WO2012127103A1 - Dispositif et procédé d'identification électronique - Google Patents

Dispositif et procédé d'identification électronique Download PDF

Info

Publication number
WO2012127103A1
WO2012127103A1 PCT/FI2012/050236 FI2012050236W WO2012127103A1 WO 2012127103 A1 WO2012127103 A1 WO 2012127103A1 FI 2012050236 W FI2012050236 W FI 2012050236W WO 2012127103 A1 WO2012127103 A1 WO 2012127103A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
user
identification
mobile
arrangement
Prior art date
Application number
PCT/FI2012/050236
Other languages
English (en)
Inventor
Lasse LEPPÄNEN
Cedric Kamtsan
Original Assignee
Dna Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Dna Oy filed Critical Dna Oy
Publication of WO2012127103A1 publication Critical patent/WO2012127103A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Definitions

  • the present invention relates generally to electronic identification.
  • the invention relates especially to identification using a mobile certificate.
  • Identification mechanisms can generally be classified in several different categories. According to one definition, so-called weak authentication only is based on one of the following three factors: what the person is, such as his/her fingerprint, iris, voice or dna; what the person knows, such as a password, and what the person has, such as a physical token.
  • An example of weak authentication is authentication based on a user identifier and an identification word or number.
  • Strong authentication is based on at least two different factors. An example thereof is the use of a bankcard by means of an identification number (a card, i.e. a possessed object + a code, i.e. a known thing).
  • the two-factor authentication can be based, for example, on using a public key infrastructure (PKI).
  • PKI public key infrastructure
  • the SOAP Simple Object Access Protocol
  • HTTP HTTP (HyperText Transfer Proto- col) based TUP AS certificate service administered by the Federation of Finnish Fi- nancial Services and implemented by banks was introduced, in its original form, in 2002.
  • an electronic service of a service provider directs the client, for electronic identification, to an online service of an identification service provider, i.e. of the client's own bank.
  • each bank authenticates its own clients through two-factor authentication, in practice by means of a permanent electronic identifier, such as a sequence of numbers, and a one-time password, such as a sequence of numbers, for example.
  • a list of one-time passwords printed on cardboard is mailed to the users.
  • the bank's own services are used in the same way, by means of the above-mentioned user identifier and one-time password.
  • FIG. 1 shows the principles of the use of the TUPAS service.
  • a client 102 contacts an electronic service 106 of a service provider, such as a web shop service, some other commerce service or a government service.
  • the connection is established and protected by means of SSL (Secure Sockets Layer, Transport Layer Security/TLS).
  • SSL Secure Sockets Layer
  • Transport Layer Security/TLS Transport Layer Security
  • the service provider 106 has signed, separately with each bank, a service contract for the introduction of the TUPAS service.
  • the service provider 106 sends the client an identification request containing the details of the event.
  • the existing alternatives for TUPAS identification i.e. links to the different banks' identification services, are displayed to the client.
  • Step 3 the client 102 selects his/her own bank's 104 link associated with a bank-specific, predetermined icon, whereupon a bank-specific identification request containing information about the service provider 106 and the actual service event is sent to the service provided by the bank 104.
  • the bank 104 sends the client 102 an identification request containing, for example, a client identification page with user identifier and password fields to be filled in by the client.
  • the client 102 identifies himself/herself for the bank 104.
  • Step 6 if the identification is successful, the bank 104 sends the client 102 a reply message, i.e. a TUPAS identifier, which the client 102 can accept if he/she so wishes.
  • the identifier is accepted, it is forwarded to the service provider 106 in Step 7.
  • the service provider 106 checks the identifier and attaches it to the ongoing service event. Now, the identification is completed and the service may go on.
  • the individual details of the client contained by the TUPAS identifier may include a social security number and a client code, in a plain or encrypted format, for a private client and a corporate client, respectively.
  • the use of the TUPAS service has, in spite of its few possible advantages, such as terminal independency and a relatively high security level, certain disadvantages that make it more difficult to use it in identification events connected with electronic services. Signing contracts with many different banks is frustrating for service providers and causes, inevitably, unnecessary bureaucracy.
  • bank-specific identification means such as a user identifier and password list.
  • the client may run out of one-time passwords before he/she finally receives an automatically generated, mailed new list triggered by a monitoring logic that his/her bank uses for monitoring the use of passwords.
  • the object of the invention is to at least alleviate one or more of the above- described disadvantages of the state of art in order to facilitate electronic identification for both service providers and clients (users).
  • the object is achieved by means of an arrangement and a method according to the invention.
  • an aspect of the invention describes an arrangement, such as one or more electronic apparatus, for facilitating the electronic identification of a user of an elec- tronic service, such as an online service, comprising processing means for pro- cessing instructions and other data, storage means for storing instructions and other data, as well as data transfer means for transmitting and receiving data, and the arrangement is adapted to
