
WO2001080525A1 - Network access security - Google Patents

Network access security Download PDF

Info

Publication number
WO2001080525A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
server
response
access
communications device
Prior art date
Application number
PCT/US2001/005261
Other languages
French (fr)
Inventor
Sebastian Juergen Hans
Original Assignee
Sun Microsystems, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sun Microsystems, Inc.
Priority to AU2001245292A
Publication of WO2001080525A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/42 User authentication using separate channels for security data
    • G06F21/43 User authentication using separate channels for security data wireless channels
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications

Definitions

  • the invention relates to the control of access to a resource via a network.
  • Identifying a user over a network can be a problem where a user wishes to gain access to a resource such as a closed user group and/or to a virtual private network via the public network. It has been proposed to address this problem in a number of ways.
  • this problem has been solved by providing a security token in the form of a smart card, or some other piece of special purpose hardware for encrypting and decrypting data.
  • the user has possession of the token and additionally some further information that only the user knows, for example a Personal Identification Number (PIN).
  • PIN Personal Identification Number
  • the token and the PIN can then be used to identify the user in some secure way using a secure protocol between a client station at which the user is located and a server.
  • a smart card reader must be provided for interfacing with a smart card, where this is used as the token.
  • although the token itself may be portable if it is a smart card or some other form of special purpose hardware, the need for a reader means that this form of solution to the problem is not as flexible as might at first seem to be the case.
  • an aim of the present invention is to provide an improved method, apparatus and system of providing secure access to resources via a network.
  • a client station provides for inputting an access request for access to a resource via a network, for example the Internet, the access request identifying the user.
  • a server holds data regarding users including a contact address for a communications device of the user and is responsive to the access request to issue an authentication request to the communications device.
  • a communications device includes a receiver for receiving the authentication request from the server, a controller operable to invite a user to input a response to the authentication request and a transmitter to return the response to the server. The server is further operable to evaluate a received response for determining whether the user is permitted to gain access to the resource.
  • An embodiment of the invention enables authentication of requests for access to resources via a network using readily available components in a flexible manner.
  • authentication can be achieved without the use of specific hardware of the types required by prior art approaches described above.
  • the communications device is a mobile (cellular) telephone or the like
  • the actual device used to provide authentication is portable and can be carried by the user. The user can request access to the required resource from any available computer or web access device without needing to carry equipment that he or she would not otherwise carry anyway.
  • At least one of the receiver and the transmitter includes a wireless communications interface, whereby the communications device is capable of wireless communication.
  • the communications device can be a mobile telephone.
  • the communications device is a GSM (Global System for Mobiles) compatible device
  • ownership of the device can be established by means of a user identification unit such as a Subscriber Identity Module (SIM) card.
  • SIM Subscriber Identity Module
  • a SIM card holds a unique identification that is registered with a network service provider as belonging to a specific user.
  • the authentication request messages and/or the response message can be in the form of a text message, for example in accordance with the Short Message Service messaging protocol.
  • the invention provides a communications device including a receiver for receiving a resource access authentication request from a server, a controller operable to invite a user to input a response to the authentication request and a transmitter to return the response to the server for gaining access to the resource.
  • the invention provides a server including a network message interface for receiving an access request from a client station for access to a resource, the access request identifying the user, a server holding data relating to users including a contact address for a communications device for users, the server being responsive to a received access request to issue an authentication request to the communications device of a user identified in the access request.
  • the server can include a directory holding data relating to users including at least a contact address for a communications device for the user, and a controller responsive to receipt of an access request to retrieve a contact address from the directory for the user and to issue an authentication request to the communications device.
  • the authentication request is directed via a message service for calling the communications device of the user.
  • this function can be integral to the server.
  • the directory can hold required responses to authentication requests, the controller being operable to compare a response from the communications device to a required response to determine whether to permit access to the resource.
  • the invention provides a client station with user input equipment for input of a resource access request and a network interface for issuing an access request to a server for access to a resource via a network, where the access request identifies the user and the resource to be accessed.
  • a method of controlling access to a network resource includes a number of steps.
  • an access request is sent to a server, the access request identifying the user.
  • receipt of the access request causes a unique contact address for a communications device for the user identified in the access request to be retrieved and an authentication request to be issued to the communications device.
  • a user is invited to input a response to the authentication request.
  • the response is sent to the server.
  • the response is evaluated and, in the event a valid response is received, access to the resource is allowed.
  • a computer program comprising program instructions for controlling a server: to retrieve, from a directory, a contact address for a communications device of a user associated with a user identification in a resource access request received from a client station; to issue an authentication request to the communications device at the retrieved address; and to evaluate a response received from the communications device and to permit access to the requested resource only where a valid response is received.
  • the computer program product can be provided on a carrier medium, for example a storage medium or a transmission medium.
  • a computer program for controlling a proactive validation unit in mobile equipment comprising program instructions to validate an authentication message received from a server, to prompt a user to input a response, to prepare an authentication response message and to forward an authentication response message to the server.
  • Figure 1 is a schematic overview of a system in accordance with an embodiment of the invention.
  • Figure 2 is a flow diagram summarising an example of the operation of the system of Figure 1;
  • Figure 3 is schematic overview of a client station of the system of Figure 1;
  • Figure 4 is a flow diagram summarising an example of the operation of the client station of Figure 3;
  • Figure 5 is schematic overview of a server of the system of Figure 1;
  • Figure 6 is a flow diagram summarising an example of the operation of the server of Figure 5;
  • Figure 7 is schematic overview of a communications device of the system of Figure 1;
  • Figure 8 is a flow diagram summarising an example of the operation of the communications device of
  • Figure 9 is schematic overview of a part of an example of a communications device of Figure 7.
  • Figure 1 illustrates an overview of an embodiment of the present invention implemented using the Internet and a GSM network.
  • An embodiment of the present invention provides secure authentication for a user access to a network resource, for example a service provided by a server on the Internet.
  • a user requests access to a resource (for example for logging on to a secure website) using software at the client station (for example a Web browser).
  • using a Web browser, for example, the user can open a Web page relating to a resource to be accessed and enter appropriate login information including, for example, a user identification (user-ID).
  • the Web browser sends (12) over the Internet an access message including identification of the resource to which the user requires access and also the user-ID.
  • the access message is received (16) from the Internet at a server 20.
  • the server 20 can, for example, be a Web server.
  • the server 20 includes a directory associated with a resource that can be accessed.
  • the directory includes user-IDs and associates a contact address (in the present example a telephone number) for a user with the appropriate user-ID.
  • the server 20 then causes an SMS (Short Message Service) authentication request to be sent (18) over the GSM network 22.
  • the SMS authentication request includes the user-ID and details of the resource for which an access request has been received by the server 20.
  • the SMS authentication request is received (24) via a wireless link at communications equipment 30.
  • the communications equipment is mobile equipment in the form of a mobile telephone 30 that is owned by the user and includes a proactive SIM card.
  • by a proactive SIM card is meant a SIM card that carries active software for carrying out pre-programmed tasks.
  • the communications equipment 30 is configured to alert the user of receipt of the SMS authentication request and to solicit from the user entry of a response.
  • the user enters the response using, for example, a keyboard of the communications equipment 30 and the communications equipment is further configured to compose and send (24), via the wireless link, an SMS authentication response message.
  • the SMS authentication response message includes the user-ID and at least a response field.
  • the SMS authentication response message is received (28) from the GSM network 22 at the server 20.
  • the directory can also contain an identification of an appropriate authentication response that is to be expected in reply to the authentication request message. Accordingly, the server 20 can evaluate and verify whether the response field of the received authentication response corresponds to that expected for the user-ID in question. If a correct response is received, then access to the network service requested by the user is permitted, and an appropriate acknowledgement is sent (32) via the Internet to be received (34) by the user computer 10. If no authentication response is received by the server 20 within a predetermined time, or an authentication response as received is invalid, then an appropriate notification of this is sent 32 via the Internet 14 to be received 34 by the user's computer 10.
  • FIG. 2 is a flow diagram illustrating the main functions performed in operation of the system of Figure 1.
  • the access request is generated at the computer 10 in response to input from the user.
  • step S2 the access request generated at the user computer 10 is received by the server 20 and the server generates an authentication request message to be sent to the communications equipment 30 of the user.
  • the communications equipment 30 of the user receives the authentication request, solicits a response from the user and provides a response message to be sent to the server 20.
  • the server 20 receives the response message and either permits or refuses access to the resource identified in the original access request depending on whether a valid response is provided, or not.
  • Figure 3 is a schematic overview of components of the user computer 10. This includes a processor 40 that is connected to a display 42 for displaying, among other things, a page from a Web Browser 44.
  • the processor 40 is also connected to storage 46, to user input devices such as a keyboard 48 and a mouse 50 and further to a network interface 52, for example a modem, ISDN terminal adapter or the like.
  • the network interface 52 is operable to send (12) an access request message and to receive (34) a message giving notification as to whether the access request is granted, or not.
  • Figure 4 is a flow diagram illustrating operations performed by the user computer 10 in an example of operation of an embodiment of the invention.
  • step S11 the user selects an access request. This can be achieved, in a conventional manner, by selecting an icon on a web page displayed 44 by means of a Web Browser, which icon identifies that the user wishes to request access to a particular resource.
  • the software in the user computer 10 is operable to compose an access request message that includes a user-ID for the user concerned and an identification of the resource to be accessed.
  • the user ID can be input by the user as part of a login procedure along with, for example, a password.
  • step S13 the access request message is transmitted 12 to the Internet, to be passed to the server 20. Subsequently, following processing by the server 20, the computer 10 will receive the result of the access request at step S14 by means of an appropriate message from the server.
  • step S15 the result of the access request is displayed to the user. This can take the form of changing the display to one that includes information resulting from the requested access. Alternatively, in the event that access is refused, an appropriate display can be shown indicating the reason why access is refused (for example, that the authentication response given by the user was invalid).
  • FIG. 5 is a schematic overview of the server 20.
  • the server 20 comprises a number of server components.
  • a World Wide Web (WWW) server 56 is operable to receive (16) the access request message from the Internet 14 and to transmit (32) an appropriate message giving notification of the result of the access request.
  • the WWW server 56 is connected via a link 58 to an application server 60 that contains logic to drive the authentication process of the present invention.
  • the application server 60 is responsive to receipt of an access request message via the WWW server 56 to access the directory 64, which contains information including the user-ID (UID) 61 and, associated therewith, an appropriate contact address (for example a telephone number T#) 63 for the user.
  • UID user-ID
  • T# telephone numbers
  • the application server 60 is operable, in response to receipt of an access request message to compose and issue an authentication request message that is sent via a link 66 to an Over The Air (OTA) server 68 that provides an interface between the server 20 and an element of a GSM network.
  • OTA Over The Air
  • the OTA server 68 is connected via a link 72 (for example by a digital network such as an X.25 network) to the Short Message Service (SMS) Service Centre (SMSSC) of a GSM network provider.
  • SMS Short Message Service
  • SMSSC Short Message Service Centre
  • the authentication request is sent (18) to the SMSSC 70, which in turn causes a SMS message to be sent via the GSM network 22 to the communications equipment 30 of the user at the contact address identified by the telephone number T#.
  • This information can be communicated to the communications equipment 30.
  • the authentication message can be encrypted using any desired encryption protocol; for example an encryption protocol based on PKI (public key infrastructure) or on symmetric key encryption.
  • the SMSSC 70 will return (28) the response via 72 to the OTA server 68 which in turn sends the response message via link 66 to the application server.
  • the application server is able to identify the authentication request relating thereto.
  • the application server is configured to evaluate the response received, for example by comparing a specific response field in the response message to a valid response VR 65 as held in the directory 64 associated with the user-ID 61. If the response field of the response as received corresponds to the valid response, then access can be granted to the resource requested by the user. Otherwise, access is refused.
  • the application server is configured to return an appropriate result via link 58 to the WWW server 56 to be passed (32) via the Internet back to the user computer 10.
  • the result as communicated will either be the granting of access, or an indication of why access was refused, depending on whether or not a valid response to the authentication request is received within a predetermined time.
  • the server 20 can be implemented using conventional server equipment comprising appropriate network interfaces, one or more processors and appropriate memory.
  • the directory 64 could be configured in any appropriate manner, for example as a table, as a link list, and using any appropriate protocol, for example the Lightweight Directory Access Protocol (LDAP). Details of LDAP may be found, for example, in W Yeong, T Howes, and S. Kille, "Lightweight Directory Access Protocol", RFC 1777, March 1995.
  • LDAP Lightweight Directory Access Protocol
  • FIG. 6 is a flow diagram summarising the operation of the server 20.
  • step S21 the access request message is received from the user.
  • the access request message includes details of the resource to which the user requires access, as well as an identification of the user (UID).
  • step S22 the user is identified from the UID and this is used to identify an appropriate contact address in the directory 64 for the generation of an authentication request.
  • step S23 the authentication request message is sent via the GSM network as a SMS message.
  • the message can be encrypted, if required, using an appropriate protocol.
  • step S24 it is assumed that an authentication response message is received.
  • step S25 the authentication response is verified.
  • the verification can include suitable decryption, if required, and checks to see that the response is from the appropriate user and is as expected. This can be achieved by comparing the received response to a valid authentication response as held in the directory 64. If the received authentication response is shown to be valid, access is permitted in step S26 to the resource and an appropriate result is sent to the user computer 10. If an invalid response is received, then access is refused at step S27 and an appropriate result is sent to the user computer 10.
  • if no response is received within a given time (time-out 28), access to the resource is likewise refused at step S27 and an appropriate result is sent back to the user computer 10.
  • the operation of the server 20 as described in Figure 6 can be implemented by one or more computer programs comprising computer program instructions that control the operation of one or more processors of the server 20.
  • the computer program(s) can be held in memory of the server 20.
  • a computer program product comprising the computer program(s) can be supplied on a carrier medium.
  • the carrier medium could be a storage medium, such as a solid state, magnetic, optical, magneto-optical or other storage medium.
  • the carrier medium could be a transmission medium such as broadcast, telephonic, computer network, wired, wireless, electrical, electromagnetic, optical or indeed any other transmission medium.
  • FIG. 7 is a schematic block diagram giving an overview of communications equipment 30 in the form of a mobile telephone.
  • an aerial 74 is connected to a radio receiver unit 78 which in turn is connected to a processing unit 80.
  • the processing unit 80 is also connected to the aerial 74 by a radio transmission unit 76.
  • the processing unit and the radio receiving and transmitting units 78 and 76 could be implemented as separate integrated circuits, or they could be implemented in a single integrated circuit.
  • the processing unit can comprise one or more processors with associated memory and associated circuitry implemented using any appropriate technology. For example, it can be implemented as an ASIC.
  • the processing unit 80 also has access to a chip 92 on a Subscriber Identity Module (SIM) card 90 that is used to validate and activate the communications equipment 30.
  • SIM Subscriber Identity Module
  • the SIM card is a smart card with special applications for use with a GSM network.
  • a SIM card belongs to one person that has a contract with a GSM network provider.
  • a SIM belongs to one telephone number in the GSM network.
  • the owner of the communications equipment including the SIM card can access the GSM network only if the SIM card is in the mobile phone and active. Typically, if it is active, the user will already have input a PIN (Personal Identification Number) code for the card, which is something he or she knows. In this manner, the user is securely identified in the GSM network. If not, the SIM card can, for example, be programmed to require entry of the PIN (or other user validation code) in response to receipt of an authentication request message. Access to the GSM network can be achieved everywhere that GSM network reception is possible, and not only with the network of his or her own provider. In this manner, the user has a secure smart card and a terminal in his or her hands.
  • PIN Personal Identification Number
  • Figure 8 is a flow diagram illustrating the basic steps provided in operation of the communications equipment 30.
  • step S31 the authentication request message is received as a SMS message.
  • step S32 the user is alerted on receipt of the authentication request message.
  • the receipt of a SMS message will be identified by audio and/or visual indication.
  • the telephone may beep and or a visual indication may be given on the display of the telephone to show that a SMS message has been received.
  • the authentication request is forwarded automatically to the proactive SIM card.
  • the SIM card selects the right application on the SIM card and performs verification and/or decryption of the received message.
  • the verification at the SIM card can include, for example, verification that the SMS message has been received from a server the identity of which has been pre-programmed into the SIM card.
  • the SIM card application then causes the communications equipment to prompt the user to enter a response to the authentication request.
  • the SIM card can then compose a suitable response message.
  • the response message can include the user-ID, allowing the server to associate it with the authentication request, and, for example, additional information such as a PIN and/or a password and/or other information from the SIM card (for example a contract number) and/or a predetermined response (e.g., simply yes or no) entered by the user.
  • a SMS response message could then be sent to the server from which the authentication request message was received, whereby the response message will pass back to the server 20.
  • the operation of the communications equipment 30 can be enhanced to provide any desired degree of automation of the messaging.
  • Documents describing the SIM API, provided by the European Telecommunications Standards Institute (ETSI), can be found, for example, in the technical specifications identified as ETSI TS 101 267, V 7.3.1 (1999-07), ETSI TS 100 977, V 7.4.0 (1999-12), ETSI TS 101 413, V 7.1.0 (1999-07) and ETSI TS 101 476, V 7.0.0 (1999-11), which documents are available from ETSI, F-06921 Sophia Antipolis Cedex, France.
  • a SIM card application for implementing the program at the SIM card can be provided on the SIM card using any programming language operable under the SIMAPI. Such a program performs steps of: validating an authentication message from a server, prompting a user to input a response, preparing an authentication response message and forwarding an authentication response message to the server.
  • the SIM card application can be implemented using the Java language. Java is a trademark of Sun Microsystems, Inc.
  • FIG 9 is a schematic overview of the SIM Toolkit framework provided in accordance with the ETSI technical specifications mentioned above.
  • a GSM framework 94 comprises a GSM applet and a file systems object. It provides a GSM low-level package and a SIM access package that allows applets to access GSM files.
  • a toolkit framework 96 provides for applet triggering, command handling, and the installing and uninstalling of applets, as well as security management.
  • the applets that may be triggered include toolkit applets 104 and application applets 106. Applets may be triggered in response to receipt of a SMS message.
  • an application applet can be provided for providing processing of authentication messages at the communications equipment 30, for example in accordance with the process steps as described with respect to Figure 8.
  • an embodiment of the present invention serves a user with communications equipment such as a GSM mobile telephone, which user has a contract with a communications service provider (e.g., a GSM network provider) that assigns a unique address (e.g., a telephone number) to the communications equipment.
  • a communications service provider e.g., a GSM network provider
  • a server is provided with this communications address and links it to a user-ID that is, for example, assigned by the server to the user.
  • the communications equipment thus provides a mechanism for receipt of and response to an authentication message from the server.
  • the server will send an authentication message (e.g., a SMS message) to the communications address, e.g. a telephone number, associated with the user-ID.
  • the communications equipment will receive the authentication request, will ask the user to accept the authentication request, and will return an appropriate response message to the server confirming whether the user accepts the authentication request.
  • the server will receive the response message and complete the login of the user to the secure website, or not, dependent on whether a valid response from the user is received.
  • related messages can easily be linked to one another.
  • another message format could be used with another mechanism (for example a serial number) for identifying related messages.
  • An embodiment of the invention can be implemented by providing the server with a database that links user-IDs to the communications addresses for the users.
  • Readily available communications equipment can be used at the user side. If required, additional information (for example geographic information) can be submitted with the response from the communications equipment to the server.
  • the process can be enhanced through the use of cryptographic keys (for example with symmetric keys using a challenge response, or with public keys using certificates).
  • the invention has been described in the context of the Internet and a GSM network, the invention is not limited thereto and could be implemented over any other network and using any other form of additional network for communication with the user.
  • networks using standards other than GSM are known or planned.
  • Networks that are currently planned for the future include the use of a validation device that confirms the contract between the user and a service provider. The user can only then get access to the network where a valid validation device is present in the equipment.
  • the invention can be applied in such systems, even where the validation device is not a SIM.
  • communication with the user could be via another form of wireless communication network, or by satellites, networks, landlines or indeed any other form of telecommunications network.
  • An embodiment of the invention can also be envisioned that is operable whether or not a validation device such as a SIM card is provided in the communications equipment.
  • a message, for example a text message such as an SMS message, or an automated voice message, could be sent to the user on his or her communications equipment.
  • This message could solicit a response from the user to authenticate a resource access request.
  • the entry of a text or voice response could then be analysed by the server, using text comparison or voice recognition technology, to verify that the response corresponds to a predetermined response pre-recorded at the server. If the response checks out, then access to the resource can be permitted.
  • the communications equipment could be by means of a WAP
  • Web Access Protocol Web Access Protocol
  • a personal assistant with a communications interface or indeed by any other form of communications equipment that can be addressed directly by the server to solicit a response to an authentication message.
  • the use of a different channel for communication with the user than that used for the direct web access to verify the access request enhances security of access.
  • a manual input is provided by the user, by linking the communications device to the station that originated the access request (for example by means of a WAP phone), the whole process can be automated, whereby information is passed between the web browser at which access is requested, and a further application provided for responding to the authentication request.


Abstract

A network security system controls access to a resource. A client station provides for inputting an access request for access to a resource via a network, for example the Internet. The access request identifies the user and the resource to be accessed. A server holds data regarding users, including a contact address for a communications device of the user, and is responsive to the access request to issue an authentication request to the communications device. A communications device includes a receiver for receiving the authentication request from the network resource, a controller operable to invite a user to input a response to the authentication request and a transmitter to return the response to the server. The server is further operable to evaluate a received response to determine whether the user is permitted to gain access to the resource. Authentication of requests for access to resources via a network is thus provided in a flexible manner using readily available components, for example a mobile telephone.

Description

TITLE: NETWORK ACCESS SECURITY
BACKGROUND OF THE INVENTION
The invention relates to the control of access to a resource via a network.
Identifying a user over a network, for example over a public network such as the Internet, can be a problem where a user wishes to gain access to a resource such as a closed user group and/or to a virtual private network via the public network. It has been proposed to address this problem in a number of ways.
Typically, this problem has been solved by providing a security token in the form of a smart card, or some other piece of special purpose hardware for encrypting and decrypting data. The user has possession of the token and additionally some further information that only the user knows, for example a Personal Identification Number (PIN). The token and the PIN can then be used to identify the user in some secure way using a secure protocol between a client station at which the user is located and a server.
However, such a solution requires the client station to have suitable equipment for interfacing with the token. For example, a smart card reader must be provided for interfacing with a smart card, where this is used as the token. Although the token may be portable, if it is a special smart card or some other form of special purpose hardware, the need for a reader means that this form of solution to the problem is not as flexible as might at first seem to be the case.
Accordingly, an aim of the present invention is to provide an improved method, apparatus and system of providing secure access to resources via a network.
SUMMARY OF THE INVENTION
Particular and preferred aspects of the invention are set out in the accompanying independent and dependent claims. Combinations of features from the dependent claims may be combined with features of the independent claims as appropriate and not merely as explicitly set out in the claims.
In accordance with one aspect of the invention, there is provided a network access security system. A client station provides for inputting an access request for access to a resource via a network, for example the Internet, the access request identifying the user. A server holds data regarding users, including a contact address for a communications device of the user, and is responsive to the access request to issue an authentication request to the communications device. A communications device includes a receiver for receiving the authentication request from the server, a controller operable to invite a user to input a response to the authentication request and a transmitter to return the response to the server. The server is further operable to evaluate a received response for determining whether the user is permitted to gain access to the resource.
An embodiment of the invention enables authentication of requests for access to resources via a network using readily available components in a flexible manner. Thus, authentication can be achieved without the use of specific hardware of the types required by the prior art approaches described above. Where the communications device is a mobile (cellular) telephone or the like, the actual device used to provide authentication is portable and can be carried by the user. The user can request access to the required resource from any available computer or web access device without needing to carry equipment that he or she would not otherwise carry anyway.
Thus, in an advantageous embodiment, at least one of the receiver and the transmitter includes a wireless communications interface, whereby the communications device is capable of wireless communication. For example, the communications device can be a mobile telephone.
Where, for example, the communications device is a GSM (Global System for Mobiles) compatible device, the ownership of the device can be established by means of a user identification unit such as a Subscriber Identity Module (SIM) card. A SIM card holds a unique identification that is registered with a network service provider as belonging to a specific user. In an embodiment of the invention the authentication request message and/or the response message can be in the form of a text message, for example in accordance with the Short Message Service messaging protocol.
In accordance with another aspect, the invention provides a communications device including a receiver for receiving a resource access authentication request from a server, a controller operable to invite a user to input a response to the authentication request and a transmitter to return the response to the server for gaining access to the resource.
In accordance with a further aspect, the invention provides a server including a network message interface for receiving an access request from a client station for access to a resource, the access request identifying the user, a server holding data relating to users including a contact address for a communications device for users, the server being responsive to a received access request to issue an authentication request to the communications device of a user identified in the access request.
The server can include a directory holding data relating to users including at least a contact address for a communications device for the user, and a controller responsive to receipt of an access request to retrieve a contact address from the directory for the user and to issue an authentication request to the communications device.
In an embodiment of the invention, the authentication request is directed via a message service for calling the communications device of the user. Alternatively, this function can be integral to the server.
The directory can hold required responses to authentication requests, the controller being operable to compare a response from the communications device to a required response to determine whether to permit access to the resource.
In accordance with yet a further aspect of the invention, the invention provides user input equipment for input of a resource access request and a network interface for issuing an access request to a server for access to a network, where the access request identifies the user and the resource to be accessed.
In accordance with yet another aspect of the invention, there is provided a method of controlling access to a network resource. The method includes a number of steps. In response to input of an access request by a user for access to a resource at a network client, an access request is sent to a server, the access request identifying the user. At the server, receipt of the access request causes a unique contact address for a communications device of the user identified in the access request to be retrieved and an authentication request to be issued to the communications device. At the communications device, on receipt of the authentication request, the user is invited to input a response to the authentication request. On input of a response by the user, the response is sent to the server. At the server, the response is evaluated and, in the event that a valid response is received, access to the resource is allowed.
In accordance with a further aspect of the invention, there is provided a computer program, the computer program comprising program instructions for controlling a server: to retrieve, from a directory, a contact address for a communications device of a user associated with a user identification in a resource access request received from a client station; to issue an authentication request to the communications device at the retrieved address; and to evaluate a response received from the communications device and to permit access to the requested resource only where a valid response is received. The computer program product can be provided on a carrier medium, for example a storage medium or a transmission medium. In accordance with a further aspect of the invention, there is provided a computer program for controlling a proactive validation unit in mobile equipment, the computer program comprising program instructions to validate an authentication message received from a server, to prompt a user to input a response, to prepare an authentication response message and to forward an authentication response message to the server.
DESCRIPTION OF PARTICULAR EMBODIMENTS
Exemplary embodiments of the present invention will be described hereinafter, by way of example only, with reference to the accompanying drawings in which like reference signs relate to like elements and in which:
Figure 1 is a schematic overview of a system in accordance with an embodiment of the invention;
Figure 2 is a flow diagram summarising an example of the operation of the system of Figure 1;
Figure 3 is a schematic overview of a client station of the system of Figure 1;
Figure 4 is a flow diagram summarising an example of the operation of the client station of Figure 3;
Figure 5 is a schematic overview of a server of the system of Figure 1;
Figure 6 is a flow diagram summarising an example of the operation of the server of Figure 5;
Figure 7 is a schematic overview of a communications device of the system of Figure 1;
Figure 8 is a flow diagram summarising an example of the operation of the communications device of Figure 7;
Figure 9 is a schematic overview of a part of an example of a communications device of Figure 7.
A particular embodiment of the present invention is described hereinafter based on the Internet and a GSM (Global System for Mobiles) mobile communication network. It should be understood that the present invention is applicable to other computer and communication networks and that the particular embodiment described herein is merely one specific implementation.
Figure 1 illustrates an overview of an embodiment of the present invention implemented using the Internet and a GSM network. An embodiment of the present invention provides secure authentication for a user access to a network resource, for example a service provided by a server on the Internet.
At a user computer 10 (for example a personal computer (PC)), a user requests access to a resource (for example for logging on to a secure website) using software at the client station (for example a Web browser). For example, the user can use a Web page relating to a resource to be accessed and enter appropriate login information including, for example, a user identification (user-ID). In response to the user access request, the Web browser sends (12) over the Internet an access message including identification of the resource to which the user requires access and also the user-ID. The access message is received (16) from the Internet at a server 20. The server 20 can, for example, be a Web server. The server 20 includes a directory associated with a resource that can be accessed. The directory includes user-IDs and associates a contact address (in the present example a telephone number) for a user with the appropriate user-ID. The server 20 then causes an SMS (Short Message Service) authentication request to be sent (18) over the GSM network 22. The SMS authentication request includes the user-ID and details of the resource for which an access request has been received by the server 20. The SMS authentication request is received (24) via a wireless link at communications equipment 30.
In the present instance the communications equipment is mobile equipment in the form of a mobile telephone 30 that is owned by the user and includes a proactive SIM card. By a proactive SIM card is meant a SIM card that can comprise active software for carrying out pre-programmed tasks. The communications equipment 30 is configured to alert the user of receipt of the SMS authentication request and to solicit from the user entry of a response. The user enters the response using, for example, a keyboard of the communications equipment 30, and the communications equipment is further configured to compose and send (24), via the wireless link, an SMS authentication response message. The SMS authentication response message includes the user-ID and at least a response field. The SMS authentication response message is received (28) from the GSM network 22 at the server 20. As well as containing contact addresses associated with the user-IDs, the directory can also contain an identification of the authentication response that is to be expected in reply to the authentication request message. Accordingly, the server 20 can evaluate and verify whether the response field of the received authentication response corresponds to that expected for the user-ID in question. If a correct response is received, then access to the network service requested by the user is permitted, and an appropriate acknowledgement is sent (32) via the Internet to be received (34) by the user computer 10. If no authentication response is received by the server 20 within a predetermined time, or if the authentication response received is invalid, then an appropriate notification of this is sent (32) via the Internet 14 to be received (34) by the user's computer 10.
Figure 2 is a flow diagram illustrating the main functions performed in operation of the system of Figure 1. In step S1, the access request is generated at the computer 10 in response to input from the user.
In step S2, the access request generated at the user computer 10 is received by the server 20 and the server generates an authentication request message to be sent to the communications equipment 30 of the user. At step S3, the communications equipment 30 of the user receives the authentication request, solicits a response from the user and provides a response message to be sent to the server 20. At step S4, the server 20 receives the response message and either permits or refuses access to the resource identified in the original access request, depending on whether or not a valid response is provided.
Figure 3 is a schematic overview of components of the user computer 10. This includes a processor 40 that is connected to a display 42 for displaying, among other things, a page from a Web Browser 44. The processor 40 is also connected to storage 46, to user input devices such as a keyboard 48 and a mouse 50 and further to a network interface 52, for example a modem, ISDN terminal adapter or the like. It will be noted that Figure 3 is schematic only, and the components of the computer 10 can be arranged in any conventional manner, for example with various functional components connected via a bus (not shown). The network interface 52 is operable to send (12) an access request message and to receive (34) a message giving notification as to whether the access request is granted, or not.
Figure 4 is a flow diagram illustrating operations performed by the user computer 10 in an example of operation of an embodiment of the invention.
At step S11, the user selects an access request. This can be achieved, in a conventional manner, by selecting an icon on a web page displayed (44) by means of a Web Browser, which icon identifies that the user wishes to request access to a particular resource. In step S12, the software in the user computer 10 is operable to compose an access request message that includes a user-ID for the user concerned and an identification of the resource to be accessed. As mentioned above, the user-ID can be input by the user as part of a login procedure along with, for example, a password.
In step S13, the access request message is transmitted (12) to the Internet, to be passed to the server 20. Subsequently, following processing by the server 20, the computer 10 will receive the result of the access request at step S14 by means of an appropriate message from the server.
In step S15, the result of the access request will be displayed to the user. This can take the form of changing the display to one that includes information resulting from the requested access. Alternatively, in the event that access is refused, an appropriate display can be shown indicating the reasons why access is refused (for example, that the authentication response given by the user was invalid).
Figure 5 is a schematic overview of the server 20. As shown in Figure 5, the server 20 comprises a number of server components. Thus a World Wide Web (WWW) server 56 is operable to receive (16) the access request message from the Internet 14 and to transmit (32) an appropriate message giving notification of the result of the access request. The WWW server 56 is connected via a link 58 to an application server 60 that contains logic to drive the authentication process of the present invention. In particular, the application server 60 is responsive to receipt of an access request message via the WWW server 56 to access the directory 64, which contains information including the user-ID (UID) 61 and, associated therewith, an appropriate contact address (for example a telephone number T#) 63 for the user. In addition, an indication of a valid response (VR) 65 to an authentication request message could be included, as well as other data (not represented) relating to the user. The application server 60 is operable, in response to receipt of an access request message, to compose and issue an authentication request message that is sent via a link 66 to an Over The Air (OTA) server 68 that provides an interface between the server 20 and an element of a GSM network. In the instance shown, the OTA server 68 is connected via a link 72 (for example a digital network such as an X.25 network) to the Short Message Service Service Centre (SMSSC) of a GSM network provider. The authentication request is sent (18) to the SMSSC 70, which in turn causes an SMS message to be sent via the GSM network 22 to the communications equipment 30 of the user at the contact address identified by the telephone number T#. By including the user-ID in the authentication request message, this information can be communicated to the communications equipment 30.
The authentication message can be encrypted using any desired encryption protocol, for example an encryption protocol based on PKI or symmetric key encryption. On subsequent receipt of an SMS message providing a response to the authentication request, the SMSSC 70 will return (28) the response via link 72 to the OTA server 68, which in turn sends the response message via link 66 to the application server. By including the user-ID in the response message, the application server is able to identify the authentication request relating thereto. Moreover, the application server is configured to evaluate the response received, for example by comparing a specific response field in the response message to the valid response VR 65 held in the directory 64 in association with the user-ID 61. If the response field of the response as received corresponds to the valid response, then access can be granted to the resource requested by the user. Otherwise, access is refused.
The application server is configured to return an appropriate result via link 58 to the WWW server 56 to be passed (32) via the Internet back to the user computer 10. The result as communicated will either be the granting of access, or an indication of why access was refused, depending on whether, or not, a valid response to the authentication response is received within a predetermined time.
The server 20 can be implemented using conventional server equipment comprising appropriate network interfaces, one or more processors and appropriate memory. The directory 64 could be configured in any appropriate manner, for example as a table or as a linked list, and using any appropriate protocol, for example the Lightweight Directory Access Protocol (LDAP). Details of LDAP may be found, for example, in W. Yeong, T. Howes, and S. Kille, "Lightweight Directory Access Protocol", RFC 1777, March 1995.
Figure 6 is a flow diagram summarising the operation of the server 20.
In step S21, the access request message is received from the user. The access request message includes details of the resource to which the user requires access, as well as an identification of the user (UID).
In step S22, the user is identified from the UID and this is used to identify an appropriate contact address in the directory 64 for the generation of an authentication request.
In step S23, the authentication request message is sent via the GSM network as a SMS message. This includes details of the server, the access request and a request for authentication of the access request. The message can be encrypted, if required, using an appropriate protocol.
In step S24, it is assumed that an authentication response message is received.
In step S25, the authentication response is verified. The verification can include suitable decryption, if required, and checks to see that the response is from the appropriate user and is as expected. This can be achieved by comparing the received response to a valid authentication response as held in the directory 64. If the received authentication response is shown to be valid, access is permitted in step S26 to the resource and an appropriate result is sent to the user computer 10. If an invalid response is received, then access is refused at step S27 and an appropriate result is sent to the user computer 10.
Similarly, if no response is received by a given timing (time out 28), access is refused at step S27 to the resource and an appropriate result is sent back to the user computer 10. The operation of the server 20 as described in Figure 6 can be implemented by one or more computer programs comprising computer program instructions that control the operation of one or more processors of the server 20. The computer program(s) can be held in memory of the server 20.
A computer program product comprising the computer program(s) can be supplied on a carrier medium. The carrier medium could be a storage medium, such as a solid state, magnetic, optical, magneto-optical or other storage medium. The carrier medium could be a transmission medium such as a broadcast, telephonic, computer network, wired, wireless, electrical, electromagnetic, optical or indeed any other transmission medium.
Figure 7 is a schematic block diagram giving an overview of communications equipment 30 in the form of a mobile telephone. As shown in Figure 7, an aerial 74 is connected to a radio receiver unit 78 which in turn is connected to a processing unit 80. The processing unit 80 is also connected to the aerial 74 by a radio transmission unit 76. The processing unit and the radio receiving and transmitting unit 78 and 76 could be implemented as separate integrated circuits, or they could be implemented in a single integrated circuit. The processing unit can comprise one or more processors with associated memory and associated circuitry implemented using any appropriate technology. For example, it can be implemented as an ASIC. The processing unit 80 also has access to a chip 92 on a Subscriber Identity Module (SIM) card 90 that is used to validate and activate the communications equipment 30. Also shown in Figure 7 is a display 82, a keyboard 84, a loud speaker 86 and a microphone 87.
The SIM card is a smart card with special applications for use with a GSM network. A SIM card belongs to one person that has a contract with a GSM network provider. A SIM belongs to one telephone number in the GSM network. The owner of the communication equipment including the SIM card can access the GSM network only if the SIM card is in the mobile phone and active. Typically, if it is active, the user will already have input a PIN (Personal Identification Number) code for the card, which is something he, or she, knows. In this manner, the user is securely identified in the GSM network. If not, then for example the SIM card can be programmed to require entry of a PIN (or other user validation code) in response to receipt of an authentication request message. Access to the GSM network can be achieved everywhere that GSM network reception is possible, and not only within the network of his or her own provider. In this manner, the user has a secure smart card and a terminal in his or her hands.
Figure 8 is a flow diagram illustrating the basic steps provided in operation of the communications equipment 30.
In step S31, the authentication request message is received as an SMS message. In step S32, the user is alerted on receipt of the authentication request message. In normal operation of a GSM telephone, the receipt of an SMS message will be identified by an audio and/or visual indication. Thus, the telephone may beep and/or a visual indication may be given on the display of the telephone to show that an SMS message has been received. The authentication request is forwarded automatically to the proactive SIM card. The SIM card selects the right application on the SIM card and performs verification and/or decryption of the received message. The verification at the SIM card can include, for example, verification that the SMS message has been received from a server the identity of which has been pre-programmed into the SIM card. The SIM card application then causes the communications equipment to prompt the user to enter a response to the authentication request. This can be, for example, the entry of a single yes or no for accepting or rejecting the authentication and/or the entry of some other information, for example in the form of a personal identification number (PIN). In step S33, the SIM card can then compose a suitable response message. The response message can include the user-ID, allowing the server to associate it with the authentication request, and, for example, additional information such as a PIN and/or a password and/or other information from the SIM card (for example a contract number) and/or a predetermined response (e.g., simply a yes or no) entered by the user. In step S34, an SMS response message could then be sent to the server from which the authentication request message was received, whereby the response message will pass back to the server 20.
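The server-side steps S21 to S27 of Figure 6 and the SIM-side steps S31 to S34 of Figure 8, simulated end to end as an added example; this is not code from the patent. The `key=value;` SMS body, the directory contents, the server's originating number and the 60-second time-out are all assumptions made for the simulation.

```python
import hmac
import time

# Directory 64 of Figure 5: user-ID (UID) -> telephone number (T#) and valid response (VR).
# Constructed sample entries; here VR is a PIN that the user types on the handset.
DIRECTORY = {
    "alice": {"t_number": "+15550100", "valid_response": "4711"},
    "bob":   {"t_number": "+15550101", "valid_response": "2338"},
}
SERVER_NUMBER = "+15559999"   # assumed SMS originator of server 20, pre-programmed into the SIM
TIMEOUT_SECONDS = 60          # the time-out of Figure 6; the value is an assumption


def sms(sender, fields):
    """Build an SMS as a dict. The 'key=value;' body format is an assumption for this example."""
    return {"from": sender, "body": ";".join(f"{k}={v}" for k, v in fields.items())}


def parse_sms(msg):
    return dict(part.split("=", 1) for part in msg["body"].split(";") if "=" in part)


class Server:
    """Application server 60: steps S21-S27 of Figure 6. `clock` is injectable for testing."""

    def __init__(self, directory, clock=time.monotonic):
        self.directory = directory
        self.clock = clock
        self.pending = {}   # UID -> (resource, time the authentication request was issued)

    def handle_access_request(self, user_id, resource):
        """S21-S23: look up T# for the UID and issue the SMS authentication request.
        Returns (request_sms, t_number), or None when the UID is unknown (nothing is sent)."""
        entry = self.directory.get(user_id)
        if entry is None:
            return None
        self.pending[user_id] = (resource, self.clock())
        request = sms(SERVER_NUMBER, {"uid": user_id, "resource": resource, "auth": "request"})
        return request, entry["t_number"]

    def handle_response(self, msg):
        """S24-S27: correlate by UID, enforce the time-out, compare the response field with VR."""
        fields = parse_sms(msg)
        user_id = fields.get("uid")
        pending = self.pending.pop(user_id, None)   # one answer per request: a replay finds nothing
        if pending is None:
            return "refused: no outstanding request"
        resource, issued_at = pending
        if self.clock() - issued_at > TIMEOUT_SECONDS:
            return "refused: timed out"
        expected = self.directory[user_id]["valid_response"]
        if hmac.compare_digest(fields.get("response", ""), expected):   # constant-time compare
            return f"granted: {resource}"
        return "refused: invalid response"

    def expire_requests(self):
        """Time-out branch of Figure 6 when no response arrives: refuse and forget the request."""
        now = self.clock()
        expired = [uid for uid, (_, issued_at) in self.pending.items() if now - issued_at > TIMEOUT_SECONDS]
        for uid in expired:
            del self.pending[uid]
        return expired


class ProactiveSim:
    """SIM card application: steps S31-S34 of Figure 8. `prompt(resource)` stands in for the
    handset keypad and returns what the user typed, or None if the user rejects the request."""

    def __init__(self, user_id, t_number, trusted_server, prompt):
        self.user_id, self.t_number = user_id, t_number
        self.trusted_server, self.prompt = trusted_server, prompt

    def handle_sms(self, msg):
        if msg["from"] != self.trusted_server:     # S32: sender must be the pre-programmed server
            return None                            # anything else is dropped without prompting
        fields = parse_sms(msg)
        if fields.get("auth") != "request" or fields.get("uid") != self.user_id:
            return None
        entry = self.prompt(fields.get("resource", ""))
        response = "reject" if entry is None else entry
        return sms(self.t_number, {"uid": self.user_id, "response": response})   # S33-S34


def login(server, sim, user_id, resource):
    """Drive one access request through the GSM leg: request -> handset -> response -> decision.
    When the handset sends nothing, the request stays pending until expire_requests() refuses it."""
    issued = server.handle_access_request(user_id, resource)
    if issued is None:
        return "refused: unknown user"
    request, t_number = issued
    if t_number != sim.t_number:      # the GSM network delivers only to the directory's T#
        return "refused: no response"
    response = sim.handle_sms(request)
    if response is None:
        return "refused: no response"
    return server.handle_response(response)
```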
If the SIM card is provided with a Subscriber Identity Module Toolkit Application Programming Interface (SIMAPI), the operation of the communications equipment 30 can be enhanced to provide any desired degree of automation of the messaging. Documents provided by the European Telecommunications Standards Institute (ETSI) on the SIMAPI can be found, for example, in the technical specifications identified as ETSI TS 101 267, V 7.3.1 (1999-07), ETSI TS 100 977, V 7.4.0 (1999-12), ETSI TS 101 413, V 7.1.0 (1999-07) and ETSI TS 101 476, V 7.0.0 (1999-11), which documents are available from ETSI, F-06921 Sophia Antipolis, Cedex, France.
A SIM card application for implementing the program at the SIM card can be provided on the SIM card using any programming language operable under the SIMAPI. Such a program performs the steps of: validating an authentication message from a server, prompting a user to input a response, preparing an authentication response message and forwarding the authentication response message to the server. In an example implementation, the SIM card application can be implemented using the Java language. Java is a trademark of Sun Microsystems, Inc.
Figure 9 is a schematic overview of the SIM Toolkit framework provided in accordance with the ETSI technical specifications mentioned above. A GSM framework 94 comprises a GSM applet and a file system object. It provides a GSM low-level package and a SIM access package that allows applets to access GSM files. A toolkit framework 96 provides for applet triggering, command handling, and the installing and uninstalling of applets, as well as security management. The applets that may be triggered include toolkit applets 104 and application applets 106. Applets may be triggered in response to receipt of an SMS message. Thus, on receipt of an SMS message, an application applet can be provided for processing authentication messages at the communications equipment 30, for example in accordance with the process steps described with respect to Figure 8.
In summary, an embodiment of the present invention allows the user with communications equipment such as a GSM mobile telephone, which user has a contract with a communications service provider (e.g., a GSM network provider) that assigns a unique address (e.g., telephone number) to the communications equipment. A server is provided with this communications address and links it to a user-ID that is, for example, assigned by the server to the user. The communications equipment thus provides a mechanism for receipt of and response to an authentication message from the server.
For example, where the user requests a secure website with his or her user-ID, the server will send an authentication message (e.g., a SMS message) to the communications address, e.g. a telephone number, associated with the user-ID. The communications equipment will receive the authentication request, will request the user to accept the authentication request and to return an appropriate response message to the server with confirmation that the user accepts the authentication request message. The server will receive the response message and complete the login of the user to the secure website, or not, dependent on whether a valid response from the user is received. By including the user- D, and possibly also an identification of the resource to be accessed in each message sent, related messages can easily be linked to one another. Alternatively, another message format could be used with another mechanism (for example a serial number) for identifying related messages.
An embodiment of the invention can be implemented by providing the server with a database that links user-IDs to the communications addresses for the users. Readily available communications equipment can be used at the user side. If required, additional information (for example geographic information) can be submitted with the response from the communications equipment to the server. The process can be enhanced through the use of cryptographic keys (for example with symmetric keys using a challenge-response, or with public keys using certificates). Although a particular embodiment of the invention has been described, it will be appreciated that many modifications, additions and substitutions may be made within the spirit and scope of the invention.
Thus, for example, although the invention has been described in the context of the Internet and a GSM network, the invention is not limited thereto and could be implemented over any other network and using any other form of additional network for communication with the user. For example, networks using standards other than GSM are known or planned. Networks currently planned for the future include the use of a validation device that confirms the contract between the user and a service provider. The user can then only get access to the network where a valid validation device is present in the equipment. It will be appreciated that the invention can be applied in such systems, even where the validation device is not a SIM. More generally, communication with the user could be via another form of wireless communication network, or by satellites, networks, landlines or indeed any other form of telecommunications network.
An embodiment of the invention can also be envisioned that is operable whether or not a validation device such as a SIM card is provided in the communications equipment. Thus, for example, a message (for example a text message such as an SMS message), or an automated voice message, could be sent to the user on his or her communications equipment. This message could solicit a response from the user to authenticate a resource access request. The text or voice response entered could then be analysed by the server, using text comparison or voice recognition technology, to verify that the response corresponds to a predetermined response pre-recorded at the server. If the response checks out, then access to the resource can be permitted.
Although an implementation of the invention has been described in the context of a mobile telephone forming the user communications equipment, it will be appreciated that other forms of user communications equipment can be employed. Thus, for example, the communications equipment could be a WAP (Web Access Protocol) telephone, a personal assistant with a communications interface, or indeed any other form of communications equipment that can be addressed directly by the server to solicit a response to an authentication message. Using a different channel for communication with the user than the one used for the direct web access to verify the access request enhances the security of access. Also, although a manual input is provided by the user, by linking the communications device to the station that originated the access request (for example by means of a WAP phone), the whole process can be automated, whereby information is passed between the web browser at which access is requested and a further application provided for responding to the authentication request.
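The flow described above (server looks up the contact address for the user-ID, sends an authentication request linked to the user-ID and resource, the device invites the user to accept and returns a response, the server evaluates it) can be simulated end to end. The block below is an added example written for this page, not code from the patent or from Sun Microsystems. It assumes a constructed directory of user-IDs, addresses and shared keys, simulates the SMS channel with an in-memory outbox, and implements the "symmetric keys using a challenge-response" enhancement as HMAC-SHA256 over the user-ID, resource and a server nonce (the patent does not name a specific MAC). A user enrolled without a key falls back to the basic plain-confirmation scheme, and the server also rejects unsolicited, stale and mismatched responses, which the text only implies:

```python
import hashlib
import hmac
import secrets

# Constructed sample directory (assumption, not from the patent):
# user-ID -> contact address of the user's communications device, plus an
# optional shared symmetric key for the challenge-response enhancement.
DIRECTORY = {
    "alice": {"address": "+15550100", "key": b"alice-shared-key-demo"},
    "bob":   {"address": "+15550101", "key": None},   # basic scheme: plain confirmation only
}


def response_tag(key, user_id, resource, nonce):
    """Challenge-response tag binding user-ID, resource and the server's nonce to the shared key."""
    msg = f"{user_id}|{resource}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuthServer:
    """Server side: directory lookup, authentication request issue, response evaluation."""

    def __init__(self, directory, timeout_s=120):
        self.directory = directory
        self.timeout_s = timeout_s          # how long an issued request stays valid (assumption)
        self.pending = {}                   # (user_id, resource) -> {"nonce", "issued"}
        self.outbox = []                    # authentication requests "sent" to devices (simulated SMS)

    def access_request(self, user_id, resource, now):
        """Client station reported an access request; issue an authentication request out of band."""
        entry = self.directory.get(user_id)
        if entry is None:
            return False                    # unknown user-ID: nothing is sent
        nonce = secrets.token_hex(8)
        # The user-ID and resource are carried in every message so related messages can be linked.
        self.pending[(user_id, resource)] = {"nonce": nonce, "issued": now}
        self.outbox.append({"to": entry["address"], "user_id": user_id,
                            "resource": resource, "nonce": nonce})
        return True

    def evaluate_response(self, resp, now):
        """Return a verdict string; only 'granted' permits access to the resource."""
        pending = self.pending.pop((resp["user_id"], resp["resource"]), None)
        if pending is None:
            return "no-pending"             # unsolicited, or for a resource never requested
        if now - pending["issued"] > self.timeout_s:
            return "expired"
        if not resp["accept"]:
            return "denied"                 # user declined the authentication request
        shared = self.directory[resp["user_id"]]["key"]
        if shared is None:
            return "granted"                # basic scheme: the confirmation itself is the response
        expected = response_tag(shared, resp["user_id"], resp["resource"], pending["nonce"])
        if not hmac.compare_digest(expected, resp.get("tag", "")):
            return "bad-response"           # confirmation not computed with the enrolled key
        return "granted"


def device_respond(request, accept, key=None):
    """Communications device: the user's accept/decline decision becomes a response message."""
    resp = {"user_id": request["user_id"], "resource": request["resource"], "accept": accept}
    if accept and key is not None:
        resp["tag"] = response_tag(key, request["user_id"], request["resource"], request["nonce"])
    return resp


def run_flow(user_id, resource, accept=True, device_key=None, delay_s=5, timeout_s=120):
    """Drive one complete access request through server, device and server again."""
    server = AuthServer(DIRECTORY, timeout_s)
    if not server.access_request(user_id, resource, now=0):
        return "unknown-user"
    request = server.outbox[-1]             # the message the device would receive by SMS
    resp = device_respond(request, accept, device_key)
    return server.evaluate_response(resp, now=delay_s)


if __name__ == "__main__":
    print("alice, correct key:", run_flow("alice", "/secure", device_key=DIRECTORY["alice"]["key"]))
    print("alice, declined:   ", run_flow("alice", "/secure", accept=False))
    print("alice, wrong key:  ", run_flow("alice", "/secure", device_key=b"wrong-key"))
    print("alice, late reply: ", run_flow("alice", "/secure", device_key=DIRECTORY["alice"]["key"], delay_s=300))
    print("bob, basic scheme: ", run_flow("bob", "/secure"))
```

The server keys pending requests on (user-ID, resource), so a response that names a different resource than the one requested, or arrives without any outstanding request, is rejected rather than matched loosely; the nonce is never sent back in the clear, only under the HMAC, so the response cannot be reused for a later request.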

Claims

WHAT IS CLAIMED IS:
1. Network access security system comprising: a client station for inputting an access request for access to a resource via a network, the access request identifying the user and the resource to be accessed; a server holding data relating to users including a contact address for a communications device for users, the server being responsive to a received access request to issue an authentication request to the communications device of a user identified in the access request, and a said communications device including a receiver for receiving the authentication request from the server, a controller operable to invite a response to the authentication request and a transmitter to return the response to the server; wherein the server is further operable to evaluate a received response for determining whether the user is permitted to gain access to the resource.
2. The system of claim 1, wherein at least one of the receiver and the transmitter includes a wireless communications interface.
3. The system of claim 2, wherein the communications device is a mobile telephone.
4. The system of claim 1, wherein the communications device includes a user identification unit.
5. The system of claim 4, wherein the user identification unit is a SIM card.
6. The system of claim 5, wherein the communications device is a GSM telephone.
7. The system of claim 1, wherein the authentication request message is a text message.
8. The system of claim 1, wherein the response message is a text message.
9. The system of claim 1, wherein at least one of the authentication message and the response message is a Short Message Service message.
10. The system of claim 1, wherein the network is the Internet.
11. A communications device including a receiver for receiving a resource access authentication request from a server, a controller operable to invite a response to the authentication request, and a transmitter to return the response to the server.
12. The device of claim 11, wherein the receiver comprises a wireless signal receiver.
13. The device of claim 11, wherein the transmitter comprises a wireless signal transmitter.
14. The system of claim 11, wherein the communications device is a mobile telephone.
15. The system of claim 11, wherein the communications device includes a user identification unit.
16. The system of claim 15, wherein the user identification unit is a SIM card.
17. The system of claim 16, wherein the communications device is a GSM telephone.
18. The system of claim 11, wherein the authentication request message is a text message.
19. The system of claim 11, wherein the response message is a text message.
20. The system of claim 11, wherein at least one of the authentication message and the response message is a Short Message Service message.
21. A server including a network message interface for receiving an access request from a client station for access to a resource, the access request identifying the user, a server holding data relating to users including at least a contact address for a communications device for users, the server being responsive to a received access request to issue an authentication request to the communications device of a user identified in the access request.
22. The server of claim 21, comprising a directory holding the data relating to users, and a controller responsive to receipt of an access request to retrieve a contact address from the directory for the user and to issue an authentication request to the communications device.
23. The server of claim 21, wherein the authentication request is directed via a message service for calling the communications device of the user.
24. The server of claim 21, wherein the directory holds required responses to authentication requests, the controller being operable to evaluate a response received from the communications device to determine whether to permit access to the resource.
25. The server of claim 21, wherein the network is the Internet.
26. A network client comprising user input equipment for input of a resource access request, a mechanism for composing an access request identifying the user and the resource to be accessed, and a network interface for issuing an access request to a server for access to a network.
27. A method of controlling access to a network resource, comprising: in response to the input of an access request by a user for access to a resource at a network client, issuing an access request to a server, the access request identifying the user and the resource to be accessed; at the server, responding to receipt of the access request to retrieve a contact address for a communications device for the user identified in the access request to issue an authentication request to the communications device; at the communications device, responding to receipt of the authentication request to invite a response to the authentication request and transmitting the response to the server; and at the server, evaluating the response and, in the event of a valid response, permitting access to the resource.
28. The method of claim 27, wherein the communications device is a device for wireless communication.
29. The method of claim 28, wherein the communications device is a mobile telephone.
30. The method of claim 29, comprising, at the communications device, extracting user information from a user identification unit.
31. The method of claim 30, wherein the user identification unit is a SIM card.
32. The method of claim 31, wherein the mobile telephone is a GSM telephone.
33. The method of claim 27, wherein the authentication request message is a text message.
34. The method of claim 27, wherein the response message is a text message input by a user via the mobile telephone.
35. The method of claim 27, wherein at least one of the authentication message and the response message is a Short Message Service message.
36. The method of claim 27, wherein the network is the Internet.
37. A computer program product on a carrier medium, the computer program product comprising program instructions for controlling a server: to determine a contact address for a communications device of a user associated with a user identification in a resource access request received from a client station; to issue an authentication request to the communications device at the retrieved address; to evaluate a response received from the communications device and to permit access to the requested resource only where a valid response is received.
A computer program product on a carrier medium for controlling a proactive validation unit in mobile equipment, the computer program comprising program instructions to validate an authentication message received from a server, to prompt a user to input a response, to prepare an authentication response message and to forward an authentication response message to the server.
PCT/US2001/005261 2000-04-14 2001-02-16 Network access security WO2001080525A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001245292A AU2001245292A1 (en) 2000-04-14 2001-02-16 Network access security

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US54962200A 2000-04-14 2000-04-14
US09/549,622 2000-04-14

Publications (1)

Publication Number Publication Date
WO2001080525A1 true WO2001080525A1 (en) 2001-10-25

Family

ID=24193775

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/005261 WO2001080525A1 (en) 2000-04-14 2001-02-16 Network access security

Country Status (2)

Country Link
AU (1) AU2001245292A1 (en)
WO (1) WO2001080525A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1995019593A1 (en) * 1994-01-14 1995-07-20 Michael Jeremy Kew A computer security system
NL1007409C1 (en) * 1997-10-31 1997-11-18 Nederland Ptt Authentication system for electronic transactions
FR2795264A1 (en) * 1999-06-16 2000-12-22 Olivier Lenoir SYSTEM AND METHODS FOR SECURE ACCESS TO A COMPUTER SERVER USING THE SYSTEM

Cited By (69)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003047301A1 (en) * 2001-11-21 2003-06-05 Qualcomm Incorporated Authentication of a mobile telephone
GB2384396A (en) * 2002-01-16 2003-07-23 Sure On Sight Ltd Authentication messaging in a mobile communications network
GB2384396B (en) * 2002-01-16 2007-01-03 Sure On Sight Ltd Secure messaging via a mobile communications network
US7245902B2 (en) 2002-01-16 2007-07-17 2 Ergo Limited Secure messaging via a mobile communications network
FR2835129A1 (en) * 2002-01-23 2003-07-25 Sagem TWO-FACTOR AUTHENTICATION PROCESS WITH SINGLE-USE EPHEMERIC PASSWORD
WO2003063411A1 (en) * 2002-01-23 2003-07-31 Sagem Sa Two-factor authentication method with a one-time password
WO2003065676A1 (en) * 2002-01-28 2003-08-07 Philip Morris Products S.A. Method and authentication server for controlling access to a resource accessible through a communications network
WO2003075540A3 (en) * 2002-02-28 2004-03-04 Hewlett Packard Co Robust multi-factor authentication for secure application environments
WO2003091860A1 (en) * 2002-04-26 2003-11-06 Andawari Gmbh Method for authenticating and/or authorising a person
GB2394327B (en) * 2002-10-17 2006-08-02 Vodafone Plc Device for facilitating and authenticating transactions
US8825928B2 (en) 2002-10-17 2014-09-02 Vodafone Group Plc Facilitating and authenticating transactions through the use of a dongle interfacing a security card and a data processing apparatus
GB2394327A (en) * 2002-10-17 2004-04-21 Vodafone Plc A device for authenticating data communications over a network using a Smart or SIM card
WO2004043107A1 (en) * 2002-11-08 2004-05-21 Nokia Corporation Context linking scheme
KR100755981B1 (en) * 2002-11-08 2007-09-06 노키아 코포레이션 Context linking scheme
CN1711793B (en) * 2002-11-08 2015-03-11 诺基亚公司 Method and apparatus for linking a service context to a terminal connection
WO2007074319A1 (en) * 2005-12-28 2007-07-05 France Telecom Method for authenticating a user in relation to a remote server, system implementing said method, client terminal and computer program
WO2007129345A1 (en) * 2006-05-10 2007-11-15 Worldwide Gpms Ltd. Process and system for confirming transactions by means of mobile units
JP2009536494A (en) * 2006-05-10 2009-10-08 ワールドワイド ジーピーエムエス リミテッド Process and system for confirming a transaction by a portable unit
EP1919157A1 (en) * 2006-11-06 2008-05-07 Axalto SA Authentication based on a single message
WO2008060300A1 (en) * 2006-11-16 2008-05-22 Dynomedia, Inc. Systems and methods for distributed digital rights management
EP1971161A1 (en) * 2007-02-02 2008-09-17 Vodafone Holding GmbH Secure data exchange method
CN103647646A (en) * 2007-03-30 2014-03-19 埃森哲环球服务有限公司 Non-repudiation for digital content delivery
EP1975837A1 (en) * 2007-03-30 2008-10-01 Accenture Global Services GmbH Non-repudiation for digital content delivery
US9842204B2 (en) 2008-04-01 2017-12-12 Nudata Security Inc. Systems and methods for assessing security risk
US9275215B2 (en) 2008-04-01 2016-03-01 Nudata Security Inc. Systems and methods for implementing and tracking identification tests
US9946864B2 (en) 2008-04-01 2018-04-17 Nudata Security Inc. Systems and methods for implementing and tracking identification tests
US9633190B2 (en) 2008-04-01 2017-04-25 Nudata Security Inc. Systems and methods for assessing security risk
US9378354B2 (en) 2008-04-01 2016-06-28 Nudata Security Inc. Systems and methods for assessing security risk
US11036847B2 (en) 2008-04-01 2021-06-15 Mastercard Technologies Canada ULC Systems and methods for assessing security risk
US10997284B2 (en) 2008-04-01 2021-05-04 Mastercard Technologies Canada ULC Systems and methods for assessing security risk
WO2009122302A3 (en) * 2008-04-01 2010-01-14 Leap Marketing Technologies Inc. Systems and methods for implementing and tracking identification tests
US10839065B2 (en) 2008-04-01 2020-11-17 Mastercard Technologies Canada ULC Systems and methods for assessing security risk
NL2001710C2 (en) * 2008-06-23 2009-12-24 West 6 B V Method for securing access between gateway and authentication server for allowing person to access e.g. confined space of parking garage, involves sending electronic message to mobile phone to confirm authorization of person
EP2400689A4 (en) * 2009-03-09 2012-08-15 Huawei Tech Co Ltd Method, device and system for authentication
US10567385B2 (en) 2010-02-25 2020-02-18 Secureauth Corporation System and method for provisioning a security token
EP2372597A1 (en) * 2010-04-02 2011-10-05 Intel Corporation (INTEL) Methods and systems for secure remote wake, boot, and login to a computer from a mobile device
US8375220B2 (en) 2010-04-02 2013-02-12 Intel Corporation Methods and systems for secure remote wake, boot, and login to a computer from a mobile device
EP2434719A1 (en) * 2010-09-23 2012-03-28 Vodafone Holding GmbH Server and method for providing user information
WO2012072430A1 (en) * 2010-11-30 2012-06-07 Gemalto Sa Method for providing a user with an authenticated remote access to a remote secure device
US9401916B2 (en) 2010-11-30 2016-07-26 Gemalto Sa Method for providing a user with an authenticated remote access to a remote secure device
EP2466522A1 (en) * 2010-11-30 2012-06-20 Gemalto SA Method for providing a user with an authentificated remote access to a remote secure device
CN104429036A (en) * 2011-10-12 2015-03-18 科技商业管理有限公司 System for secure ID authentication
WO2013054073A1 (en) * 2011-10-12 2013-04-18 The Technology Business Management Limited System for secure id authentication
JP2015501572A (en) * 2011-10-12 2015-01-15 テクノロジー・ビジネス・マネジメント・リミテッド System for secure ID authentication
US9832649B1 (en) 2011-10-12 2017-11-28 Technology Business Management, Limted Secure ID authentication
EP2611097A1 (en) * 2011-12-28 2013-07-03 Gemalto SA Method for authenticating a user using a second mobile device
GB2523710B (en) * 2012-12-28 2021-12-22 Lookout Inc Multi-factor authentication and comprehensive login system for client-server networks
US10523490B2 (en) * 2013-08-06 2019-12-31 Agilepq, Inc. Authentication of a subscribed code table user utilizing optimized code table signaling
FR3015821A1 (en) * 2013-12-24 2015-06-26 Trustelem SECURE MEANS OF AUTHENTICATION
US10361716B2 (en) 2014-07-02 2019-07-23 Agilepq, Inc. Data recovery utilizing optimized code table signaling
US10587598B2 (en) 2014-09-30 2020-03-10 Surfboard Payments Ab Method for providing information from an electronic device to a central server
EP3201817A4 (en) * 2014-09-30 2017-08-23 Tokon Security AB Method for providing information from an electronic device to a central server
US9813446B2 (en) 2015-09-05 2017-11-07 Nudata Security Inc. Systems and methods for matching and scoring sameness
US10749884B2 (en) 2015-09-05 2020-08-18 Mastercard Technologies Canada ULC Systems and methods for detecting and preventing spoofing
US9749356B2 (en) 2015-09-05 2017-08-29 Nudata Security Inc. Systems and methods for detecting and scoring anomalies
US10129279B2 (en) 2015-09-05 2018-11-13 Mastercard Technologies Canada ULC Systems and methods for detecting and preventing spoofing
US10212180B2 (en) 2015-09-05 2019-02-19 Mastercard Technologies Canada ULC Systems and methods for detecting and preventing spoofing
US9648034B2 (en) 2015-09-05 2017-05-09 Nudata Security Inc. Systems and methods for detecting and scoring anomalies
US9680868B2 (en) 2015-09-05 2017-06-13 Nudata Security Inc. Systems and methods for matching and scoring sameness
US9979747B2 (en) 2015-09-05 2018-05-22 Mastercard Technologies Canada ULC Systems and methods for detecting and preventing spoofing
US9749357B2 (en) 2015-09-05 2017-08-29 Nudata Security Inc. Systems and methods for matching and scoring sameness
US10805328B2 (en) 2015-09-05 2020-10-13 Mastercard Technologies Canada ULC Systems and methods for detecting and scoring anomalies
US9749358B2 (en) 2015-09-05 2017-08-29 Nudata Security Inc. Systems and methods for matching and scoring sameness
US9800601B2 (en) 2015-09-05 2017-10-24 Nudata Security Inc. Systems and methods for detecting and scoring anomalies
US10965695B2 (en) 2015-09-05 2021-03-30 Mastercard Technologies Canada ULC Systems and methods for matching and scoring sameness
US11018854B2 (en) 2016-06-06 2021-05-25 Agilepq, Inc. Data conversion systems and methods
US9990487B1 (en) 2017-05-05 2018-06-05 Mastercard Technologies Canada ULC Systems and methods for distinguishing among human users and software robots
US10007776B1 (en) 2017-05-05 2018-06-26 Mastercard Technologies Canada ULC Systems and methods for distinguishing among human users and software robots
US10127373B1 (en) 2017-05-05 2018-11-13 Mastercard Technologies Canada ULC Systems and methods for distinguishing among human users and software robots

Also Published As

Publication number Publication date
AU2001245292A1 (en) 2001-10-30

Similar Documents

Publication Publication Date Title
WO2001080525A1 (en) Network access security
EP1058872B2 (en) Method, arrangement and apparatus for authentication through a communications network
CN101523859B (en) System and method for authenticating remote server access
CN101366234B (en) System, device and method for terminal user identity verification
EP1504561B1 (en) Methods and systems for secure transmission of information using a mobile device
US6334056B1 (en) Secure gateway processing for handheld device markup language (HDML)
EP1807966B1 (en) Authentication method
US20050101307A1 (en) Method for performing a voting by mobile terminals
US20020097876A1 (en) Communication methods, communication systems and to personal communication devices
US20020056044A1 (en) Security system
US7865719B2 (en) Method for establishing the authenticity of the identity of a service user and device for carrying out the method
KR20070108365A (en) Remote access system and method for allowing a user to remotely access a terminal device from a subscriber terminal
WO2011083867A1 (en) Authentication device, authentication method, and program
CN1330827A (en) Accessing server computer
RU2411670C2 (en) Method to create and verify authenticity of electronic signature
JP2001500711A (en) Method for delivering a service key to a terminal device and apparatus for implementing the method
JP2003248659A (en) Method for controlling access to content and system for controlling access to content
KR20170055665A (en) User authentication system and user authentication method therefor
KR102300021B1 (en) Authentication method and telecommunication server using IP address and SMS
KR100367777B1 (en) secure service system and method of supporting secure service
JP2025038380A (en) Resource server and service providing system
KR20030069155A (en) Method for providing alarm-service using SMS message and position information about users using wireless terminal including mobile phone,PDA and wireless device employing the same
JP2005341226A (en) Service providing system and communication terminal device
HK1036344B (en) Method, arrangement and apparatus for authentication through a communications network

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP