[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

WO2010128451A2 - Procédés d'authentification et d'autorisation robustes à plusieurs facteurs et systèmes associés - Google Patents

Procédés d'authentification et d'autorisation robustes à plusieurs facteurs et systèmes associés Download PDF

Info

Publication number
WO2010128451A2
WO2010128451A2 PCT/IB2010/051938 IB2010051938W WO2010128451A2 WO 2010128451 A2 WO2010128451 A2 WO 2010128451A2 IB 2010051938 W IB2010051938 W IB 2010051938W WO 2010128451 A2 WO2010128451 A2 WO 2010128451A2
Authority
WO
WIPO (PCT)
Prior art keywords
user
mobile device
server application
server
user mobile
Prior art date
Application number
PCT/IB2010/051938
Other languages
English (en)
Other versions
WO2010128451A3 (fr
Inventor
Kwok Yan Karch Lam
Jianbin Li
Guisi Wang
Jianping Song
Original Assignee
Privylink Private Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Privylink Private Limited filed Critical Privylink Private Limited
Priority to SG2011080629A priority Critical patent/SG175860A1/en
Publication of WO2010128451A2 publication Critical patent/WO2010128451A2/fr
Publication of WO2010128451A3 publication Critical patent/WO2010128451A3/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/068Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • H04W12/106Packet or message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords

Definitions

  • the present invention relates to strong multi-factor authentication and authorization. More particularly, unique re- sponses comprising a context-based one-time passcode are generated and returned when an out-of-band user computing and communication device is challenged by a server upon receiving an online authentication or authorization request made by the user via a separate communication channel.
  • An online web or client application that exchanges sensitive data between a user and an application server typically requires user authentication and cryptographic data protection.
  • the basic identity authentication scheme requires the user to submit a unique user identifier and passcode to the application host for verification.
  • the passcode is a secret shared only between the user and application host. In actuality, passcodes and other sensitive data can be exposed to impos- ters through the illegitimate use of malicious software such as Trojan horses, as well as phishing and man-in-the-middle attacks .
  • Two-factor authentication schemes have been used to mitigate some security risks. These schemes typically rely upon some standalone devices or mobile text messaging to generate or deliver one-time passcodes which are valid for individual authentication sessions or for short durations of time.
  • a user Upon obtaining the one-time passcode, a user is required to enter and send it to the host server via an online communication channel for verification.
  • the online communication channel connects the host server and the user application from which the logon request has been initiated.
  • One-time passcodes are generated by algorithms and secret parameters known only to the respective users and application server. Two-factor au- thentication using short-lived passcodes makes it more difficult for imposters to gain access to user accounts.
  • the scheme is still vulnerable to Trojan horses, key logging and man-in-the-middle attacks, because the one-time passcodes entered by the users may be intercepted by malwares and illegitimate applications residing within or external to the user computers .
  • a generated private-public key pair can be used to protect sensitive data.
  • the secret user private key is stored in a secure hardware token or a protected file that can be accessed by a web or client application to digitally sign messages and data strings.
  • the matching user public key is kept by the application provider for use to verify the digital signature. The strength of this authentication scheme depends upon how well the user secret private keys are kept from malicious spy programs. Private keys can be exposed and thus vulnerable to illegitimate operations.
  • Muftic discloses in US patent 5,943,423 a smart token system containing storage or processing capability for secure elec- tronic transactions and identification.
  • Holdsworth discloses in US patent 7,412,420 systems and methods for enrolling a token in an online authentication program.
  • the present invention provides innovative methods and systems for robust multi-factor authentication and authorization based upon an out-of-band challenge and response process that derives context-based one-time passcodes.
  • the robust multi- factor authentication and authorization solutions provide inherent immunity to the aforesaid malicious attacks.
  • the present application provides methods and systems for robust multi-factor authentication and authorization.
  • a method of user authentication is provided.
  • an application hosted in a server is in communication with a user computing device via a first communication network and the server application is in further communication with a user mobile device via a second communication network.
  • the authentication method begins with a user sending a login request from the user computing device to the server application.
  • the server application generates and sends a challenge to the user mobile device.
  • the user mobile device then derives a unique response.
  • the user mobile device further derives and displays a context-based one-time passcode (OTP) for use by the user to submit from the user computing device to the server application via the first communication net- work.
  • OTP one-time passcode
  • the server subsequently verifies the received response and context-based OTP against some expected values, and the server application grants the user access right if the verification is positive.
  • the user mobile device may return the derived unique response to the server via the second communication network for verification.
  • the user may initiate the login request and submit the con- text-based OTP through an online web or client application executed on the user computing device.
  • the login request may comprise a unique user identifier and passcode.
  • the user mobile device may de- rive the response by digitally signing the received challenge with a user private cryptographic key typically used in asymmetric cryptography, and the corresponding user public cryptographic key is kept by the server application for verification .
  • the challenge code may be generated in the server application by encrypting a code, which may be a randomly generated string or a randomly generated string combined with a context-based data, with the user public cryptographic key and the response may be computed in the user mobile device by decrypting the challenge with the corresponding user private cryptographic key typically used in asymmetric cryptography.
  • the user private key and associated cryptographic parameters may be stored in a secure module integrated in or with the user mobile device, and without limitation, the secure module may be a digital signal processing module or a smart chip.
  • the user private key and associated cryptographic parameters may be stored in a secure module integrated in or with the user mobile device, and without limitation, the secure module may be a digital signal processing module or a smart chip card interfaced with the user mobile device.
  • the response derivation may be processed by an application executed in the secure module.
  • the user mobile device may derive the context-based OTP by transforming the generated response with a mathematical function known to the server application.
  • the transformation may comprise the step of truncating the generated response.
  • the transformation may com- prise the step of evaluating a digest or summary of the generated response.
  • the user mobile device may be a cellular telephony device capable of exchanging data with the server application via a point-to-point communication protocol such as Short Messaging Services (SMS) .
  • SMS Short Messaging Services
  • a method of transaction authorization is provided.
  • an application hosted in a server is in communication with a user computing device via a first communication network and the server application is in communication with a user mobile device via a second communication network.
  • the transaction authorization method begins with a user submitting some transaction data from the user computing device to the server application.
  • the server application then exam- ines the received transaction data against a set of predetermined criteria.
  • the server application sends a full confirmation page to the user computing device, a transaction summary and a challenge to the mobile device.
  • the user mobile device then computes a unique response to the challenge when instructed by the user after inspecting the received confirmation page and transaction summary displayed on the user computing device and user mobile device respectively.
  • the user mobile device derives and displays a context-based onetime passcode (OTP) for use by the user to submit from the user computing device to the server application via the first communication network, the server verifies the received context-based OTP against some expected values, and the server application authorizes the transaction if the verification is positive .
  • OTP onetime passcode
