WO2017042375A1 - Procédé d'accès à un service en ligne au moyen de jetons d'accès et d'un élément sécurisé limitant l'utilisation de ces jetons d'accès à leur propriétaire légitime - Google Patents
Procédé d'accès à un service en ligne au moyen de jetons d'accès et d'un élément sécurisé limitant l'utilisation de ces jetons d'accès à leur propriétaire légitime Download PDFInfo
- Publication number
- WO2017042375A1 WO2017042375A1 PCT/EP2016/071386 EP2016071386W WO2017042375A1 WO 2017042375 A1 WO2017042375 A1 WO 2017042375A1 EP 2016071386 W EP2016071386 W EP 2016071386W WO 2017042375 A1 WO2017042375 A1 WO 2017042375A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- secure element
- token
- server
- pseudonym
- access token
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/42—Anonymization, e.g. involving pseudonyms
Definitions
- the present invention refers to a scheme giving access to an on line service by means of pseudonyms and of attributes contained in access tokens.
- the method particularly relates to the access to a server via a network, for example via the Internet network, by a data-processing entity called “Client Application”, which can represent an individual or a legal entity, in the “client-server” paradigm.
- Client Application a data-processing entity
- client-server a data-processing entity
- the access of a client to a server is conditioned by the presentation of some “attributes” of the user who, in the absence of his complete identity, reveal some personal data of this person.
- some “attributes” of the user who, in the absence of his complete identity, reveal some personal data of this person.
- the access to a server by means of the presentation of attributes is sometimes known under the English acronym ABC: “Attribute Based Credentials”.
- a secure element also known under the name “secure element”, such as a smart card or a security module.
- secure element such as a smart card or a security module.
- the ABC4Trust project federates two solutions: the “U Prove” solution from Microsoft and the “Identity Mixer” (IdeMix) solution from IBM Zurich. Even with the use of a secure element, at least as described in the documentation accessible to the public in May 2015, none of these two solutions makes it possible to prevent the transfer of a quality from the person who possesses it, towards a person who does not possess it.
- the purpose of the invention is to propose a simpler method making it possible to secure the access to a server without the ability to transfer a certified personal attribute from a person who has it to the benefit of a person who does not have it.
- the invention allows the deployment of solutions of the type “Attribute Based Credentials” (ABC) which were under study within the ISO committee SC 27 WG 5, in September 2015.
- a secure element such as the one that may be found in a smart card.
- Such secure element shall be used by an individual, or by a legal entity or by a data-processing entity called “Client Application” (abbreviation CA), in the “client-server” paradigm.
- CA Client Application
- This “Client Application” can also be a trusted applet implemented in a web browser, for example a Java applet.
- secure element will be used hereafter by convenience to indicate any protected physical component able to resist to physical and logical attacks and able to carry out a set of functions using at the same time protected internal data and external data provided by the environment of the secure element according to specific requirements.
- This term covers also components known as smart cards, secure microcircuits, TPM (Trusted Platform Modules) that are present in some professional computers and UICC (Universal Integrated Circuit Cards) standardized by the 3GPP (3rd Generation Mobile System) and the ETSI (European Telecommunications Standardization Institute).
- TPM Trustet Platform Modules
- UICC Universal Integrated Circuit Cards
- ETSI European Telecommunications Standardization Institute
- the invention is based on concepts defined in technical specifications from the Alliance FIDO (Fast Identity One line) which are available at the following address: https://fidoalliance.org/specifications/download
- the protocols described in this specification allow authentication using pseudonyms by using a different pseudonym for every server.
- the protocols described in the documents of FIDO do not cater for and do not allow for the use of certified attributes.
- the invention makes it possible to extend the FIDO architecture and the FIDO protocols to allow the transfer of certified attributes towards a server while respecting the principles of privacy by design.
- figure 1 schematically illustrates the current FIDO architecture
- figure 2 schematically illustrates the FIDO architecture enhanced according to the invention
- figure 3 illustrates the main data contained in a secure element according to the invention.
- the invention is a method allowing a user, using a Client Application (10), to access to an on-line Service Provider server (11) (abbreviation SP) by means of a secure element (12) with specific technical requirements, of a pseudonym and of an access token containing attributes, the aforementioned access token having been obtained from a server producing tokens, i.e. a Token Issuer (13), abbreviation (TI), characterized by the fact that the Client Application (10) has no possibility to grant the benefit of the aforesaid access token to another Client Application, and that the method comprises the following steps:
- Public Information (14) (abbreviation PI) contained in the secure element allowing to know or to deduce that the granting of the aforesaid public information was conditioned by the respect of security requirements and functionalities applicable to the secure element and described within the framework of the aforesaid the invention, and
- an associated private key (15) (abbreviation PrK) that will be used to carry out some specific operations, in manner such as the digital signatures generated using the aforementioned private key will be verifiable using the aforementioned public information,
- Public Information (14) should contain information making it possible to know, by the means of a contact to a server, if a specific public data associated with the secure element is still valid (operation using a white list) or has been invalidated (operation using a black list).
- each secure element (12) is delivered by its supplier with:
- public key certificate which constitutes Public Information (14) should contain information making it possible to know, by the means of a contact to a server, if a public data specific to the secure element is still valid (e.g. using white lists) or were invalidated (e.g. using black lists).
- each secure element (12) is delivered by its supplier with:
- Public Information (14) containing a public data specific to the secure element, an identifier of the supplier of the secure element, as well as a public key common to a set of secure elements delivered by the aforementioned supplier of secure elements, and
- Public Information (14) should contain information allowing of knowing, by means of a contact to a server, if a public data specific to the secure element is still valid (e.g. using white lists) or were invalidated (e.g. using black lists).
- the invention is characterized in that ,in order to create an account on a target server by means of a pseudonym and of a public key, according to the procedure n° 1 described below, the secure element (12) generates upon the request of a Client Application data making it possible to implement the creation of an account on a given Service Provider or a given Token Issuer by means of a pseudonym, the request of the Client Application being accompanied at least by the following parameter:
- pseudonym PS which is a random value or pseudo-random value of sufficient size with respect to the number of users potentially authenticatable on the server so that the probability that it can exist a collision between pseudonyms is practically non-existent
- the invention is characterized in that , in order to create an account on a Token Issuer server by means of a pseudonym and of a public key, according to the procedure n° 2 described below, the secure element (12) provides at the request of the Client Application (10) data making possible to implement the creation of an account on a given Token Issuer server by means of a pseudonym (18), while simultaneously bringing to the server the proof to the Token Issuer that a secure element (12) conforms to specific requirements described within the framework of the aforesaid the invention is used, the request of the Client Application being accompanied at least by the following parameter:
- pseudonym which is a random or a pseudo random value of sufficient size with respect to the number of users and particularly with a signed response obtained from a secure element following an access token request addressed to the secure element potentially authenticatable on the server so that the probability that it can exist a collision between pseudonyms is practically non-existent
- the secure element provides data allowing authentication with respect to the Token Issuer server by digitally signing using the private key (19) generated above at least one of the following data:
- the invention is characterized by the fact that , in order to request an access token to a Token Issuer server, according to the procedure n° 3 described below, from the moment where there already exists at least two entries(16) in the secure element (12), the first one designating a target server, i.e. the server for which the access token is intended, the second one designating a Token Issuer server whose entry has been created according to the procedure n° 2, the Client Application (10) must provide to the secure element the following elements:
- the invention is characterized by the fact that, in order to request an access token to a Token Issuer server, according to the procedure n° 4 described below, from the moment when there exists at least already two entries (16) in the secure element (12), the first one indicating a target server, i.e. the server for which the access token is intended, the second one indicating a Token Issuer server (13) whose entry was created according to the procedure n° 1, and in this case, the Client Application (10) must provide to the secure element the same elements as those provided for the procedure n° 3, namely:
- the invention is characterized by the fact that, in order to request an access token to a Token Issuer server, according to the procedure n° 4 described below, from the moment when there exists at least already two entries in the secure element, the first one indicating a target server, i.e. the server for which the access token is intended, the second one indicating a Token Issuer server whose entry was created according to the procedure n° 1, the Client Application must provide to the secure element the same elements as those provided for the procedure n° 3, namely :
- the invention is characterized by the fact that in order to obtain the generation of an access token by a Token Issuer server (13), the token request addressed to the Token Issuer shall contain a signed response from the secure element where the field designating the future owner of the access token that will be either a pseudonym or a public key, the aforesaid field having necessarily been selected by the Client Application (10) among the pseudonyms or public keys generated by the secure element (12) and where the access token produced by the Token Issuer server (13) following the request signed by the secure element (12) includes to designate the owner of the token, the same field as the one contained in the signed response from the secure element designating the legitimate owner of the token.
