• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    Method and system to automatically authenticate a user through an authentication device. The present invention relates to a method and a system for automatically authenticating a user comprising: storing in a authentication device credentials of the user; check, from an electronic device, the accessible authentication devices; establish a communication between the devices through a short-range radio interface; sending, from the electronic device to the authentication device, an authentication request; check compliance with a set of access parameters; if the access parameters are met, send a response message to the received authentication request, according to the user's credentials, through the short-range radio interface; and authenticating the user in the electronic device according to the received response message. (Machine-translation by Google Translate, not legally binding)
    公开号:ES2671196A1
    申请号:ES201631551
    申请日:2016-12-05
    公开日:2018-06-05
    发明作者:Manuel Urueña Pascual;Ignacio Soto Campos
    申请人:Universidad Carlos III de Madrid;
    IPC主号:
    专利说明:

    5
    10
    fifteen
    twenty
    25
    30
    35
    Method and system to automatically authenticate a user using an authentication device
    TECHNICAL FIELD OF THE INVENTION
    The present invention has application in the field of computer security and more specifically in the methods and systems for authenticating users in the environment of websites, computer applications, and electronic devices.
    BACKGROUND OF THE INVENTION
    User authentication in electronic communications devices is a fundamental security process. Most services and electronic devices are not intended to be used by anonymous users, or at least not their most delicate features. Therefore, the authentication of a user is an essential process that today is part of the routine of access to most services or electronic devices.
    Currently, the main mechanism used for user authentication is passwords. That forces users to have to create and remember a significant number of passwords to use with the different accounts they own, which normally have different levels of security. This inevitably makes users, in addition to being forced to perform a tedious task such as continuously entering a password, resort to reusing passwords and / or using simple passwords that lead to significant security problems and open opportunities for computer attacks, by using of known password dictionaries or brute force. Although "password managers" (password managers, in English) can reduce the risk of using passwords by randomly generating them and storing them securely, the user's direct participation in the authentication process enables social engineering attacks, techniques phishing, or the use of malicious devices or software that records the sequence of keystrokes (keyloggers).
    The state of the art offers some safer alternatives to passwords, such as single-use passwords (OTP - One Time Password, in English), smart cards
    5
    10
    fifteen
    twenty
    25
    30
    35
    (Smart Cards. In English), biometric techniques or the sending of SMS authentication codes, although all of them have a very limited practical use, since they either require additional steps that involve annoying waste of time for the user (eg OTPs or codes by SMS) and where the user still has to enter a password, which makes the possibility of phishing attacks persist; or require dedicated peripherals on each computer from which an authentication is requested, such as smart cards or biometrics-based techniques.
    Other documents, which reflect the state of the art relating to the authentication of users using external authentication devices to avoid these deficiencies, are for example document US2015281227 A1, which describes an authentication mechanism in websites in which passwords are stored on a mobile phone An NFC tag (tag) is used to decrypt the password repository stored in the phone and it communicates with the user's computer through a notification server hosted on the Internet. However, the use of other credentials or local authentication methods, or their use in scenarios without Internet coverage, is not contemplated.
    On the other hand, WO 2013/089777 A1 describes an authentication system for websites that uses an external wireless device to store user passwords and communicates them with the user's computer via NFC. However, it only supports passwords and is reduced to the web authentication scenario without further configuration or modification of security levels.
    Due to the above, the known methods and systems for user authentication lack the necessary balance between security, usability and flexibility to adapt to different situations of users and services, which is missing in the state of the art some solution that combines all of the above, eliminate as far as possible the intervention of the user in the authentication process, while keeping him aware and with control of how and when to perform authentication, and which also is not restricted only to Use of passwords as user credentials.
    DESCRIPTION OF THE INVENTION
    The present invention solves the problems mentioned above by means of a flexible, high security and minimal intervention solution for the user who stores
    5
    10
    fifteen
    twenty
    25
    30
    35
    your credentials on an external authentication device with a short-range radio interface so that it can authenticate wherever you need (eg local electronic devices or remote websites). The credentials can be of different types, from passwords, RFID / NFC physical access control codes, single-use passwords, digital certificates or any other type of credentials. Thus, in a first aspect of the invention, a method for automatically authenticating a user comprising the following steps is presented:
    a) store user credentials in an authentication device;
    b) check, from an electronic device, the authentication devices accessible by a short-range radio interface;
    c) establish, between the electronic device and the authentication device, secure communication via the short-range radio interface;
    d) send, from the electronic device to the authentication device, an authentication request through the short-range radio interface;
    e) check the authentication device for compliance with a set of previously defined access parameters;
    f) if the previously defined access parameters are met, send, from the authentication device to the electronic device, a response message to the authentication request received, according to the user's credentials, through the short radio interface scope;
    g) authenticate the user in the electronic device according to the response message received.
    An embodiment of the present invention periodically checks that the authentication device continues to be accessible by the electronic device through the short-range radio interface and, in case the authentication device is no longer accessible, the user's session is blocked in the Electronic device.
    Additionally, the present invention contemplates in one of its embodiments the steps of:
    - send from the electronic device, a request to access a website hosted on a remote web server, through a web browser;
    - identify, through an extension of the web browser, the requested website;
    - send, from the extension of the web browser to the authentication device, a request for the user names registered on the website, through a short-range radio interface;
    - check, on the authentication device, that the website corresponds to
    4
    5
    10
    fifteen
    twenty
    25
    30
    35
    any previously registered website;
    - If the website corresponds to a previously registered website, send the registered usernames for that website to the web browser extension, through the short-range radio interface;
    - select, by the user, one of the registered user names that have been sent to the web browser extension;
    - send, from the extension of the web browser to the authentication device, an authentication request for the selected user name through the short-range radio interface;
    - send, from the authentication device to the web browser extension, a response message to the authentication request received, according to the user's credentials stored, through the short-range radio interface;
    - authenticate the user on the website according to the response message received.