  • the user mobile device may return the response to the server via the second communication network for verification.
  • the transaction data submission may be provided by an online web or client application executed on the user computing device, with the client application capable of capturing and compiling user entry into a predetermined format readable by the server application .
  • the challenge may be a transac- tion summary and the user mobile device may compute response by signing the received transaction summary with a user private cryptographic key typically used in asymmetric cryptography, and the corresponding user public cryptographic key is kept by the server application for verification.
  • the challenge code may be generated in the server application by encrypting a transaction summary with the user public cryptographic key and the response may be computed in the user mobile device by decrypting the challenge with the corresponding user private cryptographic key typically used in asymmetric cryptography.
  • the user private key and associated cryptographic parameters may be stored in a secure module integrated in or with the user mobile device, and without limitation, the secure module may be a digital signal processing module or a smart chip card interfaced with the user mobile device.
  • the response and context-based OTP derivation may be processed by an application executed in the secure module.
  • the user mobile device may derive the context-based OTP by transforming the generated response with a mathematical function known to the server application.
  • the transformation may comprise the step of truncating the derived response.
  • the transformation may comprise the step of evaluating a digest or summary of the generated response.
  • the server application may notify the user of the verification result by sending specific messages to the user computing and mobile devices .
  • the user mobile device may be a cellular telephony device capable of exchanging data with the server application via a point-to-point communication protocol such as Short Messaging Services (SMS) .
  • SMS Short Messaging Services
  • a system for user authentication and transaction authorization comprises a server hosting a server application which is in communication with a user computing device via a first communication network and the server application is in communication with a user mobile device via a second communication network.
  • the user computing device is used to submit user login request and transaction data to the server appli- cation.
  • the user mobile device is used to derive a unique response upon receiving a challenge from the server application.
  • the user mobile device further derives a context-based one-time passcode (OTP) for the user to submit to the server application by means of an online web or client application executed in the user computing device.
  • OTP one-time passcode
  • the server application verifies the response and context-based OTP against the respective expected values derived using some predetermined algorithms and parameters.
  • the user computing device and user mobile device are used to display transaction confirmation and summary pages respectively for inspection by the user.
  • the server may host a plurality of general and secure database for storing application specific data, and it may interface with other internal and external computing and communication systems for executing tasks that are required by the server application.
  • the user computing device may be desktop or portable computers capable of executing the corresponding web or client application required to provide online access to and exchange data with the server application, and the user computing device supports all the communication protocols re- quired by the server application.
  • the user mobile device may be a cellular telephony device capable of exchanging data with the server application via a point-to-point communication protocol such as Short Messaging Services (SMS) .
  • SMS Short Messaging Services
  • the system may comprise a secure module integrated in or with the user mobile device for securely storing and executing sensitive cryptographic operations associated with digital signing of the transaction data and response derivation, and without limitation, the secure module may be a digital signal processing module or a smart chip card interfaced with the user mobile device.
  • the present invention provides innovative methods and systems for robust multi-factor authentication and authorization with inherent immunity to man-in-the-middle attacks and malwares including Trojan horses, key loggers and other illegitimate spy programs .
  • FIG. 1 illustrates a multi-factor authentication and au- thorization system configured to implement the robust authentication and authorization schemes of the present invention
  • FIG. 2 illustrates a process flow of the user authentica- tion process executed by the multi-factor authentication and authorization system of FIG. 1, and
  • FIG. 3 illustrates a process flow of a transaction authorization process executed by the multi-factor authentication and authorization system of FIG. 1.
  • FIG. 1 shows a multi-factor authentication and authorization system 100 comprising a server 110 hosting a particular server application 115 to be accessed by a person operating a user computing device 130.
  • the user computing device 130 exchanges data with the server 110 via a first communication network 120.
  • the user further operates a user mobile device 150 which exchanges data with the server 110 via a second communication network 140.
  • the server application 115 is accessible only to legitimate users who can be successfully authenticated in a multi-factor authentication process. Successfully authenticated users may proceed to access pre-determined services and data in accordance with the respective access rights of the users among other criteria.
  • the server 110 typically serves a plurality of end users each operating the user computing and mobile devices 130 & 150.
  • the server 110 comprises the necessary hardware and software systems, subsystems and modules for hosting applications that are accessible to legitimate users who can be successfully authenticated. Said server subsystems and modules are application specific and they typically perform core process computation, authentication, data communications with user com- puting and mobile devices 130 & 150.
  • the server 100 may host a plurality of general and secure database for storing application specific data, user identifiers, user passcodes, cryptographic keys and other parameters required for processing challenge-and-response computations .
  • the server 110 may interface with other internal and external computing and communication systems for executing tasks that are required by said server application 115.
  • the user computing device 130 is typically a desktop or portable computing device capable of executing a web or client application required to provide online access to and exchange data with said server application 115.
  • the user computing device 130 supports all the communication protocols required by said server application 115.
  • the user computing device 130 may be a desktop computer, portable computer, personal computer, thin client computer, network computer, personal digital assistant or other types of computing and embedded device that supports said web or client application 115 as well as communicates with the server 110 via the first communication network 120.
  • the communication protocols supported by the user computing device 130 includes but are not limited to Hypertext Transfer Protocol, File Transfer Protocol, Transmission Control Protocol, Internet Protocol and their variants.
  • the first communication network 120 supports all data exchange between the web and client application of the user computing device 130 and the server application 115.
  • the first communication network 120 may comprise a plurality of inter-connecting networks of different types including fixed, wireless and cellular networks.
