Method and system for identifying an authorized individual by means of unpredictable single-use passwords

US 20060064600A1
Filed: 02/05/2004
Published: 03/23/2006
Est. Priority Date: 02/06/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for the identification of a party authorized to have the benefit of a service delivered by a provider party via a telematics network, in which said provider party is connected to the network by means of an electronic communications and processing system (S) capable of managing a procedure for identification of user parties authorized to operate with the provider, each user party being able to connect to the network by means of a respective electronic communications and processing system (C), and in which the provider party requests a temporary password (PWD) identifying the user party to allow the user access to the services delivered, characterized in that:

upon request by the user party, one of said communications and processing systems (S;

C) of the user party or of the provider party generates a random number (RND) by means of a predetermined algorithm for generating random numbers (ALGRND), and communicates said number (RND) to the other party via the network;

in that it involves autonomous execution of a procedure for calculating the password (PWD) at the processing systems (S, C) of both parties on the basis of predetermined common algorithms, said calculating procedure comprising the operations of;

generating a first string of characters (N30) by means of a first algorithm (ALGN30), on the basis of said random number (RND) and of a hidden dynamic variable (n;

p) not transmitted over the network, but obtained from said processing systems (S, C) independently;

extracting a second string of characters (N3), a subset of said first string (N30), by means of a second algorithm (ALGN3), as a function of said hidden dynamic variable (n;

p) and of said random number (RND); and

generating the temporary password (PWD) by means of a third algorithm (ALGPWD), on the basis of said second string of characters (N3), and in that identification of the authorized party takes place following the transmission to the processing system (S) of the provider party, of the password (PWD) calculated by the processing system (C) of the user party, and through subsequent comparison with the password (PWD) calculated by the processing system (S) of the provider party, so that access to the service is permitted if such comparison gives a positive result, and is otherwise denied.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is described for the identification of a party authorised to have the benefit of a service delivered by a provider party via a telematics network, in which the provider party and each user party are connected to the network by means of a respective electronic communications and processing system (S, C), and the provider party requests a temporary password (PWD) identifying the user party to allow access to the services delivered. The method is characterised in that it involves autonomous execution of a procedure for calculating the password (PWD) in the processing systems (S, C) of both parties on the basis of predetermined algorithms, the above-mentioned calculating procedure comprising the operations of: generating a first string of characters (N30) by means of a first pre-established algorithm (ALGN30), on the basis of a random number (RND) and a hidden dynamic variable (n; p) not transmitted over the network, but obtained by the processing systems (S, C) independently; extracting a second string of characters (N3), a subset of the first string (N30), by means of a second pre-established algorithm (ALGN3), as a function of the hidden dynamic variable (n; p) and of said random number (RND); and generating the temporary password (PWD) by means of a third pre-established algorithm (ALGPWD), on the basis of the above-mentioned second string of characters (N3). The authorised party is identified as a result of the comparison between the password (PWD) calculated by the processing system (S) of the provider party and that calculated by the processing system (C) of the user party, whereby access to the service is permitted if this comparison gives a positive result and otherwise is denied. The password thus obtained may also be used as a single-use key in a system for encrypting all the information exchanged between the authorised user party and the service provider party.

Citations

39 Claims

1. A method for the identification of a party authorized to have the benefit of a service delivered by a provider party via a telematics network, in which said provider party is connected to the network by means of an electronic communications and processing system (S) capable of managing a procedure for identification of user parties authorized to operate with the provider, each user party being able to connect to the network by means of a respective electronic communications and processing system (C), and in which the provider party requests a temporary password (PWD) identifying the user party to allow the user access to the services delivered, characterized in that:
- upon request by the user party, one of said communications and processing systems (S;
  