    According to one of the embodiments of the invention, the step of establishing a communication between the electronic device and the authentication device, via the short-range radio interface, previously comprises the steps of:
    - perform an initial pairing of both devices, where the pairing includes an explicit consent of the user, in which both devices exchange their digital certificates, so that they can later authenticate securely;
    - verify, by the authentication device, the authenticity of the certificate of the electronic device obtained through the short-range radio interface by comparing the summary (digest, in English) of its public key, with the value shown by the electronic device, by example using a QR code that can be scanned by the authentication device;
    - save in the authentication device the certificate of the new electronic device paired in a white list of trusted devices that can be connected to the authentication device without confirmation by the user, or in the gray list, where known electronic devices are stored but whose connection requires confirmation by the user;
    Alternatively, in one embodiment of the invention, the devices rely on the certificates of a certification authority, so that electronic devices that have a certificate from said certification authority can connect to the authentication device (and vice versa) without the need for
    5
    10
    fifteen
    twenty
    25
    30
    35
    Prior pairing, although in that case the connection of a new electronic device will be notified to the user, who can save it in the white list, in the gray list, or in a black list if he does not want to allow said electronic device to be connected to the device. authentication in the future.
    According to one of the embodiments of the invention, establishing secure communication between the authentication device and the electronic device via the short-range radio interface further comprises the steps of:
    - establish a radio channel between the electronic device and the authentication device using the short-range radio interface;
    - initiate a TLS connection [RFC5246] on said radio channel from the authentication device;
    - validate the first certificate sent from the electronic device on the authentication device, and check if it is blacklisted, thereby canceling the establishment of the TLS session;
    - provide a second certificate from the authentication device to the electronic device;
    - complete the establishment of the TLS session in the event that the first and second certificates are valid and appear in the white list or the gray list of the authentication device, requesting confirmation from the user if necessary (if it appears in the gray list );
    - subsequently the negotiated TLS session can be summarized, avoiding the need to exchange the certificates of both devices again and demonstrate the possession of the private keys associated with them.
    In one of the embodiments of the invention, the step of sending authentication credentials from the authentication device to the electronic device through the short-range radio interface, further comprises requesting, in the authentication device, the user their authorization to Access the credentials requested by the electronic device.
    Optionally, the authorization can be by touching the user on a touch screen of the authentication device, shaking the authentication device, entering a PIN or password associated with the corresponding credential, or using a biometric sensor on the device Authentication
    5
    10
    fifteen
    twenty
    25
    30
    35
    The set of access parameters is also contemplated to collect a schedule parameter and a location parameter and, according to one of the embodiments of the present invention, the step of verifying compliance with said set of access parameters comprises determining whether The time and location associated with the authentication request received by the authentication device meet the previously defined time and location requirements for the credential or credential repository being accessed.
    If more than one known authentication device is discovered within the scope of the short-range radio interface of the electronic device to which access is desired, one of the embodiments of the invention contemplates the step of selecting, by the user, its authentication device through an interaction with the electronic device.
    Optionally, the selection of the authentication device, when there are several accessible from the electronic device that you wish to access, is done by bringing the authentication device itself or a user access card to an RFID / NFC reader in the electronic device, to thus providing the physical address of the authentication device to the electronic device, directly or by means of a unique identifier that can be translated into it (for example, by asking a management server or checking which of the nearby authentication devices announces said identifier).
    In one of the embodiments of the invention, the installation of user credentials in the authentication device, it is contemplated that it comprises the following steps:
    - provide, by the user, a user registration information on the website registration server;
    - send the registration information from the registration server to a credential server;
    - generate a QR code on the registration server;
    - generate, on the credential server, user credentials associated with the registration information;
    - scan, using the authentication device, the QR code generated by the registration server;
    - as a result of scanning the QR code, displaying a request for confirmation of registration on the website on the authentication device;
    5
    10
    fifteen
    twenty
    25
    30
    - in case the user confirms the registration, establish a connection between the authentication device and the address encoded in the QR code that points to the credential server;
    - provide, from the credential server to the authentication device, the user credentials generated, through the established connection.
    The step of providing the credentials generated from the credential server comprises, according to an embodiment of the invention, at least one of the following techniques:
    - provide a random password;
    - provide a seed to generate single-use passwords;
    - negotiate a shared key through a Diffie-Hellman key exchange.
    - provide a certificate for the user
    In one of the embodiments of the invention, providing the user credentials in the form of a digital certificate comprises the use of the registration protocol in public key infrastructure on secure transport (EST) according to RFC7030.
    A second aspect of the present invention relates to a system for automatically authenticating a user comprising:
    - an authentication device configured to securely store user credentials; establish secure communication with an electronic device through a short-range radio interface; check compliance with a set of previously defined access parameters; and, if the previously defined access parameters are met, send to the electronic device, a response message to an authentication request received, according to the user's credentials, through the short-range radio interface;
    - an electronic device configured to check the authentication devices accessible by the short-range radio interface; establish secure communication with the authentication device through the short-range radio interface; send an authentication request to the authentication device through the short-range radio interface; and authenticate the user according to the response message received.
    5
    10
    fifteen
    twenty
    25
    30
    35
    Additionally, according to one of the embodiments of the present invention, the system also optionally comprises:
    - a registration server configured to receive registration information from a user on a website; send the registration information to a credential server; generate a QR code; Y
    - a credential server configured to receive registration information from the registration server; generate user credentials associated with the registration information; establish a secure connection with the authentication device; provide the authentication device with the user credentials generated, through the secure connection established between the two;
    where the authentication device is also configured to:
    - scan the QR code generated by the registration server; As a result of the QR code scan, display a request for confirmation of registration on the website; in case the user confirms the registration, establish a secure connection with the address encoded in the QR code that points to the credential server;
    - receive, from the credential server, the generated user credentials, through the secure connection established and store them in a secure credential repository within the authentication device.
