WO2017042375A1 - Method of access to an on-line service by means of access tokens and of a secure element restricting the use of these access tokens to their legitimate owner - Google Patents


Info

Publication number
WO2017042375A1
Authority
WO
WIPO (PCT)
Prior art keywords
secure element
token
server
pseudonym
access token
Prior art date
Application number
PCT/EP2016/071386
Other languages
English (en)
Inventor
Denis Pinkas
Original Assignee
Dp Security Consulting Sas
Application filed by Dp Security Consulting Sas
Priority to PCT/EP2016/076261 (WO2017042400A1)
Publication of WO2017042375A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3234: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/42: Anonymization, e.g. involving pseudonyms

Definitions

  • the present invention refers to a scheme giving access to an on line service by means of pseudonyms and of attributes contained in access tokens.
  • the method particularly relates to the access to a server via a network, for example via the Internet network, by a data-processing entity called “Client Application”, which can represent an individual or a legal entity, in the “client-server” paradigm.
  • the access of a client to a server is conditioned by the presentation of some “attributes” of the user who, in the absence of his complete identity, reveal some personal data of this person.
  • the access to a server by means of the presentation of attributes is sometimes known under the English acronym ABC: “Attribute Based Credentials”.
  • a secure element also known under the name “secure element”, such as a smart card or a security module.
  • the ABC4Trust project federates two solutions: the “U Prove” solution from Microsoft and the “Identity Mixer” (IdeMix) solution from IBM Zurich. Even with the use of a secure element, at least as described in the documentation accessible to the public in May 2015, neither of these two solutions makes it possible to prevent the transfer of a quality from the person who possesses it to a person who does not possess it.
  • the purpose of the invention is to propose a simpler method making it possible to secure the access to a server without the ability to transfer a certified personal attribute from a person who has it to the benefit of a person who does not have it.
  • the invention allows the deployment of solutions of the type “Attribute Based Credentials” (ABC) which were under study within the ISO committee SC 27 WG 5, in September 2015.
  • a secure element such as the one that may be found in a smart card.
  • Such secure element shall be used by an individual, or by a legal entity or by a data-processing entity called “Client Application” (abbreviation CA), in the “client-server” paradigm.
  • This “Client Application” can also be a trusted applet implemented in a web browser, for example a Java applet.
  • the term “secure element” will be used hereafter for convenience to indicate any protected physical component able to resist physical and logical attacks and able to carry out a set of functions using at the same time protected internal data and external data provided by the environment of the secure element according to specific requirements.
  • This term covers also components known as smart cards, secure microcircuits, TPM (Trusted Platform Modules) that are present in some professional computers and UICC (Universal Integrated Circuit Cards) standardized by the 3GPP (3rd Generation Mobile System) and the ETSI (European Telecommunications Standardization Institute).
  • the invention is based on concepts defined in technical specifications from the FIDO Alliance (Fast IDentity Online), which are available at the following address: https://fidoalliance.org/specifications/download
  • the protocols described in this specification allow authentication using pseudonyms by using a different pseudonym for every server.
  • the protocols described in the documents of FIDO do not cater for and do not allow for the use of certified attributes.
  • the invention makes it possible to extend the FIDO architecture and the FIDO protocols to allow the transfer of certified attributes towards a server while respecting the principles of privacy by design.
  • figure 1 schematically illustrates the current FIDO architecture
  • figure 2 schematically illustrates the FIDO architecture enhanced according to the invention
  • figure 3 illustrates the main data contained in a secure element according to the invention.
  • the invention is a method allowing a user, using a Client Application (10), to access an on-line Service Provider server (11) (abbreviation SP) by means of a secure element (12) with specific technical requirements, of a pseudonym and of an access token containing attributes, the aforementioned access token having been obtained from a server producing tokens, i.e. a Token Issuer (13) (abbreviation TI), characterized by the fact that the Client Application (10) has no possibility to grant the benefit of the aforesaid access token to another Client Application, and that the method comprises the following steps:
  • Public Information (14) (abbreviation PI) contained in the secure element, making it possible to know or to deduce that the granting of the aforesaid public information was conditioned by the respect of security requirements and functionalities applicable to the secure element and described within the framework of the aforesaid invention, and
  • an associated private key (15) (abbreviation PrK) that will be used to carry out some specific operations, in such a manner that the digital signatures generated using the aforementioned private key will be verifiable using the aforementioned public information,
  • Public Information (14) should contain information making it possible to know, by the means of a contact to a server, if a specific public data associated with the secure element is still valid (operation using a white list) or has been invalidated (operation using a black list).
  • each secure element (12) is delivered by its supplier with:
  • a public key certificate which constitutes Public Information (14) should contain information making it possible to know, by means of a contact to a server, if a public data specific to the secure element is still valid (e.g. using white lists) or has been invalidated (e.g. using black lists).
  • each secure element (12) is delivered by its supplier with:
  • Public Information (14) containing a public data specific to the secure element, an identifier of the supplier of the secure element, as well as a public key common to a set of secure elements delivered by the aforementioned supplier of secure elements, and
  • Public Information (14) should contain information making it possible to know, by means of a contact to a server, if a public data specific to the secure element is still valid (e.g. using white lists) or has been invalidated (e.g. using black lists).
  • the invention is characterized in that, in order to create an account on a target server by means of a pseudonym and of a public key, according to the procedure n° 1 described below, the secure element (12) generates upon the request of a Client Application data making it possible to implement the creation of an account on a given Service Provider or a given Token Issuer by means of a pseudonym, the request of the Client Application being accompanied at least by the following parameter:
  • pseudonym PS which is a random value or pseudo-random value of sufficient size with respect to the number of users potentially authenticatable on the server so that the probability of a collision between pseudonyms is practically non-existent
  • the invention is characterized in that, in order to create an account on a Token Issuer server by means of a pseudonym and of a public key, according to the procedure n° 2 described below, the secure element (12) provides at the request of the Client Application (10) data making it possible to implement the creation of an account on a given Token Issuer server by means of a pseudonym (18), while simultaneously bringing to the Token Issuer the proof that a secure element (12) conforming to specific requirements described within the framework of the aforesaid invention is used, the request of the Client Application being accompanied at least by the following parameter:
  • pseudonym which is a random or pseudo-random value of sufficient size with respect to the number of users potentially authenticatable on the server so that the probability of a collision between pseudonyms is practically non-existent
  • the secure element provides data allowing authentication with respect to the Token Issuer server by digitally signing using the private key (19) generated above at least one of the following data:
  • the invention is characterized by the fact that, in order to request an access token from a Token Issuer server, according to the procedure n° 3 described below, from the moment when there already exist at least two entries (16) in the secure element (12), the first one designating a target server, i.e. the server for which the access token is intended, the second one designating a Token Issuer server whose entry has been created according to the procedure n° 2, the Client Application (10) must provide to the secure element the following elements:
  • the invention is characterized by the fact that, in order to request an access token to a Token Issuer server, according to the procedure n° 4 described below, from the moment when there exists at least already two entries (16) in the secure element (12), the first one indicating a target server, i.e. the server for which the access token is intended, the second one indicating a Token Issuer server (13) whose entry was created according to the procedure n° 1, and in this case, the Client Application (10) must provide to the secure element the same elements as those provided for the procedure n° 3, namely:
  • the invention is characterized by the fact that, in order to obtain the generation of an access token by a Token Issuer server (13), the token request addressed to the Token Issuer shall contain a signed response from the secure element in which the field designating the future owner of the access token is either a pseudonym or a public key, the aforesaid field having necessarily been selected by the Client Application (10) among the pseudonyms or public keys generated by the secure element (12), and the access token produced by the Token Issuer server (13) following the request signed by the secure element (12) includes, to designate the owner of the token, the same field as the one contained in the signed response from the secure element designating the legitimate owner of the token.
  • the invention is characterized by the fact that an access token produced by a Token Issuer server (13), following a signed request coming from a secure element (12), designates the target server for which the access token is intended by means of a stream of bytes which is not interpretable by the Token Issuer server (13). This stream of bytes is first computed locally by the Client Application (10) using a hash function with two parameters as inputs, a salt value and an identifier of the target server, and is then communicated to the Token Issuer server as a parameter of the request in order to be included in the access token. When the Client Application communicates this identifier and this salt value to the target server together with the access token, the target server shall first verify that the server identifier matches its own identifier and then combine these two values using the same hash function to verify that the result is identical to the stream of bytes contained in the access token, and thus make sure that the access token is indeed intended for itself.
  • the invention is characterized by the fact that the secure element used for this method shall have the usual properties of a hardware security module or of a secure element, within the meaning of industry standards and in particular, a resistance to external physical attacks, a resistance to differential cryptographic attacks, the impossibility of being able to duplicate the content of the secure element if this one does not authorize it, and in addition must contain the data described previously, must contain the data described in claim 2, must support the procedure n° 1, if it supports the procedure n° 2 then it must support the procedure n° 3, if it does not support the procedure n° 2 then it must support the procedure n° 4.
  • the invention is characterized in that a Token Issuer server (13) will only agree to issue an access token following a token request from a user authenticated under a given pseudonym if it is able to check that:
  • the invention is characterized by the fact that a target server will only agree after the usual checks, to associate to the account from a user authenticated under a given pseudonym or under a target specific public key the attributes contained into an access token, if that account has already been opened on this server under the pseudonym contained in the ad-hoc field of the access token, if this account is neither temporarily, nor definitively invalidated, if the date on which the access token was issued is close to the current time or if a validity period is indicated inside the access token the present time is included into that validity period, if the target server recognizes itself as a recipient of the access token and if the access token was signed by a Token Issuer server known to the target server to carry out all the checks prescribed in the previous paragraph.
  • the pseudonym used on a Service Provider (11) shall only be generated by a secure element (12) fulfilling all the criteria defined in the method, and
  • the key pair for authentication associated with this pseudonym and a Service Provider (11) shall only be generated by a secure element (12) fulfilling all the criteria defined in the method.
  • the initial architecture of FIDO is extended by two additional components:
  • Token Issuer (13) will be used to indicate either an Identity Provider (22), or an Attribute Provider (21).
  • An Identity Provider (22), as well as an Attribute Provider (21) is able to issue access tokens.
  • An access token is a stream of bits or bytes that is digitally signed by an Identity Provider (22) or by an Attribute Provider (21) and which contains, amongst other things, one or more attributes relating to a person (or to an entity). It is said that these attributes “are certified” by the Identity Provider (22) or by the Attribute Provider (21).
  • An Identity Provider (22) mainly delivers attributes of the type: name, first name, birth date, birthplace, all this information having generally been collected and checked either using national identity documents in a paper form, or using national identity documents in electronic form.
  • An Attribute Provider (21) can deliver any type of attribute, namely identity attributes and/or other attributes, for example: “Member of the golf club of Saint-Nom la Bretéche” or “Graduated with a DEA of Physics from the Paris University VI; Option ‘Games theory’”, but also attribute types such as: name, first name, date of birth, birthplace, place of residence, etc.
  • An Attribute Provider (21) may, under some cases, require the presentation of an access token produced by an Identity Provider (22) before agreeing to issue an access token.
  • Figure 1 indicates a dialog D1 (23) between the Client Application (10) and the Service Provider (11),
  • Case A the Client Application (10) directly contacts the Attribute Provider (21) by means of the dialog D2 (24) in order to obtain an access token, then contacts the Service Provider (11) by means of the dialog D1 (23) in order to transmit it to it.
  • Case B the Client Application (10) directly contacts the Identity Provider (22) by means of the dialog D3 (25) in order to obtain an access token, then contacts the Service Provider (11) by means of the dialog D1 (23) in order to transmit it to it.
  • Case C the Client Application (10) initially contacts the Identity Provider (22) by means of the dialog D3 (25) in order to obtain a security token, then contacts the Attribute Provider (21) by means of the dialog D2 (24) in order to transmit it to it, receives in return another access token and finally contacts the Service Provider (11) by means of the dialog D1 (23) in order to transmit the second access token to it.
  • the target server will usually be a Service Provider (10), but can also be an Attribute Provider (21) when an access token coming from an Identity Provider is presented to it.
  • the exchanges for these three dialogs will preferably be carried out using an HTTPS mode (or equivalent) so that the content of the exchanges will not be understandable to the external world and that any modification or replay of an exchange can be detected.
  • Before being able to request an access token from a Token Issuer server, the Client Application (10) must first create an account on this Token Issuer server using a secure element (12).
  • Before being able to present an access token to a target server, the Client Application (10) must first create an account on the target server using a secure element (12).
  • the creation of these accounts will preferably be carried out through a connection using an HTTPS mode (or equivalent) so that the Client Application located on the workstation of the user can obtain the assurance of being connected to the “genuine server”.
  • HTTPS HyperText Transfer Protocol
  • the Client Application (10) can then contact a Token Issuer server in order to obtain an access token (13) which will contain one or more attributes and which will then be presented to a target server. According to the attributes contained inside the token, the access will then be authorized or not by the target server.
  • a Token Issuer server (13) shall not agree to issue an access token to a user unless it has been able to obtain the assurance that the access token has been requested following a request from a user who uses a secure element (12) which has characteristics which are the subject of the method.
  • the invention mandates that target servers follow a Rule 2: a target server will not accept an access token from a Token Issuer server (13) unless it has been able to obtain the assurance that the access token that was generated by this Token Issuer server (13) has been requested following a request from a user who uses a secure element (12) which has all the characteristics which are the subject of the method.
  • the secure element is an Integrated Card Circuit (ICC).
  • no access token will be delivered by a Token Issuer server (13), unless the user has been able to demonstrate during the creation of the account, or failing this, at the time of the first token request, or failing this, at the time of each token request, that it uses a physical device which has, on the one hand, all the general characteristics of a secure element, in particular: resistance to the external physical attacks, resistance to the differential cryptographic attacks, impossibility of duplicating the contents of a secure element unless the secure element does not authorize the access to certain contents; and in addition specific complementary characteristics which are essential to the correct operation of the method. Those will be detailed hereafter.
  • the Service Provider (11) will obtain on his side an indirect assurance owing to the fact that the user indeed uses a secure element which has all the characteristics which are the subject of the method. Indeed, the Service Provider (11) will grant his confidence only to Token Issuers (13) which guarantee to him to carry out this checking.
  • Each secure element (12) must contain :
  • the public information makes it possible to know directly or indirectly that its granting has been conditioned by the assurance that the secure element (12) fulfils the requirements imposed on the secure element because of the method, for example, by issuing a public key certificate issued under a given Certification Policy (CP).
  • a secure element (12) in conformance with the requirements of the method will preferably have to be certified by an independent organization according to a set of requirements established in the form of a Protection Profile (PP) and with a level of assurance “high”, for example “EAL4+”.
  • Each secure element manufacturer providing secure elements in conformity with the requirements of the method should make sure that the Public Information (14) contained in the secure element (12) contains at least information making it possible to know, by the means of a contact to a server, if a public data specific to the secure element is still valid or has been invalidated.
  • the secure element (12) shall be able to generate two pieces of data and to associate them with an identifier of the target server IdS (17), as illustrated on Figure 3:
  • pseudonym PS that is a random or pseudo-random value of sufficient size to avoid any collision between pseudonyms on the server in question and which shall mandatorily be generated by the secure element
  • a key pair (i.e. a private key CP (19) and a public key) which shall mandatorily be generated by the secure element.
  • an index can be added.
  • the secure element stores permanently, in an “entry” (16), at least the following three pieces of information:
  • each entry may be able moreover to include:
  • the Client Application (10) can require that the private key (15) specific to the secure element (12), as well as the public information (14) making it possible to check the data signed with the private key (15) specific to this secure element (12), be used at the time of the authentication. If this is the case, this characteristic can be stored in the secure element (12) so that the Client Application (10) can take it into account and avoid making this same request again at the time of another authentication.
  • a command may be used by the Client Application allowing, after the agreement of the user, the removal of one or more entries (16).
  • the Client Application will also be able to provide to the secure element a complementary indicator enabling it to make the difference between an entry relating to a Service Provider (11) and an entry relating to a Token Issuer server (13).
  • the indicator will be stored by the secure element (12) in the entry (16) as a complementary data (20) in question.
  • an access token produced by a Token Issuer server and intended for a target server shall contain at least the following information:
  • a validity period of the access token, possibly associated with a field making it possible to check the revocation status of this token; or, for a mono session token, the time when the access token was issued, usually a UTC (Universal Coordinated Time) time,
  • the field (a) makes it possible for the target server to know for which pseudonym the access token has been issued. If the pseudonym is not recognized, the access token shall be rejected by the target server.
  • the field (b) makes it possible for the target server to know the attributes certified as produced by an Identity Provider (22) or by an Attribute Provider (21).
  • the field (c) makes it possible to make sure of the identity of the signer of the security token.
  • the field (d) makes it possible to deliver mono session security tokens or multi sessions security tokens.
  • the attributes present in the access token will only be maintained by the Service Provider (11) during one session. Any session will have a limited duration, with time-out in the event of a prolonged inactivity.
  • the field (e) makes it possible to identify the serial number of the access token with the aim of revoking it, for example, using a mechanism such as CRLs (Certificate Revocation Lists) or OCSP responses (On-line Certificate Status Protocol).
  • the field (e) also makes it possible to identify in a unique way, in particular for audit purposes, an access token issued by a Token Issuer server.
  • the field (f) makes it possible to target the access token for a given target server, without allowing the identification of this server by the Token Issuer. To this end, before requesting an access token from a Token Issuer, the user will hide the identifier of the target server in the following way.
  • He combines, by means of a one-way hash function, the identifier of the target server with a random or pseudo-random value of sufficient size, called a “salt”.
  • the result of the computation is placed in the field (f) called “stream of bytes representative of the target server”.
  • the identifier of a target server containing a semantics is thus never present in the access token and the identifier or the identity of the target server remains thus completely unknown to the server producing the token.
  • the identifier or the identity of an Attribute Provider (21) remains completely unknown to an Identity Provider (22). This constitutes an advantageous feature of the method.
  • the Client Application communicates to the target server the value of the salt while a fixed rule is defined to transform the address of the target server to identify the target server.
  • the target server knowing at the same time the value of the salt and its own identifier is able to check that the value contained in the field (f) is indeed the one that it will have recomputed locally. If it were not the case, the access token will have to be rejected.
  • For the creation of an account on a Token Issuer server, the user transmits to the secure element:
  • the field (d) could also belong to the data signed by the private key generated by the secure element for this server, but for security reasons that is not necessary.
  • a digital signature is generally computed using a private key on a hash value computed using a one-way hash function supplemented when necessary by padding bits.
  • the field (c) makes it possible to prove the possession of the public key contained in the field (b).
  • the field (e) allows the Token Issuer server to make sure using the field (d) that the received data come indeed from a secure element in conformance with the requirements of the method and that it is indeed this certificate which belongs to the secure element. Once these checks have been carried out, the Token Issuer server creates an account associated with the pseudonym and the public key that were generated by the secure element.
  • the fields (d) and (e) can moreover be considered as being a protection able to counter inopportune openings of accounts, because only a holder of a secure element in conformity with the requirements of the method will be able to open an account on a Token Issuer server.
  • For the creation of an account on a Service Provider (11), the user transmits to the secure element:
  • eID-PIN electronic Identification - Personal Identification Number
  • PIN Personal Identification Number
  • the Client Application will be able to require confirmation by means of a man-machine interaction and to present the eID-PIN to the secure element in a way that is transparent for the user.
  • the operations described hereafter make it possible to use the challenge technique as well as the unique-number technique.
  • the challenge received during the second exchange is included in the data conveyed during the third exchange, while in the second case, the unique number is directly included in the data conveyed during the first exchange.
  • the challenge or the unique number must thus always be transmitted by the Client Application to the secure element.
  • the user transmits to the secure element the following elements:
  • the lifetime of the secure element's certificate may lead to adding two complementary protocol elements, insofar as:
  • the two complementary protocol elements are the following:
  • the new certificate, for example an X.509 certificate, carrying the public key specific to the secure element, and
  • the choice is to be made by the user according to the volume of the data to be exchanged and/or the importance of the semantics of these data.
  • the user transmits to the secure element the following elements:
  • the user will have to indicate to the secure element that he agrees to authenticate, for example, by presenting an eID-PIN.
  • the user transmits to the secure element the following elements:
  • the field (a) ensures protection against replay. It should be noted that this protection complements the one offered by the HTTPS protocol, if it is used.
  • the field (b) allows the Client Application A, following a dialog with the user, to request only the attributes which the user wishes to be included in the token. It is related to the combination of two privacy principles usually known under the names "data minimization" and "user consent".
  • the field (c) makes it possible to deliver a mono-session token or a multi-session security token.
  • the field (d) is "copied and pasted" into the access token by the Token Issuer server.
  • the field (e) is of primary importance because it makes it possible to select the pseudonym of the user that will be included in the security token. It is particularly important to note that this pseudonym must already be present in the secure element, that it has therefore necessarily been generated by the secure element, and that consequently it cannot in any case be the pseudonym used by another person with whom the requestor of the access token is in collusion. It is this fundamental characteristic that makes it possible to prevent the transfer of an attribute pertaining to one person (or entity) to the benefit of one or several other people (or entities), even if these people (or entities) are in collusion.
  • the field (f) has two uses:
  • the server will be able to incorporate the required attributes, obviously insofar as the user indeed possesses them.
  • the user has the possibility of requesting each attribute either by indicating only its type, or by indicating at the same time its type and a value.
  • the server will be able to generate a multi-session token or a mono-session token, insofar as it supports the two types of tokens.
  • the value contained in the field (d) is blindly copied from the field (d) of the command. Later on, this same field will be blindly copied into the field (f) of the access token by the Token Issuer server. In this way, a Token Issuer server cannot identify the servers consuming the tokens by simple examination of the received commands.
  • the value contained in the field (e) is the pseudonym that comes from the value contained in the secure element in the entry pointed to by the field (e) of the command.
  • the field (f) will allow the Token Issuer server to select the suitable public key in order to enable it to check the digital signature contained in the field (g).
  • Before the issuance of a security token, the Token Issuer server should check that the certificate of the secure element attached to the account is not revoked. If this certificate has been revoked, then the required token shall not be issued.
  • TLV Type, Length, Value
  • BER Basic Encoding Rules
  • DER Distinguished Encoding Rules
  • Another approach is to systematically insert at the head of the message (or at the tail of the message) a different code that makes it possible to distinguish a response to a command requesting an access token from a response to any other command, in particular a command ensuring the integrity and the authentication of external data. As long as the coding of the fields or of the additional data is part of the data that enter into the computation of the digital signature, it is possible to discriminate between the various types of messages.
  • the access token may be transmitted after the authentication of the user by means of his pseudonym; the connection between messages and access tokens being then performed through the use of the HTTPS protocol,
  • the access token may be part of the content of a message being protected using data origin authentication, the connection between the message and the token being then established whether the HTTPS protocol is used or not.
  • the secure element will be implemented by means of a single electronic component, or by means of several electronic components encapsulated in another component, or by means of several electronic components protected by a secure enclosure, generally called a "cryptographic module", any of these implementations having the protections described in the invention, while the aforementioned "secure element" will be interfaced with its external environment either by means of an interface with contacts or by means of a contactless interface.
  • Figure 1 schematically illustrates the original FIDO architecture.
  • Figure 2 schematically illustrates the FIDO architecture supplemented according to the invention.
  • Figure 3 illustrates the essential data contained in a secure element according to the invention.
  • CV certificate Card Verifiable certificate.
  • EAL4 Evaluation Assurance Level 4.
  • eID-PIN electronic Identification - Personal Identification Number.
  • ETSI European Telecommunications Standards Institute.
  • FIDO Fast IDentity Online.
  • ICC Integrated Circuit Card.
  • HTTP Hypertext Transfer Protocol
  • HTTPS Hypertext Transfer Protocol Secure
  • OCSP Online Certificate Status Protocol.
  • PIN Personal Identification Number
  • TLV Type, Length, Value.
  • TPM Trusted Platform Module
  • UTC Coordinated Universal Time.
  • X.509 Recommendation of the ITU-T X.509: Open Systems Interconnection - The Directory: Public key and attribute certificate frameworks.
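
The target-binding check described in the list above (the Client Application sends the salt to the target server, the Token Issuer blindly copies field (d) of the command into field (f) of the token, and the target server recomputes the value locally) is shown here as an added example that is not taken from the patent. SHA-256, the length-prefixed concatenation, the host:port normalisation used as the "fixed rule", and all function names are assumptions; the issuer's signature over the token is left out.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


def canonical_server_id(address: str) -> bytes:
    """Assumed 'fixed rule': lowercase host without trailing dot, plus explicit port."""
    parts = urlsplit(address if "://" in address else "https://" + address)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("address has no host component")
    port = parts.port or {"http": 80}.get(parts.scheme, 443)
    return f"{host}:{port}".encode("utf-8")


def blinded_target(salt: bytes, address: str) -> bytes:
    """Value carried in field (d) of the command and field (f) of the token."""
    server_id = canonical_server_id(address)
    # The salt is length-prefixed so that two different (salt, id) pairs
    # can never produce the same hash input.
    return hashlib.sha256(len(salt).to_bytes(2, "big") + salt + server_id).digest()


def client_build_command(target_address: str):
    """Client Application side: pick a fresh salt and blind the target identifier."""
    salt = secrets.token_bytes(16)
    command = {"d": blinded_target(salt, target_address)}
    return salt, command  # the salt goes to the target server, never to the issuer


def issuer_build_token(command: dict, pseudonym: bytes) -> dict:
    """Token Issuer side: field (d) is copied blindly into field (f).

    The issuer sees only an opaque 32-byte value, so it cannot tell which
    server will consume the token. A real token is also signed by the issuer.
    """
    return {"pseudonym": pseudonym, "f": command["d"]}


def target_accepts(token: dict, salt: bytes, own_address: str) -> bool:
    """Target server side: recompute field (f) locally and compare in constant time."""
    expected = blinded_target(salt, own_address)
    return hmac.compare_digest(token["f"], expected)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    salt, command = client_build_command("https://Shop.Example.com/login")
    token = issuer_build_token(command, b"pseudonym-1")
    print("accepted by intended server:", target_accepts(token, salt, "shop.example.com"))
    print("accepted by another server: ", target_accepts(token, salt, "other.example.net"))
```
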

Abstract

The present invention relates to a method that allows a user, using a client application, to access an online target server by means of a secure element, a pseudonym and an access token that contains attributes, the aforementioned access token having been obtained from a token issuer server, which may be an attribute provider or an identity provider, said method being characterized in that the client application that obtains the access token is unable to grant the benefit of the aforementioned access token to another client application, and in that the method comprises the following steps:
- the provision, to users, of secure elements with specific characteristics by secure element providers,
- the creation of an account on a target server by means of a pseudonym, a public key and such a secure element,
- the creation of an account on a token issuer server by means of a pseudonym, a public key and such a secure element,
- the request for an access token from a token issuer server by means of a pseudonym, or alternatively a public key, and such a secure element,
- the generation of an access token by a token issuer server, and
- the acceptance of the access token by the target server.
PCT/EP2016/071386 2015-09-11 2016-09-10 Method for accessing an online service by means of access tokens and a secure element restricting the use of these access tokens to their legitimate owner WO2017042375A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2016/076261 WO2017042400A1 (fr) 2015-09-11 2016-10-31 Method for accessing an online service by means of access tokens and secure elements restricting the use of these access tokens to their legitimate owner

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1501894A FR3041195A1 (fr) 2015-09-11 2015-09-11 Method for accessing an online service by means of a secure microcircuit and security tokens restricting the use of these tokens to their legitimate holder
FR1501894 2015-09-11

Publications (1)

Publication Number Publication Date
WO2017042375A1 (fr) 2017-03-16

Family

ID=55345859

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2016/071386 WO2017042375A1 (fr) 2015-09-11 2016-09-10 Method for accessing an online service by means of access tokens and a secure element restricting the use of these access tokens to their legitimate owner

Country Status (2)

Country Link
FR (1) FR3041195A1 (fr)
WO (1) WO2017042375A1 (fr)


Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120084565A1 (en) * 2010-09-30 2012-04-05 Microsoft Corporation Cryptographic device that binds an additional authentication factor to multiple identities
WO2014005148A1 (fr) * 2012-06-29 2014-01-03 Id Dataweb, Inc. System and method for establishing and monetizing secure identities in cyberspace, including a personal data service and a user console


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
BJONES RONNY ET AL: "Integrating Anonymous Credentials with eIDs for Privacy-Respecting Online Authentication", 10 October 2012, CORRECT SYSTEM DESIGN; [LECTURE NOTES IN COMPUTER SCIENCE; LECT.NOTES COMPUTER], SPRINGER INTERNATIONAL PUBLISHING, CHAM, PAGE(S) 111 - 124, ISBN: 978-3-540-72913-6, ISSN: 0302-9743, XP047265617 *

US11544707B2 (en) 2018-10-02 2023-01-03 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10992477B2 (en) 2018-10-02 2021-04-27 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US11610195B2 (en) 2018-10-02 2023-03-21 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US11563583B2 (en) 2018-10-02 2023-01-24 Capital One Services, Llc Systems and methods for content management using contactless cards
US11361302B2 (en) 2019-01-11 2022-06-14 Capital One Services, Llc Systems and methods for touch screen interface interaction using a card overlay
US11037136B2 (en) 2019-01-24 2021-06-15 Capital One Services, Llc Tap to autofill card data
US10467622B1 (en) 2019-02-01 2019-11-05 Capital One Services, Llc Using on-demand applications to generate virtual numbers for a contactless card to securely autofill forms
US11120453B2 (en) 2019-02-01 2021-09-14 Capital One Services, Llc Tap card to securely generate card data to copy to clipboard
US10510074B1 (en) 2019-02-01 2019-12-17 Capital One Services, Llc One-tap payment using a contactless card
US10425129B1 (en) 2019-02-27 2019-09-24 Capital One Services, Llc Techniques to reduce power consumption in near field communication systems
US10523708B1 (en) 2019-03-18 2019-12-31 Capital One Services, Llc System and method for second factor authentication of customer support calls
US10438437B1 (en) 2019-03-20 2019-10-08 Capital One Services, Llc Tap to copy data to clipboard via NFC
US10535062B1 (en) 2019-03-20 2020-01-14 Capital One Services, Llc Using a contactless card to securely share personal data stored in a blockchain
US10783736B1 (en) 2019-03-20 2020-09-22 Capital One Services, Llc Tap to copy data to clipboard via NFC
US10984416B2 (en) 2019-03-20 2021-04-20 Capital One Services, Llc NFC mobile currency transfer
US10643420B1 (en) 2019-03-20 2020-05-05 Capital One Services, Llc Contextual tapping engine
US10970712B2 (en) 2019-03-21 2021-04-06 Capital One Services, Llc Delegated administration of permissions using a contactless card
US10467445B1 (en) 2019-03-28 2019-11-05 Capital One Services, Llc Devices and methods for contactless card alignment with a foldable mobile device
US11521262B2 (en) 2019-05-28 2022-12-06 Capital One Services, Llc NFC enhanced augmented reality information overlays
US10516447B1 (en) 2019-06-17 2019-12-24 Capital One Services, Llc Dynamic power levels in NFC card communications
US11392933B2 (en) 2019-07-03 2022-07-19 Capital One Services, Llc Systems and methods for providing online and hybridcard interactions
US11694187B2 (en) 2019-07-03 2023-07-04 Capital One Services, Llc Constraining transactional capabilities for contactless cards
US10871958B1 (en) 2019-07-03 2020-12-22 Capital One Services, Llc Techniques to perform applet programming
US10713649B1 (en) 2019-07-09 2020-07-14 Capital One Services, Llc System and method enabling mobile near-field communication to update display on a payment card
US10885514B1 (en) 2019-07-15 2021-01-05 Capital One Services, Llc System and method for using image data to trigger contactless card transactions
US10498401B1 (en) 2019-07-15 2019-12-03 Capital One Services, Llc System and method for guiding card positioning using phone sensors
US11182771B2 (en) 2019-07-17 2021-11-23 Capital One Services, Llc System for value loading onto in-vehicle device
US10733601B1 (en) 2019-07-17 2020-08-04 Capital One Services, Llc Body area network facilitated authentication or payment authorization
US10832271B1 (en) 2019-07-17 2020-11-10 Capital One Services, Llc Verified reviews using a contactless card
US11521213B2 (en) 2019-07-18 2022-12-06 Capital One Services, Llc Continuous authentication for digital services based on contactless card positioning
US10506426B1 (en) 2019-07-19 2019-12-10 Capital One Services, Llc Techniques for call authentication
US10541995B1 (en) 2019-07-23 2020-01-21 Capital One Services, Llc First factor contactless card authentication system and method
US11638148B2 (en) 2019-10-02 2023-04-25 Capital One Services, Llc Client device authentication using contactless legacy magnetic stripe data
US10701560B1 (en) 2019-10-02 2020-06-30 Capital One Services, Llc Client device authentication using contactless legacy magnetic stripe data
US11113685B2 (en) 2019-12-23 2021-09-07 Capital One Services, Llc Card issuing with restricted virtual numbers
US10657754B1 (en) 2019-12-23 2020-05-19 Capital One Services, Llc Contactless card and personal identification system
US10885410B1 (en) 2019-12-23 2021-01-05 Capital One Services, Llc Generating barcodes utilizing cryptographic techniques
US10733283B1 (en) 2019-12-23 2020-08-04 Capital One Services, Llc Secure password generation and management using NFC and contactless smart cards
US11651361B2 (en) 2019-12-23 2023-05-16 Capital One Services, Llc Secure authentication based on passport data stored in a contactless card
US11615395B2 (en) 2019-12-23 2023-03-28 Capital One Services, Llc Authentication for third party digital wallet provisioning
US10862540B1 (en) 2019-12-23 2020-12-08 Capital One Services, Llc Method for mapping NFC field strength and location on mobile devices
US11200563B2 (en) 2019-12-24 2021-12-14 Capital One Services, Llc Account registration using a contactless card
US10664941B1 (en) 2019-12-24 2020-05-26 Capital One Services, Llc Steganographic image encoding of biometric template information on a card
US10853795B1 (en) 2019-12-24 2020-12-01 Capital One Services, Llc Secure authentication based on identity data stored in a contactless card
US10909544B1 (en) 2019-12-26 2021-02-02 Capital One Services, Llc Accessing and utilizing multiple loyalty point accounts
US10757574B1 (en) 2019-12-26 2020-08-25 Capital One Services, Llc Multi-factor authentication providing a credential via a contactless card for secure messaging
US11038688B1 (en) 2019-12-30 2021-06-15 Capital One Services, Llc Techniques to control applets for contactless cards
US11455620B2 (en) 2019-12-31 2022-09-27 Capital One Services, Llc Tapping a contactless card to a computing device to provision a virtual number
US10860914B1 (en) 2019-12-31 2020-12-08 Capital One Services, Llc Contactless card and method of assembly
US11210656B2 (en) 2020-04-13 2021-12-28 Capital One Services, Llc Determining specific terms for contactless card activation
US11823175B2 (en) 2020-04-30 2023-11-21 Capital One Services, Llc Intelligent card unlock
US11562346B2 (en) 2020-04-30 2023-01-24 Capital One Services, Llc Contactless card with multiple rotating security keys
US11030339B1 (en) 2020-04-30 2021-06-08 Capital One Services, Llc Systems and methods for data access control of personal user data using a short-range transceiver
US10861006B1 (en) 2020-04-30 2020-12-08 Capital One Services, Llc Systems and methods for data access control using a short-range transceiver
US11222342B2 (en) 2020-04-30 2022-01-11 Capital One Services, Llc Accurate images in graphical user interfaces to enable data transfer
US10915888B1 (en) 2020-04-30 2021-02-09 Capital One Services, Llc Contactless card with multiple rotating security keys
US11270291B2 (en) 2020-04-30 2022-03-08 Capital One Services, Llc Systems and methods for data access control using a short-range transceiver
US10963865B1 (en) 2020-05-12 2021-03-30 Capital One Services, Llc Augmented reality card activation experience
US11063979B1 (en) 2020-05-18 2021-07-13 Capital One Services, Llc Enabling communications between applications in a mobile operating system
US11100511B1 (en) 2020-05-18 2021-08-24 Capital One Services, Llc Application-based point of sale system in mobile operating systems
US11062098B1 (en) 2020-08-11 2021-07-13 Capital One Services, Llc Augmented reality information display and interaction via NFC based authentication
US11165586B1 (en) 2020-10-30 2021-11-02 Capital One Services, Llc Call center web-based authentication using a contactless card
US11482312B2 (en) 2020-10-30 2022-10-25 Capital One Services, Llc Secure verification of medical status using a contactless card
US11373169B2 (en) 2020-11-03 2022-06-28 Capital One Services, Llc Web-based activation of contactless cards
US11216799B1 (en) 2021-01-04 2022-01-04 Capital One Services, Llc Secure generation of one-time passcodes using a contactless card
US11682012B2 (en) 2021-01-27 2023-06-20 Capital One Services, Llc Contactless delivery systems and methods
US11687930B2 (en) 2021-01-28 2023-06-27 Capital One Services, Llc Systems and methods for authentication of access tokens
US11922417B2 (en) 2021-01-28 2024-03-05 Capital One Services, Llc Systems and methods for near field contactless card communication and cryptographic authentication
US11562358B2 (en) 2021-01-28 2023-01-24 Capital One Services, Llc Systems and methods for near field contactless card communication and cryptographic authentication
US11792001B2 (en) 2021-01-28 2023-10-17 Capital One Services, Llc Systems and methods for secure reprovisioning
US11438329B2 (en) 2021-01-29 2022-09-06 Capital One Services, Llc Systems and methods for authenticated peer-to-peer data transfer using resource locators
US11777933B2 (en) 2021-02-03 2023-10-03 Capital One Services, Llc URL-based authentication for payment cards
US11637826B2 (en) 2021-02-24 2023-04-25 Capital One Services, Llc Establishing authentication persistence
US20220311475A1 (en) 2021-03-26 2022-09-29 Capital One Services, Llc Network-enabled smart apparatus and systems and methods for activating and provisioning same
US11245438B1 (en) 2021-03-26 2022-02-08 Capital One Services, Llc Network-enabled smart apparatus and systems and methods for activating and provisioning same
US11848724B2 (en) 2021-03-26 2023-12-19 Capital One Services, Llc Network-enabled smart apparatus and systems and methods for activating and provisioning same
US11935035B2 (en) 2021-04-20 2024-03-19 Capital One Services, Llc Techniques to utilize resource locators by a contactless card to perform a sequence of operations
US11961089B2 (en) 2021-04-20 2024-04-16 Capital One Services, Llc On-demand applications to extend web services
US11902442B2 (en) 2021-04-22 2024-02-13 Capital One Services, Llc Secure management of accounts on display devices using a contactless card
US11354555B1 (en) 2021-05-04 2022-06-07 Capital One Services, Llc Methods, mediums, and systems for applying a display to a transaction card
US11974127B2 (en) 2021-08-18 2024-04-30 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
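CN116992419A (zh) * 2023-09-28 2023-11-03 Jiangxi Provincial Information Center (Jiangxi Provincial E-Government Network Management Center, Jiangxi Provincial Credit Center, Jiangxi Provincial Big Data Center) Map service sharing permission control method, system, electronic device and storage medium
CN116992419B (zh) * 2023-09-28 2024-01-02 Jiangxi Provincial Information Center (Jiangxi Provincial E-Government Network Management Center, Jiangxi Provincial Credit Center, Jiangxi Provincial Big Data Center) Map service sharing permission control method, system, electronic device and storage medium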

Also Published As

Publication number Publication date
FR3041195A1 (fr) 2017-03-17

Similar Documents

Publication Publication Date Title
WO2017042375A1 (fr) Method for accessing an online service by means of access tokens and a secure element restricting the use of these access tokens to their legitimate owner
WO2017042400A1 (fr) Method for accessing an online service by means of access tokens and secure elements restricting the use of these access tokens to their legitimate owner
US10929524B2 (en) Method and system for verifying an access request
Neuman et al. The Kerberos network authentication service (V5)
KR100962399B1 (ko) Method for providing an anonymous public key infrastructure and method for providing a service using the same
US6148404A (en) Authentication system using authentication information valid one-time
US8090939B2 (en) Digital certificate that indicates a parameter of an associated cryptographic token
JP7083892B2 (ja) Mobile authentication interoperability for digital certificates
CA2357792C (fr) Method and device for performing protected transactions
EP2721764B1 (fr) Revocation status using other credentials
US20100268942A1 (en) Systems and Methods for Using Cryptographic Keys
KR20020081269A (ko) Method for issuing an electronic identity
US9398024B2 (en) System and method for reliably authenticating an appliance
Neuman et al. RFC 4120: The Kerberos network authentication service (V5)
KR101051420B1 (ko) Apparatus and method for secure OTP generation
Stapleton et al. Security Without Obscurity: A Guide to PKI Operations
EP2530868A1 (fr) Method for generating an anonymous, unlinkable and routable identification token
KR20020086030A (ko) User authentication method and system using a public key certificate that includes personal identification information
Srinivas et al. FIDO UAF architectural overview
Costa Reducing fraud in authentication systems using attribute certificates
do Vale Remote Qualified Digital Signatures
Alrodhan Privacy and practicality of identity management systems
Wiesmaier Johannes A. Buchmann· Evangelos Karatsiolis
Maeda et al. Mutual Authentication Protocol for HTTP draft-ietf-httpauth-mutual-03
Raeburn Network working group c. neuman request for comments: 4120 USC-ISI obsoletes: 1510 t. Yu category: Standards track s. hartman

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16778997

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16778997

Country of ref document: EP

Kind code of ref document: A1