- the invention is characterized by the fact that an access token produced by a Token Issuer server (13), following a signed request coming from a secure element (12), includes to designate the target server for which the access token is intended, a stream of bytes which is not interpretable by the Token Issuer server (13), because this stream of bytes is initially locally computed by the Client Application (10) using a hash function and two parameters as entries: a salt value and an identifier of the target server, and is then communicated to the Token Issuer server as a parameter of the request in order to be included into the access token and consequently when the Client Application communicates to the server target concomitantly with the access token, this identifier and this salt value, thanks to these two values, the target server shall first verify that the server identifier matches with its own identifier and then combine these two values using the same hash function to verify that it is identical to the stream of bytes contained in the access token and thus make sure that the access token is indeed intended to itself.
- the invention is characterized by the fact that the secure element used for this method shall have the usual properties of an hardware security module or of a secure element, within the meaning of industry standards and in particular, a resistance to external physical attacks, a resistance to differential cryptographic attacks, the impossibility of being able to duplicate the content of the secure element if this one does not authorize it, and in addition must contain the data described previously, must contain the data described in claim 2, must support the procedure n°1, if it supports the procedure n° 2 then it must support the procedure n° 3, if it does not support the procedure n° 2 then it must support the procedure n° 4 .
- the invention is characterized in that a Token Issuer server (13) will only agree to issue an access token following a token request from a user authenticated under a given pseudonym if it is able to check that:
- the invention is characterized by the fact that a target server will only agree after the usual checks, to associate to the account from a user authenticated under a given pseudonym or under a target specific public key the attributes contained into an access token, if that account has already been opened on this server under the pseudonym contained in the ad-hoc field of the access token, if this account is neither temporarily, nor definitively invalidated, if the date on which the access token was issued is close to the current time or if a validity period is indicated inside the access token the present time is included into that validity period, if the target server recognizes itself as a recipient of the access token and if the access token was signed by a Token Issuer server known to the target server to carry out all the checks prescribed in the previous paragraph.
- the pseudonym used on a Service Provider (11) shall only be generated by a secure element (12) fulfilling all the criteria defined in the method, and
- the key pair for authentication associated with this pseudonym and a Service Provider (11) shall only be generated by a secure element (12) fulfilling all the criteria defined in the method.
- the initial architecture of FIDO is extended by two additional components:
- Token Issuer (13) will be used to indicate either an Identity Provider (22), or an Attribute Provider (21).
- An Identity Provider (22), as well as an Attribute Provider (21) is able to issue access tokens.
- An access token is a stream of bits or bytes that is digitally signed by an Identity Provider (22) or by an Attribute Provider (21) and which contains, amongst other things, one or more attributes relating to a person (or to an entity). It is said that these attributes “are certified” by the Identity Provider (22) or by the Attribute Provider (21).
- An Identity Provider (22) mainly delivers attributes of the type: name, first name, birth date, birthplace, all this information having generally been collected and checked either using national identity documents in a paper form, or using national identity documents in electronic form.
- An Attribute Provider (21) can deliver any type of attribute, namely identity attributes and/or other attributes, for example: “Member of the golf club of Saint-Nom la Bretéche” or “Graduated with a DEA of Physics from the Paris University VI; Option "Games theory”, but also attributes types such as : name, first name, date of birth, birthplace, place of residence, etc.
- An Attribute Provider (21) may, under some cases, require the presentation of an access token produced by an Identity Provider (22) before agreeing to issue an access token.
- Figure 1 indicates a dialog D1 (23) between the Client Application (10) and the Service Provider (11),
- Case A the Client Application (10) directly contacts the Attribute Provider (21) by means of the dialog D2 (24) in order to obtain an access token, then contacts the Service Provider (11) by means of the dialog D1 (23) in order to transmit it to it.
- Case B the Client Application (10) directly contacts the Identity Provider (22) by means of the dialog D3 (25) in order to obtain an access token, then contacts the Service Provider (11) by means of the dialog D1 (23) in order to transmit it to it.
- Case C the Client Application 10) initially contacts the Identity Provider (22) by means of the dialog D3 (25) in order to obtain a security token, then contacts the Attribute Provider (21) by means of the dialog D2 (24) in order to transmit it to it, receives in return another access token and contacts finally the Service Provider (11) by means of the dialog D1 (23) in order to transmit the second access token to it.
- target server will usually be a Service Provider (10), but can also be an Attribute Provider (21) when an access token coming from a Identity Provider is presented to it.
- the exchanges for these three dialogs will preferably be carried out using an HTTPS mode (or equivalent) so that the content of the exchanges will not be understandable to the external world and that any modification or replay of an exchange can be detected.
- the Client Application Before being able to request an access token of a Token Issuer server, the Client Application (10) must beforehand create an account on this Token Issuer server using a secure element (12).
- the Client Application Before being able to present an access token to a target server, the Client Application (10) must beforehand create an account on the target server using a secure element (12).
- the creation of these accounts will preferably be carried out through a connection using a mode HTTPS (or equivalent) so that the Client Application located on the workstation of the user can obtain the assurance to be connected to the “genuine server”.
- HTTPS HyperText Transfer Protocol
- the Client Application (10) can then contact a Token Issuer server in order to obtain an access token (13) which will contain one or more attributes and which will then be presented to a target server. According to the attributes contained inside the token, the access will then be authorized or not by the target server.
- a Token Issuer server (13) shall not agree to issue an access token to a user unless it has been able to obtain the assurance that the access token has been requested following a request from a user who uses a secure element (12) which has characteristics which are the subject of the method.
- the invention mandates to target servers to follow a Rule 2: a target server will not accept an access token from a Token Issuer server (13) unless it has been able to obtain the assurance that the access token that was generated by this Token Issuer server (13) has been requested following a request from a user who uses a secure element (12) which has all the characteristics which are the subject of the method.
- the secure element is an Integrated Card Circuit (ICC).
- ICC Integrated Card Circuit
- no access token will be delivered by a Token Issuer server (13), unless the user has been able to demonstrate during the creation of the account, or failing this, at the time of at the time of the first token request, or failing this, at the time of each token request, that it uses a physical device which has, on the one hand, all the general characteristics of a secure element, in particular: resistance to the external physical attacks, resistance to the differential cryptographic attacks, impossibility of duplicating the contents of a secure element unless the secure element does not authorize the access to certain contents; and in addition specific complementary characteristics which are essential to the correct operation of the method. Those will be detailed hereafter.
- the Service Provider (11) will obtain on his side an indirect assurance owing to the fact that the user indeed uses a secure element which has all the characteristics which are the subject of the method. Indeed, the Service Provider (11) will grant his confidence only to Token Issuers (13) which guarantee to him to carry out this checking.
- Each secure element (12) must contain :
- the public information makes it possible to know directly or indirectly that its granting has been conditioned by the assurance that the secure element (12) fulfils the requirements imposed on the secure element because of the method, for example, by issuing a public key certificate issued under a given Certification Policy (CP).
- CP Certification Policy
- a secure element (12) in conformance with the requirements of the method will preferably have to be certified by an independent organization according to a set of requirements established in the form of a Protection Profile (PP) and with a level of assurance “high”, for example “EAL4+”.
- PP Protection Profile
- EAL4+ level of assurance
- Each secure element manufacturer providing secure elements in conformity with the requirements of the method should make sure that the Public Information (14) contained in the secure element (12) contains at least information making it possible to know, by the means of a contact to a server, if a public data specific to the secure element is still valid or has been invalidated.