    According to one of the embodiments of the present invention, the authentication device further comprises a clock that provides a time parameter and location means that provide a location parameter, and where the authentication device is further configured to determine whether the time and location parameters, provided by the clock and the location means respectively, associated with the authentication request received by the authentication device, meet previously defined time and location requirements.
    A final aspect of the invention relates to a computer program product comprising computer program code, adapted to perform the method of the present invention when said program code is executed in a computer, a digital signal processor, a formation of programmable gates in the field, an application-specific integrated circuit, a microprocessor, a micro-controller or any other form of programmable hardware.
    5
    10
    fifteen
    twenty
    25
    30
    35
    The present invention therefore allows a user to authenticate securely and quickly where they need, be it the physical world, local computers, remote websites, etc. The user only needs to have the authentication device nearby, that is, within the coverage of the short-range radio interface used, preferably Bluetooth, where authentication is requested. In addition, the present invention has great flexibility and configuration possibilities that allow for example that authentication is performed or not based on access parameters such as time or location.
    The authentication device, according to the present invention, may comprise processing and storage capabilities, graphical user interface, touch screen, clock, navigation system and / or other location mechanisms, accelerometer, camera, biometric sensors, wireless interfaces Short-range Bluetooth and NFC, and / or network communications. The sensors mentioned above can be used to improve the usability and protection of the user's credentials, for example by limiting the location and hours at which the stored credentials can be used and / or requesting explicit authorization from the user, using different methods, to access a credential.
    Unlike traditional security tokens (such as OTP keychains or smart cards) that normally only support a specific type of credentials, the present invention supports different types of credentials, including passwords, digital certificates or single-use passwords, and It can be used for both local and remote authentication. In addition, communication between the authentication device and the user's computer is carried out through a short-range wireless communication, preferably based on Bluetooth, which allows the use of the present invention in situations without Internet access, in addition to reducing the attack surface (from all Internet to only nearby Bluetooth devices).
    Finally, although other state-of-the-art solutions use very short-range radio interfaces such as RFID / NFC tags, these are used to decrypt the password repository stored in the phone, while the scenarios proposed by the present invention of “Touch -to-access ”the NFC interface of the phone or an external RFID / NFC tag are used only to identify the authentication device with which the electronic device must be accessed, since the secure connection is still used for the exchange of credentials TLS over Bluetooth.
    5
    10
    fifteen
    twenty
    25
    30
    35
    To complement the description that is being made and in order to help a better understanding of the characteristics of the invention, a set of figures is attached as an integral part of said description, where illustrative and non-limiting nature has been represented. next:
    Figure 1.- illustrates the exchange of messages in a scenario of access to a local computer using the method and system of the present invention.
    Figure 2.- illustrates the exchange of messages in a scenario of access to a remote website that requires authentication using the method and system of the present invention. Figure 3.- illustrates the procedure contemplated by one of the embodiments of the invention for the installation of credentials in an authentication device.
    DETAILED DESCRIPTION OF THE INVENTION
    What is defined in this detailed description is provided to help a thorough understanding of the invention. Accordingly, people moderately skilled in the art will recognize that variations, changes and modifications of the embodiments described herein are possible without departing from the scope of the invention. In addition, the description of functions and elements well known in the state of the art is omitted for clarity and conciseness.
    Of course, the embodiments of the invention can be implemented in a wide variety of platforms, protocols, devices and systems, so the specific designs and implementations presented in this document are provided solely for purposes of illustration and understanding, and never for Limit aspects of the invention.
    The present invention discloses in one of its embodiments an authentication device, (such as a mobile phone, but can also be implemented in a dedicated electronic device), which stores and manages the credentials of a user, so that when he needs to authenticate before any electronic device (a local computer, a website that is accessed from a local computer, a physical access control lathe, etc.) it can do so thanks to said authentication device, which communicates through a radio interface short range, preferably Bluetooth, with the electronic device that is requesting user authentication, and then use the
    5
    10
    fifteen
    twenty
    25
    30
    35
    credentials stored to perform local or remote authentication, so that the user only has to confirm that he wants to authenticate, instead of having to remember and enter that credential manually.
    Thus, the present invention proposes an easy-to-use, scalable, and flexible authentication device, where users store their credentials in a portable device other than the electronic device against which they want to authenticate. Thus, even if an attacker were able to compromise the electronic device, typically a personal computer, the user's credentials would be safe on their authentication device, encrypted by software with a master key known only to the user or within an Element Secure (SE - Secure Element in English) hardware. In addition, short-range radio interfaces, such as Bluetooth or NFC, used to establish local communications with other devices (such as a local computer or a physical access control lathe) advantageously allow authentication without the need for peripherals. additional as a smart card reader (Smart Cards, in English) or dedicated biometric sensors, nor require communication over the Internet.
    The authentication device of the present invention, according to one of its embodiments, will hereinafter be referred to as "MobiToken" to distinguish it from other devices. This MobiToken device organizes user credentials in one or more credential repositories (for example a "work" repository, another "personal" repository, etc.) that may have different access policies. Each user credential has a domain to which it belongs (for example pc01.example.org or * .example.org), a identity or username (so that users can have multiple accounts in the same service), and one or more credential types (eg password and an OTP generator) for two-factor authentication (2FA - two factor authentication, in English) or two step verification (2SV).