  • the user identifier which is, for instance, an identifier used in TUPAS identification or a mobile station number, from the user
  • the user identifier is a user identifier, such as a mobile station number, used in mobile certification, to
  • a mobile certification request containing the user identifier which preferably is a mobile station number, towards an entity providing mobile certification or at least an interface thereto,
  • the arrangement is adapted to determine, based on the user input, such as said user identifier, an identification technology to be used in the identification of the user, and to carry out, or at least to trigger, an identification using this technology, such as an identification based on mobile certification or an identification according to the electronic identification service, such as the TUPAS service.
  • an identification technology such as an identification based on mobile certification or an identification according to the electronic identification service, such as the TUPAS service.
  • TUPAS service electronic identification service
  • the arrangement is adapted to send said request to the user, including an indication of that the user may, in his/her reply, submit one of at least two different user identifiers each of which is associated with its own kind of identification method.
  • the first identification method can be, for example, an identifica- tion service used by banks, such as TUP AS, or some other electronic identification service which preferably is suitable for identifying online service users, whereas the second one preferably is a mobile identification service, i.e. a mobile certificate service.
  • the request may define an electronic user interface page or view with a separate reply (input) field for each user identifier and or identification service. Alternatively, one field may be shared by several identifiers, but a user-selectable additional attribute, such as an attribute selectable on a scroll list, associates the input identifier with a certain identification service.
  • said arrangement which, for instance, is an identification service arrangement maintained by a bank, is adapted to communicate with a mobile certificate service, such as to send said mobile certification request, substantially through an interface according to ETSI TS 102 204 (MSS, Mobile Signature Service).
  • MSS Mobile Signature Service
  • the second party in the communications can be an interface entity of the mobile certificate service.
  • the arrangement itself can preferably be adapted to implement an interface entity, such as an acquiring entity (AE), to the mobile certificate service (MSSP, Mobile Signature Service Provider).
  • the interface between the acquiring entity and the rest of the mobile certificate service may follow ETSI TS 102 207 (MSS, Specifications for Roaming in Mobile Signature Services).
  • the interface entity can communicate with the mobile certificate service of the user's home operator by roaming, wherein at least one routing entity (RE) may handle the communications between the interface entity and the operator(s).
  • the arrangement itself may include a routing entity (RE) capable of routing traffic between the interface entity and the system of the user's home operator (HMSSP, Home Mobile Signature Service Provider), optionally through visited networks and mobile certificate services.
  • the routing traffic between different mobile communi- cations networks preferably uses an interface according to '207.
  • HTTP connections and messages, SOAP envelopes and/or XML are generally used in the communications between the arrangement and the mobile certificate service.
  • the arrangement is adapted to define, at least partly, a user interface, such as a user interface page and/or view, to the user, the view comprising information dependent on the mobile station number input by the user.
  • the dependency can be based on operator information deriva- ble from the mobile station number input by the user, i.e. the information can be operator-dependent.
  • the information may include commercial information, such as product, service, offer and/or price information on the products and services of said operator or its partners.
  • the information may include information received from the mobile certificate service, such as user identification information.
  • the arrangement is adapted to define, at least partly, a user interface view for the user, the view comprising additional information about the arrangement itself, or about an entity, such as a bank, that administers it, or about a partner of the entity.
  • the additional information may include at least one element selected from a group consisting of: advertisement, contact in- formation, instructions for registering into a service of the entity and/or becoming a client of the entity, and means, such as an activatable icon for registering into a service of the entity and/or becoming a client of the entity.
  • the arrangement can be adapted to visually divide the user interface, which it defines at least partly, into two or more parts, the identification part being visually distinct from at least one other part, such as a commercial part and/or a part with additional information.
  • said determination of an identification technology comprises ah act to check the user identifier submitted by the user. If the identifier is an identifier used in mobile certification, preferably a mobile station number, such as a Mobile Station International ISDN Number (MSISDN), a mobile certification is performed.
  • MSISDN Mobile Station International ISDN Number
  • the identification is carried out as a so-called traditional online service user identification, such as a TUP AS identification, in the inner sys- tern of the arrangement administrator, such as of a bank.
  • the arrangement can be adapted to check the type of the input user identifier in more than one way.
