Method and Devices For User Authentication

US 20080212771A1
Filed: 10/05/2006
Published: 09/04/2008
Est. Priority Date: 10/05/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method of authenticating a user using a communication terminal to access a server via a telecommunications network, the method comprising:

receiving from the user a personal identification code;

generating a data set from secure session establishment protocol messages exchanged between the communication terminal and the server;

generating a transaction authentication number based on the data set, using the personal identification code;

transmitting the transaction authentication number from the communication terminal to the server; and

verifying in the server the transaction authentication number based on the secure session establishment protocol messages exchanged with the communication terminal.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For authenticating a user using a communication terminal (1) to access a server (4) via a telecommunications network, a personal identification code is received from the user From secure session establishment protocol messages exchanged (S1, S2, S3) between the communication terminal (1) and the server (4), a data set is generated (S4). Based on the data set, a transaction authentication number is generated (S52) using the personal identification code. The transaction authentication number is transmitted (S54) from the communication terminal (1) to the server (4). In the server (4), the transaction authentication number received is verified (S20) based on the secure session establishment protocol messages exchanged with the communication terminal (1). The transaction authentication number enables session aware user authentication that protects online users against real-time man-in-the-middle attacks.

Citations

47 Claims

1. A method of authenticating a user using a communication terminal to access a server via a telecommunications network, the method comprising:
- receiving from the user a personal identification code;
  
  generating a data set from secure session establishment protocol messages exchanged between the communication terminal and the server;
  
  generating a transaction authentication number based on the data set, using the personal identification code;
  
  transmitting the transaction authentication number from the communication terminal to the server; and
  
  verifying in the server the transaction authentication number based on the secure session establishment protocol messages exchanged with the communication terminal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method according to claim 1, wherein the method further comprises generating in an authentication module associated with the communication terminal an authentication base number from the data set;
    - wherein the transaction authentication number is generated from the authentication base number, using the personal identification code;
      
      wherein the method further comprises generating in the server an authentication base number from the secure session establishment protocol messages exchanged; and
      
      wherein the transaction authentication number is verified in the server using the authentication base number generated in the server.
  - 3. The method according to claim 2, wherein the method further comprises entering the authentication base number and the personal identification code into a challenge/response token device, not connected to the communication terminal;
    - wherein the transaction authentication number is generated in the challenge/response token device as a token response value based on the authentication base number and the personal identification code; and
      
      wherein the method further comprises entering the transaction authentication number into the communication terminal, prior to transmitting the transaction authentication number to the server.
  - 4. The method according to one of the claims 2 or 3, wherein generating the authentication base number from the data set comprises generating a random number, selecting from the data set selected digits, the digits being determined by digits of the random number, and composing the authentication base number from the selected digits and the digits of the random number.
  - 5. The method according to claim 1, wherein the transaction authentication number is generated in an authentication module associated with the communication terminal as a keyed cryptographic digest value from the personal identification code and from the secure session establishment protocol messages exchanged between the communication terminal and the server, using as a key a secret shared with the server;
    - wherein the method further comprises generating in the server a keyed cryptographic digest value using a personal identification code stored in the server; and
      
      wherein the transaction authentication number is verified in the server based on a comparison of the keyed cryptographic digest value received from the communication terminal and the keyed cryptographic digest value generated in the server.
  - 6. The method according to claim 5, using as the key one of the personal identification code and a secret token key associated with the authentication module.
  - 7. The method according to claim 5, wherein the method further comprises generating a lookup index from the data set;
    - wherein the method further comprises determining in a code table a selected code using the lookup index;
      