    The MobiToken device of the present invention allows to enable or disable access to a given credential manually, so that a credential will only be accessible if the user manually enables it. In addition, it allows you to assign different access policies to different credentials depending on your security level. For example, a "Always Allow" policy can be assigned to low security sites (eg, a social network), while access to a high security service may require you to enter a PIN code to unlock the Secure Item that stores the credential and / or use a biometric mechanism to authorize its use, either each time it is accessed, or with validity
    for a certain time. One of the policies used is based on presenting a dialogue of
    12
    5
    10
    fifteen
    twenty
    25
    30
    35
    "Allow / Deny" authentication whenever you try to access a credential, which can be authorized by the user through gestures such as touching the screen or shaking the device (even being inside a bag, for example) which can be detected by a MobiToken device accelerometer (especially if it is implemented in a smart mobile phone, since it is common to incorporate this and other sensors.) MobiToken also allows advanced access policies based on the use of additional MobiToken device sensors, such as , enabling a corporate credential repository only in a certain time slot (09:00 to 18:00 for example), or closing it if the user leaves the office (detecting it by means of the corresponding localization means usually present in any smart mobile phone ) As access policies can be assigned to the different entities in the hierarchy of credentials, the most specific one applies (for example, * .example.org workstations may require a PIN code each time they are accessed, but access to the user's personal computer pc01.example.org may only require it once up to date).
    The MobiToken device of the present invention can also specify which devices can be connected to it (to authenticate the user) by using white, gray and black lists. The devices in the white list are reliable and can be connected to the MobiToken device automatically (although confirmation can then be requested from the user to access a protected credential), while connections from gray list devices require user confirmation, and the devices from The blacklist cannot connect to the MobiToken device. In addition, if the user denies the access of a device to his MobiToken or one of the stored credentials, he can additionally report the possible attack, so that the device is added to the blacklist, and all data of the access attempt (such as for example the attacker's device, time, credential requested) can be registered and sent automatically to the organization's security service. As for social engineering and phishing attacks, an attacker could try to trick the user into sending their credentials by email or phone, however, provided the user tries to manually access a credential (Since in most cases the access should be automatic), the MobiToken device can be configured, according to one of the embodiments, to show an information screen to the user explaining in a didactic way that he should never divulge his passwords when request it by mail or phone, as well as the steps to follow to verify that you are really accessing a service in a secure way (that is, checking the DNS domain name, the green HTTPS lock, and
    13
    5
    10
    fifteen
    twenty
    25
    30
    the last certification authority observed for said website).
    Different use cases for a communication device or "MobiToken" according to the present invention are described below:
    Use case 1: access to a local computer.
    The first use case of a MobiToken device is local access to a computer, which usually requires the user to type his password many times a day. From the point of view of users, access to their personal computer with MobiToken is reduced to pressing any key on the keyboard or moving the mouse to wake up the computer or remove the screensaver. However, instead of displaying the login screen to enter the password, MobiToken users simply continue their sessions immediately, as if the computer was not password protected.
    Figure 1 illustrates the exchange of messages that occurs in this scenario. A process is running on the user's personal computer (10), trying to connect continuously via a short-range radio interface, in this case Bluetooth, to the user's MobiToken device (11) (it is assumed that the computer has a single user and that the corresponding MobiToken device has already been paired with the computer and is associated with that user). First, a Bluetooth RFCOMM connection between the PC and the MobiToken device is established (1) and a TLS session [RFC5247] is established with mutual authentication with certificates on it. The TLS session starts from the MobiToken device, so you can validate the computer certificate before providing yours. If both certificates are valid (that is, the same as those exchanged in the initial secure association) and the computer is in the white or gray list of the MobiToken device (but not in the black list), the TLS session on Bluetooth is completed, and The computer and the MobiToken device can communicate securely. When the user starts the process of accessing the computer, the computer asks (2) the MobiToken device to provide the appropriate credential to authenticate the user (note that the TLS session only authenticates the devices - that is, the computer and the device MobiToken-, not the user itself). An embodiment of the invention, to allow different MobiToken authentication mechanisms, employs an adapted version of the EAP (Extensible Authentication Protocol) [RFC3748] protocol, which we will call EAP-MT, so that existing EAP authentication methods can be used, such as
    5
    10
    fifteen
    twenty
    25
    30
    35
    challenge-response authentication (EAP MS-CHAPv2 [RFC2759]) or use a user certificate (EAP-TLS [RFC5216]). Finally, after requesting the user to approve (3) the access to the credential necessary to access the computer (normally the user's authorization will only be necessary in the initial access, while in subsequent occasions for a certain period of time it may be automatic ), the MobiToken device uses said credential to send (4) an EAP Response message to the computer to complete the authentication process.
    A variant of this first use case is when the electronic device accessed, the computer in this case, is shared by multiple users (and is not convenient or cannot be pre-configured with the Bluetooth MAC address and the public key of the devices MobiToken of all possible users). In this case, you must first decide with which MobiToken device you should contact from your computer. In one embodiment of the invention, this problem is solved by a dialog screen showing all nearby MobiToken devices using SDP (Service Discovery Protocoí), the Bluetooth service discovery protocol, so that users can choose their MobiToken device for Complete the authentication. However, it is also contemplated in other embodiments to establish correspondences between the logical security mechanisms and the physical actions of the users, such as using a scenario called "Touch-to-access" ("Tap-to-login") ). Thus, users can easily indicate their identity to a shared device, simply by touching with the MobiToken device on an NFC reader connected to the computer. This action only indicates to the computer which authentication device to contact (0), either by providing its Bluetooth MAC address or any other unique identifier (for example, a UUID) by NFC, or more conveniently for large organizations, asking for the address MAC associated with an ID to a centralized database. The rest of the authentication process occurs through the Bluetooth interface as explained above. However, in this case, since the shared device is probably not included in the white list of the user's MobiToken device, but in the gray list, the user can ask the user to explicitly confirm access to his MobiToken from that computer, and Add to the white list of trusted devices to simplify future access.
