WO2015049540A1 - Secure ID authentication - Google Patents
Secure ID authentication
- Publication number
- WO2015049540A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- channel
- response
- data
- over
- request
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/42—User authentication using separate channels for security data
- G06F21/43—User authentication using separate channels for security data wireless channels
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/72—Subscriber identity
Definitions
- This invention relates to secure ID authentication procedures, particularly, but not exclusively, for authenticating financial and other transactions over publicly accessible communications networks such as cellular telephone networks and the world wide web.
- An accepted authentication procedure for credit and debit card transactions involves the use of a PIN - a personal identification code, usually consisting of a four digit number, such as 7356 - that is known, or supposed to be known, only to the card holder. Not even the issuing bank or card company knows the user's PIN.
- a payment card PIN is held on the card as an element of data in a magnetic strip or an embedded microchip.
- the terminal reads the PIN from the magnetic strip or microchip and requests the user to enter the PIN on a keypad. If they match, the transaction is authenticated. In this instance, there is no transmission of the PIN over the network.
- the module simply confirms that the payment is authorised.
- a Passcode can be used, which may be alphanumeric and comprise more than four characters.
- the PIN or Passcode is vulnerable, however, to discovery when transmitted over a publicly accessible network. Knowledge of the PIN or Passcode could enable
- a common approach is to require a two-part identity check, one part being specific to the instrument used to transmit the information to the service module, the other part being specific to the user. If the instrument is a mobile phone, a combination of phone ID and user ID is required. The phone will have a unique ID, being, of course, the telephone number as it appears on the SIM card. The industry mandates that there is only ever one SIM card with any particular number. However, transmitting this information over a network is open to the risk of
- SIM card ID is unique - it is only required to record and re-use the data stream to access the service module. Simply encrypting the information is no help. It would, in any event, be the encoded information that is intercepted. It is not necessary to decrypt it, just use it in the encrypted format, to gain access.
- OTP systems are found in WO2010/101476, WO0131840, and numerous other patent publications.
- OTP systems require software on the user module to generate them, and corresponding software on the service module to verify them, and, in order to provide acceptable levels of security, the software and its usage are sometimes made deliberately complex, in some instances requiring time-limited passwords and random number generators, or costly ancillary equipment.
- the present invention provides simpler approaches to the problem of secure ID authentication.
- the invention comprises a secure ID authentication system for authenticating, over a multi-channel network comprising at least three of a land line channel, a voice and data channel, a UDDI (Universal Description Discovery and Integration) channel and a USSD (Unstructured Supplementary Service Data) channel, a response from a user module comprising a SIM card to a request from an application programming interface (API) to authenticate a transaction, in which; a request is sent to an identity application server (IAS) holding a database of user module ID information; the IAS transmits the request over the cellular network as a class 2 SMS message to the SIM card; the SIM card causes the request to be displayed on the user module; when a response is entered, the user module encrypts the response and associated data and transmits the encrypted data over the cellular network to an over-the-air (OTA) gateway to the IAS; and the IAS decrypts the data and transmits the response to the API in which the request, the class 2 SMS message and the encrypted data are each sent over at least one of two
- the request may be sent to the IAS over a channel selected from the land line and the voice and data channel.
- the response may be transmitted over the UDDI channel or the USSD channel.
- the class 2 SMS message and the response may be transmitted over different channels.
- the class 2 SMS message and the response may be both sent over a channel selected from the UDDI and USSD channels.
- the first channel may comprise the normal channel of the cellular network over which voice and texts are carried.
- the second channel may comprise a UDDI (Universal Description Discovery and Integration) network, which is an Extensible Markup Language network on which web service applications can be registered and located.
- the second channel may comprise a USSD channel, which is a channel using a USSD (Unstructured Supplementary Service Data) protocol.
- Such a channel is used by cellular telephones to provide real-time communication between user modules and the service provider's computers for sundry purposes, including updating credit balances on pay-as-you-go SIM cards. There is no store-and-forward functionality.
- the second channel may be the normal voice and text channel, the first channel being the USSD or UDDI channel.
- the user module may comprise a mobile phone, a tablet or a laptop, palmtop, netbook or other computer with cellular network connectivity.
- Services requiring authentication may comprise credit card payments, PayPal payments, request or order placement for goods or services, voting in elections or referendums and accessing Cloud data stores.
- the system may involve a user PIN or Passcode request, and the system may then include a test server holding a database of encrypted user module ID and associated PIN or Passcode data.
- the OTA gateway then transmits the encrypted data to the test server, which, if it has a match for user module ID and PIN or Passcode data, transmits the data to the IAS, which decrypts it and forwards the response to the API as being PIN or Passcode authenticated.
- Figure 1 is a block diagram
- FIG. 1 is a flow chart.
Description of the Invention:
- the drawing illustrates a secure ID authentication system for authenticating over a multichannel cellular radio network a response from a user module, such as a mobile phone MP, comprising a SIM card to a request from an application programming interface (API) to authenticate a transaction.
- the transaction may be one not requiring to be secured by a PIN, such as a subscription to a newsletter or one requiring a simple yes/no answer or a selection from a list of options, or one involving a payment or the provision of personal information, that needs a PIN entry.
- For PIN, of course, one may substitute Passcode.
- the request is sent - Step I, Figure 2 - to an identity application server (IAS) holding a database of user module ID information.
- The request is shown being sent over a landline C1 but it could otherwise be sent over a voice and data channel C2 of a cellular radio network CN.
- The IAS converts the request - Step II - to a Class 2 SMS message which it transmits - Step III - to the SIM card of the phone MP, which displays the message on the phone VDU, with optional audio for visually impaired users, and requests an input.
- The request is sent over channel C2, but it could also be sent over another channel C3, which is a UDDI channel, or yet another channel C4, which is a USSD channel of the network CN.
- the user enters the information requested at Step IV.
- the information is encrypted and sent - Step V - over channel C3 or channel C4 of the cellular network CN to an OTA gateway, such as a 03.48 gateway. Encryption can be effected in any secure way, such as hash encryption. If the information contains a PIN - decision step VI - it is sent on to a PIN test server PTS, which contains a database of module ID information and associated PINs, where it is matched, Step VII, or not, with data stored in the database.
- The message is forwarded - Step VIII - to the IAS, or the procedure terminated - Step XI - perhaps with a "wrong PIN" message back to the phone MP. If the message does not contain a PIN, it is sent straight from the OTA gateway to the IAS. Messages that reach the IAS result - Step IX - in a "transaction approved" message sent back to the API and the procedure terminated at Step X. Coding in the request may specify which channel should be used for the response, so that, with a request sent over the voice and text channel, the response is sent, unpredictably, without knowledge of the coding, over either of the other channels.
- the system can provide secure access to a personal database that might be kept in the API.
- the database might comprise a virtual vault that securely stores personal data such as birth certificate and passport details, purchase records, from which a personal profile might be built up which could be selectively available to retailers, who might thereby recommend products and services, an address book, clearly, and a CV, as well as driving licence and insurance details. All this could be securely accessed by, and added to or changed, from a mobile phone or like device.
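The PIN path of Steps I to XI, together with the replay problem described earlier (a recorded encrypted stream can simply be re-used), as an added Python sketch that is not code from the patent. The HMAC tag bound to a per-request ID, the PBKDF2 record format, the single-process IAS/PTS model and all names and sample values are assumptions; the patent leaves the encryption unspecified.

```python
import hashlib
import hmac
import secrets

CHANNELS = ("C3", "C4")  # UDDI and USSD channels in the patent's figure

def pin_record(module_id, pin):
    # Assumed form of the PTS database entry: a slow salted hash, never the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), module_id.encode(), 100_000)

def tag_for(record, request_id):
    return hmac.new(record, request_id.encode(), hashlib.sha256).digest()

class IAS:
    """IAS and PIN test server (PTS) modelled in one process."""

    def __init__(self, pts_db):
        self.pts_db = pts_db   # module_id -> pin_record
        self.pending = {}      # request_id -> (module_id, reply channel)

    def send_request(self, module_id):
        # Steps I-III: issue the request and code the reply channel into it.
        request_id = secrets.token_hex(8)
        channel = secrets.choice(CHANNELS)
        self.pending[request_id] = (module_id, channel)
        return {"request_id": request_id, "reply_channel": channel}

    def receive(self, channel, module_id, request_id, tag):
        # Steps VI-XI: a request is honoured once, and only on its coded channel.
        expected = self.pending.pop(request_id, None)
        record = self.pts_db.get(module_id)
        if record is None or expected != (module_id, channel):
            return "rejected"
        if not hmac.compare_digest(tag_for(record, request_id), tag):
            return "wrong PIN"
        return "transaction approved"

def handset_reply(module_id, pin, request):
    # Steps IV-V: a request-bound tag, not the PIN, leaves the handset.
    request_id = request["request_id"]
    tag = tag_for(pin_record(module_id, pin), request_id)
    return (request["reply_channel"], module_id, request_id, tag)

def demo():
    module_id = "447700900123"   # constructed sample module ID
    ias = IAS({module_id: pin_record(module_id, "7356")})
    good = handset_reply(module_id, "7356", ias.send_request(module_id))
    first = ias.receive(*good)
    replay = ias.receive(*good)  # the same recorded bytes, re-sent
    bad = handset_reply(module_id, "0000", ias.send_request(module_id))
    return first, replay, ias.receive(*bad)

if __name__ == "__main__":
    print(demo())
```

Because each request ID is consumed on first use, the second delivery of an identical message is rejected even though its tag is valid, which is the property a static encrypted credential lacks.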
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Telephonic Communication Services (AREA)
- Telephone Function (AREA)
Abstract
The invention relates to a secure ID authentication system for authenticating, over a multi-channel cellular radio network, a response from a user module comprising a SIM card to a request from an application programming interface (API) to authenticate a transaction; in this system, a request is sent to an identity application server (IDS) holding a database of user module ID information; the IAS transmits the request over a first channel of the cellular network as a class 2 SMS message sent to the SIM card; the SIM card causes the request to be displayed on the user module; when a response is entered, the user module encrypts the response and associated data and transmits the encrypted data over a second channel of the cellular network to an over-the-air gateway to the IAS; and the IAS decrypts the data and transmits the response to the API.
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1317575.7 | 2013-10-04 | ||
GB1317575.7A GB2518877A (en) | 2013-10-04 | 2013-10-04 | Secure ID authentication |
US14/238,780 | 2014-02-13 | ||
US14/238,780 US9832649B1 (en) | 2011-10-12 | 2014-02-13 | Secure ID authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015049540A1 (fr) | 2015-04-09 |
Family
ID=51842670
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/GB2014/052998 WO2015049540A1 (fr) | Secure ID authentication | 2013-10-04 | 2014-10-03 |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2015049540A1 (fr) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2011133988A2 (fr) * | 2010-04-23 | 2011-10-27 | Thandisizwe Ezwenilethu Pama | Identity verification system using network-initiated USSD |
WO2012004640A1 (fr) * | 2010-07-08 | 2012-01-12 | Entersect Technologies (Pty) Ltd. | Transaction authentication |
US20130073463A1 (en) * | 2011-09-19 | 2013-03-21 | James Dimmick | Issuer trusted party system |
WO2013054073A1 (fr) * | 2011-10-12 | 2013-04-18 | The Technology Business Management Limited | Secure ID authentication system |
-
2014
- 2014-10-03 WO PCT/GB2014/052998 patent/WO2015049540A1/fr active Application Filing
Non-Patent Citations (1)
Title |
---|
"Secure USSD Facility for Financial Institutions Analysis and Recommendation Report Client Internal System Amber USSD Gateway", PATTERN MATCHED TECHNOLOGIES, 1 January 2010 (2010-01-01), XP055161035, Retrieved from the Internet <URL:http://www.patternmatched.com/download/pmt-docs/amber-docs/pmt-amr-ussd-sf_2d1.pdf> [retrieved on 20150109] * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 14790674 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 14790674 Country of ref document: EP Kind code of ref document: A1 |