  • Said fixed networks include but are not limited to Public Switched Telephone Network, Digital Subscriber Lines and Local Area Networks.
  • Said wireless networks include but are not limited to Wireless Local Area Networks, Wi-Fi and Bluetooth.
  • Said cellular networks include but are not limited to third generation mobile networks, GSM and CDMA mobile networks and WIMAX data networks.
  • the user mobile device 150 Upon receiving a challenge from the server application 115, the user mobile device 150 is capable of computing a unique response and returning the response to the server application 115. Thus, the user mobile device 150 is capable of support- ing all the communication protocols required by said server application 115 hosted in the server 110.
  • the user mobile device 150 is also capable of displaying con- text-based one-time passcodes (OTP) derived from the computed responses.
  • OTP con- text-based one-time passcodes
  • Context-based OTPs are used for submission through the user computing device 130 to the server application 115 for authentication and authorization.
  • the user mobile device 150 is capable of providing an environment for executing the response computation securely, as well as safekeeping all the secret parameters and cryptographic keys associated with said computation.
  • Said secure environment may be provided by a software, firmware or hardware-based trusted module such as a dedicated digital signal processing semiconductor module or a secure smart chip card accessible by the user mobile device 150.
  • the computed responses are typically returned to the server 110 via a point-to-point communication protocol such as Short Messaging Services (SMS) .
  • SMS Short Messaging Services
  • the user mobile device 150 may be a cellular telephone, smartphone, digital trunk radio, satellite telephone or any types of communication device with cellular or wireless con- nectivity compatible to the communication standards of the second communication network 140.
  • the second communication network 140 supports all data exchange between the user mobile device 150 and the server ap- plication 115 hosted in server 110.
  • the second communication network 140 may comprise a plurality of inter-connecting wireless and cellular networks.
  • FIG. 2 shows a process flow of an authentication process executed by the multi-factor authentication and authorization system of FIG. 1.
  • the authentication process 200 determines the identity of a user using a challenge and response mecha- nism which involves the server 110 and both the user computing and mobile devices 130 & 150.
  • the authentication process 200 begins with step 210 in which a user, who attempts to gain access to the server application 115, enters his or her user identifier in a client application run on the user computing device 130.
  • Said user identifier is a unique identification code registered by the server application 115 prior to the login attempt.
  • the client application then sends a login request comprising at least the user identifier to the corresponding server application 115.
  • the server 110 Upon receiving the user login request together with the user identification information, the server 110 proceeds to generate a challenge and transaction identification code (TID) in step 220.
  • the challenge may comprise a randomly generated string or cryptographic nounce .
  • the challenge may also comprise a randomly generated string combined with context-based data.
  • the TID is a unique code assigned by the server application 115 in response to a particular login request. The TID is then sent to both the user computing and mobile devices
  • the user mobile device 150 Based upon the received challenge and transaction identification data, the user mobile device 150 derives a response and a context-based one-time passcode (OTP) in step 230.
  • OTP is transformed from the derived response and said transforma- tion function and its associated parameters are known to the server application 115.
  • the context-based OTP is typically shorter than the corresponding full response, for facilitating the user to perform manual data entry. Every challenge and response sequence is unique. Thus, every challenge and OTP sequence is also unique.
  • the user mobile device 150 displays the derived context-based OTP for the user to enter, in step 240, into the client ap- plication of the user computing device 130.
  • the server application 115 may act in accordance with predefined security policies to demand both the user mobile and computing devices 150 &
  • the authentication process 200 proceeds with the user mobile device 150 sending the transaction ID and derived response (235) to the server 110 via the second communication network 140, and the user computing device 130 returning the transaction ID and context- based OTP (245) to the server 110 via the first communication network 120.
  • the server application 115 verifies the received response, context-based OTP and transaction ID by comparing the received data against the respective expected values. This is possible as the response and context-based OTPs are generated by the user mobile device 150 using predetermined algorithms and parameters known to the server application 115.
  • the server application 115 determines whether said verification process is successful in step 260 and proceeds to the next process or transaction in step 270 if the verification is positive.
  • the login request is rejected and the session is terminated in step 280 if said verification is negative.
  • the server application 115 may notify the user of the verification result by sending appropriate messages to the user computing device 130 or mobile device 150 or both.
  • a user private cryptographic key typically used in asymmetric cryptography may be employed to generate the response by digitally signing the received challenge.
  • the user secret private key is stored in a secure environment in the user mobile device 150.
  • the secure environment can be implemented using hardware, firmware or software based secure module.
  • One form of the secure module is a secure smart chip card that interfaces with the user mobile device 150.
  • the matching user public cryptographic key is kept by the server application 115 for use to verify said signed challenge.
  • the context-based OTP is derived from the response which is typically a long data string.
  • the context-based OTP may be a simple truncation, a digest or summary of the response or it may use a transformation function known to the server application .
  • the server application 115 may act in accordance with predefined security policies to demand only the user computing device 130 to return an appropriate response in the form of a context-based OTP when the user mobile device 150 is challenged (222) .
  • a flag or identifier in the challenge code may be used to instruct the user mobile device 150 not to return a full response via the second communication network 140. This is advantageous when the communication costs and network latency associated with the second communication network 140 are significant.
  • This scenario is represented in the process flow 200 by having the selector 232 switched to an "open" state such that the path 235 is open.
  • the derived full response is only used by the user mobile device 150 to compute the corresponding context-based OTP in step 230. Only the user computing device 130 returns the transaction ID and context- based OTP (245) to the server 110 via the first communication network 120.
  • the server application 115 verifies the received context-based OTP and transaction ID by comparing the received data against the respective expected values. This is possible as the context-based OTPs are generated by the user mobile device 150 using predetermined algorithms and parameters known to the server application 115.
  • the challenge code may be generated by encrypting a challenge code with the user public cryptographic key stored in the server 110.
  • the challenge code may comprise a randomly generated string or cryptographic nounce .