  • a separate input field is assigned to each user identifier type, such as a user identifier of a bank identification service or a mobile station number used by a mobile certificate service, in the user interface.
  • the nature of the identifier and the desired identification procedure is determined by which input field is used.
  • the arrangement can be adapted to read the received user identifier and to determine the nature of the user identifier based on it.
  • the arrangement can analyze the content of the input and identify predetermined features therein, such as a character string, sequence of numbers, the length of the character string or the sequence of numbers, and so on, which features, if found, determine which type the input identifier is and which further actions the arrangement takes in the identification.
  • the arrangement can be adapted to receive additional user-related information in a mobile certification reply or along with it.
  • a mobile certification service and/or some other entity may send the user at least one information element selected from a group consisting of: entire name, last name, one or more first names, client code, address, mail address, e-mail address, nationality, country, social security number and electronic identification number (SATU) of the user.
  • the information can be in a plain or encrypted format.
  • the arrangement according to the invention can be adapted to forward the one or more information elements, such as the name of the user, received from the mobile certificate service in the online user identification service's reply message, such as in a TUP AS reply message, with no change.
  • the arrangement can include other available information in the reply message. This other information can be administered or at least be accessible by the arrangement.
  • the arrangement may examine the available data linked to this name, which, for instance, can be a social security number, and to forward them in said reply message. This is possible, for example, in scenarios in which the arrangement is administered by the bank whose client the user is.
  • the arrangement is adapted to send, in addition to the online user identification service's reply message, such as a TUP AS reply message, supplementary information to the user and/or the provider of the electronic service.
  • This supplementary information can be additional and/or other information as described above and originating from the arrangement itself, a system connected to it and/or the mobile certificate service.
  • the arrangement is adapted to use one or more timers. The timer can define a maximum time for the interval between the transmission of a user identification request and the receipt thereof, or for ex- ample, between the transmission of a mobile certificate request and the receipt of a mobile certificate reply.
  • the arrangement can take predetermined measures, such as to send the user a negative reply message indicating failure.
  • the actual mobile certification is typically carried out by the mobile certificate service between the transmission of the mobile certificate request and the receipt of the mobile certificate reply.
  • the mobile station displays information about the identification to be performed, such as a session identifier associated with the arrangement and/or the electronic service, to the user to allow the user to verify the cause/origin of the identification act, i.e. to associate it with the electronic service of the service provider or the current identification procedure carried out by the arrangement according to the invention.
  • the user is asked for an identification number associated with the mobile certificate which the user then inputs into his/her mobile phone. If the identifi- cation is successful (the identification number is found to be correct), a confirmation message stating this can be sent to the user's mobile phone.
  • Another aspect of the invention describes a method of identifying a user for an electronic service, such as an online service, comprising
  • the user identifier submitted by the user is a user identifier used in mobile certifi- cation, preferably a mobile station number, such as a Mobile Station International ISDN Number (MSISDN),
  • MSISDN Mobile Station International ISDN Number
  • the present invention has a number of different advantages depending on the embodiment of the invention.
  • the invention enables the use of mobile identification in electronic services using TUPAS identification, or other identification suitable for identifying online service users, in the future by converting, for example, a TUPAS identification request into a mobile certificate request and, further, by converting a mobile certificate reply into a TUPAS reply.
  • the arrangement according to the invention can also be seen as a sort of "proxy", i.e. intermediary server.
  • Electronic service providers do not have to modify their existing TUPAS arrangements because the exchange of information between the service providers and the arrangement according to the invention still can be handled as before, according to the TUP AS model.
  • New electronic service providers only have to enable communication and sign a corresponding contract with one TUPAS service provider, because, even if a user of the service is not a client of the chosen TUPAS service provider, which, for instance, is a bank (i.e. able to perform traditional TUPAS identification in the bank's system), the user can still easily proceed with the identification process via the same user interface.
  • the user if the user is a client of the bank, he/she can, alternatively, identify himself/herself by means of his/her mobile certificate, thus avoiding the one-time password list based bank authentication which often is more troublesome.
  • the proposed solution allows the administrator of the arrangement to direct marketing communications towards a new potential clientele (users who are not clients of the administrator which, for instance, is a bank) and to market products and services while the users use the user interface produced by the administrator for mobile certification.