- the secure element (12) shall be able to generate two pieces of data and to associate them with an identifier of the target server IdS (17), as illustrated on Figure 3:
- pseudonym PS that is a random or pseudo-random value of sufficient size to avoid any collision between pseudonyms on the server in question and which shall mandatorily be generated by the secure element
- a key pair (i.e. a private key CP (19) and a public key) which shall mandatorily be generated by the secure element.
- an index can be added.
- the secure element stores in a permanent way on the level of an “entry” (16), at least, the three following information:
- each entry may be able moreover to include:
- the Client Application (10) can require that the private key (15) specific to the secure element (12) as well as public information (14) making it possible to check the data signed with the private key (15) specific to this secure element (12) is implemented at the time of the authentication. If it is the case, this characteristic can be stored into the secure element (12) so that the Client Application (10) can hold account of it and to avoid remaking this same request at the time of an other authentication.
- a command may be used by the Client Application allowing, after the agreement of the user, the removal of one or more entries (16).
- the Client Application will also be able to provide to the secure element a complementary indicator enabling it to make the difference between an entry relating to a Service Provider (11) and an entry relating to a Token Issuer server (13).
- the indicator will be stored by the secure element (12) in the entry (16) as a complementary data (20) in question.
- an access token produced by a Token Issuer server and intended to a target server shall contain at least the following information:
- a validity period of the access token possibly associated a field allowing to check the revocation status of this token; or, for a mono session token, the time when the access token was issued, usually a UTC (Universal Coordinated Time) time,
- the field (a) makes it possible the target server to know for which pseudonym the access token has been issued. If the pseudonym is not recognized, the access token shall be rejected by the target server.
- the field (b) makes it possible for the target server to know the attributes certified as produced by an Identity Provider (22) or by an Attribute Provider (21).
- the field (c) makes it possible to make sure of the identity of the signer of the security token.
- the field (d) makes it possible to deliver mono session security tokens or multi sessions security tokens.
- the attributes present in the access token will only be maintained by the Service Provider (11) during one session. Any session will have a limited duration, with time-out in the event of a prolonged inactivity.
- the field (e) makes it possible to identify the serial number of the access token with the aim of revoking it, for example, using a mechanism such as CRLs (Certificate Revocation Lists) or OCSP responses (On-line Certificate Status Protocol).
- CRLs ificate Revocation Lists
- OCSP responses On-line Certificate Status Protocol
- the field (e) also makes possible to identify in a unique way, in particular for audit purposes, an access token issued by a Token Issuer server .
- the field (f) makes it possible to target the access token for a given target server, without allowing the identification of this server by the Token Issuer. To this end, before requesting an access token from a Token Issuer, the user will hide the identifier of the target server in the following way.
- He He combines by means of a one way hash function, the identifier of the target server with a random pseudo-random value of a sufficient size, called a “salt”.
- the result of the computation is placed in the field (f) called “stream of bytes representative of the target server”.
- the identifier of a target server containing a semantics is thus never present in the access token and the identifier or the identity of the target server remains thus completely unknown to the server producing the token.
- the identifier or the identity of an Attribute Provider (21) remains completely unknown to an Identity Provider (22). This constitutes an advantageous feature of the method.
- the Client Application communicates to the target server the value of the salt while a fixed rule is defined to transform the address of the target server to identify the target server.
- the target server knowing at the same time the value of the salt and its own identifier is able to check that the value contained in the field (f) is indeed the one that it will have recomputed locally. If it were not the case, the access token will have to be rejected.
- the user For the creation of an account on a Token Issuer server, the user transmits to the secure element:
- the field (d) could also belong to the data signed by the private key generated by the secure element for this server, but for security reasons that is not necessary.
- a digital signature is generally computed using a private key on a hash value computed using a one-way hash function supplemented when necessary by padding bits.
- the field (c) makes it possible to prove the possession of the public key contained in the field (b).
- the field (e) allows the Token Issuer server to make sure using the field (d) that the received data come indeed from a secure element in conformance with the requirements of the method and that it is indeed this certificate which belongs to the secure element. Once these checks have been carried out, the Token Issuer server creates an account associated with the pseudonym and the public key that were generated by the secure element.
- the fields (d) and (e) can moreover be considered as being a protection able to counter inopportune openings of accounts, because only a holder of a secure element in conformity with the requirements of the method will be able to open an account on a Token Issuer server .
- the user For the creation of an account on a Service Provider (11), the user transmits to the secure element :
- eID-PIN electronic Identification - Personal Identification Number
- PIN Personal Identification Number
- the Client Application will be able to require the confirmation by means of a man-machine interaction and to present the eID-PIN at the secure element in a transparent way for the user.
- the operations which are described hereafter make it possible to use the technique of the challenges as well as the technique of the unique numbers.
- the challenge received during the second exchange is included into the data conveyed during the third exchange, while in the second case, the unique number is directly included into the data conveyed during the first exchange.
- the challenge or the unique number must thus always be transmitted by the Client Application to the secure element .
- the user transmits to the secure element the following elements:
- the certificate life time period of the secure element may lead adding two complementary protocol elements, insofar as:
- the two complementary protocol elements are the following:
- the new certificate for example an X.509 certificate, carrying the public key specific to the secure element , and
- the choice will be to carry out by the user according to the volume of the data to be exchanged and/or to the importance of the semantics of these data.
- the user transmits to the secure element the following elements:
- the user will have to indicate to the secure element that he agrees to authenticate, for example, by presenting an eID-PIN.
- the user transmits to the secure element the following elements:
- the field (a) ensures a protection against replay. It should be noticed that this protection comes in complement from that offered by the HTTPS protocol, if this one is be used.
- the field (b) allows the Client Application A, following a dialog with the user, to request only the attributes which the user wishes to be included into the token. It is related to the combination of two privacy principles usually known under the names “data minimization and “user consent”.
- the field (c) makes it possible to deliver a mono session token or a multi sessions security token.
- the field (d) is "copied and pasted” into the access token by the Token Issuer server.
- the field (e) is of primary importance because it makes it possible to select the pseudonym of the user who will be included into the security token. It is particularly important to notice that this pseudonym must already be present in the secure element and that it has been thus necessarily generated by the secure element and that consequently that in any case it could not be the pseudonym used by another person with whom the requestor of the access token would be in collusion. It is this fundamental characteristic which makes it possible to prevent the transmission of an attribute pertaining to a person (or an entity) the profit of one or to several other people (or entities), even if these people (or entities) are in collusion.
- the field (f) has two usages:
- the server will be able to incorporate the required attributes, obviously insofar as the user indeed possesses them.
- the user has the possibility of requesting each attribute either by indicating only its type, or by indicating at the same time its type and a value.
- the server will be able to generate a multi sessions token or a mono session token, insofar if it supports the two types of tokens.
- the value contained in the field (d) is blindly copied using the field (d) of the command. Later on, this same field will be blindly copied in the field (f) of the access token by the Token Issuer server. In this way, a Token Issuer server cannot identify the servers consuming the tokens, by the simple examination of the received commands.
- the value contained in the field (e) is the pseudonym which comes from the value contained in the secure element in the entry pointed by the field (e) from the command.
- the field (f) will allow the Token Issuer server to select the suitable public key in order to enable him to check the digital signature contained in the field (g).
- the Token Issuer server Before the issuance of a security token, the Token Issuer server should check that the certificate of the secure element attached to the account is not revoked. If this certificate were revoked, then the required token shall not be issued.
- TLV Type, Length, Value
- BER BASIC Encoding Rules
- DER Distinguished Encoding Rules
- Another way of doing is to insert systematically at the head of the message (or in the tail of the message) a different code allowing to make the difference between a response to a command requesting an access token and any response to another command, in particular, a command allowing to ensure the integrity and the authentication of external data. From the moment where the coding of the fields or the data additional belongs to the data which enter into the computation of the digital signature, it is possible to discriminate between the various types of messages.
- the access token may be transmitted after the authentication of the user by means of his pseudonym; the connection between messages and access tokens being then performed through the use of the HTTPS protocol,
- the access token may be part of the content of a message being protected using data origin authentication, the connection between the message and the token being then established whether the HTTPS protocol is used or not.