    An embodiment of the invention contemplates implementing the "Touch-to-access" event using an employee RFID / NFC card, which is associated with the MobiToken device. This is how the cards used by employees for physical access control are reused.
    fifteen
    5
    10
    fifteen
    twenty
    25
    30
    enclosure.
    Use case 2: access to a remote website.
    A practical use case of the present invention relates to accessing a remote website through a local computer. The present invention contemplates this scenario and according to one of its embodiments it is possible to manage access to any logical resource or remote service, including those based on web technologies. The key aspect is how to send, without involving the user in the process, the credentials stored securely in the MobiToken authentication device, to the service being accessed. The solution includes installing a specific extension (which will also be referred to as "MobiToken Extension") in the web browser used to access the website, where said extension communicates with the MobiToken device, either directly or through another local process that establishes TLS / Bluetooth communication with it.
    Figure 2 shows how a MobiToken communication device can be used, according to one of the embodiments of the invention, to access a web service that requires authentication. First, the user tries to access (20) the website through his web browser as he normally would. The web server (21) can show (22) the typical access form requesting the user's name and password, although this step can be skipped in case of websites that implement specific MobiToken functionality to access the user's account directly. The MobiToken web browser extension recognizes the authentication page by the type and / or name in the form fields, and asks (23) the MobiToken device for the list of users registered in that domain. For this, the same EAP-MT / TLS / RFCOMM protocol explained above is used in the case of access to a local computer. It is important to mention that, since both the browser extension and the MobiToken device, check the DNS domain name of the website being accessed (instead of being the responsibility of the user), this mechanism advantageously prevents most phishing attacks ”, Because although a domain could fool a user (for example https://secure.bank.com.evil.com), this would not correspond to any domain registered in the MobiToken device (according to the example: https://secure.bank.com), and thus neither credentials, nor even registered usernames will be provided. In the event that the user does have an account in that service, first the MobiToken device will return (24) the usernames registered for that domain to the Extension of the
    16
    5
    10
    fifteen
    twenty
    25
    30
    35
    browser, which in turn will present them to the user. The user selects (25) the desired account directly in the web browser (in principle it is not necessary to manage the MobiToken device), and the browser extension requests (26) the credentials of the selected user, according to the fields required in the form from the access web page (for example: password and / or OTP single-use code) to the MobiToken device via Bluetooth. Then, depending on the security level chosen, it may be required from the MobiToken device that the user explicitly confirm if he wishes to allow (27) access to the requested credential, using the specified authorization mechanism. Once the user has approved access to the credential, the MobiToken device sends (28) said credential to the browser extension, which fills in the corresponding field (password and / or OTP) (note that although OTPs are normally used as a system of second factor authentication, they could also replace passwords as a single factor, being more secure than these since the shared secret is never sent), and finally the access form is filled in and sent (29) to Original web server that hosts the website.
    If the credential used is a password, the above scenario is like a typical web access with username / password using the auto-fill function present in many browsers today. However, in the case of the present invention, the credentials are not stored in the web browser or on the local computer but are only stored in the MobiToken authentication device, so an attacker would never have access to the user's credentials even if it compromised the user's web browser and / or their computer (which are more vulnerable when used to browse all types of web pages and have direct, continuous and high capacity Internet access).
    In addition, the MobiToken device also allows the use of more advanced authentication mechanisms that prevent credentials from being spied on and stolen at intermediate nodes, for example the use of HTTP authentication or TLS mutual authentication with certificates. Although most websites use custom authentication mechanisms at the application level, HTTP provides its own authentication mechanism [RFC 2617] that does not require the password to be sent but rather a response to a challenge based on it. Therefore, if HTTP authentication is used on the web server, the MobiToken extension installed in the browser handles the authentication request and forwards its parameters (using its own EAP method called EAP-MT-HTTP-DIGEST) to the MobiToken device, which calculate the HTTP summary (after requesting approval from
    5
    10
    fifteen
    twenty
    25
    30
    user if necessary), so that the browser extension can finally send it to the web server. Therefore, the browser never sees the user credential, only its summary, so the credential could not be stolen by malicious software running on the computer.
    In the same way, the TLS protocol [RFC 5246] allows mutual authentication that, in addition to authenticating the server, also requires the client to present his certificate and prove that he is in possession of the corresponding private key. As in the previous case, if mutual authentication is enabled on the server, the Browser Extension manages the request for the client certificate, forwards it to the MobiToken device and returns the certificate and calculates proof of possession of the private key, so the private key never leaves the MobiToken device, so it is not vulnerable if the intermediate computer is compromised.
    The certificate-based authentication scenarios, contemplated by the present invention, are interesting insofar as their utility encompasses not only interactions with web servers, but also with any application level protocol that can be transported over TLS, such as email (for example, SMTP, IMAP, POP3), or other secure protocols such as SSH.
    Use case 3: installation of credentials.
    The use cases described above assume that the MobiToken device already has user credentials. In one of the embodiments of the invention, the installation of out-of-band user credentials is allowed, for example, the installation of a user certificate from file. However, one of the embodiments also contemplates installing the credentials securely by making use of the Internet connection of the MobiToken device. Thus, this third use case covers any of the above, but also adds a particular method and system for the installation of user credentials.