  • the administrator can also charge one or more bodies, such as electrical service providers and mobile certificate service providers (operators), for the provision of mobile certification in order to cover the operation costs.
  • any ad- vertisements displayed in the user interface are also susceptible of being charged for.
  • the term “number” refers to any positive integer starting from the number one (1), such as to the number one, two or three.
  • the term “plurality” refers to any positive integer starting from the number two (1), such as to the number two, three or four.
  • entity refers to a logical and/or physical whole, such as to a functionality and/or element.
  • An entity may include other entities.
  • Figure 1 shows a state-of-art usage scenario for the TUP AS service
  • Figure 2a illustrates an embodiment of the arrangement according to the present invention and a possible usage context thereof
  • Figure 2b illustrates an embodiment of the arrangement according to the present in- vention in which the arrangement implements the functionality of an acquiring entity (AE) of a mobile certificate service;
  • AE acquiring entity
  • Figure 2c illustrates an embodiment of the arrangement according to the present invention in which the arrangement implements the functionalities of an acquiring entity (AE) and a routing entity (RE) of a mobile certificate service;
  • Figure 3 is a message diagram of communications that is possible in the embodiment of Figure 2a.
  • Figure 4 shows an exemplary user interface view in an embodiment of the arrange- ment according to the present invention.
  • Figure 5 is a flow diagram view of an embodiment of the method according to the present invention.
  • Figure 6 is a block diagram of an embodiment of the arrangement according to the present invention, drawn especially from the apparatus aspect.
  • FIG. 2 shows an embodiment of the arrangement according to the invention together with a possible usage context thereof.
  • Different embodiments of the inven- tion will be described below especially in connection with the TUP AS identification service but the invention is also applicable, on a case-by-case basis, in connection with other electronic identification services, preferably identification services intended for users of an online service or online services.
  • the possibility for TUPAS identification provided by an electronic service 202a such as a so-called web-based (WWW) electronic commerce, communications, government or networking service, to its clients, i.e. users 202b of the service, is implemented by means of a TUPAS service provider 204, typically a bank, as described above.
  • WWW web-based
  • the data transfer between the electronic service 202a, the user 202b of the electronic service and the TUPAS service 204 takes place accord- ing to an interface specification 212a of the TUP AS procedure.
  • the user 202b of the electronic service can be connected, by means of his/her terminal, not only to the electronic service 202a itself but also to the TUP AS service provider 204, preferably via the Internet.
  • the electronic service 202a tries to redirect the user 202b, for an identification process, to the TUP AS service 204 over a corresponding link which is service-specific, such as bank-specific, and possibly associated with an icon.
  • the electronic service 202a and its user 202b can be considered to form an entity 202 communicating with the TUP AS service 204.
  • the TUP AS service provider 204 has also signed a contract with a body, such as a mobile operator, maintaining a mobile certificate service 206 for the use of the mobile certificate policy according to the invention.
  • a body such as a mobile operator
  • the user interface of the identification service of the TUPAS service provider 204 which, for instance, is a web-based user interface, includes the possibility for identification along both the TUPAS and the mobile certificate path.
  • the service of the TUPAS service provider 204 has thus been formed into an arrangement according to an embodiment of the present invention.
  • TUPAS identification the actual identification usually takes place inside the service provider's 204 own system which the Figure does not show in more detail.
  • the mobile certificate service 206, 208, 210 instead, can be provided, at last partly, separate from the system of the TUPAS service provider 204 but enabling an opera- tional connection between these.
  • the interface 212b substantially follows ETSI TS 102 204, thus being an interface between the TUPAS service (AP, application provider, in the ETSI standard) and the acquiring entity contained or used by the mobile certificate service 206.
  • Figures 2b and 2c show alternative interface scenarios.
  • the system 204 of the TUPAS service provider is at least operationally connected to a mobile certificate service 206 provided by at least one other entity, such as an operator.
  • Said at least mobile certificate service 206 is able to communicate with mobile certificate services 208, 210 administered by other entities, based on a jointly agreed interface specification 212c, following, for instance, ETSI TS 102 207 concerning signature roaming between different mobile phone networks.
  • the TUPAS service provider avoids the necessity to sign separate contracts or to establish separate connections with each of the mobile certificate services 206, 208, 210.
  • the mobile certificate services 206, 208, 210 each have their own users 206a, 208a, 210a, i.e. operator clients, such as subscribers. Or, to put it in the other way around, the clients each have their own home op- erators.
  • the arrangement 204 substantially carries out the functionality of an acquiring entity AE of a mobile certificate service, and the interface 212c from the acquiring entity AE to- wards the mobile certificate service 206 and its routing entity RE preferably follows Standard '207.
  • the arrangement 204 substantially carries out the functionalities of an acquiring entity AE and a routing entity of a mobile cer- tificate service.
