WO2008128528A2 - Eavesdropping-proof and tamper-proof encryption for online accounts - Google Patents
- Publication number
- WO2008128528A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- image
- client
- server
- buttons
- characters
- Prior art date
Classifications
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C5/00—Ciphering apparatus or methods not provided for in the preceding groups, e.g. involving the concealment or deformation of graphic data such as designs, written or printed messages
Definitions
- The PIN/TAN, PIN/iTAN, HBCI-1, HBCI-2 and security token methods do not protect against man-in-the-middle attacks.
- Encryption of the connection, e.g. SSL, does not protect reliably against malware either, because the malware can become active before the connection encryption is even set up and perform its manipulation before the connection encryption (or, in the other direction, after the connection decryption).
- The server creates a set of partial secret images for each client, names them (e.g. by numbering them) and stores them. It then prints these images on clear transparencies, additionally prints each one's name (number) visibly on it, and physically sends the transparencies to the client, e.g. by mail. Initially all of these partial secret images have the status "unused", which can later change to "used up"; this status is managed by the server.
- Client X now holds these transparencies and wants to send the server a secret message of n characters (example: an 8-digit bank code). To do this, the client contacts the server online from a computer via the computer network and identifies as Client X.
- Malware on the client's computer or in the computer network cannot obtain any information about the transmitted text: the malware would have to spy on the transparency laid on the screen, which is not possible.
- The client's screen can be either a computer screen or the screen of a mobile terminal, in particular the display of a mobile phone (Fig. 7).
- Another advantage is the relatively low production cost, since only the corresponding transparencies have to be produced and printed; no expensive devices are necessary.
- Fig. 3 Interception-proof exchange of information with repetition of symbols, example: Entering a bank code with 8 digits.
- Fig. 4 Interception-proof exchange of information in which no repetitions of symbols occur, example: PIN entry (assumption: only PINs without numerical repetition are assigned)
- Fig. 5 Counterfeit-proof confirmation of a transfer including a TAN (which can then be entered in plain text on the keyboard). For protection against forgery it is important that the information is not at a fixed location; in Fig. 5B, for example, the displayed digits are randomly offset horizontally.
- Fig. 6 Tamper-proof online confirmation of debits via visual cryptography.
- Fig. 7 Tamper-proof online confirmation of debits via visual cryptography on a mobile device.
- Fig. 8 Secure transmission of general text, including repetition of characters.
- The bank server generates a set of partial secret images for bank customer X, numbers them, stores them and sends them, printed on transparencies, to the bank customer by mail (much as TAN lists are sent).
- The customer receives a PIN as in the PIN/TAN procedure, with the assumption that no digit appears twice in the PIN (the number of possibilities is still large enough to make guessing the PIN futile).
- The bank server receives the digit sequence 05296. Because the bank server itself created the original image with the permuted digits and remembered the permutation, it can conclude directly that the digit sequence 41629 was entered by the mouse clicks. It compares this digit sequence with the PIN of bank customer X (which is of course also stored). If it is the correct PIN, bank customer X is granted access to the account.
- The bank server writes this information into a black-and-white image.
- It does not write each individual piece of information to a fixed point in the image, but only somewhere within a certain defined area of the image.
- It writes a randomly generated digit sequence ("TAN") into a certain specified area of the image and remembers this TAN. Then it takes an unused transparency and
- Bank customer X places the corresponding transparency on the partial secret image on the screen and sees the transfer data confirmed again, see Fig. 5B. If the data is correct, the customer types the displayed TAN in plain text into a designated input field and sends it to the bank server.
- The bank server compares the transmitted number with the previously assigned TAN. If both match, it releases the transfer.
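An added simulation of the PIN-entry round trip described above (example code, not from the patent): a Naor-Shamir 2-out-of-2 visual cryptography share on the transparency, a per-session screen share derived from a random digit permutation, and the server mapping the clicked button positions back to digits, as in the 05296 / 41629 example. As a simplifying assumption the keypad is reduced to ten button positions, each showing its digit as a 4-pixel binary glyph instead of a drawn numeral.

```python
import random

# Naor-Shamir 2-out-of-2 visual cryptography: each secret pixel becomes a 2x2
# block of subpixels on each share (a 4-tuple here, 1 = dark). Identical blocks
# stack to a half-dark block (reads white), complementary blocks to all dark.
PATTERNS = [(1, 1, 0, 0), (0, 0, 1, 1), (1, 0, 1, 0),
            (0, 1, 0, 1), (1, 0, 0, 1), (0, 1, 1, 0)]
BUTTONS, GLYPH = 10, 4   # 10 keypad buttons; each label drawn as a 4-pixel glyph (assumption)
_rng = random.SystemRandom()

def make_film():
    """Server: one random block per pixel, printed on the transparency and mailed once."""
    return [[_rng.choice(PATTERNS) for _ in range(GLYPH)] for _ in range(BUTTONS)]

def keypad_image(perm):
    """Session image: button position i shows digit perm[i] as a binary glyph (1 = black)."""
    return [[(perm[i] >> (GLYPH - 1 - k)) & 1 for k in range(GLYPH)] for i in range(BUTTONS)]

def make_screen(film, image):
    """Server: screen share derived from the film (white: same block, black: complement).
    Without the film every block is equally likely, so a screen grab reveals nothing."""
    return [[tuple(1 - b for b in p) if px else p for p, px in zip(fr, ir)]
            for fr, ir in zip(film, image)]

def stack(film, screen):
    """Client lays the film on the screen: a subpixel is dark if dark on either share,
    and a block with all four subpixels dark reads as a black pixel."""
    return [[int(all(a | b for a, b in zip(p, q))) for p, q in zip(fr, sr)]
            for fr, sr in zip(film, screen)]

def read_labels(image):
    """Client reads which digit each button position currently shows."""
    return [int("".join(map(str, row)), 2) for row in image]

def client_clicks(labels, digits):
    """Client clicks the button showing each digit; only positions leave the computer."""
    return [labels.index(int(d)) for d in digits]

def server_decode(perm, positions):
    """Server maps the received positions back through the permutation it kept."""
    return "".join(str(perm[p]) for p in positions)

def run_session(film, digits, perm=None):
    """One round trip with a fresh random digit permutation (or a given one).
    Returns (positions sent over the network, digits the server reconstructs)."""
    if perm is None:
        perm = _rng.sample(range(BUTTONS), BUTTONS)
    screen = make_screen(film, keypad_image(perm))
    positions = client_clicks(read_labels(stack(film, screen)), digits)
    return positions, server_decode(perm, positions)
```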
Abstract
The present invention relates to an eavesdropping-proof and tamper-proof encryption method for online accounts, in particular for online banking, which uses visual cryptography. According to this method, a first partial secret image is generated on a film by the server according to the visual cryptography method. In addition, a second partial secret image showing buttons labelled with characters assigned at random is generated by the server and displayed on the client's screen, these buttons being activatable with the mouse. In the next step, the film and the screen are superimposed by the client so that the two partial secret images together produce the image of clickable buttons bearing characters. The client can then enter a sequence of n characters via n mouse clicks on the labelled buttons. The information about which buttons the client activated and in which order is transmitted to the server, and the entered character sequence is reconstructed in the server.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE200710018802 DE102007018802B3 (de) | 2007-04-20 | 2007-04-20 | Abhör- und manipulationssichere Verschlüsselung für Online-Accounts |
DE102007018802.3 | 2007-04-20 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2008128528A2 (fr) | 2008-10-30 |
WO2008128528A3 WO2008128528A3 (fr) | 2009-06-11 |
Family
ID=39646328
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/DE2008/000688 WO2008128528A2 (fr) | 2007-04-20 | 2008-04-19 | Codage à l'épreuve des écoutes et des manipulations pour comptes en ligne |
Country Status (2)
Country | Link |
---|---|
DE (1) | DE102007018802B3 (fr) |
WO (1) | WO2008128528A2 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2339507A1 (fr) | 2009-12-28 | 2011-06-29 | Softkinetic | Procédé de détection et localisation de tête |
Families Citing this family (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102007052734B4 (de) | 2007-06-27 | 2010-12-30 | Universität Tübingen | Vorrichtung und Verfahren zur abhör- und manipulationssicheren Verschlüsselung für Online-Accounts |
DE102007043843A1 (de) | 2007-07-21 | 2009-01-22 | Borchert, Bernd, Dr. | Abhörsichere Verschlüsselung für Online Accounts |
DE102008053219A1 (de) | 2008-02-05 | 2009-08-06 | Borchert, Bernd, Dr. | Fälschungssichere Online Transaktionen via Cardano Verschlüsselung |
DE102008056605A1 (de) | 2008-11-10 | 2010-05-12 | Borchert, Bernd, Dr. | Fälschungssichere Online Transaktionen via Linien-Permutationen |
DE102008061233A1 (de) | 2008-12-09 | 2010-06-10 | Borchert, Bernd, Dr. | Bild-Passwörter als Phishing-Schutz |
DE102008062872A1 (de) | 2008-12-17 | 2010-06-24 | Universität Tübingen | Verfahren und System zur bidirektionalen, abhör- und manipulationssicheren Übertragung von Informationen über ein Netzwerk sowie Dekodiereinheit |
DE102009007277A1 (de) | 2009-02-03 | 2010-08-05 | Borchert, Bernd, Dr. | Fälschungssichere Online Transaktionen |
DE102009024893B4 (de) | 2009-06-15 | 2020-09-03 | Giesecke+Devrient Mobile Security Gmbh | Verfahren zum sicheren Anzeigen von Anzeigedaten |
DE102009033919A1 (de) | 2009-07-20 | 2011-01-27 | Giesecke & Devrient Gmbh | Sicheres Anzeigen von Nutzdaten auf einem Telekommunikationssendgerät |
DE102009033918B4 (de) | 2009-07-20 | 2024-01-25 | Giesecke+Devrient ePayments GmbH | Sicheres Anzeigen von Nutzdaten auf einem Telekommunikationsendgerät |
EP2325805B1 (fr) * | 2009-10-29 | 2013-08-28 | Deutsche Telekom AG | Procédé et système de contrôle d'autorisation |
DE102010035017A1 (de) * | 2010-08-20 | 2012-02-23 | Giesecke & Devrient Gmbh | Verifikation von Sicherheitselementen mit Fenster und weiterer Information |
US9367842B2 (en) | 2012-06-12 | 2016-06-14 | Square, Inc. | Software pin entry |
DE102013002184A1 (de) | 2013-02-06 | 2014-08-07 | Florian Thie | Computerimplementiertes Verfahren zum Verschlüsseln von Daten |
US9773240B1 (en) | 2013-09-13 | 2017-09-26 | Square, Inc. | Fake sensor input for passcode entry security |
US9613356B2 (en) * | 2013-09-30 | 2017-04-04 | Square, Inc. | Secure passcode entry user interface |
US9558491B2 (en) * | 2013-09-30 | 2017-01-31 | Square, Inc. | Scrambling passcode entry interface |
US9928501B1 (en) | 2013-10-09 | 2018-03-27 | Square, Inc. | Secure passcode entry docking station |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1472584B1 (fr) * | 2002-01-17 | 2005-11-30 | Koninklijke Philips Electronics N.V. | Dialogue d'entree de donnees securise par cryptographie visuelle |
US20060020559A1 (en) * | 2004-07-20 | 2006-01-26 | Scribocel, Inc. | System for authentication and identification for computerized and networked systems |
US20060177060A1 (en) * | 2003-07-21 | 2006-08-10 | Koninklijke Philips Electronics N.V. | Image alignment |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU2003209956A1 (en) * | 2002-04-08 | 2003-10-20 | Koninklijke Philips Electronics N.V. | Device for reconstructing a graphical message |
WO2004081767A1 (fr) * | 2003-03-11 | 2004-09-23 | Koninklijke Philips Electronics N.V. | Procede et systeme permettant de composer des messages a distance |
DE10326462A1 (de) * | 2003-06-12 | 2005-01-05 | Deutsche Telekom Ag | Bereitstellen von Teilschlüsseln eines durch visuelle Kryptographie verschlüsselten Ereignisses |
2007
- 2007-04-20 DE DE200710018802 patent/DE102007018802B3/de not_active Revoked
2008
- 2008-04-19 WO PCT/DE2008/000688 patent/WO2008128528A2/fr active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1472584B1 (fr) * | 2002-01-17 | 2005-11-30 | Koninklijke Philips Electronics N.V. | Dialogue d'entree de donnees securise par cryptographie visuelle |
US20060177060A1 (en) * | 2003-07-21 | 2006-08-10 | Koninklijke Philips Electronics N.V. | Image alignment |
US20060020559A1 (en) * | 2004-07-20 | 2006-01-26 | Scribocel, Inc. | System for authentication and identification for computerized and networked systems |
Non-Patent Citations (1)
Title |
---|
PIM TUYLS ET AL: "Visual Crypto Displays Enabling Secure Communications" INTERNET CITATION, [Online] XP002298807 Gefunden im Internet: URL:BOPPARD> [gefunden am 2004-10-01] * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2339507A1 (fr) | 2009-12-28 | 2011-06-29 | Softkinetic | Procédé de détection et localisation de tête |
WO2011080280A1 (fr) | 2009-12-28 | 2011-07-07 | Softkinetic | Procédé de reconnaissance de tête |
Also Published As
Publication number | Publication date |
---|---|
DE102007018802B3 (de) | 2008-08-28 |
WO2008128528A3 (fr) | 2009-06-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE102007018802B3 (de) | Abhör- und manipulationssichere Verschlüsselung für Online-Accounts | |
DE102007052734B4 (de) | Vorrichtung und Verfahren zur abhör- und manipulationssicheren Verschlüsselung für Online-Accounts | |
DE60211841T2 (de) | Vorrichtung zur Aktualisierung und zum Entzug der Gültigkeit einer Marke in einer Infrastruktur mit öffentlichen Schlüsseln | |
DE69828971T2 (de) | Symmetrisch gesichertes elektronisches Kommunikationssystem | |
DE3841393C2 (de) | Zuverlässiges System zur Feststellung der Dokumentenechtheit | |
DE60019432T2 (de) | Eine technik, um einen parameter, wie z.b. eine prüfsumme, durch ein primitiv zu erzeugen, welche elementare register-operationen verwendet | |
DE102007043843A1 (de) | Abhörsichere Verschlüsselung für Online Accounts | |
DE3319919A1 (de) | Schutzsystem fuer intelligenz-karten | |
DE60303034T2 (de) | Methode und verfahren zur fälschungsresistenten visuellen verschlüsselung | |
EP1180276A1 (fr) | Procede de verification de l'integrite et de l'auteur de textes et de codage et decodage de ces textes | |
EP1152379A2 (fr) | Procede permettant a un acquereur de demander l'execution d'une obligation liee a une carte, et permettant a l'emetteur de reconnaitre cette obligation | |
DE102008053219A1 (de) | Fälschungssichere Online Transaktionen via Cardano Verschlüsselung | |
DE102005008610A1 (de) | Verfahren zum Bezahlen in Rechnernetzen | |
DE102008061233A1 (de) | Bild-Passwörter als Phishing-Schutz | |
EP2894811B1 (fr) | Procédé de sécurisation d'authenticité, d'intégrité et d'anonymat d'un appariement de données, en particulier lors de la présentation de l'appariement de données sous forme d'un code optique bidimensionnel | |
DE102009024893B4 (de) | Verfahren zum sicheren Anzeigen von Anzeigedaten | |
DE10114157A1 (de) | Verfahren zur rechnergestützten Erzeugung von öffentlichen Schlüsseln zur Verschlüsselung von Nachrichten und Vorrichtung zur Durchführung des Verfahrens | |
DE3905703C2 (de) | Verfahren zur elektronischen Signatur | |
WO2015185552A1 (fr) | Procédé de transmission sécurisée d'informations chiffrées | |
DE102008037794A1 (de) | Einmalpasswort-Generator | |
DE102007046102B4 (de) | Verfahren zum Schutz vor Veränderung von Daten und zur Authentifizierung des Datensenders bei der Datenübertragung durch Verwendung von Verschlüsselungsverfahren, bei denen mit Kenntnis von verschlüsselten und unverschlüsselten Daten andere Daten nicht mehr als zufällig richtig verschlüsselt werden können. | |
WO1999057688A1 (fr) | Procede pour l'authentification de documents | |
EP1487141B1 (fr) | Préparation de portions de clé d'une valeur encryptée par cryptographie visuelle | |
DE102010031960A1 (de) | Lichtbrechungs-Kryptographie | |
DE102015012211B3 (de) | Verfahren zur sicheren Übermittlung von verschlüsselten Informationen |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 08757970; Country of ref document: EP; Kind code of ref document: A2 |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 08757970; Country of ref document: EP; Kind code of ref document: A2 |