A COMPUTER IMPLEMENTED METHOD TO IMPROVE SECURITY IN AUTHENTICATION/AUTHORIZATION SYSTEMS AND COMPUTER PROGRAMS PRODUCTS THEREOF

US 20160156598A1
Filed: 06/23/2014
Published: 06/02/2016
Est. Priority Date: 06/24/2013
Status: Abandoned Application

First Claim

Patent Images

1-15. -15. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method and computer program products to improve security in authentication/authorization systems

The computer implemented method comprising controlling the access to different resources and actions defined for a user by a first server, reducing the exposure time at which such operations are available, establishing a dual channel verification through the use of a second server and a defining a secure channel for certificate exchange for authentication.

The computer programs implement the method.

Citations

30 Claims

1-15. -15. (canceled)

16. A computer implemented method to improve security in authentication/authorization systems, the method comprising:
- receiving, by a first server, from a user via a first dedicated program, a request to be logged into a service of said first server; and
  
  authenticating, by said first server, credentials information of said user in order to authorize said service login request, said credentials information comprising information validating the identity of the user in the first server,the method comprising;
  
  receiving, by a second server, from a second dedicated program installed in a computing device of said user, configuration information that the user has established for the operations provided by the first server;
  
  requesting, by the user, once the service login request being authorized by the first server, to perform an operation in the first server;
  
  receiving, by the second server, from the first server, a request about an operation status associated to what said user has established about said requested operation in order to assist the first server in authorizing or rejecting the requested operation; and
  
  verifying, by the second server, said operation status previously established by the user for said requested operation, and in case said operation status being established as valid by the user, the second server generating an extra authentication factor mechanism for reinforcing authorization of said requested operation, wherein said extra authentication factor mechanism includes a public/private key encryption process or the use of a public/private key for generating a digital signature.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The computer implemented method of claim 16, wherein said request performed by the first server to the second server comprises a credential exchange between the first server and the second server in order to provide mutual authentication, and the method comprising the sending, by the second server, of the result of said operation status to the first server.
  - 18. The computer implemented method of claim 16, wherein said operation been reinforced with the use of said extra authentication factor mechanism including a public/private key for generating a digital signature by means of performing following actions:
    - generating and sending, by the second server to the second dedicated program, a one-time password (OTP) that the user is going to use for setting up the extra authentication factor mechanism;
      
      recovering, by the second dedicated program, a private key of the user in order to digitally sign the received OTP, said recovering been performed after the user having decided to sign the received OTP within the second dedicated program and having stored said private key in a software or a hardware mechanism of the computing device; and
      
      sending, by the second dedicated program, the digitally signed OTP to the second server and the digital signature employed, the latter verifying integrity of the received digitally signed OTP with the OTP that the second server generated, and integrity of the private key that was used to perform said signing of the OTP with an stored user public key that the second server had.
  - 19. The computer implemented method of claim 18, further comprising:
    - if the private key used to perform the signing of the OTP matches the user public key stored in the second server, sending, by the second server to the first server, the result of said operation status, performed by the first server, along with the generated OTP;
      
      requesting, by the first server, the OTP to the user, the latter recovering the OTP through the second dedicated program and further sending it to the first server; and
      
      checking, by the first server, if the OTP received from the second server and the OTP received from the user matches.
  - 20. The computer implemented method of claim 16, wherein said requested operation been reinforced with the use of said extra authentication factor mechanism including a public/private key encryption process by means of performing, after having sent, by the second server, the result of said operation status to the first server including an OTP used by the user for setting up the extra authentication factor mechanism, the following actions:
    - requesting, by the first server to the user through an interface, said OTP used by the user for setting up the extra authentication factor mechanism;
      
      encrypting, by the second server, the OTP with a public key of the user and sending the encrypted OTP to the second dedicated program, said public key been previously stored in the second server by the user;
      
      recovering, by the second dedicated program, a private key of the user and using the private key of the user to decrypt the received encrypted OTP, said recovering been performed after the user having stored the private key in a software or a hardware mechanism of the computing device;
      
      sending, by the second dedicated program, the decrypted OTP to the user, the latter sending the decrypted OTP via said interface; and
      
      checking, by the first server, if the OTP received from the user and the OTP received from second server matches.
  - 21. The computer implemented method of claim 16, wherein said requested operation been reinforced with the use of said extra authentication factor mechanism including a public/private key encryption process performed by to the first server by means of performing, after the second server having sent the result of said operation status to the first server, the following actions:
    - generating, by the first server, an OTP that the user is going to use for setting up the extra authentication factor mechanism;
      
