WO2015049540A1 - Authentification sécurisée d'identifiant - Google Patents

Authentification sécurisée d'identifiant Download PDF

Info

Publication number
WO2015049540A1
WO2015049540A1 PCT/GB2014/052998 GB2014052998W WO2015049540A1 WO 2015049540 A1 WO2015049540 A1 WO 2015049540A1 GB 2014052998 W GB2014052998 W GB 2014052998W WO 2015049540 A1 WO2015049540 A1 WO 2015049540A1
Authority
WO
WIPO (PCT)
Prior art keywords
channel
response
data
over
request
Prior art date
Application number
PCT/GB2014/052998
Other languages
English (en)
Inventor
Keith CURRAN
Tarlok TEJI
Original Assignee
Technology Business Management Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from GB1317575.7A external-priority patent/GB2518877A/en
Priority claimed from US14/238,780 external-priority patent/US9832649B1/en
Application filed by Technology Business Management Limited filed Critical Technology Business Management Limited
Publication of WO2015049540A1 publication Critical patent/WO2015049540A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/42User authentication using separate channels for security data
    • G06F21/43User authentication using separate channels for security data wireless channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/72Subscriber identity

Definitions

  • This invention relates to secure ID authentication procedures, particularly, but not exclusively, for authenticating financial and other transactions over publicly accessible communications networks such as cellular telephone networks and the world wide web.
  • An accepted authentication procedure for credit and debit card transactions involves the use of a PIN - a personal identification code, usually consisting of a four digit number, such as 7356 - that is known, or supposed to be known, only to the card holder. Not even the issuing bank or card company knows the user's PIN.
  • a payment card PIN is held on the card as an element of data in a magnetic strip or an embedded microchip.
  • the terminal reads the PIN from the magnetic strip or microchip and requests the user to enter the PIN on a keypad. If they match, the transaction is authenticated. In this instance, there is no transmission of the PIN over the network.
  • the module simply confirms that the payment is authorised.
  • a Passcode can be used, which may be alphanumeric and comprise more than four characters.
  • the PIN or Passcode is vulnerable, however, to discovery when transmitted over a publicly accessible network. Knowledge of the PIN or Passcode could enable
  • a common approach is to require a two-part identity check, one part being specific to the instrument used to transmit the information to the service module, the other part being specific to the user. If the instrument is a mobile phone, a combination of phone ID and user ID is required. The phone will have a unique ID, being, of course, the telephone number as it appears on the SIM card. The industry mandates that there is only ever one SIM card with any particular number. However, transmitting this information over a network is open to the risk of
  • SEVI card ID is unique - it is only required to record and re-use the data stream to access the service module. Simply encrypting the information is no help. It would, in any event, be the encoded information that is intercepted. It is not necessary to de-encrypt it, just use it in the encrypted format, to gain access.
  • OTP systems are found in WO2010/101476, WO0131840, and numerous other patent publications.
  • OTP systems require software on the user module to generate them, and corresponding software on the service module to verify them, and, in order to provide acceptable levels of security, the software and its usage are sometimes made deliberately complex, in some instances requiring time-limited passwords and random number generators, or costly ancillary equipment.
  • the present invention provides simpler approaches to the problem of secure ID authentication.
  • the invention comprises a secure ID authentication system for authenticating, over a multi-channel network comprising at least three of a land line channel, a voice and data channel, a UDDI (Universal Description Discovery and Integration) channel and a USSD (Unstructured Supplementary Service Data) channel, a response from a user module comprising a SIM card to a request from an application programming interface (API) to authenticate a transaction, in which; a request is sent to an identity application server (IAS) holding a database of user module ID information; the IAS transmits the request over the cellular network as a class 2 SMS message to the SIM card; the SIM card causes the request to be displayed on the user module; when a response is entered, the user module encrypts the response and associated data and transmits the encrypted data over the cellular network to an over-the-air (OTA) gateway to the IAS; and the IAS decrypts the data and transmits the response to the API in which the request, the class 2 SMS message and the encrypted data are each sent over at least one of two
  • the request may be sent to the IAS over a channel selected from the land line and the voice and data channel.
  • the response may be transmitted over the UDDI channel or the USSD channel.
  • the class 2 SMS message and the response may be transmitted over different channels.
  • the class 2 SMS message and the response may be both sent over a channel selected from the UDDI and USSD channels.
  • the first channel may comprise the normal channel of the cellular network over which voice and texts are carried.
  • the second channel may comprise a UDDI (Universal Description Discovery and Integration) network, which is an Extensible Markup Language network on which web service applications can be registered and located.
  • UDDI Universal Description Discovery and Integration
  • the second channel may comprise a USSD channel, which is a channel using a USSD (Unstructured Supplementary Service Data) protocol.
