JP2002505552A - Method and apparatus for ensuring access to services in a communication network - Google Patents

Abstract

SUMMARY The present invention relates to a method for accessing services from any communication terminal to a data communication network, for example, an intelligent network, a personal network, or a mobile wireless network. In this case, it is important that the authentication for obtaining the right to access the desired service is performed by inputting a number sequence. In addition, the present invention relates to an apparatus capable of performing reliable authentication of a user when a service is requested in a communication network.

Description

DETAILED DESCRIPTION OF THE INVENTION

The present invention relates to a method for guaranteeing access from any communication terminal device to a service via a communication network such as a personal network, an intelligent network or a mobile radio network, in which case the requirements are Access to the desired service has been authenticated by entering a number sequence. In addition, the present invention relates to an apparatus that enables reliable authentication of a user when requesting a service in a communication network.

[0002] The intelligent network IN is an architecture that enables a communication network to provide services to subscribers of the network. These value-added services, which are also referred to as such, provide those involved in the network with the opportunity to differentiate from the competition and develop additional resources.

In order to be able to provide value-added services in an intelligent network, a network worker must have at least one central office in the network.
Service control base). The central department stores information necessary for implementing the service (storage of the service program, transfer to the responsible network station, etc.). This central office is also referred to as the execution office.

In this case, the subscriber of the communication network can request a new service of interest. For example, one of the known services is a so-called “credit card calling”. This service allows the caller to settle the charge for the call via a credit card. At this time, a personal identification number (PIN) is required in addition to the credit card number in order to establish the access right to the above-mentioned service in order to prevent abuse due to loss of the credit card, for example. .

In the case of other services, for example, mobile communication networks, personal networks,
Or similar access protection exists or is conceivable, such as in a personal virtual network.

In all these cases, the number code to be authenticated is entered via the keyboard of the terminal device and transmitted transparently (ie in optical text) via the transmission line or the switching point of the communication network. Is done.

In this case, the following two possibilities are considered for eavesdropping on the access code.

[0008] a) eavesdropping of the personal identification number PIN by monitoring the user at the time of inputting via the keyboard of the terminal device, b) personal identification number PIN at the time of data transmission between the terminal device and the central department in charge It is an object of the present invention to provide means for more securely and reliably establishing access to a service in a communication network.

The object is achieved by the invention according to the characterizing part of claim 1.

In this method, the following steps are taken.

To guarantee access, after a unique number sequence is input, encryption is performed by an encryption function or a mathematical one-way function (Einwegfunkution) known to those skilled in the art. The one-way function is a mathematical function f (x) = y, where y can be easily calculated. On the other hand, the calculation from y to x is very complicated and not always unique. In doing so, the further parameters are encrypted together, which are changed with each new entry of the number sequence. Thereby any new encryption process provides a new result. This is then coded directly for each protocol together with the variable parameters or in a number sequence, possibly transmitted in a multi-frequency dialing tone manner via the switching office to the central office. . The transmission in that case is performed in the same manner as the conventional authentication method.

In the central office, the transmitted number sequence is evaluated,
One result is calculated from a known one-way function, an estimated personal identification number, parameters supplied together, and the like, and is compared with the received value.

[0013] Implementation of this authentication scheme is relatively simple. Many more encryption techniques are well known to those skilled in the art. The implementation of the method is only required on the part of the user and the department in charge, and therefore the cost of implementation is low. Existing data banks can easily be expanded with respect to the storage area of access codes already received.

It is clear that the advantage of this method lies in subscriber protection. Users don't need to pay more than with previous approaches. That's because the access code had to be entered before. However, fraudulent subscribers are effectively avoided from talking on their own. Such fraud has been highly potential in the past. This is because there was no prerequisite to ensure that the credit card user was the owner of the credit card when entering the credit card number. That is, the access including the personal identification number was easily achieved by simple observation of the input number. In such a case, the missing data will stop unauthorized use via the encryption scheme used.

[0015] The insertion of one or more variable parameters, for example variable parameters such as information about the point in time of the request, forms an access code guaranteed for eavesdropping. Attempts to eavesdrop on the network (eg on connection lines) are thereby wasted. This is because access codes used repeatedly are rejected from the beginning.

The above-mentioned object is further solved by a device according to the invention.

In this case, a device for encrypting the inputted personal identification number is used. This device requires an input device (keyboard) similar to that of the communication terminal device. In this device, the conversion of the input number sequence is performed by a mathematical one-way function with variable parameters. The result of this calculation, along with the second parameter, is translated in a multi-frequency signaling tone manner and forwarded to the terminal. Transmission is performed from the terminal device to the central office. The central office authenticates the received access code.

This substantial advantage, in addition to the advantages described above, is that the number can already be entered for a relatively long time before actual use. Therefore, at least “theft” by monitoring at least the input of the number is effectively avoided.