  C) of the user party or of the provider party generates a random number (RND) by means of a predetermined algorithm for generating random numbers (ALGRND), and communicates said number (RND) to the other party via the network;
  
  in that it involves autonomous execution of a procedure for calculating the password (PWD) at the processing systems (S, C) of both parties on the basis of predetermined common algorithms, said calculating procedure comprising the operations of;
  
  generating a first string of characters (N30) by means of a first algorithm (ALGN30), on the basis of said random number (RND) and of a hidden dynamic variable (n;
  
  p) not transmitted over the network, but obtained from said processing systems (S, C) independently;
  
  extracting a second string of characters (N3), a subset of said first string (N30), by means of a second algorithm (ALGN3), as a function of said hidden dynamic variable (n;
  
  p) and of said random number (RND); and
  
  generating the temporary password (PWD) by means of a third algorithm (ALGPWD), on the basis of said second string of characters (N3), and in that identification of the authorized party takes place following the transmission to the processing system (S) of the provider party, of the password (PWD) calculated by the processing system (C) of the user party, and through subsequent comparison with the password (PWD) calculated by the processing system (S) of the provider party, so that access to the service is permitted if such comparison gives a positive result, and is otherwise denied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 2. A method according to claim 1, characterized in that said hidden dynamic variable (n) indicates the number of connections between the user party and the provider party which have previously taken place.
  - 3. A method according to claim 2, characterized in that the processing system (C) of the user party updates said dynamic variable (n) by increasing by one or more units the value known to it subsequent to generation of the temporary pass-word (PWD).
  - 4. A method according to claim 2, characterized in that the processing system (S) of the provider party updates said dynamic variable (n) by increasing by one or more units the value known to it subsequent to an operation of comparison between passwords (PWD) with a positive result.
  - 5. A method according to claim 1, characterized in that said hidden dynamic variable (n) is a function of the number of connections between the user party and the provider party which have occurred previously and of said random number (RND).
  - 6. A method according to claim 1, characterized in that said hidden dynamic variable (n;
    - p) can be altered at the re-quest of the user party via an initializing procedure.
  - 7. A method according to claim 1, characterized in that said hidden dynamic variable (n;
    - p) can be altered at the re-quest of the provider party via an initializing procedure started subsequent to an operation of comparison between passwords (PWD, PWD′
      
      ) with a negative outcome.
  - 8. A method according to claim 1, characterized in that the generation of the temporary password (PWD) by means of said third algorithm (ALGPWD) is also conducted as a function of said hidden dynamic variable (n;
    - p).
  - 9. A method according to claim 1, characterized in that, upon a request for connection by a user party, the processing system (S) of the provider party requests from said user party an identification string (PIN) as a function of which to select one or more predetermined static variables.
  - 10. A method according to claim 9, characterized in that said identification string (PIN) makes it possible to choose data (DEVID) relating to the processing system (C) of the user party and data predetermined by the user when activating the service.
  - 11. A method according to claim 9, characterized in that it comprises the operation of checking the validity of the identification string (PIN) at the processing system (S) of the provider party, and in case of a negative outcome, access to the service is denied.
  - 12. A method according to claim 9, characterized in that the generation of the first string of characters (N30) by means of said first algorithm (ALGN30) is also conducted on the basis of said static variables.
  - 13. A method according to claim 1, characterized in that the number of characters of said first string of characters (N30) is determined as a function of said hidden dynamic variable (n;
    - p) and of said random number (RND).
  - 14. A method according to claim 1, characterized in that said second string of characters (N3) has a number of characters less than half the number of characters of said first string (N30).
  - 15. A method according to claim 14, characterized in that the order of the characters forming said second string (N3) is different from the order in which they are presented in the first string (N30), their positions being dependent upon said dynamic variable (n;
    - p) and said random number (RND).
  - 16. A method according to claim 6, characterized in that said initializing procedure comprises the transmission to the processing system (S) of the provider party of an initializing string (JLY_p) selected by the processing system (C) of the user party from an initializing table previously stored independently in both systems (S, C).
  - 17. A method according to claim 16, characterized in that said initializing table comprises two sets, respectively a first set including a plurality of strings of characters (JLY_k) and a second set including a plurality of integer numbers (p) in one-to-one correspondence with the strings of characters (JLY_k) of the first set.
  - 18. A method according to claim 17, characterized in that said second set does not comprise consecutive numbers.
  - 19. A method according to claim 17, characterized in that the initializing procedure comprises the steps of:
    - selection by the processing system (C) of the user party of the string of characters (JLY_p) corresponding to the smallest integer number (p) greater than the current value (n+1) of the dynamic variable stored by the system (C);
      
      transmission of said string (JLY_p) to the processing system (S) of the provider party as an initializing string;
      
      selection by the processing system (S) of the provider party, of the integer number (p) in the relevant initializing table, corresponding to the string of characters received (JLY_p); and
      