  • the challenge may also comprise a randomly generated string combined with context-based data.
  • the user mobile device 150 may generate the response by decrypting the received challenge code with the user private cryptographic key stored in the secure module of the mobile device 150.
  • the computed response is then transformed to evaluate the context-based OTP, which is returned, in steps 240 & 245 to the server application 115 via the user computing device 130 and the first communication network 120.
  • FIG. 3 shows a process flow of an authorization process executed by the multi-factor authentication and authorization system of FIG. 1.
  • the authorization process 300 allows a user to confirm and the server application 115 to authorize a genuine transaction submitted by the user.
  • the authorization process 300 begins with step 310 in which the user computing device 130 captures the transaction data entered by the user and compiles said transaction data into a predetermined format readable by the server application 115.
  • the server application 115 parses the received transaction data and checks whether the submitted transaction data is valid and sufficient for the transaction to be further processed.
  • the server application 115 may compare the data against a set of predetermined cri- teria to verify whether the user has sufficient right and privilege associated with the transaction.
  • the server application 115 proceeds from step 321 to terminate the transaction and notify the user in step 380 if the verification in steps 320 & 321 is negative. If said verification is positive, the authorization 300 proceeds to send a full confirmation page to the user computing device 130 in step 324, as well as a transaction summary and a challenge to the user mobile device 150 in step 322.
  • the user reads the full confirmation page and transaction summary displayed on the user computing device 130 and mobile device 150 respectively. If the user has no objection to both said confirmation page and transaction summary, he may instruct the user mobile device 150 to compute a unique response to the received challenge, as well as generating a context-based one-time passcode (OTP) in step 330.
  • OTP is transformed from the derived response and said transformation function and its associated parameters are known to the server application 115.
  • the context-based OTP is typically shorter than the corresponding response, for facilitating the user to perform manual data entry. Every re- sponse is uniquely mapped to a received challenge, and every context-based OTP is uniquely derived from a response.
  • the user mobile device 150 displays the derived context-based OTP for the user to enter into the client application of the user computing device 130 in step 340.
  • the server application 115 may act in accordance with predefined secu- rity policies to demand both the user mobile and computing devices 150 & 130 to return appropriate responses when the user mobile device 150 is challenged (322) .
  • a flag or identifier in the challenge code may be used to instruct the user mobile device 150 to compute and return a response accord- ingly.
  • This scenario is represented in the process flow 300 by having the selector 332 switched to a "close" state such that step 330 can advance to step 350 via the path 335.
  • the challenge may be the same transaction summary that user mobile device 150 has received in step 322.
  • the user mobile device 150 computes the response by digitally signing said transaction summary.
  • the authorization process 300 proceeds with the user mobile de- vice 150 sending the digital signature (335) to the server 110 via the second communication network 140, and the user computing device 130 returning the context-based OTP (345) to the server 110 via the first communication network 120.
  • the server application 115 verifies the received digital signature and context-based OTP by comparing the received data against the respective expected values. This is possible as the corresponding user public key is kept by the server application, and the context-based OTPs are generated by the user mobile device 150 using predetermined algorithms and parameters known to the server application 115.
  • the server application 115 determines whether said verification- tion process is successful in step 360 and proceeds to the next process in step 370 if the verification is positive. The transaction is rejected and the session is terminated in step 380 if said verification is negative.
  • the server application 115 may notify the user of the verification result by sending appropriate messages to the user computing device 130 or user mobile device 150 or both.
  • a user private cryptographic key typically used in asymmetric cryptography may be employed to enable the digital signing of the transaction summary.
  • the user secret private key is stored in a secure environment in the user mobile device 150.
  • the secure environment can be implemented using hardware, firmware or software based secure module.
  • One form of the secure module is a secure smart chip card that interfaces with the user mobile device 150.
  • the matching user public cryptographic key is kept by the server application for use to verify said digital signature.
  • the context-based OTP is derived from the digital signature which is typically a long data string.
  • the context-based OTP may be a simple truncation, a digest or summary of the digital signature or it may use a transformation function known to the server application.
  • the server application 115 may act in accordance with predefined security policies to demand only the user computing device 130 to return an appropriate response in the form of a context-based OTP when the user mobile device 150 is challenged (322) .
  • a flag or identifier in the challenge code may be used to instruct the user mobile device 150 not to return any response via the second communication network 140. This is advantageous when the communication costs and network latency associated with the second communication network 140 are significant.
  • This scenario is represented in the process flow 300 by having the selector 332 switched to an "open" state such that the path 335 is open.
  • the challenge received in step 322 is only used by the user mobile device 150 to compute the corresponding context-based OTP in step 330. Only the user computing device 130 submits the context-based OTP (345) to the server 110 via the first communication network 120.
  • the server application 115 verifies the received context-based OTP by comparing the received data against the respective expected values. This is possible as the context-based OTPs are generated by the user mobile device 150 using predetermined algorithms and parameters known to the server application 115.
  • the challenge code may be generated by encrypting the transaction summary with the user public cryptographic key stored in the server 110.
  • the user mobile device 150 may generate the response by decrypting the received challenge code with the user private cryptographic key stored in the secure module of the mobile device 150.
  • the computed response is then transformed to evaluate the context-based OTP, which is returned, in steps 340 & 345, to the server application 115 via the user comput- ing device 130 and the first communication network 120.
  • the multi-factor authentication and authorization system 100 provides an innovative means of strong user login authentication 200 and user authorization 300.
  • the authenti- cation and authorization system 100 comprises a user mobile device 150 operating out-of-band with reference to the user computing device 130.
  • Unique responses are generated and returned when the user mobile device 150 is challenged by an application 115 hosted in the server 100 upon receiving an online authentication or authorization request made by the user via the user computing device 130 over a separate communication channel 120.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