Further advantageous embodiments and embodiments of the invention are described in the dependent claims.

The method according to the invention is particularly suitable for certain types of communication networks. Here, first, the architecture of the intelligent network is cited.
In this case, the "credit card calling" service has already been implemented.
The infrastructure required for this method already exists. In addition to personal networks that require a mechanism for external access, a virtual private network VPN that can be realized with the intelligent network IN technique
Also exists. Finally, the method is applicable to a communication network for mobile radio that requires authentication of a device user.

[0021] Many means are conceivable for variable parameters. In the simplest case, a random number is generated each time. The corresponding generating function for this random number is also well known to those skilled in the art. A further possibility is time information, for example the scheduling of arbitrary timestamps into time slots. In such cases, on the other hand,
It is checked whether the access code received by the central office is the current value. In contrast, if the transmitter and the receiver are synchronized in time, the transmission of additional variable parameters is not necessary. According to yet another possibility, a mathematical sequence is formed using the initial value n. In this case, the succeeding number n2 can be obtained from the preceding number n1 by various methods, for example, a sum of fixed values.

Many methods and functions are known to those skilled in the art for encryption. Especially IT
In the X.509 specification and RFC1938 specification of the U recommendation, various complicated and reliable authentication / encryption methods are introduced.

In the X.509 specification of the ITU recommendation, two systems are introduced.

The first relatively simple scheme is satisfied in the encryption process. The one-way function f is applied to one or more variable parameters and the personal identification number PIN, and in some cases is used to extend the strings known in the MFV transmitter and the communication service. The result from the function f (parameter1, [parameter2,...], PIN) is converted into a sequence, which is transferred from the MFV transmitter.

Two-stage encryption is complicated to implement and requires more computational power at the transmitter and receiver, but its security capabilities are significantly higher. In this case, a one-step method as described above is performed as the first encryption step. Subsequently, a second step is performed with a second mathematical algorithm f '(which may be equivalent to the first function f). This result is calculated as follows.

F ′ (Parameter x1 [, Parameter x2,...]], F (Parameter y1 [, Parameter y
2], PIN), PIN) A generalized encryption scheme is defined by the multiplexing of one or various different algorithms, each using an input parameter PIN and an additional variable parameter.

If the result of the encryption is not a numerical sequence of numbers, or cannot be transmitted without MVF tones (like ISDN), the result requires a corresponding translation before transmission.

In the authentication method, the transmitted number code is checked. Thereby, it is determined whether or not the subscriber has a valid access right to the service. Additionally, abuse identification with a legitimate access code to service access is possible.

The authentication may be performed as follows.

An inquiry is made by the central office as to whether the transmitted access code has already been received once within a predetermined time interval, and if it has already been received, the authentication is interrupted without establishing the authentication. .

If not already received, the central office calculates an estimated access code using the same one-way function and the second parameter contained in the received access code, Compare the result with the one received. If the calculated access code matches the received access code, authentication is established, and the subscriber is permitted to access a desired service.

Advantageously, the encryption device is integrated in the communication terminal. This allows the subscriber
There is no need to have a second device that is easily lost. Further, transmission errors from the encryption device to the terminal device are also avoided. The existing MVF tone generator in the terminal device is applicable and can be changed in some cases.

The communication network of the method according to the invention (in particular an intelligent network,
The applicability to personal networks, mobile wireless networks) is diverse. Above all, the billing system is an important factor for both service providers and network subscribers. There is also a huge risk in the case of handling credit cards by telephone. In particular, in cases where a card is lost without being noticed, the actual situation of the damage will become clear only after the next receipt is sent. Here too, very high value is obtained for the service provider and also for the network subscriber at relatively low cost.

Embodiments Next, embodiments of the present invention will be described in detail in the following description with reference to the drawings. In this case, FIG. 1 is a diagram showing a process of forming, transmitting, and authenticating a one-time access code in an intelligent network. FIG. 2 is a diagram showing a one-stage type one-time access code according to the X.509 specification of the ITU recommendation. FIG. 3 is a diagram showing the process of formation, and FIG. 3 is a diagram showing the process of forming a two-stage one-time access code according to the X.509 specification of the ITU recommendation.

FIG. 1 shows a path of an access key PIN from a subscriber to a central office SCP in an intelligent network. After input to the encryption device MFV, the access key PIN is transferred to the terminal device KE using a multi-frequency dialing tone scheme, from which it is transmitted via the communication network to the central office S.
Transferred to CP. After passing through the switching center SSP on this path, the encrypted access code is now transmitted transparently at this point. In this case, the access code may be stolen by eavesdropping. The central office SCP checks this access code based on already known data, for example, data from the data bank DB or the information sent together from the supplied number string. After the calculation of the estimated access code and the comparison with the obtained access code, a response is sent as to the establishment of the validity of the transmitted access code and the presence or absence of the access right of the subscriber.