  • the arrangement can optionally communicate with more than one mobile certificate service via the routing entity RE and preferably following Standard '207.
  • a mobile certificate service can communicate with two or more other mobile certificate services operationally directly, without any other mobile certifi- cate services between them.
  • a mobile certificate service can communicate with another mobile certificate service, with at least mobile certificate service between them.
  • Figure 3 is an exemplary view of the communications between the embodiment of the arrangement according to the invention shown in Figure 2a and a mobile certificate service.
  • An electronic service provider 302a sends a user 302b a link which, when activated, redirects 310 the user 302b to a TUPAS identification service extended according to the invention.
  • the TUPAS identification service 304 Upon detecting a need of mobile certification, based on a user input, for example, the TUPAS identification service 304 sends an identification request 312 to a predetermined (based on an agreement between the TUPAS service and a mobile certificate service, for example) first mobile certificate service 306 which, if needed, i.e. when the user is a client of some other certificate service/operator 308, optionally forwards 314 the request to a second mobile certifi- cate service 308 and receives a reply 316 therefrom.
  • a predetermined based on an agreement between the TUPAS service and a mobile certificate service, for example
  • first mobile certificate service 306 which, if needed, i.e. when the user is a client of some other certificate service/operator 308, optionally forwards 314 the request to a second mobile certifi- cate service 308 and receives a reply 316 therefrom.
  • the first mobile certificate service 306 sends the TUPAS service 304 an identification reply 318 replying, according to the TUPAS protocol, to the user 302a, and through him/her and preferably after being accepted by him/her, to the service provider 302a.
  • Messages 312 and 318 preferably follow the specifications of Standard '204.
  • Messages 314 and 316 pref- erably follow the specifications of Standard '207.
  • the messages 312, 314, 316 and 318 preferably would follow the specifications of Standard '207.
  • Figure 4 is a simplified example of a user interface view 401 of an identification service shown to an electronic service user in an embodiment of the arrangement according to the invention.
  • the view 401 may include two or more preferably visually distinct sections 402, 410, 420.
  • the TUP AS identification section 402 covers a user interface required for TUP AS identification, for instance, an option for inputting a user identifier 404 and a password 406, such as input windows/fields.
  • a user interface section 420 for mobile certificate based identification can be provided separate from or integrated with it, with an option 422 for inputting an identi- fier, such as a mobile station number (phone number), required for mobile identification, again as an input window/field, for example.
  • an identi- fier such as a mobile station number (phone number)
  • the nature of the identifier input by the user i.e. the identification method desired by the user
  • the location (input window/field) of the user input which is, for instance, a user identifier, phone number or a confirmation thereof (see the OK input buttons in the Figure).
  • an implementation in which both a TUPAS user identifier and a mobile certification procedure identifier can be input in the same location, such as the same input field, can be used.
  • the nature of the identifier and the desired identification method can be concluded by analyzing the input itself.
  • additional information and/or other additional information can be provided in its own section 410 separate from one or more identification sections 402, 420.
  • the additional information/marketing communications 412 may include instructions fa- cilitating the use of the service, and/or commercial information, for instance, marketing communications, such as advertisements from the administrator of the identification service and/or a partner thereof (advertiser).
  • the additional information/marketing communications 412 may include elements, such as advertise- ments, shown in parallel or, for instance, as a slideshow type presentation changing as scheduled. It is also possible to use audio.
  • the content displayed in section 410 can be defined, at least partly, by the user by using adjustment possibilities offered by button icons or a slide icon, for example.
  • Figure 5 shows a flow diagram of an embodiment of the method according to the present invention.
  • any preparative measures necessary to carry out the method successfully are taken. They can include configuring the arrangement carrying out the method, such as one or more computing devices, and the other elements, as well as establishing any necessary contracts and connections between the different parties, such as an electronic service provider, a TUPAS service provider and a mobile certificate provider.
  • An electronic service user may purchase a terminal, such as a mobile phone with a subscriber identity module (SIM), which is suitable for mobile certification.
  • a terminal such as a mobile phone with a subscriber identity module (SIM), which is suitable for mobile certification.
  • SIM subscriber identity module
  • an identification request as defined in the TUPAS service specifications is received by the arrangement according to the invention with regard to an electronic service.
  • the request is received from a user of the service, but, alternatively, it is technically possible to receive the request directly from the service or some other entity.
  • the user of the electronic service is sent a request, essentially in the form of a WWW page, for example, to input his/her user identifier for identifying the user by means of the arrangement.
  • the connection can be secured using SSL or any other suitable alternative policy.
