WO2009041804A2 - Secure instant messaging - Google Patents


Info

Publication number
WO2009041804A2
Authority
WO
WIPO (PCT)
Prior art keywords
user
client
random number
instant messaging
secure
Prior art date
Application number
PCT/MY2008/000114
Other languages
French (fr)
Other versions
WO2009041804A3 (en)
WO2009041804A8 (en)
Inventor
Kang Siong Ng
Chong Seak Sea
Azhar Abu Talib
Original Assignee
Mimos Berhad
Priority date
Filing date
Publication date
Application filed by Mimos Berhad
Publication of WO2009041804A2
Publication of WO2009041804A3
Publication of WO2009041804A8

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token


Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A setup for secure instant messaging allowing a user to use a smart card (32a) to authenticate the user's identity is described. A server (21) generates a random number and a network sends the random number to a user's client (31a). The smart card (32a) stores a unique private key for each user and encrypts the random number with the user's private key. A database (11) provides a public key. The server (21) decrypts the random number with the public key and compares the decrypted number with the random number; a match validates the user's identity and establishes a secure connection between the validated user's client and the server, allowing the user to log onto a secure instant messaging network. A user can also retrieve a peer user's internet protocol address and public key to establish a client-to-client connection, where the data communicated between them is encrypted with the peer's public key and can only be decrypted with the private key stored in the peer's smart card. A breakdown detection feature is also described.

Description

SECURE INSTANT MESSAGING
The present invention relates generally to transmission of electronic message over communication network, more particularly to an instant messaging system.
BACKGROUND TO THE INVENTION
Electronic message communication is an essential and popular communication tool for the masses. Electronic message which can be transmitted and displayed immediately, or popularly known as instant messaging, allows at least two people to exchange messages in real time. Each instant messaging provider usually uses a particular protocol and user interface. Instant messaging covers text chat, voice chat and video chat.
However, typical instant messaging carries a high security risk: it is easily exposed to spyware, viruses, Trojans and worms. Instant messaging providers have started to introduce security measures with new products to be installed in corporate networks for the purpose of archiving, content-scanning, and security scanning of traffic moving in and out of the server.
A method to provide security to electronic messages is to encrypt the message before transmission. Such encryption uses popular security protocols such as secure socket layer (SSL) or transport layer security (TLS). SSL provides security measures to validate a particular website and to create an encrypted connection. TLS uses a public key to authenticate user and network.
An attempt to authenticate a user involves a smart card in a messaging network wherein a secret algorithm and secret key are stored on the smart card. To authenticate the network, a network component transfers a random number to the smart card to get a response signal from the smart card which is used for authentication.
Another secure instant messaging embodiment uses at least a certificate authority to issue a security certificate to a user that binds the user to a public key, which is used by other users to encrypt and decrypt messages. The above-mentioned embodiments usually require a user to provide an identity and password to use a secure website. It is a hassle for a user who uses various secure websites to remember every password for each website.
SUMMARY OF THE INVENTION
The present invention is conceived to provide a setup to allow instant messaging users to login securely using a smart card which uses digital certificate for authentication. A user can login to a server to be a client using smart card.
It is also an object of the invention to provide a secure means of network connection between client-to-client communication and client-to-server communication.
It is a further object of the invention to provide a break down detection protocol to detect if there is any break down connection between user and server.
BRIEF DESCRIPTION OF THE DRAWING
The present invention will now be described in greater detail, by way of an example, with reference to the accompanying drawing, in which:
Fig. 1 illustrates a block diagram of secure instant messaging setup according to the present invention.
DETAILED DESCRIPTION OF THE DRAWING
Referring to Fig. 1, there is illustrated an embodiment of the present invention for secure instant messaging. A user can use a smart card 32a to identify and authenticate the user. A connection is then established with a security protocol between client 31a and client 31b, and between client 31a and server 21.
The smart card 32a holds a digital certificate as a security tool which is unique to each user. The smart card is used to login as a client 31a. The client can network with other clients and the server. During login, the digital certificate will identify the user and create connections to other clients and the server. Secure instant messaging (IM) server software 21 runs on computer 20. User 1's computer 30a is installed with IM client software 31a. User 1 uses smart card 32a, which interfaces with secure IM client software 31a. Smart card 32a contains the user's digital certificate and the private key associated with that digital certificate. User 1 uses secure IM client software 31a to login to the secure IM server software 21 via digital certificate based mutual authentication.
The process will now be described, as follows:
Secure IM server 21 generates a random number, n, and sends it to secure IM client 31a. The random number n is sent to smart card 32a and encrypted using the private key in the smart card 32a. The encrypted random number, together with the user digital certificate retrieved from the smart card 32a, is sent back to the secure IM server 21. The encrypted random number is decrypted by the secure IM server 21 using the public key extracted from the user digital certificate. The decrypted random number should be exactly the same number as the original random number, n. This proves that user 1 possesses the private key associated with the user digital certificate presented to the server. Credential information regarding user 1 is retrieved from the user digital certificate. This information is verified against the registered user database software 11 running on another computer 10. If user 1 is a registered user, then user 1's computer IP address is recorded into database 11. The authentication process for peer user 2 is similar: computer 30b runs secure IM client software 31b, which interfaces to smart card 32b holding user 2's digital certificate and its corresponding private key.
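The login exchange above, worked through in Go as an added example (this is not code from the patent or from Mimos Berhad). It assumes the Go standard library's crypto/rsa and crypto/x509, self-signed certificates standing in for CA-issued ones, and a map of certificate fingerprints standing in for the registered user database 11; all type and function names are constructed for the example. What the patent calls "encrypting the random number with the private key" is implemented as an RSA signature over the challenge, which is what that operation is in practice: the server verifies it with the public key extracted from the presented certificate, compares against the n it issued, and only then consults the database. The server also consumes each n on first use, so a captured response cannot be replayed against a later login.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// smartCard stands in for smart card 32a: it holds the user's certificate and the
// matching private key, and the key never leaves it (type constructed for this example).
type smartCard struct {
	cert *x509.Certificate
	priv *rsa.PrivateKey
}

// issueCard makes a key pair and a self-signed certificate naming the user. A real
// deployment would have a CA sign it; self-signing is an assumption that keeps this self-contained.
func issueCard(user string) (*smartCard, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &smartCard{cert: cert, priv: priv}, nil
}

// signChallenge is what the page calls "encrypting the random number with the private
// key": an RSA PKCS#1 v1.5 signature over SHA-256 of the challenge n.
func (c *smartCard) signChallenge(n []byte) ([]byte, error) {
	h := sha256.Sum256(n)
	return rsa.SignPKCS1v15(rand.Reader, c.priv, crypto.SHA256, h[:])
}

// imServer stands in for secure IM server 21 plus the registered-user database 11,
// modelled as SHA-256 fingerprints of the registered certificates keyed by subject CN.
type imServer struct {
	registered map[string][32]byte // user -> fingerprint of the registered certificate
	pending    map[string][]byte   // session id -> outstanding challenge n
	online     map[string]string   // user -> IP address recorded after a valid login
}

func newServer() *imServer {
	return &imServer{registered: map[string][32]byte{}, pending: map[string][]byte{}, online: map[string]string{}}
}

func (s *imServer) register(c *smartCard) {
	s.registered[c.cert.Subject.CommonName] = sha256.Sum256(c.cert.Raw)
}

// newChallenge is the random number n that the server issues for one login attempt.
func (s *imServer) newChallenge(session string) ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil { return nil, err }
	s.pending[session] = n
	return n, nil
}

// verifyLogin is the server side: verify the response with the public key from the
// presented certificate, compare against the issued n, then check the certificate against the database.
func (s *imServer) verifyLogin(session string, certDER, sig []byte, ip string) (string, error) {
	n, ok := s.pending[session]
	if !ok { return "", errors.New("no outstanding challenge for this session") }
	delete(s.pending, session) // each n is answered once, so a captured response cannot be replayed
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return "", err }
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok { return "", errors.New("certificate does not carry an RSA key") }
	h := sha256.Sum256(n)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return "", errors.New("response does not verify against n with the certificate's key")
	}
	user := cert.Subject.CommonName
	if fp, known := s.registered[user]; !known || fp != sha256.Sum256(certDER) {
		return "", errors.New("presented certificate is not the one registered for this user")
	}
	s.online[user] = ip
	return user, nil
}

// login runs the exchange for one client 31a: fetch n, sign it on the card, and return
// the signature together with the card's certificate to the server.
func login(s *imServer, card *smartCard, session, ip string) (string, error) {
	n, err := s.newChallenge(session)
	if err != nil { return "", err }
	sig, err := card.signChallenge(n)
	if err != nil { return "", err }
	return s.verifyLogin(session, card.cert.Raw, sig, ip)
}
```

The fingerprint check is the step the patent describes as verifying the certificate's credential information against database 11; matching only on the subject name would let any certificate with the same name through, so the server compares the whole certificate it has on record.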
When both user 1 and user 2 have logged in to the system and have given the necessary authorization to secure IM server 21 to disclose the respective IP (internet protocol) addresses of their computers, in this case 30a and 30b, both user 1 and user 2 can retrieve the other's IP address from secure IM server 21 through their respective clients 31a and 31b. Once the computer IP address is retrieved, data or messages can be exchanged between user 1 and user 2 directly. User 1 can send data to user 2 by encrypting the data with user 2's public key, which is provided by database 11. User 2 can decrypt the message with its private key to retrieve the message.
A breakdown detection request is introduced and will now be described. Breakdown detection server software 51 runs on another computer 50. This breakdown detection server 51 constantly retrieves information from database 11 to determine the list of users who are online and the respective IP addresses of their computers. The breakdown detection server 51 sends a request to each secure IM client that is online. If the secure IM client does not respond within a specific time interval, the breakdown detection server 51 updates the database to indicate that the user associated with that IP address is no longer valid and sets the user's status in the database to offline. No further breakdown detection request will be sent until the user logs in to the secure IM server 21 again, which changes the user's online status in database 11.
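The breakdown detection round described above, as an added Go example that is not code from the patent or from Mimos Berhad. It assumes an in-memory presence table standing in for the online-status records of database 11 and a caller-supplied probe function standing in for the request sent to each client; type and function names are constructed for the example. Each online user is probed concurrently under one deadline, silent users are marked offline, and because the sweep reads its list from the presence table, a user marked offline receives no further requests until a fresh login puts the user back in the table, which is the rule the patent states.

```go
package main

import (
	"context"
	"sort"
	"sync"
	"time"
)

// presenceDB stands in for the online-status part of database 11 (constructed type).
type presenceDB struct {
	mu     sync.Mutex
	online map[string]string // user -> IP address, present only while the user is marked online
}

func newPresenceDB() *presenceDB { return &presenceDB{online: map[string]string{}} }

// login is the only path back to "online": the page says no further breakdown request
// is sent to a user marked offline until that user logs in to the IM server again.
func (db *presenceDB) login(user, ip string) {
	db.mu.Lock()
	defer db.mu.Unlock()
	db.online[user] = ip
}

func (db *presenceDB) markOffline(user string) {
	db.mu.Lock()
	defer db.mu.Unlock()
	delete(db.online, user)
}

// onlineUsers returns a snapshot of the users the detection server should probe.
func (db *presenceDB) onlineUsers() map[string]string {
	db.mu.Lock()
	defer db.mu.Unlock()
	snap := make(map[string]string, len(db.online))
	for u, ip := range db.online {
		snap[u] = ip
	}
	return snap
}

// probeFunc models the request server 51 sends to a client at an IP address. It returns
// nil when the client answers and a non-nil error when ctx expires first.
type probeFunc func(ctx context.Context, ip string) error

// awaitReply applies the time interval to one client: nil if the reply arrives before
// the deadline, ctx.Err() otherwise. A real probe would wrap its network request this way.
func awaitReply(ctx context.Context, reply <-chan struct{}) error {
	select {
	case <-reply:
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

// sweep is one round of the breakdown detection server: probe every online user within
// timeout, mark the silent ones offline, and return their names (sorted for determinism).
func sweep(db *presenceDB, probe probeFunc, timeout time.Duration) []string {
	var (
		mu      sync.Mutex
		dropped []string
		wg      sync.WaitGroup
	)
	for user, ip := range db.onlineUsers() {
		wg.Add(1)
		go func(user, ip string) {
			defer wg.Done()
			ctx, cancel := context.WithTimeout(context.Background(), timeout)
			defer cancel()
			if err := probe(ctx, ip); err != nil {
				db.markOffline(user)
				mu.Lock()
				dropped = append(dropped, user)
				mu.Unlock()
			}
		}(user, ip)
	}
	wg.Wait()
	sort.Strings(dropped)
	return dropped
}
```

A practical consequence of probing by IP address, visible in the code, is that the presence record is keyed by user but the probe only knows the address: if addresses are reused (NAT, DHCP), a reply from that address should be tied back to the user's authenticated session rather than trusted on its own.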
Accordingly, the present invention has a simple setup of secure instant messaging by validating a user's identification with a smart card. Although the descriptions above contain many specificities, these should not be construed as limiting the scope of the embodiment but as merely providing illustrations of some of the presently preferred embodiments.

Claims

1. A method of establishing a secure instant messaging system comprising the steps of: providing a random number; sending the random number to a user client (31a); encrypting the random number with a user's private key in a user's smart card (32a); retrieving a public key from a database (11); decrypting the encrypted random number with the public key; comparing the decrypted number with the random number, whereby matching numbers validate the user's identity; and establishing a secure connection between the validated user client (31a) and server (21), whereby a user logs onto a secure instant messaging network.
2. A method of establishing a secure instant messaging system according to claim 1 further comprising the steps of: recording validated user's internet protocol address (30a); allowing validated user to seek peer user's internet protocol address (30b) and public key; encrypting data with public key by user client (31a); decrypting encrypted data with peer user's private key in peers smart card (32b); and establishing a secure connection between validated user's client (31a) and peer client (31b), whereby a user establishes a client-to-client secure instant messaging network.
3. A method of establishing a secure instant messaging system according to claim 1 and claim 2 further comprising the steps of: retrieving internet protocol addresses of online users; sending a request to every client; and waiting for a response from every client within a time frame; whereby, if a client does not respond within the time frame, the user is indicated as offline, and if a client responds within the time frame, the user is indicated as online.
4. A setup for secure instant messaging comprising: a server (21) which generates a random number; a network that sends the random number to a user's client (31a); a smart card (32a) that stores a private key and encrypts the random number with the user's private key; a client (31a) which identifies the user's address; and a database (11) that provides a public key; wherein the server (21) decrypts the random number with the public key and compares the decrypted number with the random number, whereby a matching number validates the user's identity to establish a secure connection between the validated user's client and the server, thus allowing a user to log onto a secure instant messaging network.
5. A setup for secure instant messaging according to claim 4 wherein: the server (21) records the validated user's internet protocol address in the database, and allows the validated user to seek a peer user's internet protocol address and public key; and the client (31a) encrypts data with the public key and sends it to the peer client (31b) to allow the peer client (31b) to read the data by decrypting it with the private key, whereby a secure client-to-client network is established.
6. A setup for secure instant messaging according to claim 4, further comprising a breakdown detection server (51), wherein the server (51) retrieves internet protocol addresses of online users, sends a request to every client, and waits for a response from the clients within a time frame, whereby if a client does not respond within the time frame the user is indicated as offline, and if a client responds within the time frame the user is indicated as online.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI20071621 2007-09-26
MYPI20071621 2007-09-26

Publications (3)

Publication Number Publication Date
WO2009041804A2 true WO2009041804A2 (en) 2009-04-02
WO2009041804A3 WO2009041804A3 (en) 2009-05-22
WO2009041804A8 WO2009041804A8 (en) 2009-07-30

Family

ID=40512039

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2008/000114 WO2009041804A2 (en) 2007-09-26 2008-09-25 Secure instant messaging

Country Status (1)

Country Link
WO (1) WO2009041804A2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101958969A (en) * 2010-07-28 2011-01-26 中兴通讯股份有限公司 Wireless communication terminal and method thereof for binding with user interface (UI)
US20120047262A1 (en) * 2009-04-27 2012-02-23 Koninklijke Kpn N.V. Managing Undesired Service Requests in a Network
US20170180987A1 (en) * 2015-12-22 2017-06-22 Quanta Computer Inc. Method and system for combination wireless and smartcard authorization
KR101914650B1 (en) 2018-03-13 2018-11-02 주식회사 케이비저축은행 Radio link authenticationsystem and methods using Devices and automationdevices

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH11353280A (en) * 1998-06-10 1999-12-24 Hitachi Ltd Identity confirmation method and system by means of encipherment of secret data
KR20020045003A (en) * 2000-12-07 2002-06-19 이계철 Countermeasure Against Denial-of-Service Attack in Authentication Protocols Using Public-Key Encryption
KR20050000481A (en) * 2003-06-27 2005-01-05 주식회사 케이티 Two-factor authenticated key exchange method and authentication method using the same, and recording medium storing program including the same
US20070088945A1 (en) * 2004-01-16 2007-04-19 Motoji Ohmori Authentication server, method and system for detecting unauthorized terminal

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120047262A1 (en) * 2009-04-27 2012-02-23 Koninklijke Kpn N.V. Managing Undesired Service Requests in a Network
US9603022B2 (en) * 2009-04-27 2017-03-21 Koninklijke Kpn N.V. Managing undesired service requests in a network
US11234128B2 (en) 2009-04-27 2022-01-25 Koninklijke Kpn N.V. Managing undesired service requests in a network
CN101958969A (en) * 2010-07-28 2011-01-26 中兴通讯股份有限公司 Wireless communication terminal and method thereof for binding with user interface (UI)
WO2012012964A1 (en) * 2010-07-28 2012-02-02 中兴通讯股份有限公司 Wireless communication terminal and method for binding wireless communication terminal with user interface
CN101958969B (en) * 2010-07-28 2014-02-05 中兴通讯股份有限公司 Wireless communication terminal and method thereof for binding with user interface (UI)
US20170180987A1 (en) * 2015-12-22 2017-06-22 Quanta Computer Inc. Method and system for combination wireless and smartcard authorization
CN106911657A (en) * 2015-12-22 2017-06-30 广达电脑股份有限公司 Combining wireless and the method for smart card login authentication and server and computer-readable recording medium
US10433168B2 (en) * 2015-12-22 2019-10-01 Quanta Computer Inc. Method and system for combination wireless and smartcard authorization
CN106911657B (en) * 2015-12-22 2019-12-10 广达电脑股份有限公司 method and server for login authentication by combining wireless and smart card and readable medium
KR101914650B1 (en) 2018-03-13 2018-11-02 주식회사 케이비저축은행 Radio link authenticationsystem and methods using Devices and automationdevices

Also Published As

Publication number Publication date
WO2009041804A3 (en) 2009-05-22
WO2009041804A8 (en) 2009-07-30

Similar Documents

Publication Publication Date Title
US9871791B2 (en) Multi factor user authentication on multiple devices
US7231526B2 (en) System and method for validating a network session
JP5844001B2 (en) Secure authentication in multi-party systems
US7240214B2 (en) Centrally controllable instant messaging system
AU2007267836B2 (en) Policy driven, credential delegation for single sign on and secure access to network resources
JP5978759B2 (en) Service request apparatus, service providing system, service request method, and service request program
WO2016177052A1 (en) User authentication method and apparatus
US20120284506A1 (en) Methods and apparatus for preventing crimeware attacks
US20190238334A1 (en) Communication system, communication client, communication server, communication method, and program
US20080276309A1 (en) System and Method for Securing Software Applications
WO2015135063A1 (en) System and method for secure deposit and recovery of secret data
EP2572489B1 (en) System and method for protecting access to authentication systems
WO2019110574A1 (en) Methods of secure communication
CN110933078B (en) H5 unregistered user session tracking method
CN111510288B (en) Key management method, electronic device and storage medium
JP2001186122A (en) Authentication system and authentication method
CN110035035B (en) Secondary authentication method and system for single sign-on
WO2009041804A2 (en) Secure instant messaging
CN114363077B (en) Management system based on safety access service edge
CN112035820B (en) Data analysis method used in Kerberos encryption environment
CN105871788B (en) Password generation method and device for login server
WO2012166669A2 (en) Methods and apparatus for preventing crimeware attacks
Liyanage et al. A comprehensive secure email transfer model
TWI856757B (en) Cyber security authentication method for non-internet electronic device
TWI849942B (en) Multi-device multi-factor dynamic strong encryption authentication method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08833184; Country of ref document: EP; Kind code of ref document: A2)
NENP Non-entry into the national phase in: (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08833184; Country of ref document: EP; Kind code of ref document: A2)