      wherein the selected code is used as the key; and
      
      wherein the server generates the keyed cryptographic digest value using as the key a selected code from a code table stored in the server.
  - 8. The method according to claim 7, wherein the server keeps track of selected codes used by the communication terminal;
    - and wherein, for cases where the server determines that a selected code was previously used by the communication terminal, the server re-initiates session establishment with the communication terminal.
  - 9. The method according to claim 1, wherein the transaction authentication number is generated in an authentication module associated with the communication terminal as a cryptogram by encrypting the data set, the personal identification code, and at least one nonce, using a public key;
    - wherein the method further comprises determining in the server a received data set and a received personal identification code by decrypting the cryptogram, using a private key; and
      
      wherein the transaction authentication number is verified in the server based on a comparison of the received data set with a data set generated in the server from the secure session establishment protocol messages exchanged, and on a comparison of the received personal identification code with a personal identification code stored in the server.
  - 10. The method according to claim 9, wherein the method further comprises generating a lookup index from the data set, and determining in a code table a selected code using the lookup index;
    - wherein the selected code is used in generating the cryptogram;
      
      wherein the server determines a received selected code from the cryptogram, using the private key; and
      
      wherein verifying the transaction authentication number includes comparing the received selected code with a selected code determined by the server from a code table stored in the server.
  - 11. The method according to claim 10, wherein the server keeps track of selected codes used by the communication terminal;
    - and wherein, for cases where the server determines that a selected code was previously used by the communication terminal, the server re-initiates session establishment with the communication terminal.
  - 12. The method according to claim 1, wherein the transaction authentication number and a user identifier are transmitted from the communication terminal to the server;
    - and wherein the transaction authentication number is verified in the server using the personal identification code assigned to the user identifier.
  - 13. The method according to claim 12, wherein the personal identification code is received together with a biometric identifier from the user;
    - andwherein the transaction authentication number is verified in the server using a biometric identifier stored in the server.
  - 14. The method according to claim 1, wherein the method further comprises generating in an authentication module associated with the communication terminal a digital signature from the data set, using a private key of a key pair associated with the authentication module;
    - transmitting the digital signature from the communication terminal to the server; and
      
      verifying in the server the digital signature using a public key of the key pair.
  - 15. The method according to claim 2, wherein the authentication base number is generated in an authentication module associated with the communication terminal from the data set, using a secret token key associated with the authentication module;
    - and wherein the authentication base number is generated in the server from the secure session establishment protocol messages exchanged, using the secret token key.
  - 16. The method according to claim 15, wherein the data set is transferred from the communication terminal to the authentication module through a device interface, connecting the authentication module to the communication terminal;
    - and wherein the secret token is stored in the authentication module.
  - 17. The method according to claim 16, wherein a token identifier is transmitted from the communication terminal to the server together with the transaction authentication number;
    - and wherein the secret token key is determined in the server based on the token identifier.
  - 18. The method according to claim 17, wherein a master key is stored in the server;
    - and wherein the secret token key is generated in the server from the token identifier using the master key for encrypting the token identifier.
  - 19. The method according to claim 15, wherein the user selects one of multiple possible institution scopes for the authentication module;
    - wherein the institution scope selected by the user makes the authentication module use one institution-specific secret token key of a set of multiple secret token keys for generating the authentication base number;
      
      wherein the server is associated with a specific institution and uses the institution-specific secret token key for generating the authentication base number; and
      
      wherein the server uses an institution-specific personal identification code for verifying the transaction authentication number.
  - 20. The method according to claim 2, wherein the authentication base number is displayed by an authentication module associated with the communication terminal;
    - and wherein the transaction authentication number, generated by the user from the personal identification code and the authentication base number displayed by the authentication module, is received in the communication terminal from the user.
  - 21. The method according to claim 1, wherein after successful verification of the transaction authentication number in the server, a server authentication code is generated in the server from the data set, applying a public function to the data set and using a secret token key for encryption;
    - wherein the server authentication code is transmitted from the server to the communication terminal;
      
      wherein the server authentication code received from the server is displayed by the communication terminal;
      
      wherein a server authentication code is generated in an authentication module associated with the communication terminal from the data set, applying the public function to the data set and using the secret token key for encryption; and
      
      wherein the server authentication code generated in the authentication module is displayed by the authentication module for visual verification with the server authentication code displayed by the communication terminal.