- the secure element will be carried out by means of single electronic component or by means of several electronic components encapsulated in another component or by means of several electronic components protected by an secure enclosure, generally called a “cryptographic module”, one or the other of these achievements having the protections as described in the invention, while the aforementioned “secure element” will be interfaced with its external environment, either by means of an interface with contacts or by means of an interface without contact.
- Figure 1 schematically illustrates the original FIDO architecture.
- Figure 2 schematically illustrates the FIDO architecture supplemented according to the invention.
- Figure 3 illustrates the essential data contained in a secure element according to the invention.
- CV certificate Card Verifiable certificate.
- EAL4 Evaluation Assurance Level 4.
- eID-PIN electronic Identification - Personal Number Identification.
- ETSI European Telecommunications Standardization Institute.
- FIDO Fast Identity One-line.
- ICC Integrated Card Circuit.
- HTTP Hypertext Transfer Protocol
- HTTPS Hypertext Transfer Protocol Secure
- OCSP One-line Certificate Status Protocol.
- PIN Personal Number Identification
- TLV Type, Length, Value.
- TPM Trusted Platform Module
- UTC Universal Time Coordinated.
- X.509 Recommendation of the ITU-T X.509: Open Systems Interconnection - The Directory: Public key and attribute certificate frameworks.
Abstract
La présente invention concerne un procédé qui permet à un utilisateur, en utilisant une application client, d'accéder à un serveur cible en ligne au moyen d'un élément sécurisé, d'un pseudonyme et d'un jeton d'accès qui contient des attributs, le jeton d'accès susmentionné ayant été obtenu à partir d'un serveur émetteur de jeton, qui peut être un fournisseur d'attribut ou un fournisseur d'identité, ledit procédé étant caractérisé par le fait que l'application client qui obtient le jeton d'accès est incapable d'accorder le bénéfice du jeton d'accès susmentionné à une autre application client, et en ce que le procédé comprend les étapes suivantes : - la fourniture, à des utilisateurs d'éléments sécurisés, de caractéristiques spécifiques par des fournisseurs d'éléments sécurisés, - la création d'un compte sur un serveur cible au moyen d'un pseudonyme, d'une clef publique et d'un tel élément sécurisé, - la création d'un compte sur un serveur émetteur de jeton au moyen d'un pseudonyme, d'une clef publique et d'un tel élément sécurisé, - la demande d'un jeton d'accès à un serveur émetteur de jeton au moyen d'un pseudonyme ou en variante d'une clef publique et d'un tel élément sécurisé, - la génération d'un jeton d'accès par un serveur émetteur de jeton, et - l'acceptation du jeton d'accès par le serveur cible.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2016/076261 WO2017042400A1 (fr) | 2015-09-11 | 2016-10-31 | Procédé d'accès à un service en ligne au moyen de jetons d'accès et d'éléments sécurisés limitant l'utilisation de ces jetons d'accès à leur propriétaire légitime |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR1501894A FR3041195A1 (fr) | 2015-09-11 | 2015-09-11 | Procede d'acces a un service en ligne au moyen d'un microcircuit securise et de jetons de securite restreignant l'utilisation de ces jetons a leur detenteur legitime |
FR1501894 | 2015-09-11 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017042375A1 true WO2017042375A1 (fr) | 2017-03-16 |
Family
ID=55345859
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2016/071386 WO2017042375A1 (fr) | 2015-09-11 | 2016-09-10 | Procédé d'accès à un service en ligne au moyen de jetons d'accès et d'un élément sécurisé limitant l'utilisation de ces jetons d'accès à leur propriétaire légitime |
Country Status (2)
Country | Link |
---|---|
FR (1) | FR3041195A1 (fr) |
WO (1) | WO2017042375A1 (fr) |
Cited By (102)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10425129B1 (en) | 2019-02-27 | 2019-09-24 | Capital One Services, Llc | Techniques to reduce power consumption in near field communication systems |
US10438437B1 (en) | 2019-03-20 | 2019-10-08 | Capital One Services, Llc | Tap to copy data to clipboard via NFC |
US10467622B1 (en) | 2019-02-01 | 2019-11-05 | Capital One Services, Llc | Using on-demand applications to generate virtual numbers for a contactless card to securely autofill forms |
US10467445B1 (en) | 2019-03-28 | 2019-11-05 | Capital One Services, Llc | Devices and methods for contactless card alignment with a foldable mobile device |
US10489781B1 (en) | 2018-10-02 | 2019-11-26 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10498401B1 (en) | 2019-07-15 | 2019-12-03 | Capital One Services, Llc | System and method for guiding card positioning using phone sensors |
US10505738B1 (en) | 2018-10-02 | 2019-12-10 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10506426B1 (en) | 2019-07-19 | 2019-12-10 | Capital One Services, Llc | Techniques for call authentication |
US10510074B1 (en) | 2019-02-01 | 2019-12-17 | Capital One Services, Llc | One-tap payment using a contactless card |
US10511443B1 (en) | 2018-10-02 | 2019-12-17 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10516447B1 (en) | 2019-06-17 | 2019-12-24 | Capital One Services, Llc | Dynamic power levels in NFC card communications |
US10523708B1 (en) | 2019-03-18 | 2019-12-31 | Capital One Services, Llc | System and method for second factor authentication of customer support calls |
US10535062B1 (en) | 2019-03-20 | 2020-01-14 | Capital One Services, Llc | Using a contactless card to securely share personal data stored in a blockchain |
US10542036B1 (en) | 2018-10-02 | 2020-01-21 | Capital One Services, Llc | Systems and methods for signaling an attack on contactless cards |
US10541995B1 (en) | 2019-07-23 | 2020-01-21 | Capital One Services, Llc | First factor contactless card authentication system and method |
US10546444B2 (en) | 2018-06-21 | 2020-01-28 | Capital One Services, Llc | Systems and methods for secure read-only authentication |
US10554411B1 (en) | 2018-10-02 | 2020-02-04 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10565587B1 (en) | 2018-10-02 | 2020-02-18 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10582386B1 (en) | 2018-10-02 | 2020-03-03 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10581611B1 (en) | 2018-10-02 | 2020-03-03 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10579998B1 (en) | 2018-10-02 | 2020-03-03 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10592710B1 (en) | 2018-10-02 | 2020-03-17 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10607214B1 (en) | 2018-10-02 | 2020-03-31 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10607216B1 (en) | 2018-10-02 | 2020-03-31 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10615981B1 (en) | 2018-10-02 | 2020-04-07 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10623393B1 (en) | 2018-10-02 | 2020-04-14 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10630653B1 (en) | 2018-10-02 | 2020-04-21 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10643420B1 (en) | 2019-03-20 | 2020-05-05 | Capital One Services, Llc | Contextual tapping engine |
US10657754B1 (en) | 2019-12-23 | 2020-05-19 | Capital One Services, Llc | Contactless card and personal identification system |
US10664941B1 (en) | 2019-12-24 | 2020-05-26 | Capital One Services, Llc | Steganographic image encoding of biometric template information on a card |
US10680824B2 (en) | 2018-10-02 | 2020-06-09 | Capital One Services, Llc | Systems and methods for inventory management using cryptographic authentication of contactless cards |
US10685350B2 (en) | 2018-10-02 | 2020-06-16 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10686603B2 (en) | 2018-10-02 | 2020-06-16 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10701560B1 (en) | 2019-10-02 | 2020-06-30 | Capital One Services, Llc | Client device authentication using contactless legacy magnetic stripe data |
