Telecommunications – Radiotelephone system – Security or fraud prevention
Reexamination Certificate
1999-02-04
2002-08-06
Trost, William (Department: 2683)
Telecommunications
Radiotelephone system
Security or fraud prevention
C455S456500, C380S033000
Reexamination Certificate
active
06430407
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to a method for providing an authentication to an application. The invention relates further to an arrangement for providing an authentication to an application and further to an apparatus to be used in the authentication.
BACKGROUND OF THE INVENTION
Various electronic applications exist which involve a need for an authentication. Authentication may be required, for example, when a user is accessing a specific application and/or when a user already uses an application and there arises a need to verify the user or to receive such an acknowledgment from the user which allows the application to make some further proceedings.
Examples of applications which might require an authentication include various commercial services obtained through communications networks, such as Internet, Intranet or Local Area Networks (LAN), payments and banking services accessed through communications networks, resource access, remote programming, reprogramming or updating of software etc. Even certain free of charge services obtained through communications networks may require an authentication. The amount of services or applications which require at least some degree of authentication of the user who is trying to access them (or of the user who is already using them but where there is a need to check authorization during the use of the service or a need to acknowledge something during the use) has increased greatly during the past years. The need for the authentication is also expected to increase further in the future.
At present there are already some well known solutions for communication authentication. These normally use various cryptographic techniques between two communicating computer devices. According to a basic scenario for the authentication, a random challenge is given to encryption functions of said two computer devices. Both of these computers have a secret, i.e., an encryption key, which is also given to the encryption function in both of the computers. Thereafter, the results of the calculations of the two encryption functions are compared, and if the result of the comparison is positive, the authentication is considered as being in force. If the comparison gives a negative result, then the authentication test is considered as having failed.
There are also various already existing authentication arrangements. The following examples of the prior art arrangements are given with a brief description of some of the drawbacks thereof:
Passwords. At present, the use of a password or several passwords is the most often used approach for the authentication. The password is given to the remote application through an user interface, e.g., through a computer terminal connected to a communications network. However, this solution does not take the vulnerability of the network into account, since the password is exposed to everyone who has access to the network (and who is skilled enough to read the passwords).
A secret. This may be described as an electronic password or a signature or an encryption key which is stored and used by for example the user interface. Even though the secret is not revealed to the network, it may end up in the “wrong hands” and could be used by some party other than those who are originally intended to be the users of the secret.
Authentication software in the user interface. This is a more sophisticated approach to authentication. The password is given to a program in the user interface, which then automatically authenticates cryptographically access to the requested application. Even though this provides a more secure arrangement than the above solution, it still leaves a possibility for catching the passwords from the user interface. It is also possible to modify the software without notice to the actual user.
Smart cards with associated readers. A smart card is capable of communicating encrypted challenge-response messages, but it does not contain a user interface for receiving an authorization from the user itself. Such an interface may exist in the smart card readers, but such readers must be well protected against any possibilities for misuse, and thus the ordinary users (i.e., the large majority of users, i.e., the public) cannot usually have physical access to these reader interfaces, but they have to trust to the organization providing the smart cards. In addition, the smart card readers cannot be shared between organizations which do not have trust to each others.
Smart cards with a user interface. These do already exist, but they are expensive since each security processor must have a secure user interface of it's own. These are rare and the input/output capability thereof is still extremely limited, and thus they are not held to be an economically suitable solution for the authentication problem.
A separate personal authentication device. In this approach the user is used as “a communication means” between the user interface and a separate authentication device. The user interface gives a challenge which the user then types in to a hand held authentication device (pocket-calculator like device). The authentication device may, e.g., give a number as a response, and the user then types this number in to the user interface. In this the problems relate to the need of purchasing, using and carrying a separate device. In some instances there is also a possibility of incorrect typing of the usually long and complex character strings.
The above already mentions some parties which may be involved when implementing the present authentication systems. They are briefly explained in more detail in the following:
The user is usually a human being who uses various applications or services. The user can be identified by means of a password (or secret) which is only known by him/her (a public key method), or by means of a secret which is shared between the user and the application (a secret key method).
The application is the party that wants to ensure the authenticity of the user. The application can also in some occasions be called as a service. From the application's point of view the authenticity question can be divided in four different categories (questions): 1) is the user at the moment in the other end? (so called peer-entity-authentication), 2) are the further messages received from the same user? (integrity of the message stream), 3) does a specific message originate from a certain user? (data origin authentication), and 4) is the message such that even a third party may believe it to originate from a certain user? (non-repudiation).
The user interface is the device or arrangement which enables the user to access the application or service. In most instances it can also be referred to as a terminal, and may consist of devices such as computers (e.g., Personal Computer, PC), workstations, telephone terminals, mobile stations such as mobile telephones or radios or pagers, automatic money teller and/or banking machines, etc. The user interface provides input/output facilities and it may possibly even provide a part of the application.
The Personal Authentication Device (PAD) is a piece of hardware that the user carries with him. The PAD may have some basic input/output functionality and even some processing facilities. The above referred smart cards and separate authentication devices may also be considered as PADs. In most cases the user can rely on his PAD, since the user has it (almost) always with him and thus under continuous control. All the possible passwords or secrets are hidden in the hardware thereof such that there is no easy manner to reveal them. The device itself is not easy to modify such that the communication path between the user and the security processor could be endangered. In addition, the PADs usually have a minimum amount of stored state and the programs thereof are not easily modifiable.
SUMMARY OF THE INVENTION
Even though the above described prior art solutions for authentication already exist, there are still some shortages, in addition to those already
Nixon & Vanderhye P.C.
Perez-Gutierrez Rafael
Telefonaktiebolaget LM Ericsson (publ)
Trost William
LandOfFree
METHOD, APPARATUS, AND ARRANGEMENT FOR AUTHENTICATING A USER... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with METHOD, APPARATUS, AND ARRANGEMENT FOR AUTHENTICATING A USER..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and METHOD, APPARATUS, AND ARRANGEMENT FOR AUTHENTICATING A USER... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2914300