    The threat model (threat model, in English) contemplated by the present invention assumes that the electronic devices accessible by the user could host malicious software (malware), which extracts sensitive information without permission, such as storing all the keys pressed by the user. user (keylogger, in English). Therefore, the
    5
    10
    fifteen
    twenty
    25
    30
    35
    Manual introduction of credentials on the MobiToken device through another electronic device used by the user (for example a computer) may be compromised. To avoid this threat, the present invention allows the secure exchange of credentials directly from the MobiToken device using the Internet connection capability of said device.
    Figure 3 illustrates the procedure contemplated in one of the embodiments of the invention for the secure exchange of credentials. If a user accesses (31) a certain website to register, they fill in (32) the user information as usual, but without specifying a password, since this could be potentially weak and is likely to be intercepted by resident malicious software on the local computer, as explained above. Instead, when the user finishes entering his registration data, the Registration Server (37), sends (33) the information of the new user (or some identifier that allows him to relate it to the new credential) to a Credential Server (38), and generates and presents (34) an image with a QR code to the user (alternatively the corresponding URL can be displayed in case the MobiToken device did not have a camera to capture the QR code). The user then proceeds to scan (35) the QR code with the MobiToken device camera and explicitly confirms that he wants to register on the corresponding website. In that case, the MobiToken device connects (36) with the URL address encoded in the QR code, and which points to the Credential Server, to negotiate the new credential. Depending on the type of credentials stored by the MobiToken device and supported by the credential server, one or more compatible credential types are chosen and begin to be exchanged securely.
    Since the connection between the device and the Credential Server is protected by TLS, in one of the embodiments of the invention, the introduction of credentials is simply to create a random password or an OTP seed and send them to the other end. But, according to other embodiments of the invention, other more complex mechanisms are contemplated, such as implementing a Diffie-Hellman (DH) key exchange or using the PKI registration protocol on Secure Transport (PKI-EST) [RFC 7030] . In the latter case, the MobiToken Credentials server would have the role of a certification authority (CA) that can provide certificates to users, either by generating the corresponding pair of keys directly, or ideally using a public key provided by the MobiToken device ( generated by the secure hardware element).
    5
    10
    fifteen
    twenty
    25
    30
    35
    Note that in the event that a service deploys a private certification authority (CA) dedicated to give certificates to its users, and this is only used to authenticate them, then the CA can generate certificates on demand, without verifying the real identity of the users. users (similar to having anonymous accounts in a service, with a username that does not identify the real person). The certificates generated cannot be used for any other purpose except to authenticate the users of said service. In that case, the TLS servers must be configured to request client certificates generated by that private CA of the service itself, while the server itself can continue to be validated with a certificate issued by a public CA.
    The Registration Server and the Credential Server are logical entities, in one embodiment of the invention both are implemented in the same physical element.
    Although the scenario described in this section requires servers with the functionalities described above, one of the embodiments of the invention also contemplates using the MobiToken communication device with traditional servers. In that case, the MobiToken device generates a random password and asks the user to enter it in the corresponding registration field on the server. It is a less secure mechanism against malicious software running on the user's computer, but allows the use of MobiToken in legacy services that do not support the secure exchange of credentials.
    Highlighting some of the advantageous effects of the present invention, it should be noted that, unlike traditional security tokens (such as OTP keychains or smart cards) that normally only support a specific type of credentials, the present invention is flexible and allows to implement different types of authentication mechanisms, so it is able to store and manage all the credentials of users (regardless of their type). Additionally, it can include features such as a graphical user interface, cameras, accelerometer, location systems, biometric sensors, or Internet access, which can be used to improve security and adapt to different access control scenarios according to the requirements of the users For example, for sites where security requirements are low (such as a social network) access can be automatic or simply ask the user to confirm access to the associated credential (with a Allow / Deny dialog, or by shaking the phone ). For services that require greater security (such as access to the corporate network),
    twenty
    5
    10
    fifteen
    twenty
    25
    30
    35
    You can ask the user to confirm access to the credential by entering a PIN at least once a day, when accessing outside working hours, or when the user moves away more than, for example, 1 km from his office.
    Additionally, a high security remote service or the local computer can ask the user, through the authentication device of the present invention, to be reauthenticated every 5 minutes (i.e. continuous authentication) so that the user session is blocked automatically if the user moves away with their authentication device beyond the short range radius of the computer.
    Finally, for high security services (for example, an electronic banking service), user confirmation can be based on biometric authentication mechanisms available on the user's authentication device, such as a fingerprint reader or recognition of face using a front camera.
    On the other hand, the versatility and flexibility of the present invention is also reflected in its ability to operate in authentication scenarios based on digital certificates, as well as its integration into physical access control systems using an NFC interface.
    Some preferred embodiments of the invention are described in the dependent claims that are included below.
    In this text, the word "comprises" and its variants (such as "understanding", etc.) should not be construed as excluding, that is, they do not exclude the possibility that what is described includes other elements, steps, etc.
    The description and drawings simply illustrate the principles of the invention. Therefore, it should be appreciated that those skilled in the art will be able to devise various provisions that, although not explicitly described or shown herein, represent the principles of the invention and are included within its scope. In addition, all the examples described in this document are provided primarily for pedagogical reasons to help the reader understand the principles of the invention and the concepts contributed by the inventor (s) to improve the technique, and should be considered as non-limiting with respect to such examples and conditions specifically described. In addition, everything stated in this document related to the principles, aspects and embodiments of the invention, as well as the specific examples thereof, cover
    5
    10
    fifteen
    twenty
    25
    30
    35
    equivalences thereof.
    Although the present invention has been described with reference to specific embodiments, those skilled in the art should understand that the foregoing and various other changes, omissions and additions in the form and detail thereof can be made without departing from the scope of the invention such as defined by the following claims.