US10713649B1 (en) | 2019-07-09 | 2020-07-14 | Capital One Services, Llc | System and method enabling mobile near-field communication to update display on a payment card |
US10733283B1 (en) | 2019-12-23 | 2020-08-04 | Capital One Services, Llc | Secure password generation and management using NFC and contactless smart cards |
US10733645B2 (en) | 2018-10-02 | 2020-08-04 | Capital One Services, Llc | Systems and methods for establishing identity for order pick up |
US10733601B1 (en) | 2019-07-17 | 2020-08-04 | Capital One Services, Llc | Body area network facilitated authentication or payment authorization |
US10748138B2 (en) | 2018-10-02 | 2020-08-18 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10757574B1 (en) | 2019-12-26 | 2020-08-25 | Capital One Services, Llc | Multi-factor authentication providing a credential via a contactless card for secure messaging |
US10771254B2 (en) | 2018-10-02 | 2020-09-08 | Capital One Services, Llc | Systems and methods for email-based card activation |
US10771253B2 (en) | 2018-10-02 | 2020-09-08 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10783519B2 (en) | 2018-10-02 | 2020-09-22 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10797882B2 (en) | 2018-10-02 | 2020-10-06 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10832271B1 (en) | 2019-07-17 | 2020-11-10 | Capital One Services, Llc | Verified reviews using a contactless card |
US10841091B2 (en) | 2018-10-02 | 2020-11-17 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10853795B1 (en) | 2019-12-24 | 2020-12-01 | Capital One Services, Llc | Secure authentication based on identity data stored in a contactless card |
US10860814B2 (en) | 2018-10-02 | 2020-12-08 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10861006B1 (en) | 2020-04-30 | 2020-12-08 | Capital One Services, Llc | Systems and methods for data access control using a short-range transceiver |
US10860914B1 (en) | 2019-12-31 | 2020-12-08 | Capital One Services, Llc | Contactless card and method of assembly |
US10862540B1 (en) | 2019-12-23 | 2020-12-08 | Capital One Services, Llc | Method for mapping NFC field strength and location on mobile devices |
US10871958B1 (en) | 2019-07-03 | 2020-12-22 | Capital One Services, Llc | Techniques to perform applet programming |
US10885410B1 (en) | 2019-12-23 | 2021-01-05 | Capital One Services, Llc | Generating barcodes utilizing cryptographic techniques |
US10885514B1 (en) | 2019-07-15 | 2021-01-05 | Capital One Services, Llc | System and method for using image data to trigger contactless card transactions |
US10909544B1 (en) | 2019-12-26 | 2021-02-02 | Capital One Services, Llc | Accessing and utilizing multiple loyalty point accounts |
US10909527B2 (en) | 2018-10-02 | 2021-02-02 | Capital One Services, Llc | Systems and methods for performing a reissue of a contactless card |
US10915888B1 (en) | 2020-04-30 | 2021-02-09 | Capital One Services, Llc | Contactless card with multiple rotating security keys |
US10949520B2 (en) | 2018-10-02 | 2021-03-16 | Capital One Services, Llc | Systems and methods for cross coupling risk analytics and one-time-passcodes |
US10963865B1 (en) | 2020-05-12 | 2021-03-30 | Capital One Services, Llc | Augmented reality card activation experience |
US10970712B2 (en) | 2019-03-21 | 2021-04-06 | Capital One Services, Llc | Delegated administration of permissions using a contactless card |
US10984416B2 (en) | 2019-03-20 | 2021-04-20 | Capital One Services, Llc | NFC mobile currency transfer |
US10992477B2 (en) | 2018-10-02 | 2021-04-27 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11030339B1 (en) | 2020-04-30 | 2021-06-08 | Capital One Services, Llc | Systems and methods for data access control of personal user data using a short-range transceiver |
US11037136B2 (en) | 2019-01-24 | 2021-06-15 | Capital One Services, Llc | Tap to autofill card data |
US11038688B1 (en) | 2019-12-30 | 2021-06-15 | Capital One Services, Llc | Techniques to control applets for contactless cards |
US11062098B1 (en) | 2020-08-11 | 2021-07-13 | Capital One Services, Llc | Augmented reality information display and interaction via NFC based authentication |
US11063979B1 (en) | 2020-05-18 | 2021-07-13 | Capital One Services, Llc | Enabling communications between applications in a mobile operating system |
US11100511B1 (en) | 2020-05-18 | 2021-08-24 | Capital One Services, Llc | Application-based point of sale system in mobile operating systems |
US11113685B2 (en) | 2019-12-23 | 2021-09-07 | Capital One Services, Llc | Card issuing with restricted virtual numbers |
US11120453B2 (en) | 2019-02-01 | 2021-09-14 | Capital One Services, Llc | Tap card to securely generate card data to copy to clipboard |
US11165586B1 (en) | 2020-10-30 | 2021-11-02 | Capital One Services, Llc | Call center web-based authentication using a contactless card |
US11182771B2 (en) | 2019-07-17 | 2021-11-23 | Capital One Services, Llc | System for value loading onto in-vehicle device |
US11200563B2 (en) | 2019-12-24 | 2021-12-14 | Capital One Services, Llc | Account registration using a contactless card |
US11210664B2 (en) | 2018-10-02 | 2021-12-28 | Capital One Services, Llc | Systems and methods for amplifying the strength of cryptographic algorithms |
US11210656B2 (en) | 2020-04-13 | 2021-12-28 | Capital One Services, Llc | Determining specific terms for contactless card activation |
US11216799B1 (en) | 2021-01-04 | 2022-01-04 | Capital One Services, Llc | Secure generation of one-time passcodes using a contactless card |
US11222342B2 (en) | 2020-04-30 | 2022-01-11 | Capital One Services, Llc | Accurate images in graphical user interfaces to enable data transfer |
US11245438B1 (en) | 2021-03-26 | 2022-02-08 | Capital One Services, Llc | Network-enabled smart apparatus and systems and methods for activating and provisioning same |
US11354555B1 (en) | 2021-05-04 | 2022-06-07 | Capital One Services, Llc | Methods, mediums, and systems for applying a display to a transaction card |
US11361302B2 (en) | 2019-01-11 | 2022-06-14 | Capital One Services, Llc | Systems and methods for touch screen interface interaction using a card overlay |
US11373169B2 (en) | 2020-11-03 | 2022-06-28 | Capital One Services, Llc | Web-based activation of contactless cards |
US11392933B2 (en) | 2019-07-03 | 2022-07-19 | Capital One Services, Llc | Systems and methods for providing online and hybridcard interactions |
US11438329B2 (en) | 2021-01-29 | 2022-09-06 | Capital One Services, Llc | Systems and methods for authenticated peer-to-peer data transfer using resource locators |
US11455620B2 (en) | 2019-12-31 | 2022-09-27 | Capital One Services, Llc | Tapping a contactless card to a computing device to provision a virtual number |
US11482312B2 (en) | 2020-10-30 | 2022-10-25 | Capital One Services, Llc | Secure verification of medical status using a contactless card |
US11521262B2 (en) | 2019-05-28 | 2022-12-06 | Capital One Services, Llc | NFC enhanced augmented reality information overlays |
US11521213B2 (en) | 2019-07-18 | 2022-12-06 | Capital One Services, Llc | Continuous authentication for digital services based on contactless card positioning |
US11562358B2 (en) | 2021-01-28 | 2023-01-24 | Capital One Services, Llc | Systems and methods for near field contactless card communication and cryptographic authentication |
US11615395B2 (en) | 2019-12-23 | 2023-03-28 | Capital One Services, Llc | Authentication for third party digital wallet provisioning |
US11637826B2 (en) | 2021-02-24 | 2023-04-25 | Capital One Services, Llc | Establishing authentication persistence |
US11651361B2 (en) | 2019-12-23 | 2023-05-16 | Capital One Services, Llc | Secure authentication based on passport data stored in a contactless card |
US11682012B2 (en) | 2021-01-27 | 2023-06-20 | Capital One Services, Llc | Contactless delivery systems and methods |
US11687930B2 (en) | 2021-01-28 | 2023-06-27 | Capital One Services, Llc | Systems and methods for authentication of access tokens |
US11694187B2 (en) | 2019-07-03 | 2023-07-04 | Capital One Services, Llc | Constraining transactional capabilities for contactless cards |