  • USSD Unstructured Supplementary Service Data
  • Such a channel is used by cellular telephones to provide real time communication between user modules and the service provider's computers for sundry purposes, including updating credits balances on pay-as- you-go SIM cards. There is no store and forwarding functionality.
  • the second channel may be the normal voice and text channel, the first channel being the USSD or UDDI channel.
  • the user module may comprise a mobile phone, a tablet or a laptop, palmtop, netbook or other computer with cellular network connectivity.
  • Services requiring authentication may comprise credit card payments, PayPal payments, request or order placement for goods or services, voting in elections or referendums and accessing Cloud data stores.
  • the system may involve a user PIN or Passcode request, and the system may then include a test server holding a database of encrypted user module ID and associated PIN or Passcode data.
  • the OTA gateway then transmits the encrypted data to the test server, which, if it has a match for user module ID and PIN or Passcode data, transmits the data to the IAS, which decrypts it and forwards the response to the API as being PIN or Passcode authenticated.
  • Figure 1 is a block diagram
  • FIG. 1 is a flow chart. Description of the Invention:
  • the drawing illustrates a secure ID authentication system for authenticating over a multichannel cellular radio network a response from a user module, such as a mobile phone MP, comprising a SIM card to a request from an application programming interface (API) to authenticate a transaction.
  • the transaction may be one not requiring to be secured by a PIN, such as a subscription to a newsletter or one requiring a simple yes/no answer or a selection from a list of options, or one involving a payment or the provision of personal information, that needs a PIN entry.
  • PIN for PIN, of course, one may substitute Passcode.
  • the request is sent - Step I, Figure 2 - to an identity application server (IAS) holding a database of user module ID information.
  • IAS identity application server
  • the request is shown being sent over a landline CI but it could otherwise be sent over a voice and data channel C2 of a cellular radio network CN.
  • the IAS converts the request - Step II - to a Class 2 SMS message which it transmits - Step III - to the SFM card of the phone MP which displays the message on the phone VDU, with optional audio for visually impaired users, and requests an input.
  • the request is sent over channel C2, but it could also be sent over another channel C3 which is a UDDI channel or yet another channel C4 which is a USSD channel of the network CN
  • the user enters the information requested at Step IV.
  • the information is encrypted and sent - Step V - over channel C3 or channel C4 of the cellular network CN to an OTA gateway, such as a 03.48 gateway. Encryption can be effected in any secure way, such as hash encryption. If the information contains a PIN - decision step VI - it is sent on to a PIN test server PTS, which contains a database of module ID information and associated PINs, where it is matched, Step VII, or not, with data stored in the database.
  • the message is forwarded - Step VIII -to the IAS, or the procedure terminated - Step XI - perhaps with a "wrong PIN" message back, to the phone MP. If the message does not contain a PIN, it is sent straight from the OTA gateway to the IAS. Messages that reach the IAS result - Step IX - in a "transaction approved" message sent back to the API and the procedure terminated at Step X. Coding in the request may specify which channel should be used for the response, so that, with a request sent over the voice and text channel, the response is sent, unpredictably, without knowledge of the coding, over either of the other channels.
  • the system can provide secure access to a personal database that might be kept in the API.
  • the database might comprise a virtual vault that securely stores personal data such as birth certificate and passport details, purchase records, from which a personal profile might be built up which could be selectively available to retailers, who might thereby recommend products and services, an address book, clearly, and a CV, as well as driving licence and insurance details. All this could be securely accessed by, and added to or changed, from a mobile phone or like device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Telephonic Communication Services (AREA)
  • Telephone Function (AREA)

Abstract

L'invention concerne un système d'authentification d'ID sécurisé permettant d'authentifier sur un réseau radio cellulaire multicanaux une réponse d'un module utilisateur comprenant une carte SIM à une demande provenant d'une interface de programmation d'applications (API) afin d'authentifier une transaction; dans ce système, une requête est envoyée à un serveur d'applications d'identité (IDS) comprenant une base de données d'informations d'identifiant de module utilisateur; le serveur IAS transmet sur un premier canal du réseau cellulaire, la requête sous forme d'un message SMS de classe 2 envoyé à la carte SIM; la carte SIM commande l'affichage de la requête sur le module utilisateur; lorsqu'une réponse est introduite, le module utilisateur crypte la réponse et des données associées et transmet les données cryptées sur un second canal du réseau cellulaire à une passerelle en direct à destination du serveur IAS; et le serveur IAS déchiffre les données et transmet la réponse à l'API.
PCT/GB2014/052998 2013-10-04 2014-10-03 Authentification sécurisée d'identifiant WO2015049540A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB1317575.7 2013-10-04
GB1317575.7A GB2518877A (en) 2013-10-04 2013-10-04 Secure ID authentication
US14/238,780 2014-02-13
US14/238,780 US9832649B1 (en) 2011-10-12 2014-02-13 Secure ID authentication