    权利要求:
    Claims (16)
    [1]
    5
    10
    fifteen
    twenty
    25
    30
    35
    1. - Method to automatically authenticate a user who understands the following steps:
    a) install user credentials on an authentication device;
    b) check, from an electronic device, the authentication devices accessible by a short-range radio interface;
    c) establish, between the electronic device and the authentication device, a communication via the short-range radio interface;
    d) send, from the electronic device to the authentication device, an authentication request through the short-range radio interface;
    e) check the authentication device for compliance with a set of previously defined access parameters;
    f) if the previously defined access parameters are met, send, from the authentication device to the electronic device, a response message to the authentication request received, according to the user's credentials, through the short radio interface scope;
    g) authenticate the user in the electronic device according to the response message received.
    [2]
    2. - Method according to claim 1 further comprising:
    - send, by the user from the electronic device, a request for access to a website, through a web browser;
    - identify, through an extension of the web browser, an access form associated to the requested website;
    - send, from the extension of the web browser to the authentication device, a request for the user names registered on the website;
    - check, on the authentication device, that the website corresponds to a previously registered website;
    - If the website corresponds to a previously registered website, send the usernames registered for that website to the web browser extension;
    - select, by the user, one of the registered user names that have been sent to the web browser extension;
    - send, from the extension of the web browser to the authentication device, an authentication request through the short-range radio interface;
    - send, from the authentication device to the web browser extension, a
    5
    10
    fifteen
    twenty
    25
    30
    35
    response message to the authentication request received, according to the user's credentials, through the short-range radio interface;
    - fill in the access form to authenticate the user on the website that hosts the web service according to the response message received.
    [3]
    3. - Method according to any of the preceding claims, wherein installing user credentials in the authentication device previously comprises the following steps:
    - provide, by the user, a registration information for a website to a registration server;
    - send the registration information from the registration server to a credential server;
    - generate a QR code on the registration server;
    - generate, on the credential server, user credentials associated with the registration information;
    - scan, using the authentication device, a QR code generated by the registration server;
    - as a result of scanning the QR code, displaying a request for confirmation of registration on the website on the authentication device;
    - in case the user confirms the registration, establish a secure connection between the authentication device and an address encoded in the QR code that points to the credential server;
    - provide, from the credential server to the authentication device, the user credentials generated, through the established connection.
    [4]
    4. - Method according to claim 3, wherein providing the credentials generated comprises at least one of the following techniques:
    - provide a random password;
    - provide a seed for a single-use password generator;
    - perform a Diffie-Hellman key exchange;
    - provide a certificate for the user.
    [5]
    5. - Method according to claim 3, wherein the user credentials are based on digital certificates, and the step of installing said credentials comprises using a public key infrastructure registration protocol on secure transport
    5
    10
    fifteen
    twenty
    25
    30
    EST - Enrolment over Secure Transport ’according to RFC 7030.
    [6]
    6. Method according to any of the claims of the invention where, the step of establishing a communication between the electronic device and the authentication device, through the short-range radio interface, previously comprises the steps of:
    - pair both devices, where the pairing includes an explicit consent of the user, in which both devices exchange digital certificates;
    - verify, by the authentication device, the authenticity of the certificate of the electronic device obtained through the short-range radio interface by comparing the summary of its public key with a value shown by the electronic device;
    - save in the authentication device the certificate of the new paired device in a first list of trusted electronic devices that do not require user confirmation to connect to the authentication device, or in a second list of electronic devices that require user confirmation to Connect with the authentication device.
    [7]
    7. Method according to any of the preceding claims wherein establishing a communication between the electronic device and the authentication device through the short-range radio interface also comprises the steps of:
    - initiate a TLS session from the authentication device;
    - validate on the authentication device a first certificate sent from the electronic device;
    - provide a second certificate from the authentication device to the electronic device;
    - establish a TLS session in case the first and second certificates are valid.
    [8]
    8. Method according to any of the preceding claims where to send, from the authentication device to the electronic device, the response message according to the user's credentials through the short-range radio interface, also comprises requesting, in the authentication device, user authorization to access
    5
    10
    fifteen
    twenty
    25
    30
    35
    to the credentials provided.
    [9]
    9. - Method according to claim 8, wherein the authorization for access to credentials comprises a user touch on a touch screen of the authentication device, shake the authentication device, use a biometric sensor, and / or enter in the authentication device a PIN or password associated with the corresponding credential.
    [10]
    10. - Method according to any of the preceding claims wherein the set of access parameters comprises a schedule parameter and a location parameter and where to verify compliance with said set of access parameters comprises determining whether the associated time and location the authentication request received by the first communication device meets the previously defined time and location requirements.
    [11]
    11. - Method according to any of the preceding claims wherein the step of checking the authentication devices accessible from the electronic device, further comprises selecting by the user their authentication device through an interaction with the electronic device.
    [12]
    12. - Method according to any of the preceding claims wherein the step of the selection of the authentication device, when there are several accessible from the electronic device, comprises the following steps:
    - bring the authentication device closer to a certain distance from an RFID / NFC reader in the electronic device;
    - provide a physical address of the authentication device to the electronic device, where the physical address is provided directly or by a unique identifier.
    [13]
    13. - System to automatically authenticate a user that includes:
    - an authentication device configured to install user credentials; establish communication with an electronic device through a short-range radio interface; check compliance with a set of previously defined access parameters; and, if the previously defined access parameters are met, send to the electronic device, a response message to an authentication request received, according to the user's credentials, through the short-range radio interface;
    5
    10
    fifteen
    twenty
    25
    30
    35
    - an electronic device configured to check the authentication devices accessible by the short-range radio interface; establish communication with the authentication device via the short-range radio interface; send an authentication request to the authentication device through the short-range radio interface; and authenticate the user according to the response message received.