      replacement of the current value of the dynamic variable (n+1;
      
      n) with the value of said integer number (p) in both processing systems (C, S) of the user party and the provider party.
  - 20. A method according to claim 1, characterized in that said first, second and third common algorithms (ALGN30, ALGN3, ALGPWD) may be personalized to the user party.
  - 21. A method according to claim 1, characterized in that said passwords (PWD) calculated autonomously by the processing systems (C, S) of the user party and of the provider party are supplied as keys to a predetermined algorithm for encryption of the subsequent communications between said parties.
  - 22. A system for the identification of a party authorized to have the benefit of a service delivered by a provider party via a telematics network, for example to allow access to services of e-banking, e-commerce, withdrawal of cash or commercial transactions, access to protected web sites and to shared resources for the management of electronic mail, access to controlled areas, wherein:
    - said provider party is connected to the network by means of an electronic communications and processing system (S) capable of managing a procedure for identifying user parties authorized to operate with the provider, each user party is able to connect to the network by means of a respective electronic communications and processing system (C), and the provider party requests a temporary password (PWD) identifying the party requesting authorization to allow access to the services delivered, characterized in that the communications and processing systems (C, S) of said user party and provider party are arranged to carry out a method of identification according to claim 1.
  - 23. A system according to claim 22, characterized in that said processing system (C) of the user party comprises an electronic processing, storage and communications terminal and a programmable electronic personalizing module which can be linked to said terminal.
  - 24. A system according to claim 23, characterized in that said personalizing module comprises a removable microprocessor card.
  - 25. A system according to claim 23, characterized in that said personalizing module includes at least one rewritable non-volatile memory unit, storing a dynamic variable (n;
    - p) indicating the number of connections between the user party and the provider party which have taken place previously and an initializing table.
  - 26. A system according to claim 25, characterized in that said initializing table comprises two sets, respectively a first set including a plurality of strings of characters (JLY_k) and a second set including a plurality of integer numbers (p) in one-to-one correspondence with the strings of characters (JLY_k) of the first set.
  - 27. A method according to claim 26, characterized in that said second set does not comprise consecutive numbers.
  - 28. A system according to claim 23, characterized in that said terminal comprises at least one non-volatile memory unit storing data identifying the terminal and/or the user party.
  - 29. A system according to claim 25, characterized in that said at least one memory unit of the personalizing module stores card identification data and the algorithms necessary to execute the method of identification by the terminal.
  - 30. A system according to claim 29, characterized in that said processing terminal of the user comprises an electronic card reading device and a processing unit capable of executing the programs stored on the card.
  - 31. A system according to claim 23, characterized in that said terminal can be incorporated in an interface device to a telematics network.
  - 32. A system according to claim 31, in which said terminal can be incorporated in a telephone.
  - 33. A system according to claim 31, in which said terminal can be incorporated in a palm-top computer.
  - 34. A system according to claim 24, characterized in that said terminal is capable of receiving several cards and has means for selecting the card to be used.
  - 35. A system according to claims 23, characterized in that said terminal comprises display means for the presentation of the passwords generated and a keypad for selection, setting and control.
  - 36. A system according to claim 35, characterized in that said keypad comprises keys marked with characters for inputting the data requested in the identification procedure and at least one push-button to activate a procedure for initializing the system.
  - 37. A system according to claim 23, characterized in that said terminal comprises a voice recognition device and a device for emitting audio messages.
  - 38. A system according to claim 23, characterized in that said terminal comprises a device for reading biometric data of the user party.
  - 39. A system according to claim 23, characterized in that said terminal is further provided with a communications port enabling it to be connected directly to an interface device to a telematics network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Consiglio Nazionale Delle Ricerche-Infm Istituto Nazionale Per La Fisica Della Materia
Original Assignee
Consiglio Nazionale Delle Ricerche-Infm Istituto Nazionale Per La Fisica Della Materia
Inventors
Blasone, Massimo, Polichetti, Massimiliano

Application Number

US10/544,868
Publication Number

US 20060064600A1
Time in Patent Office

Days
Field of Search
US Class Current

713/183
CPC Class Codes

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/445   by mutual authentication, e...

Method and system for identifying an authorized individual by means of unpredictable single-use passwords

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for identifying an authorized individual by means of unpredictable single-use passwords

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links