22. A computer program product comprising computer program code means for controlling one or more processors of a communication terminal, such that the communication terminalreceives from a user a personal identification code;
- generates a data set from secure session establishment protocol messages exchanged between the communication terminal and a server;
  
  generates a transaction authentication number based on the data set, using the personal identification code; and
  
  transmits the transaction authentication number to the server for verification.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 23. The computer program product according to claim 22, comprising further computer program code means for controlling the processors such that the communication terminal generates an authentication base number from the data set;
    - and generates the transaction authentication number from the authentication base number, using the personal identification code.
  - 24. The computer program product according to claim 23, comprising further computer program code means for controlling the processors such that the communication terminal generates a random number;
    - selects from the data set selected digits, the digits being determined by digits of the random number; and
      
      composes the authentication base number from the selected digits and the digits of the random number.
  - 25. The computer program product according to claim 22, comprising further computer program code means for controlling the processors such that the communication terminal generates the transaction authentication number as a keyed cryptographic digest value from the personal identification code and from secure the session establishment protocol messages exchanged between the communication terminal and the server, using as a key a secret shared with the server.
  - 26. The computer program product according to claim 25, comprising further computer program code means for controlling the processors such that the communication terminal uses as the key one of the personal identification code and a secret token key.
  - 27. The computer program product according to claim 25, comprising further computer program code means for controlling the processors such that the communication terminal performs generating a lookup index from the data set;
    - determines in a code table a selected code using the lookup index; and
      
      uses the selected code as the key.
  - 28. The computer program product according to claim 22, comprising further computer program code means for controlling the processors such that the communication terminal generates the transaction authentication number as a cryptogram by encrypting the data set, the personal identification code, and at least one nonce, using a public key.
  - 29. The computer program product according to claim 28, comprising further computer program code means for controlling the processors such that the communication terminal performs generating a lookup index from the data set;
    - determines in a code table a selected code using the lookup index; and
      
      uses the selected code in generating the cryptogram.
  - 30. The computer program product according to claim 22, comprising further computer program code means for controlling the processors such that the communication terminal receives a biometric identifier from the user through a sensor of the communication terminal, and that the communication terminal uses the biometric identifier as the personal identification code.
  - 31. The computer program product according to claim 23, comprising further computer program code means for controlling the processors such that the communication terminal receives instructions for selecting one of multiple possible institution scopes, and that the communication terminal uses one institution-specific secret token key of a set of multiple secret token keys for generating the authentication base number.
  - 32. The computer program product according to claim 22, comprising further computer program code means for controlling the processors such that the communication terminal receives from the server a server authentication code, that the communication terminal generates a server authentication code from the data set, applying a public function to the data set and using the secret token key for encryption, and that the communication terminal verifies the server authentication code received from the server based on the server authentication code generated by the communication terminal.