US11777933B2 (en) | 2021-02-03 | 2023-10-03 | Capital One Services, Llc | URL-based authentication for payment cards |
US11792001B2 (en) | 2021-01-28 | 2023-10-17 | Capital One Services, Llc | Systems and methods for secure reprovisioning |
CN116992419A (zh) * | 2023-09-28 | 2023-11-03 | 江西省信息中心(江西省电子政务网络管理中心、江西省信用中心、江西省大数据中心) | 地图服务共享权限控制方法、系统、电子设备及存储介质 |
US11823175B2 (en) | 2020-04-30 | 2023-11-21 | Capital One Services, Llc | Intelligent card unlock |
US11902442B2 (en) | 2021-04-22 | 2024-02-13 | Capital One Services, Llc | Secure management of accounts on display devices using a contactless card |
US11935035B2 (en) | 2021-04-20 | 2024-03-19 | Capital One Services, Llc | Techniques to utilize resource locators by a contactless card to perform a sequence of operations |
US11961089B2 (en) | 2021-04-20 | 2024-04-16 | Capital One Services, Llc | On-demand applications to extend web services |
US11974127B2 (en) | 2021-08-18 | 2024-04-30 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120084565A1 (en) * | 2010-09-30 | 2012-04-05 | Microsoft Corporation | Cryptographic device that binds an additional authentication factor to multiple identities |
WO2014005148A1 (fr) * | 2012-06-29 | 2014-01-03 | Id Dataweb, Inc. | Système et procédé servant à l'établissement et à la monétisation d'identités sécurisées dans le cyberespace comprenant un service de données personnelles et une console utilisateur |
-
2015
- 2015-09-11 FR FR1501894A patent/FR3041195A1/fr not_active Withdrawn
-
2016
- 2016-09-10 WO PCT/EP2016/071386 patent/WO2017042375A1/fr active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120084565A1 (en) * | 2010-09-30 | 2012-04-05 | Microsoft Corporation | Cryptographic device that binds an additional authentication factor to multiple identities |
WO2014005148A1 (fr) * | 2012-06-29 | 2014-01-03 | Id Dataweb, Inc. | Système et procédé servant à l'établissement et à la monétisation d'identités sécurisées dans le cyberespace comprenant un service de données personnelles et une console utilisateur |
Non-Patent Citations (1)
Title |
---|
BJONES RONNY ET AL: "Integrating Anonymous Credentials with eIDs for Privacy-Respecting Online Authentication", 10 October 2012, CORRECT SYSTEM DESIGN; [LECTURE NOTES IN COMPUTER SCIENCE; LECT.NOTES COMPUTER], SPRINGER INTERNATIONAL PUBLISHING, CHAM, PAGE(S) 111 - 124, ISBN: 978-3-540-72913-6, ISSN: 0302-9743, XP047265617 * |
Cited By (149)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10546444B2 (en) | 2018-06-21 | 2020-01-28 | Capital One Services, Llc | Systems and methods for secure read-only authentication |
US10878651B2 (en) | 2018-06-21 | 2020-12-29 | Capital One Services, Llc | Systems and methods for secure read-only authentication |
US11784820B2 (en) | 2018-10-02 | 2023-10-10 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11728994B2 (en) | 2018-10-02 | 2023-08-15 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10489781B1 (en) | 2018-10-02 | 2019-11-26 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11349667B2 (en) | 2018-10-02 | 2022-05-31 | Capital One Services, Llc | Systems and methods for inventory management using cryptographic authentication of contactless cards |
US10505738B1 (en) | 2018-10-02 | 2019-12-10 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11341480B2 (en) | 2018-10-02 | 2022-05-24 | Capital One Services, Llc | Systems and methods for phone-based card activation |
US11336454B2 (en) | 2018-10-02 | 2022-05-17 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10511443B1 (en) | 2018-10-02 | 2019-12-17 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11321546B2 (en) | 2018-10-02 | 2022-05-03 | Capital One Services, Llc | Systems and methods data transmission using contactless cards |
US11301848B2 (en) | 2018-10-02 | 2022-04-12 | Capital One Services, Llc | Systems and methods for secure transaction approval |
US11297046B2 (en) | 2018-10-02 | 2022-04-05 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11770254B2 (en) | 2018-10-02 | 2023-09-26 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11423452B2 (en) | 2018-10-02 | 2022-08-23 | Capital One Services, Llc | Systems and methods for establishing identity for order pick up |
US11438164B2 (en) | 2018-10-02 | 2022-09-06 | Capital One Services, Llc | Systems and methods for email-based card activation |
US10554411B1 (en) | 2018-10-02 | 2020-02-04 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10565587B1 (en) | 2018-10-02 | 2020-02-18 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10582386B1 (en) | 2018-10-02 | 2020-03-03 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10581611B1 (en) | 2018-10-02 | 2020-03-03 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10579998B1 (en) | 2018-10-02 | 2020-03-03 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10592710B1 (en) | 2018-10-02 | 2020-03-17 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10607214B1 (en) | 2018-10-02 | 2020-03-31 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10607216B1 (en) | 2018-10-02 | 2020-03-31 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10615981B1 (en) | 2018-10-02 | 2020-04-07 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10623393B1 (en) | 2018-10-02 | 2020-04-14 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10630653B1 (en) | 2018-10-02 | 2020-04-21 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11233645B2 (en) | 2018-10-02 | 2022-01-25 | Capital One Services, Llc | Systems and methods of key selection for cryptographic authentication of contactless cards |
US11924188B2 (en) | 2018-10-02 | 2024-03-05 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11843698B2 (en) | 2018-10-02 | 2023-12-12 | Capital One Services, Llc | Systems and methods of key selection for cryptographic authentication of contactless cards |
US10680824B2 (en) | 2018-10-02 | 2020-06-09 | Capital One Services, Llc | Systems and methods for inventory management using cryptographic authentication of contactless cards |
US10685350B2 (en) | 2018-10-02 | 2020-06-16 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10686603B2 (en) | 2018-10-02 | 2020-06-16 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11232272B2 (en) | 2018-10-02 | 2022-01-25 | Capital One Services, Llc | Systems and methods for contactless card applet communication |
US11438311B2 (en) | 2018-10-02 | 2022-09-06 | Capital One Services, Llc | Systems and methods for card information management |
US11843700B2 (en) | 2018-10-02 | 2023-12-12 | Capital One Services, Llc | Systems and methods for email-based card activation |
US10733645B2 (en) | 2018-10-02 | 2020-08-04 | Capital One Services, Llc | Systems and methods for establishing identity for order pick up |
US11444775B2 (en) | 2018-10-02 | 2022-09-13 | Capital One Services, Llc | Systems and methods for content management using contactless cards |
US10748138B2 (en) | 2018-10-02 | 2020-08-18 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11804964B2 (en) | 2018-10-02 | 2023-10-31 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10771254B2 (en) | 2018-10-02 | 2020-09-08 | Capital One Services, Llc | Systems and methods for email-based card activation |
US10771253B2 (en) | 2018-10-02 | 2020-09-08 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10778437B2 (en) | 2018-10-02 | 2020-09-15 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11456873B2 (en) | 2018-10-02 | 2022-09-27 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10783519B2 (en) | 2018-10-02 | 2020-09-22 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10797882B2 (en) | 2018-10-02 | 2020-10-06 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11210664B2 (en) | 2018-10-02 | 2021-12-28 | Capital One Services, Llc | Systems and methods for amplifying the strength of cryptographic algorithms |
US10841091B2 (en) | 2018-10-02 | 2020-11-17 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11790187B2 (en) | 2018-10-02 | 2023-10-17 | Capital One Services, Llc | Systems and methods for data transmission using contactless cards |
