WO2008084435A1 - Arrangement de sécurité - Google Patents

Arrangement de sécurité Download PDF

Info

Publication number
WO2008084435A1
WO2008084435A1 PCT/IB2008/050040 IB2008050040W WO2008084435A1 WO 2008084435 A1 WO2008084435 A1 WO 2008084435A1 IB 2008050040 W IB2008050040 W IB 2008050040W WO 2008084435 A1 WO2008084435 A1 WO 2008084435A1
Authority
WO
WIPO (PCT)
Prior art keywords
hash value
user data
computer system
primary
security arrangement
Prior art date
Application number
PCT/IB2008/050040
Other languages
English (en)
Inventor
Martin Dippenaar
Original Assignee
Martin Dippenaar
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Martin Dippenaar filed Critical Martin Dippenaar
Publication of WO2008084435A1 publication Critical patent/WO2008084435A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2137Time limited access, e.g. to a computer or data

Definitions

  • the present invention relates to a security arrangement.
  • the present invention relates to a security arrangement using two-factor authentication.
  • Passwords are widely used in industry to control authorised access to electronic media, such as access to computer programs or Internet websites, e.g. Internet banking websites.
  • electronic media such as access to computer programs or Internet websites, e.g. Internet banking websites.
  • the user must enter his login identification and his secret password. These are then checked against entries in a secure database by the program/website and access is only allowed if the login identification and password correctly correlate with the database entries.
  • Such use of a login identification and password to control authorised access is known as one-factor authentication.
  • One-factor authentication provides relatively weak protection as it relies on the user keeping his login identification and password secret. Should the user divulge his login identification and password to a third party they will be able to access the relevant program/website as if they were the user.
  • An alternative, improved authentication is two-factor authentication. This uses a combination of two independent factors selected from the following three options: biometrics or something you are (e.g. a fingerprint); knowledge or something you know (e.g. passwords); and possession or something you have (e.g. smart card).
  • Key-logging software is available that can be installed on computers as so-called spy-ware to log any keystrokes that are entered into a computer via a keyboard.
  • Such software which is often secretly installed by criminals on computers in public places such as in Internet cafes, allows a third party to secretly record a user's login identification and password, which is then later used to the detriment of the user. This is thus a relatively easy method of breaking one-factor authentication.
  • a security arrangement includes:
  • encryption means being adapted to encrypt the first user data to generate a primary hash value
  • a data storing means adapted to store second user data
  • authentication means being adapted to compare the primary hash value with the second user data
  • access control means being adapted to allow access to the computer system if the primary hash value correlates to the second user data and further being adapted to deny access to the computer system if the primary hash value does not correlate to the second user data.
  • a security arrangement includes:
  • encryption means being adapted to encrypt the first user data to generate a primary hash value and a secondary hash value
  • a data storing means adapted to store second user data
  • authentication means being adapted to compare the primary hash value with the second user data
  • access control means being adapted to allow access to the computer system if the primary hash value correlates to the second user data and further being adapted to deny access to the computer system if the primary hash value does not correlate to the second user data;
  • identification means being adapted to generate an identification hash value for comparison with the secondary hash value.
  • the secondary hash value and the identification hash value may be based on the primary hash value.
  • the security arrangement may include communication means for communicating the identification hash value to a user of the electronic device by display on a website or by text message to a mobile telephone.
  • the electronic device may be a mobile telephone or a PDA device.
  • the electronic device may be disconnected from the Internet or any other computer network.
  • the first and second user data may be a user login name and a user password.
  • the primary hash value, the secondary hash value and the identification hash value may include a date/time value.
  • the date/time value may be calculated as a difference from a fixed absolute date/time.
  • the date/time value may be calculated using the universal time code.
  • the primary hash value may be valid only for a predetermined time interval from the date/time value.
  • the primary hash value may include a key number associated with the electronic device.
  • the primary hash value may be valid only for a single use.
  • the primary hash value may be stored by the computer system in the data storing means.
  • the data storing means may be a database or any other persistence store mechanism.
  • the second user data may include a token.
  • the token may be a hash key or other retrievable data pertaining to the user data.
  • a method of authenticating access to a computer system includes the steps:
  • Figure 1 a flow diagram of an encryption program for use in a security arrangement according to the invention.
  • Figure 2 a flow diagram of an authentication program for use in a security arrangement according to the invention.
