain, - authorizing access to said domain if said comparison results in a match between said authentication data pair on said identity card and at least one of said authorized authentication data pairs in said domain.
PCT/IB2005/052773 2004-08-30 2005-08-24 A method and system of authenticating access to a domain using a user identify card WO2006024991A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP04104146 2004-08-30
EP04104146.8 2004-08-30

Publications (1)

Publication Number Publication Date
WO2006024991A1 true WO2006024991A1 (en) 2006-03-09

Family

ID=35149112

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2005/052773 WO2006024991A1 (en) 2004-08-30 2005-08-24 A method and system of authenticating access to a domain using a user identify card

Country Status (1)

Country Link
WO (1) WO2006024991A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2454792A (en) * 2007-11-13 2009-05-20 Vodafone Plc Controlling user access to multiple domains on a terminal using a removable storage means
JP2011138493A (en) * 2009-12-02 2011-07-14 Canon Software Inc Authentication system, management device, and processing method and program therefor

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0467534A2 (en) * 1990-07-20 1992-01-22 Vodafone Limited Telecommunication network
WO1997037506A1 (en) * 1996-03-29 1997-10-09 Telecom Securicor Cellular Radio Limited Telecommunications system
EP1176844A2 (en) * 2000-07-25 2002-01-30 Vodafone Limited Telecommunication systems and methods
WO2002071723A1 (en) * 2001-02-08 2002-09-12 Telefonaktiebolaget Lm Ericsson (Publ) Authenticaton and authorisation based secure ip connections for terminals
WO2004035321A1 (en) * 2002-10-15 2004-04-29 Digimarc Corporation Identification document and related methods

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0467534A2 (en) * 1990-07-20 1992-01-22 Vodafone Limited Telecommunication network
WO1997037506A1 (en) * 1996-03-29 1997-10-09 Telecom Securicor Cellular Radio Limited Telecommunications system
EP1176844A2 (en) * 2000-07-25 2002-01-30 Vodafone Limited Telecommunication systems and methods
WO2002071723A1 (en) * 2001-02-08 2002-09-12 Telefonaktiebolaget Lm Ericsson (Publ) Authenticaton and authorisation based secure ip connections for terminals
WO2004035321A1 (en) * 2002-10-15 2004-04-29 Digimarc Corporation Identification document and related methods

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2454792A (en) * 2007-11-13 2009-05-20 Vodafone Plc Controlling user access to multiple domains on a terminal using a removable storage means
EP2063378A2 (en) 2007-11-13 2009-05-27 Vodafone Group PLC Telecommunications device security
EP2063378A3 (en) * 2007-11-13 2009-11-11 Vodafone Group PLC Telecommunications device security
GB2454792B (en) * 2007-11-13 2012-11-28 Vodafone Plc Telecommunications device security
JP2011138493A (en) * 2009-12-02 2011-07-14 Canon Software Inc Authentication system, management device, and processing method and program therefor

Similar Documents

Publication Publication Date Title
US11562363B2 (en) Hardware and token based user authentication
KR101378504B1 (en) Privacy enhanced identity scheme using an un-linkable identifier
US9489503B2 (en) Behavioral stochastic authentication (BSA)
US8561174B2 (en) Authorization method with hints to the authorization code
US20060206723A1 (en) Method and system for integrated authentication using biometrics
US7287165B2 (en) IC card, portable terminal, and access control method
US20040006699A1 (en) Secure token access distributed database system
JP2002373029A (en) Method for preventing illegal copy of software by using ic tag
US8352582B2 (en) Temporal proximity to verify physical proximity
JP2000215172A (en) Personal authentication system
CN101355556A (en) Authentication information processing device, authentication information processing method, storage medium, and data signal
US20080028475A1 (en) Method For Authenticating A Website
US20160283944A1 (en) Method and apparatus for personal virtual authentication and authorization using digital devices and as an alternative for chip card or smart card
US20190132312A1 (en) Universal Identity Validation System and Method
CN108256302A (en) Data Access Security method and device
US11449631B2 (en) Electronic device for managing personal information and operating method thereof
US20080282343A1 (en) Digital Rights Management Using Biometric Data
JP2005208993A (en) User authentication system
KR20040082674A (en) System and Method for Authenticating a Living Body Doubly
WO2006024991A1 (en) A method and system of authenticating access to a domain using a user identify card
RU2573235C2 (en) System and method for checking authenticity of identity of person accessing data over computer network
KR20200013494A (en) System and Method for Identification Based on Finanace Card Possessed by User
JP2004280245A (en) Information record carrier, password input system, and authentication system
EP3757922A1 (en) Electronic payment system and method and program using biometric authentication
KR101613664B1 (en) Security system reinforcing identification function on the electronic business using certificate

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase