WO2014141263A1 - Asymmetric OTP authentication system - Google Patents

Asymmetric OTP authentication system

Info

Publication number
WO2014141263A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
otp
keys
clients
otps
Application number
PCT/IL2014/050263
Other languages
English (en)
Inventor
Evgeny GREKOV
Leonid Voldman
Original Assignee
Biothent Security Ltd.
Application filed by Biothent Security Ltd.
Publication of WO2014141263A1

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication:
        • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
        • G06F21/33 User authentication using certificates
        • G06F21/36 User authentication by graphic or iconic representation
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols:
        • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords:
            • H04L9/0863 ... involving passwords or one-time passwords
            • H04L9/0866 ... involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
        • H04L9/14 ... using a plurality of keys or algorithms
        • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L9/3226 ... using a predetermined code, e.g. password, passphrase or PIN:
            • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
            • H04L9/3231 Biological data, e.g. fingerprint, voice or retina

Definitions

  • The invention relates generally to authentication systems and, more particularly, to access authentication, biometric authentication and remote-directive strong authorization systems.
  • Authentication is a foundation service designed to provide information security. It is crucial to authorization and auditing services.
  • OTPs: one-time passwords.
  • OTPs are passwords that are valid for a single authentication session or transaction, in contrast to static passwords.
  • OTPs avoid a number of shortcomings that are associated with static passwords.
  • The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks.
  • A potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to abuse it, since it will no longer be valid.
  • HMAC/Time: time-based and keyed-hash message authentication code.
  • TOTP/HOTP: time-based and keyed-hash message authentication code OTPs.
  • 2STEP-OTP: two-step authentication.
  • PKI: public-key cryptography.
  • OOB: out-of-band authentication (using alternative channels for OTP delivery, e.g. SMS, e-mail, mobile push, etc.).
  • The OOB method depends on permanent availability of secured delivery channels.
  • TOTP/HOTP, 2STEP-OTP and PKI-OTP are communication independent and therefore are more universal methods.
  • PKI refers to a cryptographic algorithm which requires generation of two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked.
  • The public key is used to encrypt plaintext and the private key is used to decrypt the ciphertext.
  • The term "asymmetric" stems from the use of different keys to perform these opposite functions, each the inverse of the other.
  • TOTP/HOTP, 2STEP-OTP and PKI-OTP systems use shared secret keys and other synchronized data (e.g. synchronized time, PIN, serial numbers, etc.) as seed input for an OTP algorithm that allows servers to authenticate passwords generated by clients.
  • TOTP/HOTP, 2STEP-OTP and PKI-OTP systems are vulnerable to shared-secret discovery through key theft, key leaks, insecure key exchange and the like.
  • Biometric authentication systems match captured biometric identifiers with specific templates stored in a biometric database repository in order to verify that an individual is the person he or she claims to be.
  • Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals. Examples include, but are not limited to, fingerprint, face recognition, DNA, palm print, hand geometry, iris recognition, retina and odor/scent.
  • A biometric database repository raises privacy concerns about the safety and authorized use of biometric information, concerns that limit a wider use of biometric authentication systems in financial and commercial systems, such as web-based businesses and e-commerce.
  • Phishing is the act of attempting to acquire information such as usernames, passwords, credit card details and the like by masquerading as a trustworthy entity in an electronic communication.
  • Phishing emails may contain links to websites that are infected with malware. Phishing may be carried out by email spoofing or instant messaging, and it may direct users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
  • The asymmetric OTP authentication system may include a plurality of authentication clients and at least one authentication server.
  • The plurality of authentication clients may be configured to generate asymmetric encryption and decryption key pairs and OTP keys, and to register the decryption keys and OTP keys in the at least one authentication server.
  • The plurality of authentication clients may be configured to generate OTPs using the OTP keys, to encrypt the generated OTPs using the encryption keys and to provide the encrypted OTPs to the authentication server.
  • The at least one authentication server may be configured to decrypt the clients' OTPs using the decryption keys, to generate servers' OTPs using the OTP keys and to authenticate requests by matching the decrypted authentication clients' OTPs with the server's generated OTPs.
  • authentication requests, by the authentication clients may be single step processes.
  • the authentication clients may be configured to initiate registration processes on a plurality of authentication servers.
  • the authentication clients may be configured to store in the authentication clients the generated encryption keys.
  • the OTPs may be generated using an algorithm such as: RFC 1760 (S/KEY), RFC 2289 (OTP), RFC 4226 (HOTP), RFC 6238 (TOTP) and the like.
  • the authentication clients may be: tokens, mobile devices, computing systems and the like.
  • The plurality of authentication clients may be further configured to receive biometric inputs, by biometric-capable input devices, and to generate and store biometric templates in the authentication clients.
  • The OTP keys and/or the asymmetric encryption and decryption key pairs may be built upon the stored biometric templates.
  • The plurality of authentication clients configured to receive biometric inputs may be further configured to match the biometric inputs with the stored biometric templates and to generate the OTPs if the biometric inputs and the biometric templates match.
  • The biometric inputs may be: fingerprints, face images, voice recordings, DNA sequences, palm prints, hand geometries, iris images, retina images, odor and scent recordings and the like.
  • the OTP authentication system may be configured to authorize remote directives, wherein approval passwords may be the encrypted OTPs, wherein prior to generating the approval passwords, the plurality of authentication clients may be configured to receive encoded data blocks that may include the remote directives' content, and wherein the generated approval passwords may be generated using the OTP keys, the encryption and decryption keys and the remote directives' content.
  • the plurality of authentication clients may include means for receiving the data blocks from terminals and extracting the remote directives' content from the data blocks.
  • the plurality of authentication clients may include means for displaying the extracted remote directives' content accompanied with the clients' generated approval passwords.
  • The encoded data blocks may be: QR codes, Bluetooth, NFC, Wi-Fi transmission, and combinations thereof.
  • an OTP authentication method includes generating, by a plurality of authentication clients, asymmetric encryption and decryption key pairs and OTP keys and registering on at least one authentication server the decryption keys and OTP keys.
  • The method includes generating authentication credentials, by the plurality of authentication clients, using encrypted OTPs, wherein the OTPs may be generated using the OTP keys and encrypted using the encryption keys; and authenticating the authentication requests, by the authentication servers, by decrypting the authentication clients' OTPs using the decryption keys, generating servers' OTPs using the OTP keys, and matching the decrypted authentication clients' OTPs with the servers' generated OTPs.
  • Requesting authentication permits may include transmitting the encrypted OTPs in a single step.
  • a biometric asymmetric encrypting OTP authentication method may include receiving biometric inputs, by a plurality of authentication clients, by biometric capable input devices, generating and storing biometric templates in the client's devices, generating using the biometric templates, biometric asymmetric encryption and decryption key pairs and OTP keys and registering in at least one authentication server the decryption keys and OTP keys.
  • the method may include matching, by the plurality of authentication clients, biometric inputs with biometric templates.
  • The method may include generating authentication credentials, by the plurality of authentication clients, using the encrypted OTPs, wherein the OTPs may be generated using the OTP keys and encrypted using the encryption keys.
  • the method may include authenticating the authentication requests, by the authentication servers, by decrypting the clients' OTPs using the decryption keys, generating servers' OTPs using OTP keys, and by matching the decrypted authentication clients' OTPs with the servers' generated OTPs.
  • requesting biometric authentication may include transmitting the encrypted OTPs in a single step.
  • a remote-directive strong authorization method may include generating, by a plurality of authentication clients, asymmetric encryption and decryption key pairs and OTP keys and registering on authorization servers, the decryption keys and OTP keys.
  • the method may include transmitting, by the authorization servers, encoded data blocks that include the encoded content of remote directives to the authentication clients.
  • the method may include communicating, by the plurality of authentication clients, encrypted approval passwords generated using the remote directives' content and OTP keys and encrypted by the encryption key.
  • the method may include authorizing the remote directives, by the authorization servers, by decrypting the clients' approval password using the decryption keys, generating servers' approval passwords using the remote directives' content and OTP keys, and by matching the decrypted authentication clients' approval passwords with servers' generated approval passwords.
  • The method may include a plurality of terminals used for communicating messages to the authorization servers and for presenting data blocks received from the authorization servers to users.
  • The encoded data blocks may be QR codes, Bluetooth, NFC, Wi-Fi transmission, and the like.
  • FIG. 1 illustrates an asymmetric OTP authentication system architecture, according to certain embodiments
  • FIG. 2 illustrates OTP authentication system asymmetric key pairs' generation and registration, according to certain embodiments
  • FIG. 3 illustrates an overview of an OTP authentication process, according to certain embodiments
  • FIG. 4 illustrates authentication clients' registration on an OTP server, according to certain embodiments
  • FIG. 5 illustrates a single step OTP authentication process, according to certain embodiments
  • FIG. 6 illustrates a flow chart of the OTP authentication process, according to certain embodiments.
  • FIG. 7 illustrates authentication client's registration on a plurality of OTP servers, according to certain embodiments.
  • FIG. 8 illustrates authentication clients' biometric registration on an
  • FIG. 9 illustrates a biometric OTP authentication process, according to certain embodiments.
  • FIG. 10 illustrates a flow chart of the biometric OTP authentication process, according to certain embodiments.
  • FIG. 11 illustrates a remote directive authorization system's submission form, according to certain embodiments.
  • FIG. 12 illustrates a remote directive authorization system's confirmation request, according to certain embodiments
  • FIG. 13 illustrates presenting remote directive's content and the generated approval password on client's display, according to certain embodiments
  • FIG. 14 illustrates submission of the approval password to the application server, according to certain embodiments
  • FIG. 15 illustrates a remote directive strong authorization process, according to certain embodiments
  • FIG. 16 illustrates a flow chart of the remote directive strong authorization process, according to certain embodiments.
  • FIG. 17 illustrates a flowchart of an OTP authentication method, according to certain embodiments.
  • FIG. 18 illustrates a flowchart of a biometric OTP authentication method, according to certain embodiments.
  • FIG. 19 illustrates a flowchart of a remote directive strong authorization method, according to certain embodiments.
  • An asymmetric OTP authentication system uses different keys for OTP generation and authentication. Together with a shared OTP key, the asymmetric OTP authentication system utilizes an asymmetric key pair, also known as an encrypting/decrypting or public/private key pair, where the encrypting key is used for encrypted OTP generation (i.e. authentication credentials) and the decrypting key is used for OTP authentication.
  • the asymmetric OTP authentication system includes at least one authentication client and at least one authentication server. The one or more authentication clients are configured to generate asymmetric encryption and decryption key pairs and OTP keys and register on the at least one authentication server the decryption and OTP keys.
  • the one or more authentication clients are configured to generate OTPs using the OTP keys, to encrypt the generated OTPs using the encryption keys and allow authentication using encrypted OTPs in a single authentication step.
  • the authentication servers are configured to decrypt the clients' OTPs using the registered decryption keys, to generate servers' OTPs using the registered OTP keys and to authenticate requests by matching authentication clients' OTPs with server's generated OTPs.
  • Authentication clients are configured to provide the decryption keys, and not the encryption keys, to the counter-party authentication server. Since encryption keys are generated and stored at the authentication clients, only authentication clients are able to issue authentication credentials (e.g. encrypted OTPs), and hence encryption key theft, encryption key leaks, insecure encryption key exchange and the like from authentication servers are impossible.
  • authentication clients are configured to generate OTPs and encrypt the generated OTPs using encryption keys generated and stored at the authentication clients only.
  • issued authentication credentials and/or secure codes mean encrypted OTPs that are provided by authentication clients and the terms encrypted OTPs, secure codes and issued credentials are used interchangeably.
  • user name and user ID mean a unique sequence of characters used to identify a user and allow access to a computing system. The terms user name and user ID are used interchangeably herein.
  • secure keys means authentication keys, OTP keys, encryption/decryption keys needed to generate and/or validate authentication credentials.
  • The use of asymmetrically encrypted OTPs allows authentication servers to validate that the authentication client that provided credentials for an authentication request is the same authentication client that provided the decryption key on registration, since only the encrypting authentication client preserves the encryption key.
  • the encryption keys are created by the authentication clients and are not disclosed at any time to external computing environments.
  • Embodiments of the present invention facilitate a single-step authentication process similar to the static password authentication process.
  • Another advantage of the asymmetric OTP authentication system is that the use of OTPs prevents man-in-the-middle attacks, since OTPs change in each authentication request. Since OTPs are encrypted by the authentication clients, and only the authentication client that provided the decryption key on registration preserves the paired encryption key and can generate a valid encrypted OTP, mathematical means cannot be used to crack the authentication keys used to generate the authentication credentials.
  • Another advantage of the asymmetric OTP authentication system is that a user name is not required to be stored with the security keys at the authentication client. Hence, even if security keys are stolen they will not be accompanied by the user names in contrast to authentication servers where user names must be linked to security keys and may be both stolen by hackers.
  • authentication clients' registration processes may be initiated by authentication clients on a plurality of authentication servers and may be re-initiated by the authentication clients.
  • a biometric asymmetric OTP authentication system is disclosed.
  • A plurality of authentication clients are configured to receive biometric inputs using biometric-capable input devices, to convert biometric inputs into biometric templates and store the biometric templates in the authentication clients' repository, to match biometric inputs with stored biometric templates, to generate encryption and decryption key pairs and OTP keys built upon biometric template derivatives (e.g. the biometric template's digital representation or the biometric template's digital signature), to generate OTPs using the generated OTP keys and to encrypt the OTPs using the encryption key.
  • the plurality of authentication clients are configured to issue authentication credentials allowing a single step authentication process.
  • Authentication servers are configured to decrypt authentication credentials using the decryption keys and to generate OTPs using the OTP keys. Authentication servers are configured to authenticate received requests by validating the decrypted clients' OTPs against the server's generated OTPs.
  • the plurality of biometric authentication clients may be configured to generate asymmetric encryption and decryption key pairs and/or OTP keys using biometric inputs and/or biometric templates derivatives.
  • Biometric inputs may be fingerprints, face images, voice recordings, DNA sequences, palm prints, hand geometries, iris images, retina images, odor and scent recordings, veins topography and the like.
  • a remote directives strong authorization system is disclosed.
  • a plurality of authentication clients are configured to generate asymmetric encryption and decryption key pairs and OTP keys and to provide the decryption keys and OTP keys to authorization servers.
  • the plurality of authentication clients are configured to receive encoded data blocks that include the content of remote directives from the authorization servers, to issue encrypted approval passwords based on the remote directives' content and the OTP keys.
  • the authorization servers are configured to decrypt the authentication clients' approval passwords using the decryption keys, to generate servers' approval passwords using the remote directives' content and the OTP keys and to authenticate the remote directives by matching decrypted clients' approval passwords with server's generated approval passwords.
  • A plurality of terminals are configured to provide data blocks received from authorization servers (by displaying Quick Response (QR) codes, for example).
  • QR codes are given as an example only; Bluetooth and/or NFC and/or Wi-Fi communication and the like may be used by terminals to provide the data blocks to the authentication clients.
  • a plurality of authentication clients may be configured to receive the provided data blocks from authorization servers and to present the data blocks' content (i.e. remote directive) to users.
  • The OTP authentication system may include a plurality of authentication clients 101a and 101b configured to connect to one or more computing systems 103 using their input means, further connected through a network 105 to one or more application servers 107.
  • Application servers 107 may be connected to OTP server 113.
  • Computing system 103 may be a personal computer (PC), a mobile device, an iPad and the like.
  • Authentication clients 101a and 101b are configured to issue credentials for web server 107 to be further authenticated by OTP authentication server 113.
  • FIG. 2 illustrates OTP authentication system asymmetric key pairs' generation and registration, according to certain embodiments.
  • Authentication client 101, which may be a mobile device and/or a token for example, may be configured to generate secure key 201 and complementary key 211.
  • Secure key 201 may include OTP key 203 and encryption key 205, which may be stored at client 101.
  • Complementary key 211 may include OTP key 213, a copy of OTP key 203, and decryption key 215 that may be registered on OTP server 113.
  • Encryption key 205 and decryption key 215 are an asymmetric key pair.
  • FIG. 3 illustrates an overview of an
  • Authentication Client 101 may be configured to generate OTPs 310 using OTP key 203, to encrypt OTPs using encryption key 205 and provide encrypted OTPs to OTP server 113.
  • OTP server 113 may be configured to generate OTPs 320 using OTP key 213, which is identical to OTP key 203.
  • OTP server 113 may be configured to decrypt OTPs provided by client 101 using registered decryption key 215 and to match 330 the decrypted clients' OTPs 310 with the servers' OTPs 320.
  • OTP authentication system may include at least one authentication server 113 and a plurality of authentication clients 101a, 101b and 101c.
  • Plurality of authentication clients 101a, 101b and 101c may be configured to generate 402, 404 and 406 asymmetric encryption and decryption key pairs and OTP keys and to register the keys 401, 403 and 405 on the at least one authentication server 113.
  • Clients 101a, 101b and 101c may be computers, tokens, mobile devices and the like.
  • clients 101a, 101b and 101c may be configured to register the decryption key 215, OTP key 203 on authentication server 113 and to store the generated encryption key 205, OTP key 203 in the clients.
  • generating and storing the encrypting key at the clients facilitates an efficient authentication process having a single authentication step similar to static password systems and furthermore, guarantees that only authentication clients are able to generate valid credentials using their keys.
  • Single step OTP authentication system 500 includes at least one authentication server 113 and at least one authentication client 101.
  • Authentication client 101 may be configured to issue credentials for authentication request (a) using an OTP generated with OTP key 203 and encrypted with encryption key 205.
  • Authentication server 113 may be configured to authenticate request (b) by decrypting with decryption key 215 and matching the decrypted authentication request's OTP with an OTP generated using OTP key 203.
  • Authentication server 113 may be configured to generate OTPs using OTP key 203 stored in authentication server 113.
  • the information required for authenticating by server 113 e.g. encrypted OTP and optionally a user ID, may be provided in a single authentication step (a) similar to static password authentication systems.
  • FIG. 6 illustrates a flow chart of the
  • OTP authentication process 600 may be configured to generate an OTP using OTP key 203 and encrypt the generated OTP using encryption key 205 (FIG. 3).
  • OTP server 113 may be configured to draw the user's registered decryption key 215 and OTP key 213 from a repository stored in the OTP server using user name 605.
  • OTP server 113 may be configured to receive the client's encrypted OTP 603 to decrypt the client's OTP 609 using decryption key 215.
  • OTP server 113 may be configured to generate OTP 611 using the registered OTP key 213.
  • OTP Server 113 and authentication client 101 may be configured to generate OTPs using the synchronized clock and other synchronized data (not shown).
  • OTP server 113 may be configured to match 613 the client's decrypted OTP 609 with the authentication server's generated OTP 611.
  • OTP authentication server 113 may be configured to authenticate the request 615 if the two OTPs match 614.
  • OTPs may be generated, by authentication clients and servers, using algorithms such as RFC 1760 (S/KEY), RFC 2289 (OTP), RFC 4226 (HOTP), RFC 6238 (TOTP), combinations thereof and the like.
  • Authentication client 101 is configured to generate valid encrypted OTPs using OTP key 203 and encryption key 205. Since encryption key 205 is generated and stored at authentication client 101, encryption key 205 cannot be stolen or leak out from authentication server 113.
  • FIG. 7 illustrates client's registration on a plurality of authentication servers 700, according to certain embodiments.
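The registration, single-step authentication and remote-directive approval flow described above, as an added worked example in Go (not code from the patent or from Biothent Security). HOTP per RFC 4226 stands in for the shared OTP key algorithm (keys 203/213), and the client's private-key "encryption" of the OTP is realised as an Ed25519 signature that the server checks with the registered public ("decryption") key against its own regenerated OTP; the user ID, the message layout and the 5-step look-ahead window are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// hotp implements RFC 4226 (HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation, 6 digits); client and server run it over the same shared OTP key.
func hotp(key []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
}

// otpMessage is what the client's private key operates on: the OTP plus, for a
// remote directive, the directive content (empty for a plain login). Assumed layout.
func otpMessage(otp uint32, directive []byte) []byte {
	return append([]byte(fmt.Sprintf("%06d|", otp)), directive...)
}

// Registration is all the client hands the server: public ("decryption") key and OTP key.
type Registration struct {
	Pub    ed25519.PublicKey
	OTPKey []byte
}

// Client keeps the OTP key and the private ("encryption") key, which never leaves it.
type Client struct {
	otpKey  []byte
	priv    ed25519.PrivateKey
	counter uint64
}

func NewClient() *Client {
	otpKey := make([]byte, 20)
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if _, err2 := rand.Read(otpKey); err != nil || err2 != nil {
		panic("key generation failed") // a crypto/rand failure is not recoverable
	}
	return &Client{otpKey: otpKey, priv: priv}
}

func (c *Client) Register() Registration {
	return Registration{Pub: c.priv.Public().(ed25519.PublicKey), OTPKey: c.otpKey}
}

// Issue produces the single-step credential: the current OTP (and directive) signed
// with the client-held private key. The client's counter advances on every issue.
func (c *Client) Issue(directive []byte) []byte {
	otp := hotp(c.otpKey, c.counter)
	c.counter++
	return ed25519.Sign(c.priv, otpMessage(otp, directive))
}

type record struct {
	reg     Registration
	counter uint64 // next counter value the server expects
}

// Server stores only public keys and OTP keys, indexed by user ID (assumed).
type Server struct {
	users  map[string]*record
	window uint64 // RFC 4226 look-ahead used to resynchronise counters
}

func NewServer() *Server { return &Server{users: map[string]*record{}, window: 5} }
func (s *Server) Register(userID string, reg Registration) { s.users[userID] = &record{reg: reg} }

// Authenticate regenerates the OTP with the registered OTP key and checks the credential
// against it with the registered public key ("decrypt and match"); a match consumes the counter.
func (s *Server) Authenticate(userID string, cred, directive []byte) error {
	rec, ok := s.users[userID]
	if !ok {
		return errors.New("unknown user")
	}
	for i := uint64(0); i <= s.window; i++ {
		otp := hotp(rec.reg.OTPKey, rec.counter+i)
		if ed25519.Verify(rec.reg.Pub, otpMessage(otp, directive), cred) {
			rec.counter += i + 1
			return nil
		}
	}
	return errors.New("credential does not match any server-generated OTP")
}

func main() {
	c, s := NewClient(), NewServer()
	s.Register("alice", c.Register())
	fmt.Println("login accepted:", s.Authenticate("alice", c.Issue(nil), nil) == nil)
}
```

A replayed credential fails because the server has moved past its counter, and a credential signed over one directive fails for any other directive content, which is what makes the approval password bind the directive.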
  • Authentication client 101 may be configured to register on a plurality of authentication servers 113, 115 and 117.
  • Authentication client 101 may be configured to generate identical or diverse sets of decryption/encryption keys and OTP keys 701 for each one of the OTP authentication servers and to register them in each of OTP servers 113, 115 and 117.
  • Authentication client 101 may be configured to store for each server
  • biometric identifiers are stored in authentication clients and not in centralized database repositories.
  • Authentication clients are configured to store and match biometric inputs and to generate OTPs that may be authenticated by authentication servers that are not required to store any biometric identifiers.
  • biometric templates are stored at the authentication clients only. Furthermore, storing the encryption keys only at the authentication clients prevents stealing the encryption keys from authentication servers. Finally, storing the encryption keys at the authentication clients allows a single step authentication process similar to static password authentication systems.
  • FIG. 8 illustrates clients' registration 800 on an OTP server, according to certain embodiments.
  • Plurality of authentication clients 101a, 101b and 101c may be configured to receive biometric inputs 802, 812 and 822 by biometric capable devices 852, 862 and 872 that may be included in authentication clients 101a, 101b and 101c or may be external devices.
  • the plurality of clients 101a, 101b and 101c may be configured to generate 803, 813 and 823 biometric templates from the biometric inputs and to store the generated biometric templates in the clients on enrolment.
  • Biometric inputs may be fingerprints, face images, voice recordings,
  • Plurality of authentication clients 101a, 101b and 101c may be configured to generate asymmetric encryption and decryption key pairs (806 and 808, 816 and 818, 826 and 828) and OTP keys (804, 814 and 824) that may be built upon the generated biometric templates.
  • Plurality of authentication clients 101a, 101b and 101c may be configured to provide 805, 815 and 825 the decryption keys (808, 818 and 828) and OTP keys (804, 814 and 824) to OTP server 113 and to store the generated encryption keys (806, 816 and 826) and OTP keys in the authentication clients.
  • the plurality of authentication clients may be configured to generate asymmetric encryption and decryption key pairs and/or OTP keys using the biometric inputs and/or the biometric templates.
  • Biometric OTP authentication system 900 may include at least one authentication server 113 and at least one authentication client 101.
  • Authentication client 101 may be configured to issue credentials for biometric authentication request (a) using encrypted OTP 901.
  • OTP server 113 may be configured to authenticate the biometric authentication request (b) by matching the decrypted clients' authentication request's OTP with OTP server's 113 generated OTP.
  • OTP server 113 may be configured to generate OTPs using OTP keys stored in the authentication server on registration.
  • the OTP authentication process may be a single step authentication process where the information required for biometric authentication may be provided in a single step (a).
  • Authentication client 101a may be configured to receive biometric input 802 from biometric capable devices 852 and may be configured to match biometric input 802 with a stored biometric template 1001 generated on registration. If matching 1002, client 101a may be configured to generate an OTP and to encrypt it 1004 using encryption key 806 generated on registration. OTP 1004 may be generated using OTP key 804.
  • OTP server 113 may be configured to draw user's decryption key 808 and OTP key 804 from the server repository using user ID 1006.
  • OTP server 113 may be configured to receive the client's encrypted OTP 1005 and to decrypt the client's OTP 1009 using decryption key 808.
  • OTP server 113 may be configured to generate OTP 1011 using OTP key 804.
  • OTP server 113 and client 101a may be configured to generate OTPs 1011 and 1004 using, in addition to OTP key 804, a synchronized clock and other synchronized data (not shown).
  • OTP server 113 may be configured to match 1013 the client's decrypted OTP 1009 with the server's generated OTP 1011.
  • OTP server 113 may be configured to authenticate the requested biometric authentication 1014 if the two OTPs match 1013.
  • Phishing techniques attempt to substitute the content of users' remote directives transmitted over a network by masquerading as a trustworthy entity in the remote directive transmission chain. Phishing techniques may attempt to change the amount and receiver identity in bank transfers or payment orders, the item type and buyer details in purchase orders, and the like.
  • approval passwords generated in both authentication clients and authorization servers, among other security keys, are based on the remote directives' content. Phishing attempts may be prevented since approval passwords that are based on the remote directive's content will not match if the remote directive's content is changed by a man-in-the-middle attack or other means.
  • authentication clients may be configured to receive data blocks generated by authorization servers (by means of QR codes, or over Bluetooth, Wi-Fi, NFC and the like) that include the remote directive's content, and to present the content to users.
  • a remote directive's submission form 1101 may include payment order information, such as Name: Mr. John Smith, Account: 123-456789/A and Amount: $15.45, for example.
  • submission form 1101 may appear on a terminal's screen, where the terminal may be configured to transmit the submission form (a) to web server 107.
  • submission form 1101 may appear on any kind of computing system's display.
  • Application server 107 may be configured to transmit a confirmation request (b) to client 101a, with a data block in plain or encrypted form that contains the remote directive's content in a QR code 1201 representation, which may be displayed on a computing system screen (FIG. 1, 103 for example).
  • FIG. 13 illustrates presenting remote directive's content and the generated approval password on client's display, according to certain embodiments.
  • Authentication client 101a (shown in FIG. 12) may be configured to scan the QR code 1301, extract the directive content from the scanned QR code and present 1509 the content on authentication client's 101a display to a user.
  • the remote directive content that may include for example Name: Mr. John Smith, Account: 123-456789/A, Amount: $15.45 may be presented to the user accompanied by an approval password 1303.
  • the approval password, 753847 for example, is the remote directive's content-dependent OTP.
  • the remote directive's content-dependent approval password is generated by authentication client 101a using the client's OTP key (FIG. 2, 203) and is further encrypted by an encryption key (FIG. 3, 205).
  • FIG. 14 illustrates submission of an approval password to application server 107, according to certain embodiments.
  • Authentication client 101a may be configured to provide the remote directive's content-dependent approval password (c) to application server 107 through terminal 1203.
  • authorization server (not shown) may be configured to decrypt the received content-dependent OTP (c) using decryption key (FIG. 3, 215), to generate a remote directive's content-dependent approval password using a registered OTP key (FIG. 3, 213) and to match the decrypted client's OTPs with the server's generated OTP, as illustrated in FIG. 15 below.
  • FIG. 15 illustrates a remote directive strong authorization process, according to certain embodiments.
  • Remote directive strong authorization system 1500 may include at least one authorization server 1501 and at least one authentication client 101.
  • Authentication client 101 may be configured to generate encryption and decryption keys and OTP keys and to register the OTP and decryption keys on at least one authorization server 1501.
  • Authentication client 101 may be configured to store the decryption key and OTP key in authorization server 1501 and to store the generated encryption key and OTP key in authentication client 101.
  • Authorization server 1501 may be configured to provide to authentication client 101 encoded data blocks 1503 that include remote directives' contents 1502.
  • the provided encoded data blocks 1510 may be for example in form of QR codes 1503 (e.g. 2D barcodes).
  • Authentication client 101 may be configured to decode encoded blocks 1504 and to present the decoded content 1506 to users, accompanied by OTP 1505 encrypted with encryption key 205, which yields approval password 1509.
  • Authentication client 101 may be configured to provide 1520 the encrypted approval password 1509 to authorization server 1501.
  • Authorization server 1501 may be configured to authorize remote directives 1530 by matching 1508 the decrypted approval passwords communicated by authentication clients with the server's generated approval passwords 1507.
  • FIG. 16 illustrates a flow chart of the remote directive authorization process 1600, according to certain embodiments.
  • Authorization server 1501 is configured to receive 1603 a remote directive 1601.
  • Authorization server 1501 may be configured to encode the remote directive's content in data block in form of QR code 1605 and to provide the QR code 1510 to authentication client 101 (e.g. by displaying it on directive terminal's screen).
  • Authentication client 101 may be configured to scan the QR code 1607 and to display the content of the remote directive encoded in the QR code to the user 1609 for validation.
  • Authentication client 101 may be configured to generate approval passwords using OTP key 203 and the remote directives' content 1611.
  • Authentication client 101 may be configured to encrypt approval passwords using encryption key (FIG. 3, 205) and may be configured to provide 1520 the encrypted approval passwords 1611 for authorization on authorization server 1501.
  • Authorization Server 1501 may be configured to draw the user's decryption key 215 and OTP key 213 from the authorization server 1501 repository using user name 1604.
  • Authorization server 1501 may be configured to decrypt approval passwords 1613 using decryption key 215. Authorization server 1501 may be configured to generate the server's approval passwords 1615 using OTP key 213 and the remote directive content 1606.
  • authorization server 1501 and client 101 may be configured to generate the server's and client's approval passwords 1615 and 1611 using the synchronized data e.g. clock and the like (not shown).
  • Authorization server 1501 may be configured to match 1617 the decrypted client's approval passwords 1613 with the server's generated approval passwords 1615.
  • Authorization server 1501 may be configured to authorize 1530 the client's remote directive 1601 if the two approval passwords match 1617.
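Both flows described above, the single-step OTP authentication of FIG. 6 (stages 1710 to 1730 of FIG. 17) and the content-bound approval password of FIG. 15 and FIG. 16, carried through as one added Go example. This is illustrative code written for this page, not the patent's or Biothent's implementation. The patent's "encryption key kept only at the client" and "decryption key registered on the server" are realized here as an Ed25519 signing key and verification key, because a key that only the client holds, and that the server uses only to check what the client produced, is a signature key pair; the OTP itself is HMAC-SHA256 with the RFC 4226 six-digit truncation, and for a remote directive the text displayed to the user is fed into the HMAC, so a server computing from the content it holds gets a different value if the content was altered in transit. The function names (`Enroll`, `ClientCredential`, `Server.Verify`), the 32-byte OTP key, the plus-or-minus one step clock window, the last-accepted-step replay guard and the sample directive strings are all assumptions made for this example; the page describes none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const stepSeconds = 30 // RFC 6238 default time step (assumption)

// Registration is what the client uploads once: the verification ("decryption")
// key and the OTP key. The signing ("encryption") key never leaves the client.
type Registration struct {
	UserID    string
	VerifyKey ed25519.PublicKey
	OTPKey    []byte
}

// Credential is the single-step message: OTP, its time step, and the client's
// signature over user ID, step and OTP.
type Credential struct {
	UserID string
	Step   uint64
	OTP    uint32
	Sig    []byte
}

// Enroll generates the key pair and OTP key on the client side (stage 1710).
func Enroll(userID string) (Registration, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	otpKey := make([]byte, 32)                  // key length is an assumption
	if _, err2 := rand.Read(otpKey); err != nil || err2 != nil {
		panic("entropy source failed")
	}
	return Registration{userID, pub, otpKey}, priv
}

// hotp6 applies RFC 4226 dynamic truncation (six digits) to HMAC-SHA256(key, msg).
func hotp6(key, msg []byte) uint32 {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	h := m.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
}

// otpMessage binds the time step and, for a remote directive, the directive text
// exactly as shown to the user; an empty directive gives a plain login TOTP.
func otpMessage(stepNo uint64, directive string) []byte {
	return append(binary.BigEndian.AppendUint64(nil, stepNo), directive...)
}

// sigPayload is the byte string the client signs and the server verifies.
func sigPayload(c Credential) []byte {
	b := binary.BigEndian.AppendUint64([]byte(c.UserID+"\x00"), c.Step)
	return binary.BigEndian.AppendUint32(b, c.OTP)
}

// ClientCredential computes the (directive-bound) OTP for Unix time now and
// signs it with the key only the client holds (stages 1720 and 1930).
func ClientCredential(reg Registration, signKey ed25519.PrivateKey, now int64, directive string) Credential {
	cred := Credential{UserID: reg.UserID, Step: uint64(now / stepSeconds)}
	cred.OTP = hotp6(reg.OTPKey, otpMessage(cred.Step, directive))
	cred.Sig = ed25519.Sign(signKey, sigPayload(cred))
	return cred
}

// Server holds registrations plus the last accepted step per user, a replay
// guard the patent text does not describe but a real verifier needs.
type Server struct {
	users    map[string]Registration
	lastStep map[string]uint64
}

func NewServer() *Server { return &Server{map[string]Registration{}, map[string]uint64{}} }
func (s *Server) Register(r Registration) { s.users[r.UserID] = r }

// Verify checks the signature under the registered key, regenerates the OTP for
// the same step and directive and compares (stages 1730 and 1940); a step more
// than one away from the server clock, or one already used, is rejected.
func (s *Server) Verify(cred Credential, now int64, directive string) error {
	reg, ok := s.users[cred.UserID]
	cur := uint64(now / stepSeconds)
	last, seen := s.lastStep[cred.UserID]
	switch {
	case !ok:
		return errors.New("unknown user")
	case !ed25519.Verify(reg.VerifyKey, sigPayload(cred), cred.Sig):
		return errors.New("signature does not verify under registered key")
	case cred.Step+1 < cur || cred.Step > cur+1:
		return errors.New("time step outside clock window")
	case seen && cred.Step <= last:
		return errors.New("time step already used (replay)")
	case hotp6(reg.OTPKey, otpMessage(cred.Step, directive)) != cred.OTP:
		return errors.New("OTP mismatch: content or OTP key differs")
	}
	s.lastStep[cred.UserID] = cred.Step
	return nil
}
```

A login is `Verify(ClientCredential(reg, key, now, ""), now, "")`; a directive authorization passes the same directive string on both sides, and passing an altered string on the server side (the man-in-the-middle case the page describes) makes the OTP comparison fail. Two points the page's advantage list does not spell out: the replay guard matters because, within one time step, a captured credential would otherwise verify a second time, since the server only compares OTP values; and the OTP key is registered on the server as well, so a server compromise lets an attacker compute OTPs even though it cannot produce the client's signature. Only the signing key benefits from being stored at the client alone.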
  • FIG. 17 illustrates a flowchart of an OTP authentication method, according to certain embodiments.
  • OTP authentication method 1700 includes: in stage 1710, generating, by a plurality of authentication clients, asymmetric encryption and decryption key pairs and OTP keys and registering on authentication servers the decryption keys and OTP keys; in stage 1720, requesting authentication permits, by the plurality of authentication clients, using credentials generated from encrypted OTPs, wherein the OTPs are generated using the OTP keys and encrypted by the encryption keys; in stage 1730, approving the authentication requests, by the authentication servers, by matching the decrypted clients' OTPs with the servers' generated OTPs.
  • OTP authentication method 1700 stage 1720 includes a single step authentication that may include further communicating users IDs to the authentication server.
  • OTP authentication method 1700 stage 1730 may include decrypting the authentication request credentials using the decryption keys and generating OTPs using the OTP keys.
  • FIG. 18 illustrates a flowchart of biometric OTP authentication method, according to certain embodiments.
  • Biometric OTP authentication method 1800 includes: in stage 1810, receiving biometric inputs, by a plurality of authentication clients, using biometric capable input devices, generating and storing biometric templates in the authentication clients' devices, generating asymmetric encryption and decryption key pairs and OTP keys and registering on authentication servers the decryption keys and OTP keys; in stage 1820, matching, by the plurality of authentication clients, biometric inputs with biometric templates; in stage 1830, requesting authentication permits using authentication credentials, e.g. encrypted biometric OTPs, wherein the authentication credentials are generated using the OTP keys and encrypted by the encryption keys; in stage 1840, authenticating the authentication requests by matching the decrypted clients' OTPs with the servers' generated OTPs.
  • Biometric OTP authentication method 1800 stage 1810 generating asymmetric encryption and decryption key pairs and OTP keys may include generating the keys using the biometric templates.
  • Biometric OTP authentication method 1800 stage 1830 includes a single step authentication that may include further communicating users IDs to the authentication server.
  • Biometric OTP authentication method 1800 stage 1840 may include, by the authentication server, decrypting the authentication credentials using the decryption keys and generating OTPs using the OTP keys.
  • FIG. 19 illustrates a flowchart of a remote directive strong authorization method, according to certain embodiments.
  • Remote directive OTP strong authorization method 1900 includes: in stage 1910, generating, by a plurality of clients, asymmetric encryption and decryption key pairs and OTP keys and registering on authorization servers the decryption keys and OTP keys; in stage 1920, transmitting, by the authorization servers, encoded data blocks that include remote directives' content to authentication clients; in stage 1930, communicating, by the plurality of authentication clients, encrypted approval password based on the remote directives' content and the OTP keys; in stage 1940, authorizing the remote directives by matching decrypted clients' approval passwords with servers' generated approval passwords.
  • Remote directive strong authorization method 1900 stage 1940 may include decrypting clients' approval passwords using decryption keys and generating approval passwords using remote directives' content and OTP keys.
  • Remote directive strong authorization method 1900's plurality of authentication clients may include a plurality of terminals configured to communicate messages to authorization servers and to present data blocks (e.g. QR codes) received from the authorization servers to users.
  • the above described OTP authentication system may be used to authenticate in a single step, similar to static password authentication systems.
  • authentication clients are configured to encrypt credentials using encryption keys generated and stored only in the authentication clients; the encryption keys are thus never provided to authentication servers and hence cannot be stolen from or leaked by authentication servers.
  • biometric OTP authentication system may be used for biometric authentication without storing biometric identifiers in biometric database repositories.
  • biometric authentication may be a single step authentication similar to static password authentication systems.
  • the above described remote directive strong authorization system may be used to authorize remote directives and prevent phishing attacks by the use of encrypted approval passwords that are based on the remote directive content and the OTP keys.
  • Another advantage of the above described remote directive authorization system is that it is a strong authentication system that uses asymmetric encryption and decryption key pairs to encrypt and decrypt OTPs, e.g. the approval passwords, and furthermore uses the content of the remote directives as an additional security factor when generating the approval passwords.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to asymmetric one-time password (OTP) authentication, biometric authentication and remote directive strong authorization systems. The asymmetric OTP authentication system comprises a plurality of authentication clients and at least one authentication server. The plurality of authentication clients is configured to generate asymmetric encryption and decryption key pairs and OTP keys, and registers the decryption keys and the OTP keys on the at least one authentication server. The plurality of authentication clients is configured to generate OTPs using the OTP keys, to encrypt the generated OTPs using the encryption keys and to generate credentials using the encrypted OTPs. The authentication server is configured to decrypt the clients' OTPs using the decryption keys, to generate the server's OTPs using the OTP keys and to authenticate requests by matching the clients' decrypted OTPs with the server's generated OTPs.
PCT/IL2014/050263 2013-03-13 2014-03-13 Asymmetric OTP authentication system WO2014141263A1 (fr)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US201361779580P 2013-03-13 2013-03-13
US201361779707P 2013-03-13 2013-03-13
US61/779,707 2013-03-13
US61/779,580 2013-03-13
US201361846172P 2013-07-15 2013-07-15
US61/846,172 2013-07-15

Publications (1)

Publication Number Publication Date
WO2014141263A1 true WO2014141263A1 (fr) 2014-09-18

Family

ID=51536009

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2014/050263 WO2014141263A1 (fr) 2013-03-13 2014-03-13 Asymmetric OTP authentication system

Country Status (1)

Country Link
WO (1) WO2014141263A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020144128A1 (en) * 2000-12-14 2002-10-03 Mahfuzur Rahman Architecture for secure remote access and transmission using a generalized password scheme with biometric features
US20050050330A1 (en) * 2003-08-27 2005-03-03 Leedor Agam Security token
US20120204245A1 (en) * 2011-02-03 2012-08-09 Ting David M T Secure authentication using one-time passwords
US20120240204A1 (en) * 2011-03-11 2012-09-20 Piyush Bhatnagar System, design and process for strong authentication using bidirectional OTP and out-of-band multichannel authentication

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104618117A (zh) * 2015-02-04 2015-05-13 北京云安世纪科技有限公司 Identity authentication device and method for a smart card device based on a two-dimensional code
CN104618117B (zh) * 2015-02-04 2018-06-12 北京奇虎科技有限公司 Identity authentication device and method for a smart card device based on a two-dimensional code
US9860243B2 (en) 2015-07-29 2018-01-02 International Business Machines Corporation Authenticating applications using a temporary password
US9930034B2 (en) 2015-07-29 2018-03-27 International Business Machines Corporation Authenticating applications using a temporary password
CN107231234A (zh) * 2016-03-25 2017-10-03 阿里巴巴集团控股有限公司 Identity registration method and device
US11012238B2 (en) 2016-03-25 2021-05-18 Alibaba Group Holding Limited Identity registration method and device
US10833862B2 (en) 2016-03-25 2020-11-10 Alibaba Group Holding Limited Identity registration method and device
CN107231234B (zh) * 2016-03-25 2020-06-09 创新先进技术有限公司 Identity registration method and device
US10659457B2 (en) 2016-10-24 2020-05-19 Fujitsu Limited Information processing device, information processing system, and information processing method
EP3312750A1 (fr) * 2016-10-24 2018-04-25 Fujitsu Limited Information processing device, information processing system, and information processing method
WO2018116115A1 (fr) * 2016-12-19 2018-06-28 Frollini Lorenzo Contactless device and method for generating a one-time temporary code
IT201600127809A1 (it) * 2016-12-19 2018-06-19 Device for contactless (NFC) payment transactions, having a unique OTP code generation algorithm that incorporates a template text string generated from a biometric fingerprint scan, with OTP token function, identity recognition and public transport subscription function, and related operating, pairing and usage processes
RU2698424C1 (ru) * 2017-05-10 2019-08-26 Хун-Чиэнь ЧОУ Authorization control method
EP3435589A1 (fr) 2017-07-25 2019-01-30 Telefonica Digital España, S.L.U. Method and system for encrypting wireless communications, including authentication
EP3588413A1 (fr) * 2018-06-21 2020-01-01 Auriga S.p.A. Strong-authentication identification method for activating a computer system
US11138608B2 (en) 2018-06-28 2021-10-05 International Business Machines Corporation Authorizing multiparty blockchain transactions via one-time passwords
US20200145408A1 (en) * 2018-11-05 2020-05-07 International Business Machines Corporation System to effectively validate the authentication of otp usage
US10951609B2 (en) * 2018-11-05 2021-03-16 International Business Machines Corporation System to effectively validate the authentication of OTP usage

Similar Documents

Publication Publication Date Title
US10609014B2 (en) Un-password: risk aware end-to-end multi-factor authentication via dynamic pairing
US9338163B2 (en) Method using a single authentication device to authenticate a user to a service provider among a plurality of service providers and device for performing such a method
US20200358614A1 (en) Securing Transactions with a Blockchain Network
WO2014141263A1 (fr) Asymmetric OTP authentication system
JP6399382B2 (ja) Authentication system
US20160269393A1 (en) Protecting passwords and biometrics against back-end security breaches
US20160205098A1 (en) Identity verifying method, apparatus and system, and related devices
NO324315B1 (no) Method and system for secure user authentication at a personal data terminal
US8397281B2 (en) Service assisted secret provisioning
CN111630811A (zh) System and method for generating and depositing keys for multipoint authentication
CN107277059A (zh) One-time password identity authentication method and system based on a two-dimensional code
US20140258718A1 (en) Method and system for secure transmission of biometric data
US10686771B2 (en) User sign-in and authentication without passwords
US10742410B2 (en) Updating biometric template protection keys
US10574452B2 (en) Two-step central matching
US8806216B2 (en) Implementation process for the use of cryptographic data of a user stored in a data base
KR101856530B1 (ko) Encryption system providing a user-cognition-based encryption protocol, and online payment processing method, security device and transaction approval server using the same
Kaur et al. A comparative analysis of various multistep login authentication mechanisms
Maheshwari et al. Secure authentication using biometric templates in Kerberos
US20240005820A1 (en) Content encryption and in-place decryption using visually encoded ciphertext
Xu et al. Qrtoken: Unifying authentication framework to protect user online identity
US20240169350A1 (en) Securing transactions with a blockchain network
Molla Mobile user authentication system (MUAS) for e-commerce applications.
Reddy et al. A comparative analysis of various multifactor authentication mechanisms
Atzeni et al. Authentication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14765417

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

WPC Withdrawal of priority claims after completion of the technical preparations for international publication

Ref document number: 61/846,172

Country of ref document: US

Date of ref document: 20150907

Free format text: WITHDRAWN AFTER TECHNICAL PREPARATION FINISHED

Ref document number: 61/779,580

Country of ref document: US

Date of ref document: 20150907

Free format text: WITHDRAWN AFTER TECHNICAL PREPARATION FINISHED

Ref document number: 61/779,707

Country of ref document: US

Date of ref document: 20150907

Free format text: WITHDRAWN AFTER TECHNICAL PREPARATION FINISHED

122 Ep: pct application non-entry in european phase

Ref document number: 14765417

Country of ref document: EP

Kind code of ref document: A1