Secure user and data authentication over a communication network
First Claim
1. A method of performing user and data authentication over a client (22) in communication via a first network (14) with a server infrastructure (16), the client (22) having access via a user-controllable card reader (24) to a smart card (26) on which confidential user data comprising at least one signature key (KPRIV_AUT_CLIENT, KPRIV_SIG_CLIENT) is stored, the method comprising the steps of:
performing a user authentication step, the user authentication step including displaying by the card reader (24) an authentication context, controlling the card reader (24) to request the user for signature approval before permitting access to the smart card and to prevent access to the confidential user data on the smart card until signature approval is received, and, in the case of signature approval, submitting a challenge, if appropriate together with context data, or data derived therefrom, to the smart card (26) for signing;
performing a data authentication step, the data authentication step including displaying by the card reader (24) the data to be authenticated, controlling the card reader (24) to request the user for signature approval, and, in the case of signature approval, submitting the data to be authenticated, or data derived therefrom, to the smart card (26) for signing.
Abstract
The invention relates to a method of performing user and data authentication over a client (22) in communication via a network (14) with a server infrastructure (16). The client (22) has access via a user-controllable card reader (24) to a smart card (26) on which at least one signature key is stored. The method comprises a user authentication step which includes displaying by the card reader (24) an authentication context, controlling the card reader to request the user for signature approval, and, in the case of signature approval, submitting a challenge, if required together with context data, or data derived therefrom to the smart card (26) for signing. The method further comprises a data authentication step which includes displaying by the card reader (24) the data to be authenticated, controlling the card reader (24) to request the user for signature approval, and, in the case of signature approval, submitting the data to be authenticated, or data derived therefrom, to the smart card (26) for signing.
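The two approval-gated signing steps described in the abstract, as an added Python example that is not part of the patent text. The class and function names, the sample strings, the mapping of KPRIV_AUT_CLIENT to the user authentication step and KPRIV_SIG_CLIENT to the data authentication step, and the use of HMAC-SHA256 as a stand-in for the card's private-key signature are all assumptions made for illustration.

```python
import hashlib
import hmac

class SmartCard:
    """Holds the signature keys; key bytes never leave this object."""
    def __init__(self, keys):
        self._keys = keys
        self.sign_calls = 0

    def sign(self, key_name, digest):
        # Stand-in (assumption): HMAC-SHA256 replaces the card's private-key signature.
        self.sign_calls += 1
        return hmac.new(self._keys[key_name], digest, hashlib.sha256).digest()

class CardReader:
    """Displays what is to be signed and gates card access on user approval."""
    def __init__(self, card, approve):
        self._card = card
        self._approve = approve   # models the user pressing OK or Cancel on the reader
        self.display = []

    def _gated_sign(self, key_name, shown, payload):
        self.display.append(shown)          # shown on the reader's display, not the client's
        if not self._approve(shown):
            raise PermissionError("signature approval refused")  # card is never accessed
        return self._card.sign(key_name, hashlib.sha256(payload).digest())

    def authenticate_user(self, context, challenge):
        # The challenge is signed together with the context data (data derived therefrom).
        return self._gated_sign("KPRIV_AUT_CLIENT", context, challenge + context.encode())

    def authenticate_data(self, data):
        return self._gated_sign("KPRIV_SIG_CLIENT", data, data.encode())

def server_verify(key, payload, signature):
    expected = hmac.new(key, hashlib.sha256(payload).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def demo():
    # Constructed keys, challenge and display strings.
    keys = {"KPRIV_AUT_CLIENT": b"constructed-aut-key", "KPRIV_SIG_CLIENT": b"constructed-sig-key"}
    card = SmartCard(keys)
    intended = {"Login to bank.example", "Pay 10 EUR to Alice"}
    reader = CardReader(card, approve=lambda shown: shown in intended)
    challenge, context = b"constructed-nonce-01", "Login to bank.example"
    sig = reader.authenticate_user(context, challenge)
    ok_login = server_verify(keys["KPRIV_AUT_CLIENT"], challenge + context.encode(), sig)
    try:
        reader.authenticate_data("Pay 900 EUR to Mallory")  # user reads the display and declines
        refused = False
    except PermissionError:
        refused = True
    return ok_login, refused, card.sign_calls
```

`demo()` shows that a transaction altered on the client is displayed as altered on the reader, and that a declined approval leaves the card's signing function uncalled.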
29 Claims
1. A method of performing user and data authentication over a client (22) in communication via a first network (14) with a server infrastructure (16), the client (22) having access via a user-controllable card reader (24) to a smart card (26) on which confidential user data comprising at least one signature key (KPRIV_AUT_CLIENT, KPRIV_SIG_CLIENT) is stored, the method comprising the steps of:
performing a user authentication step, the user authentication step including displaying by the card reader (24) an authentication context, controlling the card reader (24) to request the user for signature approval before permitting access to the smart card and to prevent access to the confidential user data on the smart card until signature approval is received, and, in the case of signature approval, submitting a challenge, if appropriate together with context data, or data derived therefrom, to the smart card (26) for signing;
performing a data authentication step, the data authentication step including displaying by the card reader (24) the data to be authenticated, controlling the card reader (24) to request the user for signature approval, and, in the case of signature approval, submitting the data to be authenticated, or data derived therefrom, to the smart card (26) for signing.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 26, 27, 28, 29
16. A server infrastructure (16) comprising:
a communication channel between the server infrastructure (16) and a client infrastructure (12) across a first network (14), the client infrastructure (12) including a client (22) having access to a user-controllable card reader (24) with a display (38);
an authenticated link between the server infrastructure (16) and the client infrastructure (12), the authenticated link being established by displaying an authentication context on the display (38) of the card reader (24), by controlling the card reader (24) to request the user for signature approval before permitting access to the smart card and to prevent access to confidential user data on the smart card until signature approval is received, and, in the case of signature approval, by submitting a challenge, if required together with context data, or data derived therefrom, to the smart card (26) for signing; and
a signed data transmission (70) between the client infrastructure (12) and the server infrastructure (16), the signed data transmission (70) being established by displaying on the display (38) the data to be authenticated, by controlling the card reader (24) to request the user for signature approval, and, in the case of signature approval, by submitting the data to be authenticated, or data derived therefrom, to the smart card (26) for signing.
Dependent claims: 17, 18, 19, 20, 21
22. A network system comprising:
client infrastructure (12) with a client (22) associated with a card reader (24) for a smart card (26), the smart card (26) having a first secure memory location for storing at least a first signature key (KPRIV_AUT_CLIENT, KPRIV_SIG_CLIENT) and the card reader (24) having a display (38);
an authenticated link between the server infrastructure (16) and the client infrastructure (12), the authenticated link being established by displaying on the display (38) an authentication context, by controlling the card reader (24) to request the user for signature approval before permitting access to the smart card and to prevent access to confidential user data on the smart card until signature approval is received, and, in the case of signature approval, by submitting a challenge, if appropriate together with context data, or data derived therefrom, to the smart card (26) for signing; and
a signed data transmission (70) between the client infrastructure (12) and the server infrastructure (16), the signed data transmission (70) being established by displaying on the display (38) the data to be authenticated, by controlling the card reader (24) to request the user for signature approval, and, in the case of signature approval, by submitting the data to be authenticated, or data derived therefrom, to the smart card (26) for signing.
Dependent claims: 23, 24, 25
Specification