L'invention concerne des procédés et des systèmes d'authentification et d'autorisation d'utilisateur. Une application hébergée dans un serveur est en communication avec un dispositif informatique utilisateur par le biais d'un premier réseau de communication, ainsi qu'avec un dispositif mobile utilisateur par le biais d'un second réseau de communication. Le procédé d'authentification débute par l'envoi par un utilisateur d'une demande de connexion depuis le dispositif informatique utilisateur vers l'application de serveur. L'application de serveur génère et envoie une demande d'accès au dispositif mobile utilisateur. Ensuite, le dispositif mobile utilisateur déduit une réponse et la renvoie au serveur par le biais du second réseau de communication pour vérification. De plus, le dispositif mobile utilisateur déduit un code d'accès unique (OTP) contextuel et l'affiche pour que l'utilisateur le soumette depuis le dispositif informatique utilisateur vers l'application de serveur par le biais du premier réseau de communication pour vérification. Le serveur vérifie ensuite la réponse reçue et l'OTP contextuel et accorde le droit d'accès à l'utilisateur si la vérification est positive.
PCT/IB2010/051938 2009-05-04 2010-05-04 Procédés d'authentification et d'autorisation robustes à plusieurs facteurs et systèmes associés WO2010128451A2 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
SG2011080629A SG175860A1 (en) 2009-05-04 2010-05-04 Methods of robust multi-factor authentication and authorization and systems thereof