  • the user identifier which is an online banking system user identifier or a mobile station identifier, such as mobile station number, is received from the user.
  • the identifier is stored, at least temporarily, in a memory provided in the arrangement.
  • MSISDN Mobile Station International ISDN Number
  • Step 512 performs a TUPAS identification or at least triggers (an external entity to perform it) if the determination result at 510 so indicates. Alternatively, it triggers a mobile identification or mobile certification procedure and sends 514 a mobile certification request including a mobile station number towards interface entity of a mobile certification service.
  • a mobile certification is performed. The dotted line indicates that the event typically is at least partly remote with respect to the other method steps which the arrangement according to the invention often carries out by itself.
  • a mobile certification reply such as a positive (identification successful) or negative (identification unsuccessful or not possible) reply with any additional information, is received.
  • a reply message according to the TUPAS service is generated based on the mobile certification reply. If the mobile certification reply indicates that the mobile certification was successful, a TUPAS reply message corresponding to a successful TUPAS identification is preferably generated.
  • the TUPAS reply message referring to a reply message generated 520 based on a mobile certification, or a reply message based on an actual TUPAS identification 512, is sent to the user.
  • the method ends at 524.
  • FIG. 6 is a high-level block diagram of an embodiment of the arrangement 604 according to the invention, drawn especially from the apparatus aspect.
  • the arrangement may include, or it may consist of, one or more computing devices, such as servers and/or general purpose computers, such as desktop computers, and so on.
  • computing devices such as servers and/or general purpose computers, such as desktop computers, and so on.
  • operational connectivity such as wireless or wired connectivity
  • the user interface 614 (UI) components including a display and a keyboard, for example, can be included in the arrangement 604 as integrated, or physically separate or at least separable, components.
  • One possible element 604 to be included in the arrangement 604 which is funda- mental in practical applications is a memory 616 that can be segregated into one or more physical memory chips and/or cards and that may contain, in the form of a computer program/application, for example, a code necessary for the control and function of the arrangement, and, in addition, other data, such as the current settings and user data.
  • the memory 616 may include, for instance, implementations of the ROM (Read Only Memory) and/or RAM (Random Access Memory) type.
  • the memory 616 may refer to a preferably removable memory card/stick, diskette, optical disc, such as CD-ROM, or an integral/removable hard disk.
  • Processing means 610 for instance, a processing/control unit, such as a micro pro- cessor, digital signal processor (DSP), micro controller or programmable logical circuit(s), optionally including a plurality of cooperative or parallel (sub)units, may be required for the actual execution of the application code composed to carry out the functionalities of the arrangement, the code being storable in the memory 616.
  • a processing/control unit such as a micro pro- cessor, digital signal processor (DSP), micro controller or programmable logical circuit(s), optionally including a plurality of cooperative or parallel (sub)units, may be required for the actual execution of the application code composed to carry out the functionalities of the arrangement, the code being storable in the memory 616.
  • Data transfer means 612 for instance, a data interface, such as a wireless transceiver (GSM (Global System for Mobile Communications), WLAN (Wireless Local Area Network), Bluetooth, Infrared and so on), and/or, more probably, an interface for a fixed/wired connection, such as a LAN interface (Ethernet, for example), USB (Universal Serial Bus) port or Firewire (such as IEEE 1394) interface, are needed in practice to enable communication with other entities, such as the network infrastructure, electronic service user and mobile certification service. It is evident that more functionalities can be added to the arrangement 604 and that the above- mentioned functionalities are modifiable depending on each particular embodiment of the invention.
  • GSM Global System for Mobile Communications
  • WLAN Wireless Local Area Network
  • Bluetooth Infrared and so on
  • an interface for a fixed/wired connection such as a LAN interface (Ethernet, for example), USB (Universal Serial Bus) port or Firewire (such as IEEE 1394) interface
  • the arrangement according to the invention may alternatively or in addition, communicate, i.e. transmit and/or receive one or more messages, with an electronic service directly, without an electronic service user and his/her terminal between them, if allowed by the identifica- tion methods in use.
  • some other identification solution such as a self-developed (so-called proprietary) identification solution developed by the administrator of the arrangement, or an identification solution adapted by the administrator, or some more generic alternative, optionally standardized solution, can be used, as an identification alternative to the TUP AS service, along with mobile certification.
  • the solution can be adapted to identify users of an online service (or online services) by means online service identifiers and, optionally, one-time passwords, for example.
  • the solution can be administered by banks or at least one bank or other financial institution.
  • given embodiments may replace mobile certification with some other identification method.
  • given embodiments may use two or more identification methods, such as mobile certification based identification and TUP AS identification, in the same identification task.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Radar Systems Or Details Thereof (AREA)

Abstract

La présente invention se rapporte à un dispositif (204, 304, 604), au moins un appareil électronique, qui facilite l'identification d'un utilisateur d'un service électronique (202a), comme un service en ligne par exemple. Le dispositif comprend : des moyens de traitement (610) pour traiter des instructions et d'autres données; des moyens de stockage (616) pour stocker les instructions et les autres données; et des moyens de transfert de données (612) pour transmettre et recevoir des données. Le dispositif selon l'invention est adapté : pour recevoir une demande d'identification relative audit service électronique, sur la base d'un service d'identification électronique comme le service TUPAS utilisé par des banques; pour envoyer à l'utilisateur (202b) dudit service électronique une demande (401, 402, 420) de saisie de son identifiant utilisateur afin d'identifier l'utilisateur au moyen du dispositif; pour recevoir l'identifiant utilisateur (310, 404, 422) de l'utilisateur; si l'identifiant utilisateur est un identifiant utilisateur utilisé dans un système de certification mobile, comme un numéro de station mobile par exemple, pour envoyer une demande de certification mobile (312) contenant l'identifiant utilisateur, qui est, de préférence, un numéro de station mobile comme un numéro RNIS international de station mobile par exemple, à une entité (206, 306) qui fournit une certification mobile ou au moins une interface prévue à cette fin; pour recevoir une réponse à la demande de certification mobile (318); pour traiter, sur la base de la réponse à la demande de certification mobile, un message de réponse relatif audit service d'identification électronique, comme le service TUPAS par exemple; et pour envoyer le message de réponse (320) à l'utilisateur. La présente invention se rapporte d'autre part à un procédé correspondant.
PCT/FI2012/050236 2011-03-14 2012-03-13 Dispositif et procédé d'identification électronique WO2012127103A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20115247 2011-03-14
FI20115247A FI20115247L (fi) 2011-03-14 2011-03-14 Järjestely ja menetelmä sähköistä tunnistamista varten

Publications (1)

Publication Number Publication Date
WO2012127103A1 true WO2012127103A1 (fr) 2012-09-27

Family

ID=43806458

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2012/050236 WO2012127103A1 (fr) 2011-03-14 2012-03-13 Dispositif et procédé d'identification électronique

Country Status (2)

Country Link
FI (1) FI20115247L (fr)
WO (1) WO2012127103A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11228592B1 (en) 2020-04-27 2022-01-18 Identity Reel, LLC Consent-based authorization system
CN115002051A (zh) * 2022-06-29 2022-09-02 广州彩熠灯光股份有限公司 灯具通信方法、装置和灯具

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101051372A (zh) * 2006-04-06 2007-10-10 北京易富金川科技有限公司 电子商务中对金融业务信息安全认证的方法

