System and method for providing an user's security when setting-up a connection over insecure networks

US 8,266,434 B2
Filed: 05/10/2010
Issued: 09/11/2012
Est. Priority Date: 04/11/2005
Status: Active Grant

First Claim

Patent Images

1. A method for setting up a secure communication line between a user and a service provider using non-secure communication channels within an insecure network, comprising the steps of:

transmitting an identity token or identity claim from a user station to a service provider station, wherein the user station and service provider station are coupled to the insecure network, and wherein the service provider station comprises at least one computer system including at least one processor;

triggering, with the at least one processor, the creation of a secret URL by the service provider station upon reception of the identity token or identity claim;

transmitting, from the at least one computer system, the secret URL over a telephone line as secure side channel to the user station;

obtaining the secret URL within the user station; and

setting-up a new communication path in the insecure network that links the user and the service provider station based on said secret URL, wherein the step of triggering the creation of a secret URL comprises the steps of;

creating a crypto-container by the service provider station, wherein the crypto-container includes the secret URL encrypted with a key known to the user, wherein the secure side channel is used to transmit the crypto-container; and

decrypting the crypto-container within the user station to obtain the secret URL.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for setting up a secure communication line between a user and a service provider using non-secure communication channels within an insecure network, comprising the steps of transmitting an identity token from a user station to a service provider station both coupled to the insecure network; upon reception of the identity token, triggering the creation of a secret URL by the service provider station; transmitting the secret URL within a secure side channel to the user station; obtaining, within the user station, the secret URL, and setting-up a new communication path in the insecure network linking the user and the service provider station based on said secret URL. Beside discarding a man-in-the-middle by denying him access to the data flow it is also possible to stop him through denying him access to the content of the data flow. Such access can be denied through use of a one-time codebook with semantics only known to the User and the authentication service provider.

8 Citations

View as Search Results

12 Claims

1. A method for setting up a secure communication line between a user and a service provider using non-secure communication channels within an insecure network, comprising the steps of:
- transmitting an identity token or identity claim from a user station to a service provider station, wherein the user station and service provider station are coupled to the insecure network, and wherein the service provider station comprises at least one computer system including at least one processor;
  
  triggering, with the at least one processor, the creation of a secret URL by the service provider station upon reception of the identity token or identity claim;
  
  transmitting, from the at least one computer system, the secret URL over a telephone line as secure side channel to the user station;
  
  obtaining the secret URL within the user station; and
  
  setting-up a new communication path in the insecure network that links the user and the service provider station based on said secret URL, wherein the step of triggering the creation of a secret URL comprises the steps of;
  
  creating a crypto-container by the service provider station, wherein the crypto-container includes the secret URL encrypted with a key known to the user, wherein the secure side channel is used to transmit the crypto-container; and
  
  decrypting the crypto-container within the user station to obtain the secret URL.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, wherein at least one of the user and the service provider performs a correct authentication.
  - 3. The method according to claim 1, wherein a challenge response authentication protocol is used to transmit the crypto-container from the service provider station to the user station.
  - 4. The method according to claim 1, wherein the step of obtaining the secret URL within the user station comprises the steps of:
    - presenting the crypto-container through representation of information of the crypto-container via a data terminal equipment of the user stationdetecting the information by an autonomous mobile authentication device; and
      
      decrypting the information through the authentication device.
  - 5. The method according to claim 4, wherein the information is presented one of optically on a screen of the data terminal equipment and audibly through speakers associated with the data terminal equipment.

6. A method for setting up a secure communication between a user and a service provider using non-secure communication channels within an insecure network, comprising the steps of:
- transmitting an identity token or identity claim from a user station to a service provider station, wherein the user station and service provider station are coupled to the insecure network, and wherein the service provider station comprises at least one computer system including at least one processor;
  
  triggering, with the at least one processor, the creation of a secret codebook by the service provider station upon reception of the identity token or identity claim;
  
  transmitting, from the at least one computer system, the secret codebook over a telephone line as a secure side channel to the user station;
  
  obtaining the secret codebook within the user station; and
  
  transmitting a choice from the codebook to the service provider station, wherein the step of triggering the creation of a secret codebook comprises the steps of;
  
  creating a crypto-container by the service provider station, wherein the crypto-container includes the secret codebook encrypted with a key known to the user, wherein the secure side channel is used to transmit the crypto-container; and
  
  decrypting the crypto-container within the user station to obtain the secret codebook.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method according to claim 6, wherein at least one of the user and the service provider performs a correct authentication.
  - 8. The method according to claim 6, wherein a challenge response authentication protocol is used to transmit the crypto-container from the service provider station to the user station.
  - 9. The method according to claim 6, wherein the step of obtaining the secret codebook within the user station comprises the steps of:
    - presenting the crypto-container through representation of information of the crypto-container via a data terminal equipment of the user stationdetecting the information by an autonomous mobile authentication device; and
      
      decrypting the information through the authentication device.
  - 10. The method according to claim 9, wherein the information is presented one of optically on a screen of the data terminal equipment and audibly through speakers associated with the data terminal equipment.

11. A system for setting up a secure communication line between a user computer and a service provider computer using non-secure communication channels within an insecure network, comprising:
- a user computer coupled to the insecure network through a first data terminal equipment;
  
  a service provider computer coupled to the insecure network through a second data terminal equipment;
  
  a communication path in the insecure network linking the user computer and the service provider computer;
  
  a first communication unit for communicating a request from the user computer to the service provider computer;
  
  a URL creation module for creating a URL within the service provider computer;
  
  a second communication unit for communicating the URL from the service provider computer to the user computer over a telephone line as a secure side channel;
  
  a URL accessing unit for accessing the URL by the user; and
  
  a set-up module for setting-up a new communication path in the insecure network linking the user computer and the service provider computer based on the secret URL.

12. A system for setting up a secure communication between a user computer and a service provider computer using non-secure communication channels within an insecure network, comprising:
- a user computer coupled to the insecure network through a first data terminal equipment;
  
  a service provider computer coupled to the insecure network through a second data terminal equipment;
  
  a communication path in the insecure network linking the user computer and the service provider computer;
  
  a first communication unit for communicating a request from the user computer to the service provider computer;
  
  a codebook creation module for creating a codebook within the service provider computer;
  
  a second communication unit for communicating the codebook from the service provider computer to the user over a telephone line as a secure side channel;
  
  a codebook accessing unit for accessing the codebook by the user; and
  
  a codebook choice display menu module for enabling and transmitting the choice of one of the codebook options to communicate the choice in the insecure network linking the user computer and the service provider computer based on the secret knowledge.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Agses International General Agency GmbH
Original Assignee
Agses International General Agency GmbH
Inventors
Müller, Lorenz, Jacomet, Marcel, Cattin-Liebl, Roger, Rollier, Alain
Primary Examiner(s)
Song, Hosuk

Application Number

US12/776,782
Publication Number

US 20110107093A1
Time in Patent Office

855 Days
Field of Search

726 2- 5, 726 9- 10, 726/20, 713/168, 713/176, 713/179, 713/181, 713/185, 713/189, 713192-194
US Class Current

713/168
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

H04L 63/18   using different networks or...

System and method for providing an user's security when setting-up a connection over insecure networks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

System and method for providing an user's security when setting-up a connection over insecure networks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others