  • a security arrangement in accordance with the invention includes a form of two-factor authentication using a mobile electronic device and a secret password.
  • the electronic device can be a mobile telephone or a PDA (personal digital assistant) and is preferably not connected to any computer network or the Internet.
  • the electronic device is used to generate a hash value, which is a meaningless number generated from a coded data item or its key.
  • a computer program is installed on the electronic device and the operation of the program is illustrated by the flow diagram, generally indicated by reference numeral 10, shown in Figure 1.
  • first user data consisting of a user identity and a password is entered into the computer program via a keypad on the electronic device.
  • a second step 14 the computer program generates hash numbers for each letter or number in the user identity and password as well as a further hash number associated to the current date/time programmed into the electronic device.
  • the date/time hash number can be based on the universal time code so that the hash number is not affected by any international time zones.
  • a summation of these individual hash numbers is then made to obtain a primary hash value.
  • the computer program subsequently in a similar manner generates a secondary hash value using the primary hash value in combination with the originally entered password and the universal time code. Both the primary and the secondary hash values are displayed on a screen of the electronic device in step 16.
  • FIG. 1 a flow diagram for the user authentication on a computer system is shown, generally indicated by reference numeral 18.
  • the computer system is associated with a data storing means, such as a database 20 or other persistence store mechanism, in which the user has previously stored his user identification, password and a token.
  • the primary hash value displayed in step 16 is entered into the computer system (step 22), e.g. onto the webpage to which access is desired.
  • the computer system then processes 24 the user identification, password and token stored in the database 20 to determine any and all possible primary hash values that may be valid and subsequently determines by comparison (step 26) whether the primary hash value is authentic and valid. Due to the time element contained within the primary hash value, any validity determination can be restricted to a desired time frame window after the primary hash value was generated.
  • step 28 If it is determined that the primary hash value is not one of the possible valid permutations and is thus invalid, access to the computer system is denied (step 28).
  • step 30 a further check is conducted (step 30) to ensure that the relevant primary hash value has not been previously used or stored in the database 20. If the primary hash value has been previously used, then again access to the computer system is denied (step 28).
  • Access to the computer system is allowed (step 32) should it be determined that the primary hash value is valid and is being used for the first time.
  • the primary hash value is then stored in the database 20 for use in future validity determinations.
  • the computer system Once the computer system has identified and validated the primary hash value, it then in step 34 generates an identification hash value from the primary hash value in combination with the user identification, password and token stored in the database 20.
  • the identification hash value is communicated to the user, either by displaying it on the webpage being viewed or by sending an SMS message to the users mobile phone. The user is then able to compare the identification hash value with the secondary hash value displayed on the screen in step 16 to ensure that he has gained access to the desired computer system and has not been diverted to another computer system.
  • the primary hash value can optionally include a key number associated with the electronic device itself, such as a serial number or registration thereof, which number is also previously stored in the database 20.
  • the authentication of the user on the computer system uses a two-factor approach as it requires both a knowledge factor (the password) and a possession factor (the electronic device).
  • the same security arrangement can be used for any type of secure Internet transaction such as credit card purchases and merchant payment transactions, or even for other applications such as access to buildings, venues and virtual private networks.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention porte sur un arrangement de sécurité utilisant un dispositif électronique d'authentification pour obtenir l'accès à un système informatique. Le dispositif électronique comporte un moyen de saisie de données permettant d'accepter de premières données d'utilisateur, qui sont ensuite chiffrées pour produire des valeurs de hachage primaires et secondaires 5 présentées sur un écran. La valeur de hachage primaire est saisie dans le système informatique, qui la compare alors à de deuxièmes données d'utilisateur précédemment stockées dans un moyen de stockage de données. L'accès au système informatique est autorisé si la valeur de hachage primaire se corrèle avec les deuxièmes données d'utilisateur, mais est refusée dans le cas contraire. Le système informatique produit finalement une valeur de hachage d'identification que l'on compare à la valeur de hachage secondaire pour identifier le système informatique au dispositif électronique.
PCT/IB2008/050040 2007-01-08 2008-01-08 Arrangement de sécurité WO2008084435A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ZA200700191 2007-01-08
ZA2007/00191 2007-01-08

Publications (1)

Publication Number Publication Date
WO2008084435A1 true WO2008084435A1 (fr) 2008-07-17

Family

ID=39608408

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2008/050040 WO2008084435A1 (fr) 2007-01-08 2008-01-08 Arrangement de sécurité

Country Status (1)

Country Link
WO (1) WO2008084435A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102009008854A1 (de) * 2009-02-13 2010-08-19 Giesecke & Devrient Gmbh Sicherung von Transaktionsdaten
CN103413104A (zh) * 2013-08-09 2013-11-27 北京旋极信息技术股份有限公司 一种交易敏感信息的处理方法及处理装置

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5661807A (en) * 1993-07-30 1997-08-26 International Business Machines Corporation Authentication system using one-time passwords
US20060083228A1 (en) * 2004-10-20 2006-04-20 Encentuate Pte. Ltd. One time passcode system
US20060136739A1 (en) * 2004-12-18 2006-06-22 Christian Brock Method and apparatus for generating one-time password on hand-held mobile device
US20060174113A1 (en) * 2003-04-01 2006-08-03 Zahari Azman B H System for secure communication
US20060294023A1 (en) * 2005-06-25 2006-12-28 Lu Hongqian K System and method for secure online transactions using portable secure network devices

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5661807A (en) * 1993-07-30 1997-08-26 International Business Machines Corporation Authentication system using one-time passwords
US20060174113A1 (en) * 2003-04-01 2006-08-03 Zahari Azman B H System for secure communication
US20060083228A1 (en) * 2004-10-20 2006-04-20 Encentuate Pte. Ltd. One time passcode system
US20060136739A1 (en) * 2004-12-18 2006-06-22 Christian Brock Method and apparatus for generating one-time password on hand-held mobile device
US20060294023A1 (en) * 2005-06-25 2006-12-28 Lu Hongqian K System and method for secure online transactions using portable secure network devices

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102009008854A1 (de) * 2009-02-13 2010-08-19 Giesecke & Devrient Gmbh Sicherung von Transaktionsdaten
CN103413104A (zh) * 2013-08-09 2013-11-27 北京旋极信息技术股份有限公司 一种交易敏感信息的处理方法及处理装置
CN103413104B (zh) * 2013-08-09 2016-02-03 北京旋极信息技术股份有限公司 一种交易敏感信息的处理方法及处理装置

Similar Documents

Publication Publication Date Title
US8997177B2 (en) Graphical encryption and display of codes and text
CA2649015C (fr) Systeme d'authentification d'image et de securite
US8041954B2 (en) Method and system for providing a secure login solution using one-time passwords
AU2011201164B2 (en) Methods and Systems for Authenticating Users
US8079082B2 (en) Verification of software application authenticity
CA2417770C (fr) Systeme de signature numerique avec certification d'authentiticite
US8732477B2 (en) Graphical image authentication and security system
RU2742910C1 (ru) Обработка закодированной информации
EP3090377B1 (fr) Procédé et appareil pour fournir une authentification basée sur un score côté client
WO2019059964A1 (fr) Système et procédé de génération de jeton d'autorisation et de validation de transaction
US10050958B2 (en) Validating biometrics without special purpose readers
US20030163738A1 (en) Universal password generator
Abhishek et al. A comprehensive study on multifactor authentication schemes
CN108684041A (zh) 登录认证的系统和方法
TW201544983A (zh) 資料通訊方法和系統及客戶端和伺服器
US10264450B2 (en) Authentication method using ephemeral and anonymous credentials
CA2611549C (fr) Methode et systeme permettant d'obtenir une ouverture de session protegee au moyen de mots de passe a usage unique
US20160021102A1 (en) Method and device for authenticating persons
WO2008084435A1 (fr) Arrangement de sécurité
US20020073345A1 (en) Secure indentification method and apparatus
Mohanty et al. Nfc featured triple tier atm protection
Certic The Future of Mobile Security
KR20050071391A (ko) 다양한 실명일련번호 체계에 지원하는 등급별 권한부여실명인증 시스템
KR101632582B1 (ko) 랜덤키가 포함된 패스워드를 이용한 사용자 인증 방법 및 시스템
MORAKINYO A secure bank login system using a multi-factor authentication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08700215

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08700215

Country of ref document: EP

Kind code of ref document: A1