WO2018010957A1 - Method for providing an enhanced level of authentication related to a secure software client application provided by an application distribution entity in order to be transmitted to a client computing device; system, application distribution entity, software client application, and client computing device for providing an enhanced level of authentication related to a secure software client application, program and computer program product


Publication number
WO2018010957A1
Authority
WO
WIPO (PCT)
Prior art keywords
computing device
client application
client computing
entity
software
Application number
PCT/EP2017/065931
Other languages
English (en)
Inventor
Matthias FRIELINGSDORF
Volker Schenk
Original Assignee
Deutsche Telekom Ag
Application filed by Deutsche Telekom Ag

Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 - Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 - User authentication
    • G06F21/33 - User authentication using certificates

Definitions

  • Method for providing an enhanced level of authentication related to a secure software client application provided by an application distribution entity in order to be transmitted to a client computing device system, application distribution entity, software client application, and client computing device for providing an enhanced level of authentication related to a secure software client application, program and computer program product
  • the present invention relates to a method for providing an enhanced level of authentication related to a secure software client application that is provided, by an application distribution entity, in order to be transmitted, using a telecommunications network, to a client computing device in view of software code of the software client application being executed by the client computing device, wherein a first secure communication channel is established - in view of transmitting an instance of the software client application to the client computing device - between the client computing device and the application distribution entity, and wherein a second secure
  • the present invention further relates to a system for providing an enhanced level of authentication related to a secure software client application that is provided, by an application distribution entity, in order to be transmitted, using a telecommunications network, to a client computing device in view of software code of the software client application being executed by the client computing device, the system comprising the client computing device, the application distribution entity and a third party server entity.
  • the invention relates to an application distribution entity for providing an enhanced level of authentication related to a secure software client application that is provided, by an application distribution entity, in order to be transmitted, using a telecommunications network, to a client computing device in view of software code of the software client application being executed by the client computing device.
  • the invention relates to a software client application instance for providing an enhanced level of authentication related to a secure software client application that is provided, by an application distribution entity, in order to be transmitted, using a telecommunications network, to a client computing device in view of software code of the software client application being executed by the client computing device.
  • the present invention relates to a client computing device for providing an enhanced level of authentication related to a secure software client application that is provided, by an application distribution entity, in order to be transmitted, using a telecommunications network, to a client computing device in view of software code of the software client application being executed by the client computing device.
  • the invention relates to a program comprising a computer readable program code and to a computer program product for providing an enhanced level of authentication related to a secure software client application provided by an application distribution entity.
  • client devices such as desktop computers, or mobile computers such as tablets, mobile phones or the like
  • download stores or application stores. It is known to provide application stores such that the downloaded software is at least adapted to the client device class, i.e. a different version of the software could be downloaded dependent on whether the requesting client device is, e.g., a phone device or a tablet device.
  • An object of the present invention is to provide a cost effective and
  • the object of the present invention is achieved by a method for providing an enhanced level of authentication related to a secure software client application that is provided, by an application distribution entity, in order to be transmitted, using a telecommunications network, to a client computing device in view of software code of the software client application being executed by the client computing device,
  • a first secure communication channel is established - in view of transmitting an instance of the software client application to the client computing device - between the client computing device and the application distribution entity, and wherein a second secure communication channel is established between the application distribution entity and a third party server entity,
  • an asymmetric pair of cryptographic keys is generated in view of subsequently allowing for an authenticated transmission of data - provided by the software client application instance upon it being executed by the client computing device - to the third party server entity, the asymmetric pair of cryptographic keys comprising a specific private cryptographic key and a specific public cryptographic key,
  • the specific public cryptographic key is transmitted to the third party server entity using the second secure communication channel.
  • a software client application can be authenticated - i.e. provided with an enhanced level of authentication related to the software client application - (and thereby rendered more secure compared to a non-authenticated software client application) in an automated manner by means of the application distribution entity transmitting, to the client computing device, at least either (i.e. according to a first variant of the present invention) the software client application instance as well as the specific private cryptographic key using the first secure communication channel, or (i.e.
  • the software client application instance as well as the specific private cryptographic key and the specific public cryptographic key using the first secure communication channel, wherein in both the first and second variant according to the present invention, the specific private cryptographic key and the specific public cryptographic key are generated as an asymmetric pair of cryptographic keys, wherein this pair of cryptographic keys is generated in view of subsequently (i.e. after the software client application instance being transmitted to the client computing device) allowing for an authenticated transmission of data - provided or generated by the software client application instance upon it being executed by the client computing device - to the third party server entity.
  • the specific public cryptographic key is transmitted to the third party server entity using the second secure communication channel; this transmission (of the specific public cryptographic key to the third party server entity) either occurs (as a separate transmission) prior to or during or after the transmission of at least either the software client application instance as well as the specific private cryptographic key (first variant according to the present invention), or the software client application instance as well as the specific private cryptographic key and the specific public cryptographic key (second variant according to the present invention).
  • a cryptographically strong authentication of the client computing device and/or of the software client application instance. For each software client application instance that is executed on the client computing device and for which the method according to the present invention is used, a client certificate or client secret is present, on the client computing device and/or within the software client application instance, by means of which a mutual authentication of the communication channel between the software client application instance (and/or the respective client computing device), on the one hand, and the third party server entity (especially by means of conventionally used server certificates), on the other hand, is possible.
  • the data exchanged or transmitted) between the software client application instances of the client computing device and the third party server entity especially relating to data generated or provided by such a secure software client application, such as, e.g., medical data, bank relating data or the like.
  • data exchanged between especially the software client application instance and the third party server entity should preferably be transmitted in a protected manner, especially regarding confidentiality and/or integrity and/or originality and/or non-repudiation.
  • the third party server entity corresponds, e.g., to an application server, i.e. providing the server component of the software client application (instance) on the client computing device.
  • server entities or third party server entities
  • server certificates i.e. the servers are authenticated towards the software client applications.
  • the software client applications do not have a certificate typically used with a version of the TLS protocol family and, thus, the respective servers are typically not able to authenticate the software client applications in an easy and intuitive (for a user of the software client application) manner, in a comparatively cheap and/or comparatively fast manner, without requiring user interaction (or, at least, without requiring extensive user interaction) and especially automatically.
  • Known authentication techniques involve, e.g., using a separate channel, transmission of data per snail mail, the use of credentials (such as, e.g., user name and password), other authentication techniques such as the use of OAuth-tokens; however, such techniques typically require a registration process step of the user, hence (perhaps unintuitive) user interaction.
  • An alternative consists in transmitting a secret as part of the software client application.
  • conventionally such secrets are typically not individual to each software client application instance; this means that two client computing devices, having the same software client application (while, of course, having different instances of the (same) software client application), would have the same secret - hence, an attacker able to retrieve that secret (common to all such instances of the software client application) would be able to eavesdrop on the communication between the software client application instances and the respective server, and could also make the respective server believe being a software client application instance of that kind (impersonation).
  • a pair of cryptographic keys is generated, and the (specific) private cryptographic key transmitted using a secure communication channel (i.e.
  • the first secure communication channel between the application distribution entity and the software client application instance (i.e. the client computing device).
  • This secure communication channel is typically provided by the application distribution entity, i.e. typically by the application store or app store.
  • This binding of the pair of cryptographic keys to the software client application instance also ensures that multiple requests to provide or to issue a client certificate do not result in providing a plurality of pairs of cryptographic keys: typically, the application distribution entity ensures that each client computing device is able to download each software client application only once (of course, the download of updates is normally allowed).
  • the client i.e. the software client application instance within the client computing device
  • an application-specific client certificate providing the possibility of a cryptographically strong authentication of the client with regard to the third party server entity (and vice versa using the server certificate), e.g. by means of using TLS with mutual authentication.
  • the method according to the present invention is independent from which specific protocol is used and which secure communication channel is used; other protocols than TLS, and also the use of a VPN (Virtual Private Network) channel is possible.
  • the cryptographically strong authentication of the client i.e. the software client application instance and/or the client computing device
  • a request (or transmitted data) received at the third party server entity is able to be unequivocally assigned to a specific software client application instance (and hence typically a person), or - especially in case of anonymous usage - that at least no fabricated data are received.
  • An example of the latter situation might refer to a software client application that anonymously collects medical data, e.g. for a medical survey:
  • the use of a client certificate that is individual to the software client application instance limits the motivation of an attacker and also the potential damage: In case that an attacker is able to successfully retrieve the specific private cryptographic key, the use, according to the present invention, of an instance-specific client certificate (i.e. specific to each software client application instance) also means that the attacker is only able to use this specific client certificate, i.e. with respect to this specific software client application instance; in order to use another software client application instance, the corresponding other client certificate would need to be retrieved.
  • the generation of the pair of cryptographic keys is typically performed on a backend side (typically either at the application distribution entity or at the third party server entity, or at a trusted entity)
  • the developer of the software client application or the operator of the application distribution entity
  • the developer of the software client application is able to use a comparatively high cryptographic quality of the generated cryptographic keys; typically, at a backend side, more resources, especially concerning processing power, high-quality random number generators, etc., are available.
  • a unique identity information is assigned to the software client application instance, the identity information being specific to the software client application instance or to the combination of the software client application instance and the client computing device,
  • the identity information is additionally transmitted to the client computing device using the first secure communication channel, and furthermore
  • the identity information or the mutual assignment of the specific public cryptographic key to the identity information is transmitted to the third party server entity using the second secure communication channel.
  • the identity information is additionally transmitted to the client computing device using the first secure communication channel (i.e. the identity information is transmitted additionally to the software client application instance as well as the specific private cryptographic key).
  • the identity information is additionally transmitted to the client computing device using the first secure communication channel (i.e. the identity information is transmitted additionally to the software client application instance as well as the specific private cryptographic key and the specific public cryptographic key).
  • at least one of the identity information and the mutual assignment of the specific public cryptographic key to the identity information is (or are) transmitted to the third party server entity using the second secure communication channel.
  • a unique identity information is assigned to the software client application instance
  • the identity information especially being specific to the software client application instance or to the combination of the software client application instance and the client computing device,
  • a trusted entity having a further private cryptographic key, is used as certification authority such that a combination of, on the one hand, the identity information of the software client application instance, and, on the other hand, the specific public cryptographic key, is cryptographically signed using the further private cryptographic key of the trusted entity and thereby a client application certificate information obtained, the client application certificate information being specific to the software client application instance, wherein during the second step,
  • the client application certificate information is additionally transmitted to the client computing device using the first secure communication channel, and furthermore — at least one out of the group comprising the identity information, the mutual assignment of the specific public cryptographic key to the identity information, and the client application certificate information is transmitted to the third party server entity using the second secure communication channel.
  • the client application certificate information is obtained using a cryptographic signature operation (typically performed on a piece of data, such as both the identity information and the specific public cryptographic key itself or the result of a hashing operation performed on the identity information and the specific public cryptographic key (i.e. applying a hash operation to the combination of the identity information and the specific public cryptographic key)) using the further private cryptographic key to produce a digital signature of the combination of the identity information and the specific public cryptographic key, i.e. the client application certificate information; this means that thereafter, it is possible to verify this signature (i.e.
  • the client application certificate information by performing a cryptographic operation with the specific public key on the signature obtained (i.e. the client application certificate information) with the (further) public cryptographic key of the trusted entity (and, if applicable, applying the hashing operation prior to this decryption operation).
  • the further private cryptographic key is the private cryptographic key of the trusted entity used as certification authority, i.e. the trusted entity generates the client application certificate information.
  • the client application certificate information is additionally transmitted to the client computing device using the first secure communication channel (i.e. the client application certificate information is transmitted additionally to the software client application instance as well as the specific private cryptographic key).
  • the client application certificate information is additionally transmitted to the client computing device using the first secure communication channel (i.e. the client application certificate information is transmitted additionally to the software client application instance as well as the specific private cryptographic key and the specific public cryptographic key).
  • the client application certificate information is (or are) transmitted to the third party server entity using the second secure communication channel.
  • a server certificate is additionally transmitted to the client computing device, using the first secure communication channel.
  • the software client application instance itself i.e. without the additional pieces of information
  • the software client application instance itself might be (but does not need to be) provided in an un-individualized manner, i.e. being related to an information content representing, e.g., code executable on the client computing device, such code being, if applicable (but not necessarily), specific to the device class of the client computing device but not (individually) specific to the client computing device itself, i.e. individually to the client computing device.
  • the additional pieces of information provide for an individualization of the whole of the software client application instance on the one hand, and the additional pieces of information on the other hand.
  • the whole of the software client application instance and the additional pieces of information is also called application instance package.
  • the additional pieces of information are transmitted to the client computing device either separately from the software client application instance (e.g. as separate "files" or transmission content representing or being able to represent "files"; e.g. the software client application instance could be transmitted initially, and the (or part of the) additional pieces of information transmitted in a subsequent step or in a plurality of subsequent steps) or while transmitting the software client application instance (especially as part of the application instance package, e.g.
  • client application data generated by and/or involving the software client application instance are transmitted, from the client computing device, to the third party server entity and/or to a further client computing device and/or to a further software client application instance.
  • the software client application instance together with at least the specific private cryptographic key is used to securely communicate with the application distribution entity and/or with the trusted entity and/or with the third party server entity and/or with a further client computing device and/or with a further software client application instance.
  • any data generated and/or transmitted by the software client application instance (and received by the third party server entity and/or any other server entity or device (such as a further client computing device and/or a further software client application instance)) can be authenticated and hence its confidentiality, integrity and/or plausibility verified.
  • the client application certificate information is
  • the unique identity information is an anonymous information or a pseudonymous information or an information identifying the user of the software client application instance, and wherein - in case of the unique identity information being anonymous information - especially the unique identity information is independent from an identification of either the software client application instance and/or the software client application and/or the client computing device and/or the user of the client computing device (as in this case otherwise that data might be misused to break the intended anonymity).
  • the application distribution entity is an application store, wherein especially the trusted entity is identical to the third party server entity.
  • the present invention relates to a system for providing an enhanced level of authentication related to a secure software client application that is provided, by an application distribution entity, in order to be transmitted, using a telecommunications network, to a client computing device in view of software code of the software client application being executed by the client computing device, the system comprising the client computing device, the application distribution entity and a third party server entity,
  • system is configured such that a first secure communication channel is established - in view of transmitting an instance of the software client application to the client computing device - between the client computing device and the application distribution entity, and wherein a second secure communication channel is established between the application distribution entity and the third party server entity,
  • system is furthermore configured such that:
  • an asymmetric pair of cryptographic keys is generated in view of subsequently allowing for an authenticated transmission of data - provided by the software client application instance upon it being executed by the client computing device - to the third party server entity, the asymmetric pair of cryptographic keys comprising a specific private cryptographic key and a specific public cryptographic key,
  • the present invention relates to an application distribution entity for providing an enhanced level of authentication related to a secure software client application that is provided, by an application distribution entity, in order to be transmitted, using a telecommunications network, to a client computing device in view of software code of the software client application being executed by the client computing device, wherein the application distribution entity is configured such that a first secure communication channel is established - in view of transmitting an instance of the software client application to the client computing device - between the client computing device and the application distribution entity, and wherein a second secure
  • application distribution entity is furthermore configured such that:
  • an asymmetric pair of cryptographic keys is generated in view of subsequently allowing for an authenticated transmission of data - provided by the software client application instance upon it being executed by the client computing device - to the third party server entity, the asymmetric pair of cryptographic keys comprising a specific private cryptographic key and a specific public cryptographic key,
  • the present invention relates to a software client application instance for providing an enhanced level of authentication related to a secure software client application that is provided, by an application distribution entity, in order to be transmitted, using a telecommunications network, to a client computing device in view of software code of the software client application being executed by the client computing device,
  • the software client application instance is configured such that a first secure communication channel is established - in view of transmitting an instance of the software client application to the client computing device - between the client computing device and the application distribution entity, and wherein a second secure
  • the software client application instance is furthermore configured such that: — an asymmetric pair of cryptographic keys is generated in view of subsequently allowing for an authenticated transmission of data - provided by the software client application instance upon it being executed by the client computing device - to the third party server entity, the asymmetric pair of cryptographic keys comprising a specific private cryptographic key and a specific public cryptographic key,
  • the present invention relates to a client computing device for providing an enhanced level of authentication related to a secure software client application that is provided, by an application distribution entity, in order to be transmitted, using a telecommunications network, to a client computing device in view of software code of the software client application being executed by the client computing device, wherein the client computing device is configured such that a first secure communication channel is established - in view of transmitting an instance of the software client application to the client computing device - between the client computing device and the application distribution entity, and wherein a second secure communication channel is established between the application distribution entity and a third party server entity, wherein the client computing device is furthermore configured such that:
  • an asymmetric pair of cryptographic keys is generated in view of subsequently allowing for an authenticated transmission of data - provided by the software client application instance upon it being executed by the client computing device - to the third party server entity, the asymmetric pair of cryptographic keys comprising a specific private cryptographic key and a specific public cryptographic key,
  • the present invention relates to a program comprising a computer readable program code which, when executed on a computer or on a client computing device or as part of a software client application instance or on an application distribution entity or on a trusted entity, or in part on a client computing device and/or in part as part of a software client application instance and/or in part on an application distribution entity and/or in part on a trusted entity, causes the computer and/or the client computing device and/or the software client application instance and/or the application distribution entity and/or the trusted entity to perform an inventive method.
  • the present invention relates to a computer program product for providing an enhanced level of authentication related to a secure software client application provided by an application distribution entity
  • the computer program product comprising a computer program stored on a storage medium, the computer program comprising program code which, when executed on a computer or on a client computing device or as part of a software client application instance or on an application distribution entity or on a trusted entity, or in part on a client computing device and/or in part as part of a software client application instance and/or in part on an application distribution entity and/or in part on a trusted entity, causes the computer and/or the client computing device and/or the software client application instance and/or the application distribution entity and/or the trusted entity to perform an inventive method.
  • Figure 1 schematically illustrates an exemplary system and situation according to the present invention where a mobile communication network - with a user equipment connected to the mobile communication network - is connected to an application distribution entity, and the application distribution entity is able to exchange information with a trusted entity and/or with a third party server entity.
  • Figure 2 schematically illustrates a communication diagram related to a first example of the invention.
  • Figure 3 schematically illustrates a communication diagram related to further examples of the invention.
  • In FIG. 1, a system for realizing the present invention is schematically shown, the system comprising a telecommunications network 100, especially a mobile communication network 100, and especially a public land mobile network 100.
  • the telecommunications network 100 is connected to a user equipment 20 that is also referred to as a client computing device 20.
  • the system furthermore also comprises an application distribution entity 200, a trusted entity 300, and a third party server entity 400.
  • a software client application instance 121 is transmitted to the client computing device 20, i.e. after this transmission, the client computing device 20 comprises the software client application instance 121.
  • a client application certificate information 321 is transmitted to the client computing device 20; this is specifically represented in Figure 1.
  • the communication between the client computing device 20 and the third party server entity 400 is to be secured by means of not only relying on the use of a (comparatively high level) server certificate but also using a kind of (comparatively high level) client certificate.
  • the third party server entity 400 corresponds, e.g., to an application server, i.e. providing the server component of the software client application (instance) on the client computing device 20.
  • In FIG. 2, a communication diagram relating to a first example of the present invention is schematically represented.
  • the communication diagram involves the client computing device 20, the application distribution entity 200, the trusted entity 300 and the third party server entity 400.
  • a request is transmitted from the client computing device 20 to the application distribution entity 200 to transmit a software client application, i.e. to install the software client application on the client computing device 20.
  • the application distribution entity 200 typically distributes a multitude of different software client applications to a multitude of different client computing devices, e.g. as an app store or the like.
  • an instance of the software client application, i.e. a software client application instance, is able to be provided by the application distribution entity 200.
  • In a second processing step 202, the application distribution entity 200 requests, from the trusted entity 300, to generate a pair of cryptographic keys, comprising a specific private cryptographic key 222 and a specific public cryptographic key 223.
  • After the trusted entity 300 has generated the pair of cryptographic keys 222, 223 (corresponding to the first step of the inventive method), these are transmitted to the application distribution entity 200 in a third processing step 203.
  • the software client application instance 121 and the specific private cryptographic key 222 are transmitted to the client computing device 20, especially as an application instance package 121', and in a fifth processing step 205, the specific public cryptographic key 223 is transmitted to the third party server entity 400 (thereby realizing the second step of the inventive method).
  • In FIG. 3, a communication diagram relating to further examples of the invention is schematically shown.
  • the communication diagram again involves the client computing device 20, the application distribution entity 200, the trusted entity 300 and the third party server entity 400.
  • a request is transmitted from the client computing device 20 to the application distribution entity 200 to transmit a software client application, i.e. to install the software client application on the client computing device 20.
  • an instance of the software client application, i.e. a software client application instance, is able to be provided by the application distribution entity 200.
  • a unique identity information 221 is generated and/or assigned to an instance of the software client application to be transmitted to the requesting client computing device 20.
  • the identity information 221 is specific to the software client application instance 121 or to the combination of the software client application instance 121 and the client computing device 20.
  • the application distribution entity 200 requests, from the trusted entity 300, to generate a pair of cryptographic keys, comprising a specific private cryptographic key 222 and a specific public cryptographic key 223, and typically transmits the identity information 221 to the trusted entity 300.
  • in a fourth step of the inventive method, subsequent to the first step and prior to the second step, the trusted entity 300, having a further private cryptographic key 322, is used as a certification authority such that a combination of, on the one hand, the identity information 221 of the software client application instance 121, and, on the other hand, the specific public cryptographic key 223, is cryptographically signed using the further private cryptographic key 322 of the trusted entity 300 and thereby a client application certificate information 321 is obtained, wherein the client application certificate information 321 is specific to the software client application instance 121.
  • a server certificate 423 of the third party server entity 400 is transmitted to the trusted entity 300. After the trusted entity 300 has generated the pair of cryptographic keys 222, 223 (corresponding to the first step of the inventive method) and the client application certificate information 321, these are transmitted to the application distribution entity 200 in a third processing step 203.
  • the first secure communication channel is used, i.e. the secure communication channel that is also used, by the application distribution entity 200, to distribute the software client applications (i.e. the software client application instances).
  • mechanisms of the application distribution entity 200 i.e. of the app store
  • can assure that only one copy of an app i.e. one software client application instance
  • an additional step according to the method of the present invention might consist of transmitting the server certificate 423 to the client computing device 20 that the software client application instance 121 might use to perform a better or more secure verification or authentication of the server side, e.g. by means of storing the server certificate, and, during verification in the context of the TLS connection setup, only allowing this server certificate as a valid certificate (in an
  • the app installer i.e. a component of the operating system of the client computing device 20, used to install new software client application instances
  • the additional pieces of information i.e. the application certificate, i.e. especially the specific private cryptographic key 222, and/or the specific public cryptographic key 223 and/or the identity information
  • the client application certificate information 321 and/or the server certificate 423 (without the private key of the server certificate 423)) at an appropriate location within the client computing device 20, e.g. private keys in an iOS keychain and/or by means of using the Android API (application programming interface) of the keychain.
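The Figure 3 flow described above (specific key pair 222/223, identity information 221, client application certificate information 321 signed with the further private key 322), as an added Go example that is not code from the patent. Ed25519, the certificate byte layout, the names `Issue` and `ServerAccepts`, and the server-side verification order are assumptions, since the page names no algorithm or encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ClientAppCert models client application certificate information 321:
// identity information 221 bound to the specific public key 223 and signed
// with the trusted entity's further private key 322. Field layout is assumed.
type ClientAppCert struct {
	Identity  string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// certPayload is the byte string the trusted entity signs (assumed encoding:
// 2-byte identity length, identity, raw public key).
func certPayload(id string, pub ed25519.PublicKey) []byte {
	b := []byte{byte(len(id) >> 8), byte(len(id))}
	b = append(b, id...)
	return append(b, pub...)
}

// Issue is the trusted entity's part: generate the specific key pair
// (222/223) and certify identity + public key with its CA key (322).
func Issue(caPriv ed25519.PrivateKey, id string) (ed25519.PrivateKey, ClientAppCert, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, ClientAppCert{}, err
	}
	sig := ed25519.Sign(caPriv, certPayload(id, pub))
	return priv, ClientAppCert{Identity: id, PublicKey: pub, Signature: sig}, nil
}

// ServerAccepts is an assumed check on the third party server entity 400:
// the certificate must verify under the trusted entity's public key, and the
// data must be signed by the key that certificate binds to the identity.
func ServerAccepts(caPub ed25519.PublicKey, cert ClientAppCert, data, dataSig []byte) bool {
	if len(cert.PublicKey) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a wrong-sized key
	}
	if !ed25519.Verify(caPub, certPayload(cert.Identity, cert.PublicKey), cert.Signature) {
		return false
	}
	return ed25519.Verify(cert.PublicKey, data, dataSig)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader) // trusted entity 300
	priv, cert, _ := Issue(caPriv, "instance-0001")      // constructed identity 221
	msg := []byte("data from instance 121")
	sig := ed25519.Sign(priv, msg) // signed on client computing device 20
	fmt.Println("genuine:", ServerAccepts(caPub, cert, msg, sig))
	cert.Identity = "instance-9999" // identity altered after issuance
	fmt.Println("altered identity:", ServerAccepts(caPub, cert, msg, sig))
}
```

Because the signature covers identity and public key together, changing either one after issuance makes the certificate check fail before the data signature is even examined.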

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to a method for providing an enhanced level of authentication related to a secure software client application that is provided, by an application distribution entity, in order to be transmitted, using a telecommunications network, to a client computing device in view of the software code of the software client application being executed by the client computing device, wherein a first secure communication channel is established - in view of the transmission of an instance of the software client application to the client computing device - between the client computing device and the application distribution entity, and wherein a second secure communication channel is established between the application distribution entity and a third party server entity, the method comprising the following steps: in a first step, an asymmetric pair of cryptographic keys is generated in view of subsequently allowing for an authenticated transmission of data - provided by the software client application instance upon it being executed by the client computing device - to the third party server entity, the asymmetric pair of cryptographic keys comprising a specific private cryptographic key and a specific public cryptographic key; in a second step, subsequent to the first step, either the software client application instance together with the specific private cryptographic key, or the software client application instance together with the specific private cryptographic key and the specific public cryptographic key, is transmitted to the client computing device using the first secure communication channel, and the specific public cryptographic key is transmitted to the third party server entity using the second secure communication channel.
PCT/EP2017/065931 2016-07-12 2017-06-27 Method for providing an enhanced level of authentication related to a secure software client application provided by an application distribution entity in order to be transmitted to a client computing device; system, software application distribution entity, software client application and client computing device for providing an enhanced level of authentication related to a secure software client application, program and computer program product WO2018010957A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP16179012 2016-07-12
EP16179012.6 2016-07-12

Publications (1)

Publication Number Publication Date
WO2018010957A1 true WO2018010957A1 (fr) 2018-01-18

Family

ID=56409520

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2017/065931 WO2018010957A1 (fr) 2016-07-12 2017-06-27 Method for providing an enhanced level of authentication related to a secure software client application provided by an application distribution entity in order to be transmitted to a client computing device; system, software application distribution entity, software client application and client computing device for providing an enhanced level of authentication related to a secure software client application, program and computer program product

Country Status (1)

Country Link
WO (1) WO2018010957A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023179102A1 (fr) * 2022-03-22 2023-09-28 华为技术有限公司 Method for determining trusted identity of application, and management unit and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6748528B1 (en) * 1999-08-30 2004-06-08 International Business Machines Corporation Methods, systems, and computer program products for establishing secured SSL communication sessions
US20050027871A1 (en) * 2003-06-05 2005-02-03 William Bradley Interoperable systems and methods for peer-to-peer service orchestration
US20050154889A1 (en) * 2004-01-08 2005-07-14 International Business Machines Corporation Method and system for a flexible lightweight public-key-based mechanism for the GSS protocol
US20060075242A1 (en) * 2004-10-01 2006-04-06 Selim Aissi System and method for user certificate initiation, distribution, and provisioning in converged WLAN-WWAN interworking networks
US20060195689A1 (en) * 2005-02-28 2006-08-31 Carsten Blecken Authenticated and confidential communication between software components executing in un-trusted environments
US8312518B1 (en) * 2007-09-27 2012-11-13 Avaya Inc. Island of trust in a service-oriented environment
WO2016019106A1 (fr) * 2014-07-31 2016-02-04 Nok Nok Labs, Inc. System and method for establishing trust using secure transmission protocols

Similar Documents

Publication Publication Date Title
US11757662B2 (en) Confidential authentication and provisioning
CN107040369B Data transmission method, apparatus and system
US11368445B2 (en) Local encryption for single sign-on
US9686080B2 (en) System and method to provide secure credential
US11329962B2 (en) Pluggable cipher suite negotiation
US9973481B1 (en) Envelope-based encryption method
CN107040513B Trusted access authentication processing method, user terminal and server
JP2019502286A Key exchange through a partially trusted third party
US10693638B1 (en) Protected cryptographic environment
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
US11190504B1 (en) Certificate-based service authorization
US20130046984A1 (en) Establishing a Secured Communication Session
US9398024B2 (en) System and method for reliably authenticating an appliance
US20190305940A1 (en) Group shareable credentials
Das et al. A decentralized open web cryptographic standard
EP3511852B1 Method for providing an enhanced level of authentication related to a secure software client application provided by an application distribution entity in order to be transmitted to a client computing device, system, software client application instance or client computing device, third party server entity, and program and computer program product
WO2018010957A1 (fr) Method for providing an enhanced level of authentication related to a secure software client application provided by an application distribution entity in order to be transmitted to a client computing device; system, software application distribution entity, software client application and client computing device for providing an enhanced level of authentication related to a secure software client application, program and computer program product
Baka et al. SSL/TLS under lock and key: a guide to understanding SSL/TLS cryptography
CN114503105A Cryptographic services for browser applications
WO2018011775A1 (fr) Method for providing an enhanced level of authentication related to a secure software client application provided by an application distribution entity in order to be transmitted to a client computing device; system, application distribution entity, software client application and client computing device for providing an enhanced level of authentication related to a secure software client application, program and computer program product
EP3512231B1 Method for providing an enhanced level of authentication related to the distribution of a secure software client application; and corresponding system and computer program product.
Chang et al. A dependable storage service system in cloud environment
Corella et al. Strong and convenient multi-factor authentication on mobile devices
Díaz García et al. Multiprotocol Authentication Device for HPC and Cloud Environments Based on Elliptic Curve Cryptography
Moghaddam et al. GD2SA: Geo detection and digital signature authorization for secure accessing to cloud computing environments

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17732931

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17732931

Country of ref document: EP

Kind code of ref document: A1