US10860814B2 (en) | 2018-10-02 | 2020-12-08 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11469898B2 (en) | 2018-10-02 | 2022-10-11 | Capital One Services, Llc | Systems and methods for message presentation using contactless cards |
US10542036B1 (en) | 2018-10-02 | 2020-01-21 | Capital One Services, Llc | Systems and methods for signaling an attack on contactless cards |
US11195174B2 (en) | 2018-10-02 | 2021-12-07 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11182784B2 (en) | 2018-10-02 | 2021-11-23 | Capital One Services, Llc | Systems and methods for performing transactions with contactless cards |
US11182785B2 (en) | 2018-10-02 | 2021-11-23 | Capital One Services, Llc | Systems and methods for authorization and access to services using contactless cards |
US10880327B2 (en) | 2018-10-02 | 2020-12-29 | Capital One Services, Llc | Systems and methods for signaling an attack on contactless cards |
US10887106B2 (en) | 2018-10-02 | 2021-01-05 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11699047B2 (en) | 2018-10-02 | 2023-07-11 | Capital One Services, Llc | Systems and methods for contactless card applet communication |
US11502844B2 (en) | 2018-10-02 | 2022-11-15 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11144915B2 (en) | 2018-10-02 | 2021-10-12 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards using risk factors |
US10909527B2 (en) | 2018-10-02 | 2021-02-02 | Capital One Services, Llc | Systems and methods for performing a reissue of a contactless card |
US11658997B2 (en) | 2018-10-02 | 2023-05-23 | Capital One Services, Llc | Systems and methods for signaling an attack on contactless cards |
US10949520B2 (en) | 2018-10-02 | 2021-03-16 | Capital One Services, Llc | Systems and methods for cross coupling risk analytics and one-time-passcodes |
US10965465B2 (en) | 2018-10-02 | 2021-03-30 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11129019B2 (en) | 2018-10-02 | 2021-09-21 | Capital One Services, Llc | Systems and methods for performing transactions with contactless cards |
US11102007B2 (en) | 2018-10-02 | 2021-08-24 | Capital One Services, Llc | Contactless card emulation system and method |
US11544707B2 (en) | 2018-10-02 | 2023-01-03 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US10992477B2 (en) | 2018-10-02 | 2021-04-27 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11610195B2 (en) | 2018-10-02 | 2023-03-21 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
US11563583B2 (en) | 2018-10-02 | 2023-01-24 | Capital One Services, Llc | Systems and methods for content management using contactless cards |
US11361302B2 (en) | 2019-01-11 | 2022-06-14 | Capital One Services, Llc | Systems and methods for touch screen interface interaction using a card overlay |
US11037136B2 (en) | 2019-01-24 | 2021-06-15 | Capital One Services, Llc | Tap to autofill card data |
US10467622B1 (en) | 2019-02-01 | 2019-11-05 | Capital One Services, Llc | Using on-demand applications to generate virtual numbers for a contactless card to securely autofill forms |
US11120453B2 (en) | 2019-02-01 | 2021-09-14 | Capital One Services, Llc | Tap card to securely generate card data to copy to clipboard |
US10510074B1 (en) | 2019-02-01 | 2019-12-17 | Capital One Services, Llc | One-tap payment using a contactless card |
US10425129B1 (en) | 2019-02-27 | 2019-09-24 | Capital One Services, Llc | Techniques to reduce power consumption in near field communication systems |
US10523708B1 (en) | 2019-03-18 | 2019-12-31 | Capital One Services, Llc | System and method for second factor authentication of customer support calls |
US10438437B1 (en) | 2019-03-20 | 2019-10-08 | Capital One Services, Llc | Tap to copy data to clipboard via NFC |
US10535062B1 (en) | 2019-03-20 | 2020-01-14 | Capital One Services, Llc | Using a contactless card to securely share personal data stored in a blockchain |
US10783736B1 (en) | 2019-03-20 | 2020-09-22 | Capital One Services, Llc | Tap to copy data to clipboard via NFC |
US10984416B2 (en) | 2019-03-20 | 2021-04-20 | Capital One Services, Llc | NFC mobile currency transfer |
US10643420B1 (en) | 2019-03-20 | 2020-05-05 | Capital One Services, Llc | Contextual tapping engine |
US10970712B2 (en) | 2019-03-21 | 2021-04-06 | Capital One Services, Llc | Delegated administration of permissions using a contactless card |
US10467445B1 (en) | 2019-03-28 | 2019-11-05 | Capital One Services, Llc | Devices and methods for contactless card alignment with a foldable mobile device |
US11521262B2 (en) | 2019-05-28 | 2022-12-06 | Capital One Services, Llc | NFC enhanced augmented reality information overlays |
US10516447B1 (en) | 2019-06-17 | 2019-12-24 | Capital One Services, Llc | Dynamic power levels in NFC card communications |
US11392933B2 (en) | 2019-07-03 | 2022-07-19 | Capital One Services, Llc | Systems and methods for providing online and hybridcard interactions |
US11694187B2 (en) | 2019-07-03 | 2023-07-04 | Capital One Services, Llc | Constraining transactional capabilities for contactless cards |
US10871958B1 (en) | 2019-07-03 | 2020-12-22 | Capital One Services, Llc | Techniques to perform applet programming |
US10713649B1 (en) | 2019-07-09 | 2020-07-14 | Capital One Services, Llc | System and method enabling mobile near-field communication to update display on a payment card |
US10885514B1 (en) | 2019-07-15 | 2021-01-05 | Capital One Services, Llc | System and method for using image data to trigger contactless card transactions |
US10498401B1 (en) | 2019-07-15 | 2019-12-03 | Capital One Services, Llc | System and method for guiding card positioning using phone sensors |
US11182771B2 (en) | 2019-07-17 | 2021-11-23 | Capital One Services, Llc | System for value loading onto in-vehicle device |
US10733601B1 (en) | 2019-07-17 | 2020-08-04 | Capital One Services, Llc | Body area network facilitated authentication or payment authorization |
US10832271B1 (en) | 2019-07-17 | 2020-11-10 | Capital One Services, Llc | Verified reviews using a contactless card |
US11521213B2 (en) | 2019-07-18 | 2022-12-06 | Capital One Services, Llc | Continuous authentication for digital services based on contactless card positioning |
US10506426B1 (en) | 2019-07-19 | 2019-12-10 | Capital One Services, Llc | Techniques for call authentication |
US10541995B1 (en) | 2019-07-23 | 2020-01-21 | Capital One Services, Llc | First factor contactless card authentication system and method |
US11638148B2 (en) | 2019-10-02 | 2023-04-25 | Capital One Services, Llc | Client device authentication using contactless legacy magnetic stripe data |
US10701560B1 (en) | 2019-10-02 | 2020-06-30 | Capital One Services, Llc | Client device authentication using contactless legacy magnetic stripe data |
US11113685B2 (en) | 2019-12-23 | 2021-09-07 | Capital One Services, Llc | Card issuing with restricted virtual numbers |
US10657754B1 (en) | 2019-12-23 | 2020-05-19 | Capital One Services, Llc | Contactless card and personal identification system |
US10885410B1 (en) | 2019-12-23 | 2021-01-05 | Capital One Services, Llc | Generating barcodes utilizing cryptographic techniques |
US10733283B1 (en) | 2019-12-23 | 2020-08-04 | Capital One Services, Llc | Secure password generation and management using NFC and contactless smart cards |
US11651361B2 (en) | 2019-12-23 | 2023-05-16 | Capital One Services, Llc | Secure authentication based on passport data stored in a contactless card |
US11615395B2 (en) | 2019-12-23 | 2023-03-28 | Capital One Services, Llc | Authentication for third party digital wallet provisioning |
US10862540B1 (en) | 2019-12-23 | 2020-12-08 | Capital One Services, Llc | Method for mapping NFC field strength and location on mobile devices |
US11200563B2 (en) | 2019-12-24 | 2021-12-14 | Capital One Services, Llc | Account registration using a contactless card |
US10664941B1 (en) | 2019-12-24 | 2020-05-26 | Capital One Services, Llc | Steganographic image encoding of biometric template information on a card |
US10853795B1 (en) | 2019-12-24 | 2020-12-01 | Capital One Services, Llc | Secure authentication based on identity data stored in a contactless card |