FIGS. 2 and 3 schematically show the generation of an access code, which is transmitted over a network to a central office. In this case, a symmetric key is required (PIN), which is known on the subscriber side and on the side of the central office performing the authentication. This PIN itself is not transmitted without encryption. Here, two variable parameters are additionally encrypted: time information (Zeit, Zeit ') and a random number. These factors are changed for each authentication step, thereby preventing the reuse of eavesdropping one-time access codes. Unless this component can be automatically derived at the central office, it must be transmitted during authentication. Additional data, such as any text, may be streamed together in forming the one-time access code. These data are known, derivable or additionally transmitted on both sides.
By using the one-way function f (f '), the encrypted access code rpP
IN is formed.

[Brief description of the drawings]

FIG. 1 is a diagram showing a process of forming, transmitting, and authenticating a one-time access code in an intelligent network.

FIG. 2 is a diagram showing a process of forming a one-step type one-time access code according to the X.509 specification of the ITU recommendation.

FIG. 3 is a diagram showing a process of forming a two-stage one-time access code according to the X.509 specification of the ITU recommendation.

[Explanation of symbols]

 f, f 'Mathematical function IN Intelligent network ITU International Telecommunication Union KE Communication terminal PIN Personal identification number rpPIN Reuse protected PIN SCP Service control base SSP Service switching base

[Procedural Amendment] Submission of translation of Article 34 Amendment of the Patent Cooperation Treaty

[Submission date] February 18, 2000 (2000.2.18)

[Procedure amendment 1]

[Document name to be amended] Statement

[Correction target item name] Claims

[Correction method] Change

[Correction contents]

[Claims]

──────────────────────────────────────────────────続 き Continued on the front page F term (reference) 5B085 AE09 AE23 5J104 AA07 BA01 KA01 MA01 NA05 PA01 5K024 AA62 GG01 GG06 GG08

Claims (16)

[Claims] 1. A method for guaranteeing access to a service in a communication network, wherein the access guarantee is performed at a terminal device by inputting a unique number sequence known only to a service user; Wherein the number sequence is supplemented by at least one further variable parameter prior to transmission by the communication network, in a form that is transparently transmitted to the central office via the exchange in the communication network and evaluated there. Encrypted using a generic algorithm (one-way function), the result of the function calculation is transmitted to a central office in charge using a multi-frequency dialing scheme, and authentication is performed in the central office. And how. 2. The method of claim 1, wherein said communication network is an intelligent network. 3. The variable parameter according to claim 1, wherein the variable parameter is time information.
The described method. 4. The method according to claim 1, wherein the variable parameter is a random number. 5. The method according to claim 1, wherein the variable parameter is a sequence of numbers starting from an integer n, wherein n2 following n1 is computed. 6. The method according to claim 1, wherein a one-stage method according to the X.509 specification of the ITU recommendation is used for the method for the encryption. 7. The method according to claim 1, wherein a two-stage method according to the X.509 specification of ITU recommendation is used for the encryption method. 8. The method according to claim 1, wherein a method according to the RFC 1983 specification is used for the encryption method. 9. A hash function is used as the mathematical function used,
A method according to any one of claims 1 to 8. 10. The method according to claim 1, wherein the result of the mathematical function has to be encoded into a number sequence before transmission. 11. The method according to claim 1, wherein the authentication is not established if the encrypted number sequence has already been transmitted once within a predetermined time interval. 12. The encrypted number sequence is transmitted only once within a predetermined time interval, and b) the encrypted number sequence matches the number sequence calculated on the communication service side. 12. The method according to any one of claims 1 to 11, wherein authentication is established in that case. 13. A device in a communication network for using a service provided in a corresponding network, comprising a data communication terminal (KE), wherein the terminal is connected to a user via an input device. To enable the selection of a service and the input of a number sequence for authentication, comprising at least one exchange (SSP), which exchanges service requests and number sequences transparently. Have a central office (SCP) for the network in question,
In a type in which a service request is evaluated and user authentication is performed based on an input number sequence, an encryption device (MVF) is provided, and the encryption device is used for a number sequence (PIN). An input device, a calculation device for calculating the result from the mathematical function (f) and the number sequence, and an output device for transmitting the calculated result as a multi-frequency dialing tone. The input of the sequence takes place in said device, where it is encrypted, and the result of this encryption is transferred to the network via the terminal device in a multi-frequency dialing manner. Authentication procedures must be performed before access to the And wherein the. 14. The apparatus according to claim 13, wherein said communication network is an intelligent network. 15. The apparatus according to claim 13, wherein said communication network is a mobile telephone network. 16. The device according to claim 13, wherein the encryption device is one of components of a data communication terminal device.