      encrypting, by the first server, the generated OTP with a public key of the user and further sending the encrypted OTP to the second server, said public key been previously stored in the first server by the user;
      
      requesting, by the first server to the user through an interface, the OTP;
      
      sending, by the second server, the encrypted OTP to the second dedicated program installed in the computing device of the user;
      
      recovering, by the second dedicated program, a private key of the user and using the private key of the user to decrypt the received encrypted OTP, said recovering been performed after the user having stored the private key in a software or a hardware mechanism of the computing device;
      
      sending, by the second dedicated program, the decrypted OTP to the user, the latter sending the decrypted OTP via said interface; and
      
      checking, by the first server, if the OTP received from the user and its own generated OTP matches.
  - 22. The computer implemented method of claim 21, wherein the requesting of the OTP to the user and the sending of the encrypted OTP to the second dedicated program are performed at the same time.
  - 23. The computer implemented method of claim 16, wherein said requested operation been reinforced with the use of said extra authentication factor mechanism including a public/private key for generating a digital signature executed by to the first server by means of performing, after the second server having sent the result of said operation status to the first server, the following actions:
    - generating, by the first server, an OTP that the user is going to use for setting up the extra authentication factor mechanism and sending the generated OTP to the second server;
      
      requesting, by the first server to the user through an interface, the OTP;
      
      sending, by the second server, the OTP to the second dedicated program;
      
      recovering, by the second dedicated program, a private key of the user in order to digitally sign the received OTP, said recovering been performed after the user having decided to sign the received OTP within the second dedicated program and having stored said private key in a software or a hardware mechanism of the computing device;
      
      sending, by the second dedicated program, the digitally signed OTP and the digital signature employed for the signing to the second server, the latter forwarding them to the first server;
      
      sending, by the second dedicated program, the digitally signed OTP to the user, the latter sending the digitally signed OTP via said interface; and
      
      checking, by the first server, if the digitally signed OTP received from the user and the digitally signed OTP received from the second server matches.
  - 24. The computer implemented method of claim 23, wherein the second dedicated program performs both of said sending'"'"'s, of the digitally signed OTP and the digital signature employed for the signing to the second server and of the digitally signed OTP to the user, at the same time.
  - 25. The computer implemented method of claim 16, wherein the second server notifies the user if the request to be logged into a service of said first server is rejected.
  - 26. The computer implemented method of claim 25, wherein said notification comprises one of a sending of a Short Message Service (SMS), a sending of an email, a sending of a message by a smartphone messenger application, a highlighting or pushing in said second dedicated program of said user computing device.
  - 27. The computer implemented method of claim 16, wherein said operation status is set as valid or as invalid a certain period of time.
  - 28. The computer implemented method of claim 16, wherein the request to be logged into a service of the first server and/or the request to perform an operation in the first server are recorded in order to provide statistics.
  - 29. A computer program product, which includes computer program code instructions that when executed in a computer implement the steps of the method of claim 16.
  - 30. The computer program product of claim 29, further including computer program code instructions that when executed in a computer implement the following:
    - generating and sending, by the second server to the second dedicated program, a one-time password (OTP) that the user is going to use for setting up the extra authentication factor mechanism;
      
      recovering, by the second dedicated program, a private key of the user in order to digitally sign the received OTP, said recovering been performed after the user having decided to sign the received OTP within the second dedicated program and having stored said private key in a software or a hardware mechanism of the computing device; and
      
      sending, by the second dedicated program, the digitally signed OTP to the second server and the digital signature employed, the latter verifying integrity of the received digitally signed OTP with the OTP that the second server generated, and integrity of the private key that was used to perform said signing of the OTP with an stored user public key that the second server had.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonica Digital Espana SLU
Original Assignee
Telefonica Digital Espana SLU
Inventors
ALONSO CEBRIAN, Jose Maria, BARROSO BERRUETA, David, PALAZON ROMERO, Jose Maria, GUZMAN SACRISTAN, Antonio

Application Number

US14/900,453
Publication Number

US 20160156598A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0838   using one-time-passwords

H04L 63/0861   using biometrical features,...

H04L 63/10   for controlling access to d...

A COMPUTER IMPLEMENTED METHOD TO IMPROVE SECURITY IN AUTHENTICATION/AUTHORIZATION SYSTEMS AND COMPUTER PROGRAMS PRODUCTS THEREOF

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

A COMPUTER IMPLEMENTED METHOD TO IMPROVE SECURITY IN AUTHENTICATION/AUTHORIZATION SYSTEMS AND COMPUTER PROGRAMS PRODUCTS THEREOF

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links