Secure user and data authentication over a communication network

US 7,296,149 B2
Filed: 09/06/2002
Issued: 11/13/2007
Est. Priority Date: 03/18/2002
Status: Active Grant

First Claim

Patent Images

1. A method of performing user and data authentication over a client (22) in communication via a first network (14) with a server infrastructure (16), the client (22) having access via a user-controllable card reader (24) to a smart card (26) on which confidential user data comprising at least one signature key (K_PRIV_—

_AUT_—_CLIENT, K_PRIV_—_SIG_—_CLIENT) is stored, the method comprising the steps of;

performing a user authentication step, the user authentication step including displaying by the card reader (24) an authentication context, controlling the card reader (24) to request the user for signature approval before permitting access to the smart card and to prevent access to the confidential user data on the smart card until signature approval is received, and, in the case of signature approval, submitting a challenge, if appropriate together with context data, or data derived therefrom, to the smart card (26) for signing;

performing a data authentication step, the data authentication step including displaying by the card reader (24) the data to be authenticated, controlling the card reader (24) to request the user for signature approval, and, in the case of signature approval, submitting the data to be authenticated, or data derived therefrom, to the smart card (26) for signing.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method of performing user and data authentication over a client (22) in communication via a network (14) with a server infrastructure (16). The client (22) has access via a user-controllable card reader (24) to a smart card (26) on which at least one signature key is stored. The method comprises a user authentication step which includes displaying by the card reader (24) an authentication context, controlling the card reader to request the user for signature approval, and, in the case of signature approval, submitting a challenge, if required together with context data, or data derived therefrom to the smart card (26) for signing. The method further comprises a data authentication step which includes displaying by the card reader (24) the data to be authenticated, controlling the card reader (24) to request the user for signature approval, and, in the case of signature approval, submitting the data to be authenticated, or data derived therefrom, to the smart card (26) for signing.

78 Citations

View as Search Results

29 Claims

1. A method of performing user and data authentication over a client (22) in communication via a first network (14) with a server infrastructure (16), the client (22) having access via a user-controllable card reader (24) to a smart card (26) on which confidential user data comprising at least one signature key (K_PRIV_—
- _AUT_—_CLIENT, K_PRIV_—_SIG_—_CLIENT) is stored, the method comprising the steps of;
  
  performing a user authentication step, the user authentication step including displaying by the card reader (24) an authentication context, controlling the card reader (24) to request the user for signature approval before permitting access to the smart card and to prevent access to the confidential user data on the smart card until signature approval is received, and, in the case of signature approval, submitting a challenge, if appropriate together with context data, or data derived therefrom, to the smart card (26) for signing;
  
  performing a data authentication step, the data authentication step including displaying by the card reader (24) the data to be authenticated, controlling the card reader (24) to request the user for signature approval, and, in the case of signature approval, submitting the data to be authenticated, or data derived therefrom, to the smart card (26) for signing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 26, 27, 28, 29)
- - 2. The method of claim 1, wherein during the user and the data authentication step the same signature key (K_PRIV_—
    - _SIG_—_CLIENT), which is stored on the smart card (26), is used for signature generation.
  - 3. The method of claim 1, wherein the user authentication step is performed over an encrypted channel (64) which is established prior to or in context with the user authentication step.
  - 4. The method of claim 1, wherein a first authentication key (K_READER) is associated with the card reader (24).
  - 5. The method of claim 4, further comprising signing with the authentication key (K_READER) associated with the card reader (24) the signature which was generated with the at least one signature key (K_PRIV_—
    - _AUT_—_CLIENT, K_PRIV_—_SIG_—_CLIENT) stored on the smart card (26), and transmitting both signatures, if necessary together with the challenge, the context data and/or the data to be authenticated, to the server infrastructure (16).
  - 6. The method of claim 1, wherein a second authentication key (K_PRIV_—
    - _AUT_—_CLIENT) is stored on the smart card (26).
  - 7. The method of claim 6, wherein during the user authentication step the second authentication key (K_PRIV_—
    - _AUT_—
      
      CLIENT) is used for signing and wherein during the data authentication step the signature key (K_PRIV_—_SIG_—_CLIENT) is used for signing.
  - 8. The method of claim 6, wherein the user authentication step includes a first user authentication step involving the encrypted channel and the second authentication key (K_PRIV_—
    - _AUT_—_CLIENT), and a second user authentication step involving at least the first and the second authentication key (K_READER, K_PRIV_—_AUT_—_CLIENT).
  - 9. The method of claim 8, wherein a dependence of the first user authentication step on an encryption key (K_EP) of the server infrastructure (16) is introduced.
  - 10. The method of claim 1, wherein the server infrastructure (16) further includes:
    - a second network (52), preferably secure Intranet, in which the application server (58) is arranged; and
      