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SG200903010-7A SG166028A1 (en) 2009-05-04 2009-05-04 Methods of robust multi-factor authentication and authorization and systems thereof
SG200903010-7 2009-05-04

Publications (2)

Publication Number Publication Date
WO2010128451A2 true WO2010128451A2 (fr) 2010-11-11
WO2010128451A3 WO2010128451A3 (fr) 2011-03-24

Family

ID=43050566

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2010/051938 WO2010128451A2 (fr) 2009-05-04 2010-05-04 Procédés d'authentification et d'autorisation robustes à plusieurs facteurs et systèmes associés

Country Status (2)

Country Link
SG (2) SG166028A1 (fr)
WO (1) WO2010128451A2 (fr)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012162843A1 (fr) * 2011-06-03 2012-12-06 Research In Motion Limted Système et procédé pour accéder à des réseaux privés
CN103427999A (zh) * 2013-08-23 2013-12-04 北京易优安信息技术有限公司 用户身份验证方法及系统
CN104113556A (zh) * 2014-07-31 2014-10-22 国家超级计算深圳中心(深圳云计算中心) 网络登录验证方法和系统及移动终端和应用服务器
US9477852B1 (en) 2014-07-24 2016-10-25 Wells Fargo Bank, N.A. Augmented reality numberless transaction card
US9679152B1 (en) 2014-07-24 2017-06-13 Wells Fargo Bank, N.A. Augmented reality security access
GB2564624B (en) * 2016-07-11 2021-10-13 Disney Entpr Inc Configuration for multi-factor event authorization
WO2022018522A1 (fr) 2020-07-24 2022-01-27 Roach Hensley Procédé protégeant de manière adéquate l'identité authentique et les données personnelles d'une personne physique et confirmant à distance l'identité authentique de ladite personne physique à une partie bénéficiaire par l'intermédiaire d'une entité de confiance
JP7438984B2 (ja) 2019-02-01 2024-02-27 オラクル・インターナショナル・コーポレイション ユーザフットプリントなしのマルチファクタ認証

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040083272A (ko) * 2003-03-21 2004-10-01 (주)뱅크타운 챌린지/레스펀스에 기반한 무선 일회용 비밀번호 모듈이탑재된 이동통신 단말기를 이용한 웹 및/또는 무선네트워크 상에서의 사용자 인증 방법 및 시스템
KR20070077569A (ko) * 2006-01-24 2007-07-27 삼성전자주식회사 휴대폰을 이용한 일회용 패스워드 서비스 시스템 및 방법
KR20080061714A (ko) * 2006-12-28 2008-07-03 손민석 이동통신단말기에서 생성되는 일회용 비밀번호를 기반으로한 사용자 인증 방법

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040083272A (ko) * 2003-03-21 2004-10-01 (주)뱅크타운 챌린지/레스펀스에 기반한 무선 일회용 비밀번호 모듈이탑재된 이동통신 단말기를 이용한 웹 및/또는 무선네트워크 상에서의 사용자 인증 방법 및 시스템
KR20070077569A (ko) * 2006-01-24 2007-07-27 삼성전자주식회사 휴대폰을 이용한 일회용 패스워드 서비스 시스템 및 방법
KR20080061714A (ko) * 2006-12-28 2008-07-03 손민석 이동통신단말기에서 생성되는 일회용 비밀번호를 기반으로한 사용자 인증 방법

