GB2408129A - User authentication via short range communication from a portable device (eg a mobile phone) - Google Patents
- Publication number: GB2408129A (application GB0326594A)
- Authority: GB (United Kingdom)
- Prior art keywords
- authentication
- computer device
- short
- request
- response
- Legal status: Withdrawn (the status listed by Google Patents is an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
- G06F21/35—User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/42—User authentication using separate channels for security data
Abstract
A user is authenticated to a computing device (PC) 2 by the transmission of 'credentials' 8 (user ID, biometric, etc.) from a mobile phone 6 (or similar device) via a short-range communication link 5 such as Bluetooth, IrDA or WiFi. The user may have to input information for authentication at the mobile phone; for example, the mobile phone may include a fingerprint scanner to scan the user's finger. The phone may also be used to form a virtual private network.
Description
User Authentication Device
The present invention is concerned with improved apparatus, systems and methods for effecting authentication to a computer application, particularly by means of a short-range wireless connection. In particular, the identity of a user can be authenticated to a computer application.
In order to effect "strong authentication" of a user to a computer application, the user is required to be in possession of a number of identification factors. The more factors that are required, and particularly the greater the number of different types of authentication factors required, the greater the level of authentication which can be attributed to the user.
Examples of such "factors" are knowledge of at least one secret, possession of a hard token, and biometric information. Examples of secrets are a user name and password, digital certificates and asymmetric cryptographic keys, and symmetric cryptographic keys.
Hard tokens are physical media for storing electronic credentials and include smart card devices, USB tokens and one-time password devices. Biometrics include fingerprint scans, retina scans, hand scans, signature scans, voice scans, iris scans, facial scans and keystroke scans.
Each of the individual identification factors has its own strengths and weaknesses. For example, one-time password devices provide a time-limited authentication to a computer, meaning that a third party who copies the password and subsequently uses it outside of the time-limited period (typically no more than a minute or two in duration) will find it to be invalid. However, it is possible for such devices to be stolen and used by unauthorized parties. Therefore, while some aspects of the device make it highly secure, other aspects mean that it is best combined with another identification factor in order to enhance the level of authentication it provides. Thus for example it might be combined with possession of a user name and/or password, or with biometric data such as an iris scan.
However, one disadvantage of such devices, and particularly two-factor devices, is that they require some form of physical reader to be attached to the computer on which the authenticating application is running. Thus for example a smart-card reader or a biometric device may be attached to the computer.
Thus in the case of a portable computer device a user may have to carry with them not only the computer device itself (e.g. a laptop computer), but also the appropriate reader. In the case of USB type tokens, although they can be plugged directly into a computer's USB socket, they are still a cause of inconvenience since they must be physically connected to the computer and are an additional item which must be carried by the user and which is relatively easy to forget or lose.
In the case of one-time password devices, although they are smaller than reader devices such as biometric readers, they have the substantial disadvantage of requiring a network connection in order to communicate with a remote authentication server to determine whether the information supplied is valid. The use of such systems is also relatively complex and expensive, requiring additional systems hardware and expenditure of resources on configuration and maintenance.
It is known in the prior art to use mobile phone devices as part of an authentication system.
For example, US 2001/0031637 discloses the use of a mobile phone device to authenticate itself to a remote information processing apparatus (e.g. a remote network). WO 02/095689 discloses an access control system which uses a mobile phone device to authenticate a user to an access control device which then provides access for a user's computer to a protected function. WO 01/99369 discloses the authentication of electronic devices to one another over a short-range wireless link when a user enters authentication information into each device. The devices can then authenticate one another over an alternative communication link (e.g. a long-range network connection). GB 2369205 discloses a personal data device (e.g. mobile phone) and protection system with deletion of contents, the device securely storing data for a user and deleting it upon any failure of authentication. The securely stored data can also be stored remotely (e.g. on a networked database server) in order that deleted data can be recovered. US 2001/0052075 concerns methods and systems for connecting devices to one another using authentication codes which ensure that when connected, the devices only communicate with one another. EP 1168870 concerns an improved method for authentication of a user subscription identity module of a mobile phone over a mobile phone network. WO 02/03177 is concerned with verifying the identity of a person seeking access to a computer on a network by using the person's mobile phone and its unique identification characteristics - its phone number (provided by e.g. a SIM card) and identifiable by the party receiving a call, and its unique identification (UID) number for which the mobile phone can be interrogated across the mobile phone network to which it is connected.
However, none of the prior art authentication devices or systems meet all of the following requirements: i) no need for a user to carry additional hardware; ii) provision of authentication where there is no mobile phone network coverage; iii) low cost of acquisition; iv) easy and inexpensive integration with existing security systems; v) wireless provision of authentication data from a hard token to an authenticating computer device; and vi) storage on a single authentication device of multiple sets of authentication data.
The present invention seeks to overcome the abovementioned prior art disadvantages.
According to the present invention there is provided apparatus for effecting authentication to a computer device, comprising: (a) a computer device comprising: (i) short-range wireless communication means; and (ii) program means comprising a computer device authentication module for communicating with a remote device using said short-range wireless communication means and authenticating said remote device; (b) a portable communication device comprising: (i) mobile phone network communication means; (ii) short-range wireless communication means; (iii) program means comprising a portable communication device authentication module for communicating with said computer device using said short-range wireless communication means; and (iv) data storage means providing a credentials store for storing authentication data.
The present invention makes use of portable communication devices which, in their simplest form, can consist just of a telephone device. However, other devices can be used which incorporate mobile phone technology to allow them to communicate via a mobile phone (cell phone) network, but which provide additional functionality. Thus for example the portable communication device may be a PDA device having mobile phone functionality, or a Nextel Blackberry (RTM) device incorporating short-range wireless communication means, or a portable communication device provided with an operating system such as the Symbian (RTM) OS or the Microsoft WindowsCE (RTM) OS.
The mobile phone network communication means may be any means which can effect communication with a mobile phone (or cell phone) network. For example, communication may be effected using equipment and protocols so as to effect communication with a 2G or 3G mobile phone network, for example using CDMA and WCDMA protocols etc. as appropriate. The portable communication device may therefore additionally comprise a SIM card.
The present invention provides for a wide range of applications using the authentication data. For example, not only may a user be authenticated to the computer device, but the portable communication device with its authentication data may also be used to digitally sign data. Thus for example a user may input data into the computer device, which can then transmit it to the portable communication device using the short-range wireless communication means, and the portable communication device can digitally sign the data using the authentication data, and the signed data can then be returned to the computer device and the data used as appropriate. Thus the portable communication device can be used not only to authenticate a user to the computer device, but also to digitally sign data for the purposes of data origin authentication.
In its various embodiments, the present invention particularly relates to the authentication of a user to a computer device.
Also provided according to the present invention is a method for effecting authentication to a computer device using a portable communication device, said computer device comprising: (i) short-range wireless communication means; (ii) program means comprising a computer device authentication module for communicating with a remote device using said short-range wireless communication means and authenticating said remote device; and (iii) data storage means for storing reference data against which authentication is to be effected; and said portable communication device comprising: (i) mobile phone network communication means; (ii) short-range wireless communication means; (iii) program means comprising a portable communication device authentication module for communicating with said computer device using said short-range wireless communication means; and (iv) data storage means providing a credentials store for storing authentication data; said method comprising the steps of:
(a) transmitting a request for electronic credentials via said short-range communication means from said computer device to said portable communication device;
(b) with said portable communication device authentication module, processing said request for electronic credentials, determining a response to said request for electronic credentials based upon said authentication data, and executing said response; and
(c) with said computer device, processing said response to said request for electronic credentials to determine an authentication state.
Thus identification data is stored on the portable communication device and reference data is stored on the computer device. Authentication of the portable communication device to the computer device is effected using the short-range wireless communication means and does not require any kind of additional network connection to be effected. Thus a fundamental problem encountered with authentication systems which use remote authentication servers is bypassed - the present invention does not require a network connection e.g. over a mobile phone network in order for authentication to be effected.
This is particularly useful when a user is outside of their mobile phone service provider's area of network coverage. The cost and inconvenience of running remote authentication servers across a network is also avoided. Furthermore, authentication is effected via standard wireless communication means shared by the computer device and portable communication device, and requires a user to only have the computer device and a portable communication device, the portable communication device (such as a mobile phone) being a standard piece of equipment carried by an increasingly large proportion of the population. This bypasses the need to carry cumbersome, inconvenient, expensive and easily forgettable tokens and authentication equipment such as USB tokens, smart cards and smart card readers etc.
The computer device can be any desired computer device such as a laptop or hand held PC which may e.g. run a range of applications or not be restricted to running specific applications. Thus for example the computer device may run a standard operating system such as Windows (RTM), Linux (RTM), PalmOS (RTM) etc. Alternatively, it may be a computer device which is configured to run only specific programs and perform only specific tasks. For example, the computer device may be a building access control device running a proprietary operating system.
The short-range wireless communication means may use any desired short-range wireless communications system. Standard systems include Bluetooth (RTM), IrDA and WiFi. Thus short-range electromagnetic systems may use Infra Red signals (IrDA) or signals in other parts of the electromagnetic spectrum as appropriate.
The computer device authentication module is configured to communicate via the short-range wireless communication means with the portable communication device authentication module. The communication between the computer device and the portable communication device is to effect the exchange of data in order to validate the identity of the portable communication device (e.g. a mobile phone) to the computer device. For example, data can be exchanged between them in an unencrypted format. Alternatively, the computer device and portable communication device can effect a key exchange of the public parts of public-private key pairs, and can then encrypt data for one another using the other device's public key. A wide range of systems, conventions and protocols are well known in which the secure exchange of data can be effected between devices using asymmetric cryptographic algorithms.
Alternatively, the devices can be pre-registered with one another (for example a key exchange having previously been effected by an administrator level user who is able to validate the identity of the portable communication device to the computer device). Subsequent communications between the devices can then bypass the need for any key exchange. In such cases, symmetric cryptographic algorithms can be used since the secure exchange of keys has previously been effected. Thus for example initial communications between the computer device and the portable communication device can be the exchange of data tokens indicating the identity of the devices to one another, and subsequent data exchanges can be encrypted, the encryption key or keys having previously been exchanged.
The program means running on the computer device can for example be any application which is used to input credentials from a user in order for them to authenticate themselves.
Thus for example the program means can be any desired logon/login application such as operating system logons (Win (RTM) Logon, Unix (RTM) Logon etc.), application logons (such as website logons, email system logins, Oracle and SAP), and single sign-on (SSO) systems such as the Trinity product from Envoy Data Corporation and the v-GO product from Passlogix, Inc. (New York, USA).
The portable communication device has short-range wireless communication means which are capable of effecting data exchange with the short-range wireless communication means of the computer device.
Although portable communication devices such as mobile phones are already designed to create, store and use electronic credentials, this is only for use across a mobile phone network in order to e.g. authenticate the identity of a mobile phone to the network. As stated above, the present invention bypasses the need for the mobile phone network, and instead uses the short-range wireless communication abilities of the portable communication device to effect its authentication.
The portable communication device credentials store may be able to store multiple electronic credentials, for example of different types and strengths, and these may be usable with different applications (program means) on at least one computer device. So, for example, a computer device login may use a PKI (public key infrastructure) based electronic credential, whereas a website login may use an electronic credential based upon user ID and password. Similarly, a login for another program running on the computer device and which comprises an authentication module may use a previously-exchanged symmetric encryption/decryption key, or biometrics.
This can be particularly useful since it allows the portable communication device to act as an authentication store, storing multiple credentials for different systems with which it is to communicate. This means that where the portable communication device authentication module requires input from a user in order to enable transfer of a credential to a computer device then the portable communication device can simply prompt the user for a general authentication input (for example a PIN code, or a "Yes" in response to a request for confirmation that a credential should be transferred) irrespective of the credential which is to be transferred. Thus a user can use a single authentication input to validate transfer of a range of credentials. Alternatively, the portable communication device may provide biometric reader functionality. For example, the portable communication device may comprise a fingerprint reader such as a Sony Puppy fingerprint reader. Examples of models include the FIU-900 which is a Sony memory-stick format device. The output from such a device may be used as user input to the authentication module of the portable communication device.
The portable communication device may, of course, allow for different authentication inputs for different sets of credentials stored in the credentials store, and the total number of stored credentials may be greater than the total number of authentication inputs.
The credentials store itself may be at least one of: an area of memory on the portable communication device, and an area of memory on the portable communication device SIM card.
The communication between the computer device authentication module and the portable communication device authentication module may effect the transfer of at least one credential from the portable communication device to the computer device.
The computer device can additionally comprise data input means, for example a keypad or a keyboard, mouse or a touch-screen device. The computer device may additionally comprise a user data input module. Thus the computer device may query the user for the input via the data input means of at least one additional authentication factor, and can process the response to the query in order to determine the authentication state.
The computer device of the present invention can allow for the input of data to confirm that data should be requested from the portable communication device.
When the short-range wireless communication means does not use line-of-sight communication (such as infra-red) then it can be desirable to ensure that any response received to the request from the computer device for authentication data is in fact from the correct portable communication device. For example, when using Bluetooth as the short-range wireless communication means, a large number of portable communication devices may receive the transmitted request. In order to ensure that any response is from the correct portable communication device, a challenge-response technique may be used in which either the user inputs data to the computer device to identify the portable communication device, or the computer device knows the identity of the correct portable communication device. With that information, a challenge block of data can be transmitted and responses verified against data held by the computer device in order to identify the correct portable communication device.
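The challenge-response step described above, together with the pre-registered symmetric key case from the earlier paragraphs, can be shown in a short simulation. The following Python is an added example and not part of the patent; it assumes HMAC-SHA256 as the keyed function over the challenge block, a constructed phone identity and key registered with the computer device beforehand, and a fresh random challenge per request. Several phones in Bluetooth range all answer the same request, and only the response that verifies under the computer's reference data is accepted.

```python
import hashlib
import hmac
import secrets

# Reference data held by the computer device (constructed for this example): the
# identity of the phone registered to it, and the symmetric key exchanged with that
# phone at pre-registration time by an administrator-level user.
REGISTERED_PHONE_ID = "phone-6"
REGISTERED_KEY = hashlib.sha256(b"constructed pre-registration key").digest()


def make_challenge() -> bytes:
    """Computer side: a fresh random challenge block, new for every request."""
    return secrets.token_bytes(16)


def phone_respond(phone_id: str, key: bytes, challenge: bytes) -> dict:
    """Phone side: tie this phone's identity to the challenge with its shared key.
    Any phone in range can answer the broadcast request; only a phone holding the
    key registered with the computer produces a tag that verifies."""
    tag = hmac.new(key, challenge + phone_id.encode(), hashlib.sha256).digest()
    return {"phone_id": phone_id, "tag": tag}


def identify_correct_device(challenge: bytes, responses: list,
                            expected_id: str, expected_key: bytes):
    """Computer side: of all responses heard on the link, accept only the one whose
    tag verifies under the reference data held for the expected phone.
    Returns the accepted phone id, or None if no response verified."""
    expected_tag = hmac.new(expected_key, challenge + expected_id.encode(),
                            hashlib.sha256).digest()
    for response in responses:
        if response["phone_id"] != expected_id:
            continue  # not the phone the user or the computer named
        if hmac.compare_digest(response["tag"], expected_tag):
            return response["phone_id"]
    return None


def demo() -> dict:
    """Three phones hear one request; only the registered one is accepted, and a
    response recorded under an earlier challenge is rejected under a new one."""
    challenge = make_challenge()
    other_key = hashlib.sha256(b"constructed key of an unrelated phone").digest()
    responses = [
        phone_respond("phone-99", other_key, challenge),            # unrelated phone
        phone_respond(REGISTERED_PHONE_ID, other_key, challenge),   # right id, wrong key
        phone_respond(REGISTERED_PHONE_ID, REGISTERED_KEY, challenge),
    ]
    accepted = identify_correct_device(challenge, responses,
                                       REGISTERED_PHONE_ID, REGISTERED_KEY)
    wrong_key_only = identify_correct_device(challenge, responses[:2],
                                             REGISTERED_PHONE_ID, REGISTERED_KEY)
    # Replay: a genuine response from the old challenge, presented for a new one.
    stale = responses[2]
    replayed = identify_correct_device(make_challenge(), [stale],
                                       REGISTERED_PHONE_ID, REGISTERED_KEY)
    return {"accepted": accepted, "wrong_key_accepted": wrong_key_only,
            "replay_accepted": replayed}


if __name__ == "__main__":
    print(demo())  # {'accepted': 'phone-6', 'wrong_key_accepted': None, 'replay_accepted': None}
```

The tag covers both the challenge and the claimed identity, so a response from a different phone, a phone claiming the registered identity without the key, or a recording of an earlier exchange all fail verification; the computer device only ever compares against data it already holds, which is what lets the scheme work with no network connection.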
The last stages of the authentication process are the determination by the portable communication device of a response to the request for electronic credentials, the executing of the response by the portable communication device, and the processing of the response by the computer device to determine an authentication state. Depending upon how the portable communication device is configured, a range of responses may be available. For example, if the portable communication device detects that a credential is being requested which it does not have, it may provide no response to the request, or it may return a response indicating that the requested credential is not available. Where the requested credential is available then it may return an appropriate response including credentials data as appropriate.
The computer device authentication module may comprise a short-range communications manager, an authentication request processor and an authentication response processor.
The short-range communications manager may manage communications over the short-range wireless communications device; the authentication request processor may effect the request of at least one electronic credential from the portable communication device; and the authentication response processor may process any response from the portable communication device to extract any electronic credential in it.
The portable communication device authentication module may comprise a short-range communications controller, an authentication responder, a secure response processor, a credentials manager and a crypto manager. The short-range communications controller may effect the transfer of data from the portable communication device to the computer device; the authentication responder may determine from the data transmitted from the computer device the identity of a requested credential (for example, it may identify which application running on the computer device is requesting a credential); the credentials manager may effect the retrieval of credentials from the credentials store, and may request a user of the portable communication device to confirm that the requested credential should be transferred; the crypto manager may act to encrypt the credential returned from the credential store and pass it to the authentication responder such that when transmitted using the short-range wireless communication means, the encrypted credential can be decrypted by the computer device using a decryption key in its possession but cannot be readily decrypted without the decryption key; the authentication responder may act to transmit a response message to the computer device via the short-range wireless communication means. Thus the portable communication device authentication module may process the request for electronic credentials, retrieve any relevant electronic credentials, formulate a response to the request for electronic credentials, and transmit the response to the computer device via the short-range wireless communication means.
Thus the authentication state may be determined by the computer device authentication module effecting communications with the portable communication device via the short-range wireless communication means, transmitting the request for electronic credentials, and processing the response to the request for electronic credentials to determine the authentication state.
In particular, the computer device authentication module comprising a short-range communications manager, an authentication request processor and an authentication response processor, can instruct: (i) the short-range communications manager to effect communications with the portable communication device via the short-range wireless communication means; (ii) the authentication request processor to instruct transmission of the request for electronic credentials; and (iii) the authentication response processor to process the response to the request for electronic credentials to determine the authentication state.
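The request, response and state determination described in method steps (a) to (c), with the phone's per-application credentials store, the general PIN confirmation, and the "credential not available" and "declined" response types, can be exercised end to end. The following Python is an added example and not part of the patent. It assumes a constructed credentials store on the phone keyed by application, a PIN as the general authentication input, and that the computer's reference data is kept as a salted PBKDF2-HMAC-SHA256 digest of each credential rather than the credential itself; the application names and credential values are constructed.

```python
import hashlib
import hmac
from typing import Callable

# ---- Portable communication device (phone) side ----------------------------------

# Credentials store on the phone, keyed by the application that will request each
# credential; the entries are of different types (constructed sample values).
PHONE_CREDENTIALS = {
    "os-login": {"type": "password", "value": "correct horse battery staple"},
    "web-mail": {"type": "userid+password", "value": ("alice", "mail-pw-1")},
}

# One general authentication input (a PIN) guards the transfer of every credential.
PHONE_PIN = "2468"  # constructed


def phone_process_request(request: dict, read_pin: Callable[[], str]) -> dict:
    """Authentication responder + credentials manager: work out which credential is
    being asked for, obtain the user's confirmation, and build the response."""
    entry = PHONE_CREDENTIALS.get(request["application"])
    if entry is None or entry["type"] != request["credential_type"]:
        return {"status": "not_available"}           # phone holds no such credential
    if not hmac.compare_digest(read_pin(), PHONE_PIN):
        return {"status": "declined"}                # user did not confirm the transfer
    return {"status": "ok", "credential": entry["value"]}


# ---- Computer device side ---------------------------------------------------------

def _reference_digest(salt: bytes, credential) -> bytes:
    """Reference data is kept as a salted PBKDF2 digest, never the credential itself."""
    return hashlib.pbkdf2_hmac("sha256", repr(credential).encode(), salt, 50_000)


# Reference data on the computer, one entry per application (constructed).
REFERENCE = {
    "os-login": {"type": "password", "salt": b"salt-os-login",
                 "digest": _reference_digest(b"salt-os-login", "correct horse battery staple")},
    "web-mail": {"type": "userid+password", "salt": b"salt-web-mail",
                 "digest": _reference_digest(b"salt-web-mail", ("alice", "mail-pw-1"))},
    "vpn-client": {"type": "pki", "salt": b"salt-vpn", "digest": b""},  # phone holds nothing for it
}


def build_request(application: str) -> dict:
    """Authentication request processor: name the application and credential type."""
    return {"application": application, "credential_type": REFERENCE[application]["type"]}


def determine_authentication_state(application: str, response) -> str:
    """Authentication response processor: extract the credential (if any) and compare
    it with the reference data to settle the authentication state."""
    if not response or response.get("status") != "ok":
        reason = response.get("status") if response else "no_response"
        return f"denied:{reason}"
    ref = REFERENCE[application]
    if hmac.compare_digest(_reference_digest(ref["salt"], response["credential"]), ref["digest"]):
        return "authenticated"
    return "denied:credential_mismatch"


def authenticate(application: str, read_pin: Callable[[], str]) -> str:
    """Steps (a)-(c): request, phone-side processing, computer-side determination."""
    request = build_request(application)
    response = phone_process_request(request, read_pin)
    return determine_authentication_state(application, response)


if __name__ == "__main__":
    print(authenticate("os-login", lambda: "2468"))    # authenticated
    print(authenticate("web-mail", lambda: "0000"))    # denied:declined
    print(authenticate("vpn-client", lambda: "2468"))  # denied:not_available
```

Every outcome other than a verified credential is a denial with a reason, including the case where the phone sends nothing back; the phone never learns what the computer's reference data looks like, and the computer never stores the credential in a form that is directly usable if the laptop is lost.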
The present invention also provides the ability to allow the portable communication device to establish a VPN (virtual private network) session with a remote computer across a mobile phone network connection. Thus, for example, upon the authentication of a user to the computer device, the computer device can initiate a connection with a remote network across a mobile phone network using the portable communication device. For example, the authentication step can be the establishment of a VPN session. This VPN session can be established using the portable communication device, the session being established across a mobile phone network (as above) or it can be established via an alternative network connection not provided by the portable communication device, e.g. a network access point such as a WiFi connection or a wired network connection. This use of the portable communication device to authenticate the user of the computer device means that not only must the user be in possession of the computer, but also the portable communication device in order to effect the VPN connection. In addition, the computer device and/or the portable communication device may require a further authentication factor such as a secret to be provided by the user.
Network access points are points to which a computer device can connect in order to gain access to a network, particularly to the internet. Examples of network access points are: a telephone socket for a modem connection to the internet over a telephone line; a broadband connection point for a cable modem or access via a cable TV set-top box; and a local area network (LAN) socket, either wired or wireless (WLAN).
Another aspect of the present invention is that in supplying an electronic credential to the computer device, the portable communication device can act to digitally sign data for the purposes of non-repudiation. Thus for example upon the authentication of a user to the computer device upon the basis of an electronic credential supplied by the portable communication device, data for digitally signing could then be passed to the portable communication device, which could then effect its signing and return the signed data to the computer device. So for example the contents of an email could be passed to the portable communication device for digital signature, and it could then be returned to the computer device for sending to third parties.
The invention will be further apparent from the following description, with reference to the several figures of the accompanying drawings, which show, by way of example only, one form of apparatus and method for authenticating a user to a computer device. Of the Figures:
Figure 1 shows the general interactions between the user, computer device and portable communication device to effect authentication;
Figure 2 shows the component parts of the computer device used in authenticating a user to it;
Figure 3 shows the component parts of a portable communication device used in effecting authentication of a user to a computer device;
Figure 4 shows an architecture of a VPN (virtual private network) connection effected from the computer device via the portable communication device which also effects authentication of the user to the computer;
Figure 5 shows an alternative architecture of a VPN connection with authentication of a user being effected via the portable communication device, but with the computer device using alternative network communication means (e.g. a LAN connection) to establish a VPN connection; and
Figure 6 shows the digital signing of a document on a computer device using a credential supplied by a portable communication device.
Authenticating to a Computer Application
As shown in Figure 1, a person 1 wishes to access a computer application 3 on a computer device 2, e.g. the computer device login. The person 1 initiates the start-up of the computer application 3 and positions their mobile phone 6 within wireless range of computer device 2. Computer application 3 requests the person 1 to input their electronic credentials of the specific type required for application 3, before access to it is allowed. At this point computer device authentication module 4 enables a short-range wireless connection 5 and transmits a request for electronic credentials across the short-range wireless connection 5 to a phone authentication module 7 on the mobile phone 6.
The phone authentication module 7 presents a notification of the request to the person 1 and asks them to confirm the request to transmit electronic credentials. On confirming the request, phone authentication module 7 then retrieves the previously stored electronic credentials 8 from the mobile phone 6 and transmits them back to the computer device 2 using the short-range wireless connection 5.
On receipt of the electronic credentials 8, the computer device authentication module 4 structures and presents them back to the computer application 3 in the required format, authentication is effected and access to the application is granted/denied as appropriate.
The above processes are described in further detail below.
Apparatus: a Computer Device
Computer device 2 shown in Figure 2 is a laptop computer running Windows (RTM). It is capable of establishing a short-range wireless connection 5 using Bluetooth (RTM) across a wireless interface 23.
As is shown in Figure 2, computer device authentication module 4 is a computer program forming an integral part of computer application 3. In other embodiments of the present invention, computer device authentication module 4 is a discrete application on computer device 2 which interfaces with computer application 3.
Computer device authentication module 4 comprises the following components:
- a short-range communications manager 20;
- an authentication request processor 21; and
- an authentication response processor 22.
The person 1 using computer device 2 interfaces with computer application 3 and computer device authentication module 4 by means of display 24, which displays messages, and by keyboard 25, which is used for keying in responses to the messages. Communication between computer device 2 and mobile phone 6 is effected (on the side of computer device 2) via wireless interface 23 and short-range wireless connection 5.
Configuration of the Mobile Phone
Figure 3 shows mobile phone 6 which is capable of connecting to a mobile (or cell) phone network for the purpose of making person to person or person to information (Internet) calls. Mobile phone 6 has an Operating System 37, namely the Symbian (RTM) OS, which is capable of performing cryptographic functions and storing electronic credentials in memory on mobile phone 6. Mobile phone 6 is also capable of effecting a short-range wireless connection 5 using Bluetooth (RTM) across a wireless interface 36.
As can be seen from Figure 3, mobile phone 6 comprises a phone authentication module 7 (which is a computer program that runs on mobile phone 6), a credentials store 35, a wireless interface 36, an OS 37, a keypad 38 and display 39. Phone authentication module 7 comprises:
- a short-range communications controller 30;
- an authentication responder 31;
- a secure response processor 32;
- a credentials manager 33; and
- a crypto manager 34.
Phone authentication module 7 interfaces with the person 1 using the mobile phone 6 by means of display 39, and by keypad 38. The credentials store 35 is an area of memory on the mobile phone. Communication between the mobile phone and the computer device is effected via wireless interface 36 and short-range wireless connection 5.
In use, and as shown by Figures 2 and 3, computer device authentication module 4 on computer device 2 is executed whenever computer application 3 shows a message on display 24 requesting person 1 to present their electronic credentials. When the request for electronic credentials is made, computer device authentication module 4 instructs short-range communications manager 20 to enable wireless communications via wireless interface 23.
Computer device authentication module 4 then instructs authentication request processor 21 to request the electronic credentials for computer application 3. In the event that the authentication request involves digitally signing data, then the authentication request includes the data to be signed. Authentication request processor 21 transmits a request via wireless interface 23 and short-range wireless connection 5 to phone authentication module 7 on mobile phone device 6.
Phone authentication module 7 receives the request from computer device authentication module 4, where it is intercepted by authentication responder 31, which determines from the request which application is requesting the electronic credentials and instructs credentials manager 33 to retrieve the electronic credentials for that application.
Credentials manager 33 then sends a message to mobile phone display 39 asking person 1 to confirm the request to retrieve electronic credentials from credential store 35. The person confirms the request by typing in the appropriate response using keypad 38. The nature of the confirmation may vary: where the credentials are PKI based this can be e.g. a passphrase used to gain access to the private key, or if a UserID and password then a simple key depression may suffice.
On receipt of confirmation, credentials manager 33 retrieves the electronic credentials from credentials store 35 and instructs crypto manager 34 to perform the appropriate action. If the authentication request involves signing then crypto manager 34 will digitally sign the data in the authentication request using the private key and certificate retrieved from credentials store 35. If the authentication request involves an encrypted UserID and password then crypto manager 34 decrypts them.
Control is then passed to secure response processor 32, which protects the message to be sent back to computer device 2 such that the credentials are not revealed if intercepted by another person's wireless device. Secure response processor 32 passes the response message to authentication responder 31, which in turn sends it back via wireless interface 36 and wireless connection 5 to computer device authentication module 4.
Authentication response processor 22 intercepts the authentication response message. It then reformats the response message so that the credentials can be passed to computer application 3 in the required format; this can include removing the protection added by the mobile phone 6 secure response processor 32.
Finally, authentication response processor 22 responds to the authentication request from computer application 3, and person 1 gains access to the computer application, or is denied access as appropriate.
Establishing a VPN Session via the Mobile Phone
As shown in Figure 4, having completed the authentication to computer device 2, a person 1 may wish to establish a VPN session 40 with a remote network 41. Person 1 initiates VPN session 40 from computer device 2, which sends a command across short-range wireless connection 5 to initiate the modem function of mobile phone 6, and establishes an Internet connection 42 with remote network 41. This in effect creates a seamless electronic channel between computer device 2 and remote network 41.
On establishing this channel, remote network 41 requests person 1 to present their electronic credentials 8 at computer device 2. Using short-range wireless connection 5, the person accesses electronic credentials 8 on mobile phone 6 and presents these to remote network 41. On confirming the authenticity of the credentials and therefore the authentication of computer device 2, remote network 41 establishes VPN session 40 between computer device 2 and the remote network 41.
Establishing a VPN Session via a Network Access Point
As shown in Figure 5, an alternative to establishing a VPN session 40 via Internet connection 42 provided through mobile phone 6 is to use an alternative network access point. Upon completing authentication to computer device 2, person 1 connects to network access point 43 (a cable connection) to establish an Internet connection 42 with remote network 41. Remote network 41 requests person 1 to present their electronic credentials 8 at computer device 2. Using short-range wireless connection 5, person 1 accesses the electronic credentials 8 on the mobile phone 6 and presents these to remote network 41. On confirming the authenticity of credentials 8 and hence of computer device 2, remote network 41 establishes VPN session 40 between itself and computer device 2.
Digitally Signing For Non-Repudiation
As shown in Figure 6, person 1 wishes to sign electronic document 11 on computer device 2. The computer application 3 used to do this on computer device 2 is signing computer application 10, and it digitally signs electronic document 11 using electronic credentials 8 stored on mobile phone 6.
It will be appreciated that it is not intended to limit the invention to the above example only, many variations, such as might readily occur to one skilled in the art, being possible, without departing from the scope thereof as defined by the appended claims.
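The login exchange of Figure 1 (detailed above for Figures 2 and 3), the presentation of credentials to the remote network in Figures 4 and 5, and the signing of data in Figure 6 all follow one pattern: module 4 sends a request naming the application (and any data to be signed), module 7 asks the person to confirm, applies the stored credential, wraps the reply so that an eavesdropping wireless device learns nothing, and module 4 unwraps and checks the reply before handing anything to the application. The Python below is an added worked example of that exchange; it is not code from the patent or its applicant. It assumes things the patent does not specify: a fresh nonce in every request, so a captured response cannot be replayed and a signature cannot be redirected to another application; a link key shared by modules 4 and 7 when the devices pair; HMAC-SHA256 as a stand-in for the PKI signature, so the block runs with the standard library only (a real deployment signs with the phone's private key and verifies with its certificate, which is what gives non-repudiation, since with HMAC the verifier could forge); and an HMAC-based counter-mode keystream plus MAC as a stand-in for the secure response processor's protection (a real one would use an authenticated cipher such as AES-GCM). All enrolment data is constructed inline and the Bluetooth link is simulated as function calls.

```python
import hashlib
import hmac
import json
import secrets

# Constructed enrolment data (sample only, not from the patent).
SIGNING_KEY = b"per-application signing key"   # stands in for the private key in credentials store 35
LINK_KEY = b"link key shared at pairing time"  # assumed shared by modules 4 and 7 when the devices pair

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for a real cipher such as AES-GCM.
    blocks = [hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

def protect(link_key: bytes, plaintext: bytes) -> bytes:
    """Secure response processor 32: encrypt-then-MAC, so another person's wireless device can neither read nor alter the credentials."""
    iv = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(_subkey(link_key, b"enc"), iv, len(plaintext)))
    tag = hmac.new(_subkey(link_key, b"mac"), iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def unprotect(link_key: bytes, blob: bytes) -> bytes:
    """Inverse of protect(); the tag is verified before anything is decrypted."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(link_key, b"mac"), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("response tampered or wrong link key")
    return _xor(ct, _keystream(_subkey(link_key, b"enc"), iv, len(ct)))

def signed_message(nonce: str, app_id: str, data: str) -> bytes:
    # Binding nonce and application id into the signed bytes defeats replay and redirection.
    return json.dumps([nonce, app_id, data]).encode()

class PhoneAuthModule:
    """Phone authentication module 7 together with credentials store 35."""
    def __init__(self, link_key: bytes, confirm):
        self.link_key = link_key
        self.confirm = confirm   # stands in for the prompt on display 39 and keypad 38
        self.store = {}          # credentials store 35: application id -> credential

    def handle_request(self, request: bytes) -> bytes:
        req = json.loads(request)
        app_id = req["app_id"]   # authentication responder 31: which application is asking
        body = {"nonce": req["nonce"], "app_id": app_id, "status": "denied"}
        if app_id in self.store and self.confirm(app_id):   # credentials manager 33
            cred, body["status"] = self.store[app_id], "ok"
            if cred["type"] == "pki":   # crypto manager 34 signs nonce, app id and any data
                msg = signed_message(req["nonce"], app_id, req.get("data", ""))
                body["signature"] = hmac.new(cred["key"], msg, hashlib.sha256).hexdigest()
            else:                       # UserID/password released only after confirmation
                body["user"], body["password"] = cred["user"], cred["password"]
        return protect(self.link_key, json.dumps(body).encode())

class ComputerAuthModule:
    """Computer device authentication module 4."""
    def __init__(self, app_id: str, link_key: bytes, verify_key: bytes = b""):
        self.app_id, self.link_key, self.verify_key = app_id, link_key, verify_key
        self.pending = None      # nonce of the outstanding request, if any

    def make_request(self, data_to_sign: str = "") -> bytes:
        # Authentication request processor 21: a fresh nonce for every request.
        self.pending = secrets.token_hex(16)
        req = {"app_id": self.app_id, "nonce": self.pending}
        if data_to_sign:
            req["data"] = data_to_sign
        return json.dumps(req).encode()

    def process_response(self, blob: bytes, data_signed: str = ""):
        # Authentication response processor 22: unwrap, check the binding, then hand the
        # credential to application 3 in its own format; None means authentication failed.
        try:
            body = json.loads(unprotect(self.link_key, blob))
        except ValueError:
            return None
        if self.pending is None or body.get("nonce") != self.pending or body.get("app_id") != self.app_id:
            return None          # stale, replayed or misdirected response
        self.pending = None      # each nonce is accepted at most once
        if body.get("status") != "ok":
            return None
        if "signature" in body:
            msg = signed_message(body["nonce"], self.app_id, data_signed)
            expect = hmac.new(self.verify_key, msg, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expect, body["signature"]):
                return None
            return {"type": "pki", "signature": body["signature"]}
        return {"type": "password", "user": body["user"], "password": body["password"]}

def authenticate(computer: ComputerAuthModule, phone: PhoneAuthModule, data: str = ""):
    # One complete exchange over the (simulated) short-range wireless connection 5.
    request = computer.make_request(data)
    response = phone.handle_request(request)
    return computer.process_response(response, data)
```

Running the exchange end to end shows the checks a practitioner would want from the two modules: a replayed response, a response whose ciphertext was altered in the air, a signature over different data than the request carried, a declined confirmation on the phone, and a computer that does not hold the pairing key all yield None, and the application never sees a credential the phone did not release for that application.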
Claims (15)
- 1. Apparatus for effecting authentication to a computer device, comprising: (a) a computer device comprising: (i) short-range wireless communication means; and (ii) program means comprising a computer device authentication module for communicating with a remote device using said short-range wireless communication means and authenticating said remote device; (b) a portable communication device comprising: (i) mobile phone network communication means; (ii) short-range wireless communication means; (iii) program means comprising a portable communication device authentication module for communicating with said computer device using said short-range wireless communication means; and (iv) data storage means providing a credentials store for storing authentication data.
- 2. Apparatus according to claim 1, said computer device additionally comprising data input means.
- 3. Apparatus according to claim 2, said data input means being selected from the group consisting of keyboard, mouse and touch-screen.
- 4. Apparatus according to any of the preceding claims, said computer device program means additionally comprising a user data input module.
- 5. Apparatus according to claim 1, said computer device authentication module comprising a short-range communications manager, an authentication request processor and an authentication response processor.
- 6. Apparatus according to any of the preceding claims, said portable communication device authentication module comprising a short-range communications controller, an authentication responder, a secure response processor, a credentials manager, and a crypto manager.
- 7. A method for effecting authentication to a computer device using a portable communication device, said computer device comprising: (i) short-range wireless communication means; (ii) program means comprising a computer device authentication module for communicating with a remote device using said short-range wireless communication means and authenticating said remote device; and (iii) data storage means for storing reference data against which authentication is to be effected; and said portable communication device comprising: (i) mobile phone network communication means; (ii) short-range wireless communication means; (iii) program means comprising an authentication module for communicating with said computer device using said short-range wireless communication means; and (iv) data storage means providing a credentials store for storing authentication data; said method comprising the steps of: (a) transmitting a request for electronic credentials via said short-range communication means from said computer device to said portable communication device; (b) with said portable communication device authentication module, processing said request for electronic credentials, determining a response to said request for electronic credentials based upon said authentication data, and executing said response; and (c) with said computer device, processing said response to said request for electronic credentials to determine an authentication state.
- 8. A method according to claim 7, said step of executing said response comprising transmitting a response message via said short-range wireless communication means from said portable communication device to said computer device.
- 9. A method according to either of claims 7 or 8, said computer device additionally comprising data input means, said method additionally comprising with said program means querying said user for input via said data input means of at least one additional authentication factor, and processing the response to said query to determine said authentication state.
- 10. A method according to claim 9, said data input means being selected from the group consisting of keyboard, mouse and touch-screen.
- 11. A method according to any of claims 7-10, said program means additionally comprising a user data input module.
- 12. A method according to any of claims 7-11, said computer device authentication module effecting communications with said portable communication device via said short-range wireless communication means, transmitting said request for electronic credentials, and processing the response to said request for electronic credentials to determine said authentication state.
- 13. A method according to claim 12, said computer device authentication module comprising a short-range communications manager, an authentication request processor and an authentication response processor, said computer device authentication module instructing: (i) said short-range communications manager to effect communications with said portable communication device via said short-range wireless communication means; (ii) said authentication request processor to instruct transmission of said request for electronic credentials; and (iii) said authentication response processor to process the response to said request for electronic credentials to determine said authentication state.
- 14. A method according to any of claims 7-13, said portable communication device authentication module processing said request for electronic credentials, retrieving any relevant electronic credentials, formulating a response to said request for electronic credentials, and transmitting said response to said computer device via said short-range wireless communication means.
- 15. A method according to claim 14, said portable communication device authentication module comprising a short-range communication controller, an authentication responder, a secure response processor, a credentials manager and a crypto manager.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB0326594A GB2408129A (en) | 2003-11-14 | 2003-11-14 | User authentication via short range communication from a portable device (eg a mobile phone) |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB0326594A GB2408129A (en) | 2003-11-14 | 2003-11-14 | User authentication via short range communication from a portable device (eg a mobile phone) |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| GB0326594D0 GB0326594D0 (en) | 2003-12-17 |
| GB2408129A true GB2408129A (en) | 2005-05-18 |
Family
ID=29726570
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| GB0326594A Withdrawn GB2408129A (en) | 2003-11-14 | 2003-11-14 | User authentication via short range communication from a portable device (eg a mobile phone) |
Country Status (1)
| Country | Link |
|---|---|
| GB (1) | GB2408129A (en) |
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7130584B2 (en) * | 2003-03-07 | 2006-10-31 | Nokia Corporation | Method and device for identifying and pairing Bluetooth devices |
| EP1752902A1 (en) * | 2005-08-12 | 2007-02-14 | Initialesonline | Digital identity authentication server |
| GB2430332A (en) * | 2005-09-20 | 2007-03-21 | David James | Multifunction processor for mobile digital devices |
| DE102006006804A1 (en) * | 2006-02-14 | 2007-08-16 | Siemens Ag | Mobile device for authorizing user for access to automation equipment, has memory for storing authorization data, and transmitting device providing wireless transmission of authorization data within limited zone that encloses equipment |
| DE102007006851A1 (en) | 2007-02-12 | 2008-08-14 | Vodafone Holding Gmbh | Biometric data detecting and transmitting device for use in e.g. mobile telephone, has fastening unit, and close range communication unit including interface to scanner unit and another interface to electronic device |
| WO2008095866A3 (en) * | 2007-02-05 | 2008-11-27 | Siemens Ag | Method for authorizing the access to at least one automation component of a technical system |
| GB2412154B (en) * | 2004-03-20 | 2009-02-11 | Hewlett Packard Development Co | A digital pen and a method of storing digital records of the use made of the digital pen |
| DE102008063864A1 (en) * | 2008-12-19 | 2010-06-24 | Charismathics Gmbh | A method for authenticating a person to an electronic data processing system by means of an electronic key |
| US7818571B2 (en) * | 2007-02-09 | 2010-10-19 | Microsoft Corporation | Securing wireless communications between devices |
| WO2009057147A3 (en) * | 2007-11-04 | 2011-03-24 | Rajendra Kumar Khare | Method and system for user authentication |
| DE102011089525A1 (en) * | 2011-12-22 | 2013-06-27 | Rohde & Schwarz Gmbh & Co. Kg | Method for activating access to confidential data of mobile data processing unit e.g. laptop, involves deactivating access to confidential data when distance between processing and authentification units exceeds determined threshold value |
| EP2028786A4 (en) * | 2006-05-11 | 2013-09-11 | Inelcan S L | External signature device for a pc, with wireless communication capacity |
| US20150188891A1 (en) * | 2013-12-30 | 2015-07-02 | Vasco Data Security, Inc. | Authentication apparatus with a bluetooth interface |
| FR3017730A1 (en) * | 2014-02-18 | 2015-08-21 | Evidian | SECURE SESSION OPENING METHOD |
| GB2523430A (en) * | 2014-02-24 | 2015-08-26 | Mobbu Ltd | Method & system for enabling authenticated operation of a data processing device |
| DE202022100435U1 (en) | 2022-01-25 | 2022-02-11 | Binda Mridula Balakrishnan | Intelligent management security system to protect against fraud when accessing a mobile unit with authentication options |
| US20220286803A1 (en) * | 2005-08-03 | 2022-09-08 | Resight, Llc | Automatically Accessing an Internet Session Using Transferred Network Login Information |
| US11609940B2 (en) | 2005-08-03 | 2023-03-21 | Resight, Llc | Realtime, interactive and geographically defined computerized personal identification and matching methods |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH10228327A (en) * | 1997-02-17 | 1998-08-25 | Nippon Telegr & Teleph Corp <Ntt> | Personal computer user identification system and personal computer user identification method |
| WO2000031608A2 (en) * | 1998-11-24 | 2000-06-02 | Telefonaktiebolaget Lm Ericsson (Publ) | Mobile telephone auto pc logon |
| WO2002032151A2 (en) * | 2000-10-11 | 2002-04-18 | Lci Smartpen Nv | Verification system and method |
| US20020078362A1 (en) * | 2000-12-20 | 2002-06-20 | Nec Corporation | Security system |
| WO2002095689A1 (en) * | 2001-05-22 | 2002-11-28 | Ericsson Inc. | Security system |
- 2003-11-14 GB GB0326594A patent/GB2408129A/en not_active Withdrawn
Cited By (30)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7130584B2 (en) * | 2003-03-07 | 2006-10-31 | Nokia Corporation | Method and device for identifying and pairing Bluetooth devices |
| GB2412154B (en) * | 2004-03-20 | 2009-02-11 | Hewlett Packard Development Co | A digital pen and a method of storing digital records of the use made of the digital pen |
| US8081171B2 (en) | 2004-03-20 | 2011-12-20 | Hewlett-Packard Development Company, L.P. | Digital pen and a method of storing digital records of the use made of the digital pen |
| US11609940B2 (en) | 2005-08-03 | 2023-03-21 | Resight, Llc | Realtime, interactive and geographically defined computerized personal identification and matching methods |
| US20220286803A1 (en) * | 2005-08-03 | 2022-09-08 | Resight, Llc | Automatically Accessing an Internet Session Using Transferred Network Login Information |
| US12323872B2 (en) | 2005-08-03 | 2025-06-03 | Resight, Llc | Routing communications by scanning visible codes |
| US11490219B2 (en) * | 2005-08-03 | 2022-11-01 | Resight, Llc | Automatically accessing an internet session using transferred network login information |
| FR2889781A1 (en) * | 2005-08-12 | 2007-02-16 | Initialesonline Sa | AUTHENTICATION SERVER FOR DIGITAL IDENTITY |
| EP1752902A1 (en) * | 2005-08-12 | 2007-02-14 | Initialesonline | Digital identity authentication server |
| GB2430332A (en) * | 2005-09-20 | 2007-03-21 | David James | Multifunction processor for mobile digital devices |
| GB2430332B (en) * | 2005-09-20 | 2010-08-18 | David James | Multifunction processor for mobile digital devices |
| DE102006006804A1 (en) * | 2006-02-14 | 2007-08-16 | Siemens Ag | Mobile device for authorizing user for access to automation equipment, has memory for storing authorization data, and transmitting device providing wireless transmission of authorization data within limited zone that encloses equipment |
| DE102006006804B4 (en) * | 2006-02-14 | 2010-08-19 | Siemens Ag | Authorization of a user for an automation device |
| EP2028786A4 (en) * | 2006-05-11 | 2013-09-11 | Inelcan S L | External signature device for a pc, with wireless communication capacity |
| WO2008095866A3 (en) * | 2007-02-05 | 2008-11-27 | Siemens Ag | Method for authorizing the access to at least one automation component of a technical system |
| US7818571B2 (en) * | 2007-02-09 | 2010-10-19 | Microsoft Corporation | Securing wireless communications between devices |
| EP1970828A1 (en) | 2007-02-12 | 2008-09-17 | Vodafone Holding GmbH | Device for capturing and transferring biometric information and electronic device |
| DE102007006851A1 (en) | 2007-02-12 | 2008-08-14 | Vodafone Holding Gmbh | Biometric data detecting and transmitting device for use in e.g. mobile telephone, has fastening unit, and close range communication unit including interface to scanner unit and another interface to electronic device |
| WO2009057147A3 (en) * | 2007-11-04 | 2011-03-24 | Rajendra Kumar Khare | Method and system for user authentication |
| US9154948B2 (en) * | 2007-11-04 | 2015-10-06 | IndusEdge Innovations Private Limited | Method and system for user authentication |
| US20110154460A1 (en) * | 2007-11-04 | 2011-06-23 | IndusEdge Innovations Private Limited | Method and system for user authentication |
| EP2199944A3 (en) * | 2008-12-19 | 2010-09-01 | Charismathics GmbH | Method for authenticating a person for an electronic data processing assembly with an electronic key |
| DE102008063864A1 (en) * | 2008-12-19 | 2010-06-24 | Charismathics Gmbh | A method for authenticating a person to an electronic data processing system by means of an electronic key |
| DE102011089525A1 (en) * | 2011-12-22 | 2013-06-27 | Rohde & Schwarz Gmbh & Co. Kg | Method for activating access to confidential data of mobile data processing unit e.g. laptop, involves deactivating access to confidential data when distance between processing and authentification units exceeds determined threshold value |
| US20150188891A1 (en) * | 2013-12-30 | 2015-07-02 | Vasco Data Security, Inc. | Authentication apparatus with a bluetooth interface |
| US9614815B2 (en) * | 2013-12-30 | 2017-04-04 | Vasco Data Security, Inc. | Authentication apparatus with a bluetooth interface |
| US11026085B2 (en) | 2013-12-30 | 2021-06-01 | Onespan North America Inc. | Authentication apparatus with a bluetooth interface |
| FR3017730A1 (en) * | 2014-02-18 | 2015-08-21 | Evidian | SECURE SESSION OPENING METHOD |
| GB2523430A (en) * | 2014-02-24 | 2015-08-26 | Mobbu Ltd | Method & system for enabling authenticated operation of a data processing device |
| DE202022100435U1 (en) | 2022-01-25 | 2022-02-11 | Binda Mridula Balakrishnan | Intelligent management security system to protect against fraud when accessing a mobile unit with authentication options |
Also Published As
| Publication number | Publication date |
|---|---|
| GB0326594D0 (en) | 2003-12-17 |
Similar Documents
| Publication | Title |
|---|---|
| US10645581B2 (en) | Method and apparatus for remote portable wireless device authentication |
| US8165299B2 (en) | Network authentication |
| US11026085B2 (en) | Authentication apparatus with a bluetooth interface |
| US9323915B2 (en) | Extended security for wireless device handset authentication |
| GB2408129A (en) | User authentication via short range communication from a portable device (eg a mobile phone) |
| US11144621B2 (en) | Authentication system |
| US20140068744A1 (en) | Surrogate Secure Pairing of Devices |
| US20110119745A1 (en) | Network authentication |
| CN102215221A (en) | Methods and systems for secure remote wake, boot, and login to a computer from a mobile device |
| CN104303481A (en) | Method and apparatus for remote portable wireless device authentication |
| CA2905373C (en) | Method and apparatus for remote portable wireless device authentication |
| KR20050023050A (en) | Method for generating encryption key using divided biometric information and user authentication method using the same |
| US20070165582A1 (en) | System and method for authenticating a wireless computing device |
| US20070136604A1 (en) | Method and system for managing secure access to data in a network |
| TWI696963B (en) | Ticket issuing and admission verification system and method, and user terminal device used in ticket issuing and admission verification system |
| JP2017045192A (en) | Authentication system, authentication device, information terminal, and program |
| JP2000224162A (en) | Client authentication method using irreversible function |
| JP7042292B2 (en) | Information processing systems, information processing methods, and programs |
| JP4895288B2 (en) | Authentication system and authentication method |
| GB2366139A (en) | Network authentication |
| HK40094708A (en) | Establishing authentication persistence |
| JP2008097110A (en) | Client PC registration apparatus, information exchange system, and client PC registration method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| WAP | Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1) |