      an entrance point (54, 56) of the second network (52), the entrance point (54, 56) being coupled to the first network (14).
  - 11. The method of claim 10, wherein the first user authentication step is entrance point-controlled.
  - 12. The method of claim 8, wherein the first user authentication step is performed on a layer below an application layer and the second user authentication step is performed on the application layer.
  - 13. The method of claim 8, wherein the first user authentication step comprises a first substep during which an encrypted channel is established and a second substep during which the encrypted channel is used to transmit information required for user authentication.
  - 14. A computer program product having program code means for performing the steps of claim 1 when the computer program product is run on a computer system.
  - 15. The computer program product of claim 14, stored on a computer readable recording medium.
  - 26. The method of claim 1, further comprising receiving signature approval by a press of a button on the card reader.
  - 27. The method of claim 8, further comprising requiring, for the second authentication step, a second signature approval for accessing the smart card if a pre-determined time has expired.
  - 28. The method of claim 1, the authentication context comprising a text message requesting the user for the signature approval.
  - 29. The method of claim 1, the confidential user data further comprising secret bank information.

16. A server infrastructure (16) comprising:
- a communication channel between the server infrastructure (16) and a client infrastructure (12) across a first network (14), the client infrastructure (12) including a client (22) having access to a user-controllable card reader (24) with a display (38);
  
  an authenticated link between the server infrastructure (16) and the client infrastructure (12), the authenticated link being established by displaying an authentication context on the display (38) of the card reader (24), by controlling the card reader (24) to request the user for signature approval before permitting access to the smart card and to prevent access to confidential user data on the smart card until signature approval is received, and, in the case of signature approval, by submitting a challenge, if required together with context data, or data derived therefrom, to the smart card (26) for signing; and
  
  a signed data transmission (70) between the client infrastructure (12) and the server infrastructure (16), the signed data transmission (70) being established by displaying on the display (38) the data to be authenticated, by controlling the card reader (24) to request the user for signature approval, and, in the case of signature approval, by submitting the data to be authenticated, or data derived therefrom, to the smart card (26) for signing.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The server infrastructure of claim 16, wherein the first network (14) is the Internet or an insecure external network.
  - 18. The server infrastructure of claim 16, wherein the server infrastructure (16) further includes:
    - a second network (52), preferably a secure Intranet, in which the application server (58) is arranged; and
      
      an entrance point (54, 56) of the second network (52), the entrance point (54, 56) being coupled to the first network (14).
  - 19. The server infrastructure of claim 18, wherein the entrance point comprises a proxy server component (56) and/or is situated on the application server (58).
  - 20. The server infrastructure of claim 18, wherein the second network (32) comprises the functionality of a certificate authority (60).
  - 21. The server infrastructure of claim 20, further comprising a secure end-to-end management channel (72) between the second network (52) comprising the certificate authority (60) functionality and the smart card (26).

22. A network system comprising:
- client infrastructure (12) with a client (22) associated with a card reader (24) for a smart card (26), the smart card (26) having a first secure memory location for storing at least a first signature key (K_PRIV_—_AUT_—_CLIENT, K_PRIV_—
  
  SIG_—_CLIENT) and the card reader (24) having a display (38);
  
  an authenticated link between the server infrastructure (16) and the client infrastructure (12), the authenticated link being established by displaying on the display (38) an authentication context, by controlling the card reader (24) to request the user for signature approval before permitting access to the smart card and to prevent access to confidential user data on the smart card until signature approval is received, and, in the case of signature approval, by submitting a challenge, if appropriate together with context data, or data derived therefrom, to the smart card (26) for signing; and
  
  a signed data transmission (70) between the client infrastructure (12) and the server infrastructure (16), the signed data transmission (70) being established by displaying on the display (38) the data to be authenticated, by controlling the card reader (24) to request the user for signature approval, and, in the case of signature approval, by submitting the data to be authenticated, or data derived therefrom, to the smart card (26) for signing.
- View Dependent Claims (23, 24, 25)
- - 23. The network system of claim 22, wherein the card reader (24) has a second secure memory location for storing an authentication key (K_READER).
  - 24. The network system of claim 22, wherein the client (12) comprises a wrapper (46), e.g., PKCS#11, for establishing a communication link between a client application (48) and one of a plurality of different smart cards (26).
  - 25. The network system of claim 22, wherein the card reader (24) is at least a class 4 reader or a FINREAD-compatible card reader.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
UBS Business Solutions AG (UBS Ag)
Original Assignee
UBS Ag
Inventors
Hiltgen, Alain P.
Primary Examiner(s)
Barron, Gilberto
Assistant Examiner(s)
LASHLEY, LAUREL L

Application Number

US10/235,936
Publication Number

US 20030177353A1
Time in Patent Office

1,894 Days
Field of Search

None
US Class Current

713/161
CPC Class Codes

G06F 21/34   involving the use of extern...

G06Q 20/3674   involving authentication

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0869   for achieving mutual authen...

H04L 9/0844   with user authentication or...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

Secure user and data authentication over a communication network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Secure user and data authentication over a communication network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links