    [14]
    14. - System according to claim 13 further comprising:
    - a registration server configured to receive registration information on a website; send the registration information to a credential server; generate a QR code with an address associated with the credential server;
    - a credential server configured to receive registration information from the registration server; generate user credentials associated with the registration information; establish a connection with the authentication device; provide the authentication device, the user credentials generated, through the established connection;
    where the authentication device is also configured to:
    - scan the QR code generated by the registration server; As a result of the QR code scan, display a request for confirmation of registration on the website; If the user confirms the registration, establish a connection with an address encoded in the QR code that points to the credential server;
    - receive, from the credential server, the generated user credentials, through the established connection and store them in a secure credential repository within the device.
    [15]
    15. - System according to any one of claims 13 and 14, wherein the authentication device further comprises a clock that provides a time parameter and location means that provide a location parameter, and where the authentication device is also configured to determine if the time parameters and location, provided by the clock and the location means respectively, associated with the authentication request received, meet previously defined time and location requirements for said credential or credential repository.
    [16]
    16. Computer program product comprising computer program code, adapted to perform the method according to any of claims 1 to 12 when said program code is executed on a computer, a digital signal processor, a formation of field-programmable gates, an application-specific integrated circuit 5, a microprocessor, a micro-controller or any other form of programmable hardware.
    Or [Touch NFC | RFID = MAC | ID]
    1 Mutual authentication: TLS / Bluetooth (RFCOMM)
    2 Application EAP-MT {Key | Summary | OTP | Cert}
    4 Answer EAP-MT {Key | Summary | OTP | Cert}
    FIG. one
    GO
    OR
    image 1
    23 EAP-MT Identity Application______________
    24 EAP-MT Identity Response_____________
    26 EAP-MT Application {Key | Summary | OTP | Cert} 28 Answer EAP-MT {Carnation Summary | OTP | Cert}
    >
    image2
    FIG. 2
    类似技术:
    公开号 | 公开日 | 专利标题
    US10091195B2|2018-10-02|System and method for bootstrapping a user binding
    US10237070B2|2019-03-19|System and method for sharing keys across authenticators
    CA2968051C|2020-07-14|Systems and methods for authentication using multiple devices
    EP3420677B1|2021-08-11|System and method for service assisted mobile pairing of password-less computer login
    ES2564128T3|2016-03-18|A computer-implemented system to provide users with secure access to application servers
    US8595810B1|2013-11-26|Method for automatically updating application access security
    Grosse et al.2012|Authentication at scale
    JP5844001B2|2016-01-13|Secure authentication in multi-party systems
    US8881257B2|2014-11-04|Method and apparatus for trusted federated identity management and data access authorization
    Dodson et al.2010|Secure, consumer-friendly web authentication and payments with a phone
    US8769289B1|2014-07-01|Authentication of a user accessing a protected resource using multi-channel protocol
    Das et al.2014|On the security of SSL/TLS-enabled applications
    US9635022B2|2017-04-25|Method of allowing establishment of a secure session between a device and a server
    Choi et al.2011|A mobile based anti-phishing authentication scheme using QR code
    ES2754198T3|2020-04-16|A computer-implemented method of improving security in authentication / authorization systems and their software products
    KR20140037263A|2014-03-26|Method and apparatus for trusted authentication and logon
    US10810295B2|2020-10-20|Unified authentication management system
    Abdurrahman et al.2013|A new mobile-based multi-factor authentication scheme using pre-shared number, GPS location and time stamp
    Laka et al.2018|User perspective and security of a new mobile authentication method
    Boujezza et al.2015|A taxonomy of identities management systems in IOT
    WO2019226115A1|2019-11-28|Method and apparatus for user authentication
    Binu et al.2015|A mobile based remote user authentication scheme without verifier table for cloud based services
    ES2671196B1|2019-03-12|Method and system to automatically authenticate a user through an authentication device
    KR102139589B1|2020-07-30|An authentication and key establishment protocol for internet of things using digitalseal
    Suoranta et al.2012|Strong authentication with mobile phone
    同族专利:
    公开号 | 公开日
    WO2018104571A1|2018-06-14|
    ES2671196B1|2019-03-12|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    US20140317708A1|2011-12-16|2014-10-23|Farid Adrangi|Login via near field communication with automatically generated login information|
    US20140344904A1|2013-05-16|2014-11-20|Symantec, Inc.|Supporting proximity based security code transfer from mobile/tablet application to access device|
    US20150143508A1|2013-08-28|2015-05-21|Moishe Halibard|Systems and methods for authenticating access to an operating system by a user before the operating system is booted using a wireless communication token|
    US20150096001A1|2013-10-01|2015-04-02|Motorola Mobility Llc|Systems and Methods for Credential Management Between Electronic Devices|
    US20150281227A1|2014-03-31|2015-10-01|Symple ID Inc.|System and method for two factor user authentication using a smartphone and nfc token and for the automatic generation as well as storing and inputting of logins for websites and web applications|
    US20160212141A1|2015-01-21|2016-07-21|Onion ID, Inc.|Invisible password reset protocol|
    法律状态:
    2019-03-12| FG2A| Definitive protection|Ref document number: 2671196 Country of ref document: ES Kind code of ref document: B1 Effective date: 20190312 |
    优先权:
    申请号 | 申请日 | 专利标题
    ES201631551A|ES2671196B1|2016-12-05|2016-12-05|Method and system to automatically authenticate a user through an authentication device|ES201631551A| ES2671196B1|2016-12-05|2016-12-05|Method and system to automatically authenticate a user through an authentication device|
    PCT/ES2017/070785| WO2018104571A1|2016-12-05|2017-11-29|Method and system for automatically authenticating a user by means of an authentication device|
    [返回顶部]