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9118667B2 (en) 2011-06-03 2015-08-25 Blackberry Limited System and method for accessing private networks
WO2012162843A1 (fr) * 2011-06-03 2012-12-06 Research In Motion Limted Système et procédé pour accéder à des réseaux privés
CN103427999A (zh) * 2013-08-23 2013-12-04 北京易优安信息技术有限公司 用户身份验证方法及系统
US10623959B1 (en) 2014-07-24 2020-04-14 Wells Fargo Bank, N.A. Augmented reality security access
US11397937B1 (en) 2014-07-24 2022-07-26 Wells Fargo Bank, N.A. Augmented reality numberless transaction card
US9679152B1 (en) 2014-07-24 2017-06-13 Wells Fargo Bank, N.A. Augmented reality security access
US9836736B1 (en) 2014-07-24 2017-12-05 Wells Fargo Bank, N.A. Augmented reality numberless transaction card
US10200868B1 (en) 2014-07-24 2019-02-05 Wells Fargo Bank, N.A. Augmented reality security access
US10713645B1 (en) 2014-07-24 2020-07-14 Wells Fargo Bank, N.A. Augmented reality numberless transaction card
US9477852B1 (en) 2014-07-24 2016-10-25 Wells Fargo Bank, N.A. Augmented reality numberless transaction card
US11810098B1 (en) 2014-07-24 2023-11-07 Wells Fargo Bank, N.A. Augmented reality numberless transaction card
US11284260B1 (en) 2014-07-24 2022-03-22 Wells Fargo Bank, N.A. Augmented reality security access
CN104113556A (zh) * 2014-07-31 2014-10-22 国家超级计算深圳中心(深圳云计算中心) 网络登录验证方法和系统及移动终端和应用服务器
GB2564624B (en) * 2016-07-11 2021-10-13 Disney Entpr Inc Configuration for multi-factor event authorization
JP7438984B2 (ja) 2019-02-01 2024-02-27 オラクル・インターナショナル・コーポレイション ユーザフットプリントなしのマルチファクタ認証
NL2026156A (en) * 2020-07-24 2022-03-29 Anthony Francis Everts Roy A method that adequately protects the authentic identity and personal data of a natural person and remotely confirms the authentic identity of this natural person through a trusted entity to a beneficiary party.
WO2022018522A1 (fr) 2020-07-24 2022-01-27 Roach Hensley Procédé protégeant de manière adéquate l'identité authentique et les données personnelles d'une personne physique et confirmant à distance l'identité authentique de ladite personne physique à une partie bénéficiaire par l'intermédiaire d'une entité de confiance

Also Published As

Publication number Publication date
SG175860A1 (en) 2011-12-29
SG166028A1 (en) 2010-11-29
WO2010128451A3 (fr) 2011-03-24

Similar Documents

Publication Publication Date Title
CN106664208B (zh) 使用安全传输协议建立信任的系统和方法
US9231925B1 (en) Network authentication method for secure electronic transactions
US9838205B2 (en) Network authentication method for secure electronic transactions
US8112787B2 (en) System and method for securing a credential via user and server verification
US20190281028A1 (en) System and method for decentralized authentication using a distributed transaction-based state machine
CN105850073B (zh) 信息系统访问认证方法及装置
US9185096B2 (en) Identity verification
CN101051908B (zh) 动态密码认证系统及方法
CN112425114B (zh) 受公钥-私钥对保护的密码管理器
US8769289B1 (en) Authentication of a user accessing a protected resource using multi-channel protocol
Harini et al. 2CAuth: A new two factor authentication scheme using QR-code
US20090063850A1 (en) Multiple factor user authentication system
US8397281B2 (en) Service assisted secret provisioning
WO2010128451A2 (fr) Procédés d'authentification et d'autorisation robustes à plusieurs facteurs et systèmes associés
US20120221862A1 (en) Multifactor Authentication System and Methodology
Aravindhan et al. One time password: A survey
CN114301617A (zh) 多云应用网关的身份认证方法、装置、计算机设备及介质
TW202207667A (zh) 通訊系統中改善安全性之認證及驗證方法
Karthiga et al. Enhancing performance of user authentication protocol with resist to password reuse attacks
WO2011060739A1 (fr) Système et procédé de sécurité
Kumari et al. Hacking resistance protocol for securing passwords using personal device
Mumtaz et al. Strong authentication protocol based on Java Crypto chips
Corella et al. A comprehensive approach to cryptographic and biometric authentication from a mobile perspective
CN115987598A (zh) 一种基于WebAuthn协议的国密算法身份认证系统、方法和装置
Malaysia Suggested Mechanisms for Understanding the Ideas in Authentication System

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10772081

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10772081

Country of ref document: EP

Kind code of ref document: A2