Publications (1)

Publication Number Publication Date
WO2015049540A1 true WO2015049540A1 (fr) 2015-04-09

Family

ID=51842670

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2014/052998 WO2015049540A1 (fr) 2013-10-04 2014-10-03 Authentification sécurisée d'identifiant

Country Status (1)

Country Link
WO (1) WO2015049540A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011133988A2 (fr) * 2010-04-23 2011-10-27 Thandisizwe Ezwenilethu Pama Système de vérification d'identité utilisant des ussd lancées par le réseau
WO2012004640A1 (fr) * 2010-07-08 2012-01-12 Entersect Technologies (Pty) Ltd. Authentification de transaction
US20130073463A1 (en) * 2011-09-19 2013-03-21 James Dimmick Issuer trusted party system
WO2013054073A1 (fr) * 2011-10-12 2013-04-18 The Technology Business Management Limited Système d'authentification d'identifiant (id) sécurisé

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011133988A2 (fr) * 2010-04-23 2011-10-27 Thandisizwe Ezwenilethu Pama Système de vérification d'identité utilisant des ussd lancées par le réseau
WO2012004640A1 (fr) * 2010-07-08 2012-01-12 Entersect Technologies (Pty) Ltd. Authentification de transaction
US20130073463A1 (en) * 2011-09-19 2013-03-21 James Dimmick Issuer trusted party system
WO2013054073A1 (fr) * 2011-10-12 2013-04-18 The Technology Business Management Limited Système d'authentification d'identifiant (id) sécurisé

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Secure USSD Facility for Financial Institutions Analysis and Recommendation Report Client Internal System Amber USSD Gateway", PATTERN MATCHED TECHNOLOGIES, 1 January 2010 (2010-01-01), XP055161035, Retrieved from the Internet <URL:http://www.patternmatched.com/download/pmt-docs/amber-docs/pmt-amr-ussd-sf_2d1.pdf> [retrieved on 20150109] *

Similar Documents

Publication Publication Date Title
US20210344678A1 (en) System for accessing data from multiple devices
US11122082B2 (en) System and method for second factor authentication of customer support calls
US9741033B2 (en) System and method for point of sale payment data credentials management using out-of-band authentication
KR102304778B1 (ko) 소프트웨어 애플리케이션에서 초기에 신뢰를 설정하고 주기적으로 확인하기 위한 시스템 및 방법
AU2013216868B2 (en) Tokenization in mobile and payment environments
US10552823B1 (en) System and method for authentication of a mobile device
CN105741112A (zh) 基于网络的认证支付装置、认证支付方法及认证支付系统
US20160155123A1 (en) System and method for user authentication by using a physical financial card and mobile communication terminal
CN102271041A (zh) 个人身份认证的根服务系统
JP2013514556A (ja) 安全に取引を処理するための方法及びシステム
EP2767065A1 (fr) Système d&#39;authentification d&#39;identifiant (id) sécurisé
ES2963411T3 (es) Sistema y método para la preautenticación de llamadas de atención al cliente
US9832649B1 (en) Secure ID authentication
KR20160092944A (ko) 실물카드를 이용한 온라인 금융거래 본인인증 시스템 및 방법
KR101210054B1 (ko) 비 대면 서비스 이용자 본인인증 지원시스템
KR20150142773A (ko) 스마트 오티피 인증 시스템 및 방법
KR101795849B1 (ko) 핀테크 서비스 연동을 위한 인증 장치 및 방법과 이를 위한 컴퓨터 프로그램
JP2022551997A (ja) 近距離送受信機を使用した、安全なメモリのデータアクセス制御のための、システム及び方法
WO2015049540A1 (fr) Authentification sécurisée d&#39;identifiant
KR101879842B1 (ko) Otp를 이용한 사용자 인증 방법 및 시스템
KR102451670B1 (ko) 계좌 및 성명을 공통 암호화하여 간편결제 등록을 수행하는 시스템, 및 간편결제 등록 방법
US20140297541A1 (en) ID Authentication
GB2518877A (en) Secure ID authentication
Narayana et al. Development of protected endorsement for online banking using mobile phones

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14790674

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14790674

Country of ref document: EP

Kind code of ref document: A1