US10909544B1 (en) | 2019-12-26 | 2021-02-02 | Capital One Services, Llc | Accessing and utilizing multiple loyalty point accounts |
US10757574B1 (en) | 2019-12-26 | 2020-08-25 | Capital One Services, Llc | Multi-factor authentication providing a credential via a contactless card for secure messaging |
US11038688B1 (en) | 2019-12-30 | 2021-06-15 | Capital One Services, Llc | Techniques to control applets for contactless cards |
US11455620B2 (en) | 2019-12-31 | 2022-09-27 | Capital One Services, Llc | Tapping a contactless card to a computing device to provision a virtual number |
US10860914B1 (en) | 2019-12-31 | 2020-12-08 | Capital One Services, Llc | Contactless card and method of assembly |
US11210656B2 (en) | 2020-04-13 | 2021-12-28 | Capital One Services, Llc | Determining specific terms for contactless card activation |
US11823175B2 (en) | 2020-04-30 | 2023-11-21 | Capital One Services, Llc | Intelligent card unlock |
US11562346B2 (en) | 2020-04-30 | 2023-01-24 | Capital One Services, Llc | Contactless card with multiple rotating security keys |
US11030339B1 (en) | 2020-04-30 | 2021-06-08 | Capital One Services, Llc | Systems and methods for data access control of personal user data using a short-range transceiver |
US10861006B1 (en) | 2020-04-30 | 2020-12-08 | Capital One Services, Llc | Systems and methods for data access control using a short-range transceiver |
US11222342B2 (en) | 2020-04-30 | 2022-01-11 | Capital One Services, Llc | Accurate images in graphical user interfaces to enable data transfer |
US10915888B1 (en) | 2020-04-30 | 2021-02-09 | Capital One Services, Llc | Contactless card with multiple rotating security keys |
US11270291B2 (en) | 2020-04-30 | 2022-03-08 | Capital One Services, Llc | Systems and methods for data access control using a short-range transceiver |
US10963865B1 (en) | 2020-05-12 | 2021-03-30 | Capital One Services, Llc | Augmented reality card activation experience |
US11063979B1 (en) | 2020-05-18 | 2021-07-13 | Capital One Services, Llc | Enabling communications between applications in a mobile operating system |
US11100511B1 (en) | 2020-05-18 | 2021-08-24 | Capital One Services, Llc | Application-based point of sale system in mobile operating systems |
US11062098B1 (en) | 2020-08-11 | 2021-07-13 | Capital One Services, Llc | Augmented reality information display and interaction via NFC based authentication |
US11165586B1 (en) | 2020-10-30 | 2021-11-02 | Capital One Services, Llc | Call center web-based authentication using a contactless card |
US11482312B2 (en) | 2020-10-30 | 2022-10-25 | Capital One Services, Llc | Secure verification of medical status using a contactless card |
US11373169B2 (en) | 2020-11-03 | 2022-06-28 | Capital One Services, Llc | Web-based activation of contactless cards |
US11216799B1 (en) | 2021-01-04 | 2022-01-04 | Capital One Services, Llc | Secure generation of one-time passcodes using a contactless card |
US11682012B2 (en) | 2021-01-27 | 2023-06-20 | Capital One Services, Llc | Contactless delivery systems and methods |
US11687930B2 (en) | 2021-01-28 | 2023-06-27 | Capital One Services, Llc | Systems and methods for authentication of access tokens |
US11922417B2 (en) | 2021-01-28 | 2024-03-05 | Capital One Services, Llc | Systems and methods for near field contactless card communication and cryptographic authentication |
US11562358B2 (en) | 2021-01-28 | 2023-01-24 | Capital One Services, Llc | Systems and methods for near field contactless card communication and cryptographic authentication |
US11792001B2 (en) | 2021-01-28 | 2023-10-17 | Capital One Services, Llc | Systems and methods for secure reprovisioning |
US11438329B2 (en) | 2021-01-29 | 2022-09-06 | Capital One Services, Llc | Systems and methods for authenticated peer-to-peer data transfer using resource locators |
US11777933B2 (en) | 2021-02-03 | 2023-10-03 | Capital One Services, Llc | URL-based authentication for payment cards |
US11637826B2 (en) | 2021-02-24 | 2023-04-25 | Capital One Services, Llc | Establishing authentication persistence |
US20220311475A1 (en) | 2021-03-26 | 2022-09-29 | Capital One Services, Llc | Network-enabled smart apparatus and systems and methods for activating and provisioning same |
US11245438B1 (en) | 2021-03-26 | 2022-02-08 | Capital One Services, Llc | Network-enabled smart apparatus and systems and methods for activating and provisioning same |
US11848724B2 (en) | 2021-03-26 | 2023-12-19 | Capital One Services, Llc | Network-enabled smart apparatus and systems and methods for activating and provisioning same |
US11935035B2 (en) | 2021-04-20 | 2024-03-19 | Capital One Services, Llc | Techniques to utilize resource locators by a contactless card to perform a sequence of operations |
US11961089B2 (en) | 2021-04-20 | 2024-04-16 | Capital One Services, Llc | On-demand applications to extend web services |
US11902442B2 (en) | 2021-04-22 | 2024-02-13 | Capital One Services, Llc | Secure management of accounts on display devices using a contactless card |
US11354555B1 (en) | 2021-05-04 | 2022-06-07 | Capital One Services, Llc | Methods, mediums, and systems for applying a display to a transaction card |
US11974127B2 (en) | 2021-08-18 | 2024-04-30 | Capital One Services, Llc | Systems and methods for cryptographic authentication of contactless cards |
CN116992419A (zh) * | 2023-09-28 | 2023-11-03 | 江西省信息中心(江西省电子政务网络管理中心、江西省信用中心、江西省大数据中心) | 地图服务共享权限控制方法、系统、电子设备及存储介质 |
CN116992419B (zh) * | 2023-09-28 | 2024-01-02 | 江西省信息中心(江西省电子政务网络管理中心、江西省信用中心、江西省大数据中心) | 地图服务共享权限控制方法、系统、电子设备及存储介质 |
Also Published As
Publication number | Publication date |
---|---|
FR3041195A1 (fr) | 2017-03-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2017042375A1 (fr) | Procédé d'accès à un service en ligne au moyen de jetons d'accès et d'un élément sécurisé limitant l'utilisation de ces jetons d'accès à leur propriétaire légitime | |
WO2017042400A1 (fr) | Procédé d'accès à un service en ligne au moyen de jetons d'accès et d'éléments sécurisés limitant l'utilisation de ces jetons d'accès à leur propriétaire légitime | |
US10929524B2 (en) | Method and system for verifying an access request | |
Neuman et al. | The Kerberos network authentication service (V5) | |
KR100962399B1 (ko) | 익명 공개 키 기반구조 제공 방법 및 이를 이용한 서비스제공 방법 | |
US6148404A (en) | Authentication system using authentication information valid one-time | |
US8090939B2 (en) | Digital certificate that indicates a parameter of an associated cryptographic token | |
JP7083892B2 (ja) | デジタル証明書のモバイル認証相互運用性 | |
CA2357792C (fr) | Methode et dispositif pour executer des transactions protegees | |
EP2721764B1 (fr) | État de révocation utilisant d'autres justificatifs | |
US20100268942A1 (en) | Systems and Methods for Using Cryptographic Keys | |
KR20020081269A (ko) | 전자 신원의 발행 방법 | |
US9398024B2 (en) | System and method for reliably authenticating an appliance | |
Neuman et al. | RFC 4120: The Kerberos network authentication service (V5) | |
KR101051420B1 (ko) | 안전 otp 생성 장치 및 방법 | |
Stapleton et al. | Security Without Obscurity: A Guide to PKI Operations | |
EP2530868A1 (fr) | Procédé pour générer un jeton d'identification anonyme ne pouvant être lié et pouvant être acheminé | |
KR20020086030A (ko) | 개인식별정보를 포함하는 공개키 인증서를 이용한 사용자인증 방법 및 시스템 | |
Srinivas et al. | FIDO UAF architectural overview | |
Costa | Reducing fraud in authentication systems using attribute certificates | |
do Vale | Remote Qualified Digital Signatures | |
Alrodhan | Privacy and practicality of identity management systems | |
Wiesmaier | Johannes A. Buchmann· Evangelos Karatsiolis | |
Maeda et al. | Mutual Authentication Protocol for HTTP draft-ietf-httpauth-mutual-03 | |
Raeburn | Network working group c. neuman request for comments: 4120 USC-ISI obsoletes: 1510 t. Yu category: Standards track s. hartman |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 16778997 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 16778997 Country of ref document: EP Kind code of ref document: A1 |