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101051372A (zh) * 2006-04-06 2007-10-10 北京易富金川科技有限公司 电子商务中对金融业务信息安全认证的方法

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
FUJITSU SERVICES OY: "Suomalaisen julkishallinnon VETUMA-palvelu, sovelluksille tarjotun toiminallisuuden kuvaus, versio 3.0", VETUMA, VERKKOTUNNISTUS JA -MAKSAMINEN, 5 November 2010 (2010-11-05), pages 1 - 33, Retrieved from the Internet <URL:http://www.suomi.fi/suomifi/tyohuone/yhteiset_palvelut/verkkotunnistaminen_ja_maksaminen_vetuma/tekninen_rajapinta/tekninen_rajapinta/01_Vetuma_palvelun_sovelluksille_tarjoaman_toiminnallisuuden_kuvaus_v3_0.pdf> [retrieved on 20111108] *
MIKKOLA, T.: "Henkilön sähköinen vahva tunnistus", OPINNAYTETYO MAALISKUU, 2009, pages 1 - 65, Retrieved from the Internet <URL:https://publications.theseus.fi/bitstream/handle/10024/3808/MBA_Opinnaytetyo_Mikkola_Teija.pdf?sequence=1> [retrieved on 20120613] *
OJALUOMA, J.: "Mobiilitunnistamisen hyodytja mahdollisuudet Helsingin yliopistossa", PRO GRADU -TUTKIELMA, HELSINGIN YLIOPISTO, TIETOJENKASITTELYTIETEEN LAITOS,HELSINKI, 31 March 2008 (2008-03-31), pages 1 - 89, Retrieved from the Internet <URL:https://helda.helsinki.fi/bitstream/handle/10138/21397/mobiilit.pdf?> [retrieved on 20120613] *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11228592B1 (en) 2020-04-27 2022-01-18 Identity Reel, LLC Consent-based authorization system
CN115002051A (zh) * 2022-06-29 2022-09-02 广州彩熠灯光股份有限公司 灯具通信方法、装置和灯具
CN115002051B (zh) * 2022-06-29 2023-12-15 广州彩熠灯光股份有限公司 灯具通信方法、装置和灯具

Also Published As

Publication number Publication date
FI20115247L (fi) 2012-09-15
FI20115247A0 (fi) 2011-03-14

Similar Documents

Publication Publication Date Title
KR102624700B1 (ko) IoT 장치와 애플리케이션 간의 생체 식별 및 검증
US7853782B1 (en) Secure intermediation system and method
CN101023622B (zh) 配置和供应无线手持设备
EP1615097B1 (fr) Procédé d&#39;authentification à chemin double
US8819800B2 (en) Protecting user information
US10230727B2 (en) Method and system for authenticating a user
CN101478396B (zh) 一种基于私有密钥的低相关性的单向跨域身份验证方法及其应用
US10212154B2 (en) Method and system for authenticating a user
US20070277013A1 (en) Method for transmitting protected information to a plurality of recipients
CN102143134A (zh) 分布式身份认证方法、装置与系统
KR100960057B1 (ko) 인증서의 데이터 내용에 대한 요건이 세팅되는 인증서를포함하는 서비스 이용 방법
JP2013211020A (ja) フィッシング攻撃を防ぐ方法および装置
WO2013184266A2 (fr) Sécurité d&#39;authentification 2chk améliorée comportant des transactions d&#39;interrogation
Beltran et al. User identity for WebRTC services: A matter of trust
EP2439969B1 (fr) Authentification de données personnelles dans un système de télécommunications
EP1075748B1 (fr) Procede, agencement et dispositif d&#39;authentification
CN1606846A (zh) 电子签字方法
CN106357669B (zh) 一种Web系统登录方法及登录辅助系统
WO2012127103A1 (fr) Dispositif et procédé d&#39;identification électronique
Kerttula A novel federated strong mobile signature service—the finnish case
US11405339B1 (en) Managing exchange of instant messages using an assigned communication code
US9172679B1 (en) Secure intermediation system and method
US11716331B2 (en) Authentication method, an authentication device and a system comprising the authentication device
JP2020173507A (ja) 認証仲介装置及び認証仲介プログラム
Agbede Strong Electronic Identification: Survey & Scenario Planning

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12760657

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12760657

Country of ref document: EP

Kind code of ref document: A1