33. A computerized server, configured for exchanging data with a communication terminal via a telecommunications network, the server comprising a user authentication module configuredto receive a transaction authentication number from the communication terminal, the transaction authentication number being based on a personal identification code received from a user of the communication terminal and on a data set generated from secure session establishment protocol messages exchanged between the communication terminal and the server;
- andto verify the transaction authentication number received based on the secure session establishment protocol messages exchanged with the communication terminal.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 34. The server according to claim 33, wherein the user authentication module is configured to generate an authentication base number from the secure session establishment protocol messages exchanged, and to verify the transaction authentication number received using the authentication base number generated and the personal identification code.
  - 35. The server according to claim 34, wherein the user authentication module is configured to generate the authentication base number by generating a random number, by selecting from the data set selected digits, the digits being determined by digits of the random number, and by composing the authentication base number from the selected digits and the digits of the random number.
  - 36. The server according to claim 33, wherein the user authentication module is configured to generate a transaction authentication number as a keyed cryptographic digest value from the personal identification code and from the secure session establishment protocol messages exchanged between the communication terminal and the server, using a personal identification code stored in the server and using as a key a secret shared with the communication terminal;
    - and to verify the transaction authentication number received based on a comparison of the transaction authentication number received and the keyed cryptographic digest value generated in the server.
  - 37. The server according to claim 36, wherein the user authentication module is configured, for generating the keyed cryptographic digest value, to use as the key one of the personal identification code and a secret token key associated with user.
  - 38. The server according to claim 36, wherein the user authentication module is configured, for generating the keyed cryptographic digest value, to use as the key a selected code from a code table stored in the server.
  - 39. The server according to claim 33, wherein the user authentication module is configured to generate a transaction authentication number as a cryptogram by encrypting the data set, the personal identification code, and at least one nonce, using a public key;
    - to determine a received data set and a received personal identification code by decrypting a cryptogram received from the communication terminal, using a private key; and
      
      to verify the transaction authentication number received based on a comparison of the received data set with a data set generated in the server from the secure session establishment protocol messages exchanged, and on a comparison of the received personal identification code with a personal identification code stored in the server.
  - 40. The server according to claim 39, wherein the user authentication module is configured to determine a received selected code from the cryptogram received from the communication terminal, using the private key;
    - and to compare the received selected code with a selected code determined from a code table stored in the server when verifying the transaction authentication number.
  - 41. The server according to one of claims 38 or 40, wherein the user authentication module is configured to keep track of selected codes used for the communication terminal, and, for cases where a selected code was previously used by the communication terminal, to re-initiate session establishment with the communication terminal.
  - 42. The server according to claim 33, wherein the user authentication module is configured to receive a personal identification code including a biometric identifier of the user;
    - and to verify the transaction authentication number using a biometric identifier stored in the server.
  - 43. The server according to claim 34, wherein the user authentication module is configured to generate the authentication base number from the secure session establishment protocol messages exchanged, using a secret token key.
  - 44. The server according to claim 43, wherein the user authentication module is configured to receive with the transaction authentication number a token identifier from the communication terminal, and to determine the secret token key based on the token identifier.
  - 45. The server according to claim 43, wherein the server further comprises a stored master key, and wherein the user authentication module is configured to generate the secret token key from the token identifier using the master key for encrypting the token identifier.
  - 46. The server according to claim 33, wherein the user authentication module is configured to generate a server authentication code from the data set, after successful verification of the transaction authentication number, applying a public function to the data set and using the secret token key for encryption, and to transmit the server authentication code to the communication terminal.

47. A method of changing a personal identification code by a user using a communication terminal to access a server via a telecommunications network, the method comprising:
- receiving from the user an old personal identification code;
  
  receiving from the user a new personal identification code;
  
  generating a data set from secure session establishment protocol messages exchanged between the communication terminal and the server;
  
  generating in an authentication module associated with the communication terminal an authentication base number from the data set, using a secret token key associated with the authentication module;
  
  generating an identification change code from the authentication base number, the old personal identification code, and the new personal identification code;
  
  transmitting the identification change code from the communication terminal to the server;
  
  generating in the server an authentication base number from the secure session establishment protocol messages exchanged, using the secret token key; and
  
  deriving in the server the new personal identification code from the identification change code, using the old personal identification code and the authentication base number generated in the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Privasphere AG
Original Assignee
Privasphere AG
Inventors
Hauser, Ralf

Application Number

US12/089,516
Publication Number

US 20080212771A1
Time in Patent Office

Days
Field of Search
US Class Current

380/44
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/34   involving the use of extern...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/40975   using encryption therefor

G07F 7/1008   Active credit-cards provide...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0853   using an additional device,...

H04L 63/0869   for achieving mutual authen...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

H04L 63/166   at the transport layer

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

Method and Devices For User Authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Devices For User Authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links