WO1995019593A1 - A computer security system - Google Patents

A computer security system Download PDF

Info

Publication number
WO1995019593A1
WO1995019593A1 PCT/GB1995/000059 GB9500059W WO9519593A1 WO 1995019593 A1 WO1995019593 A1 WO 1995019593A1 GB 9500059 W GB9500059 W GB 9500059W WO 9519593 A1 WO9519593 A1 WO 9519593A1
Authority
WO
WIPO (PCT)
Prior art keywords
code
user
transformation
transformed
receiver
Prior art date
Application number
PCT/GB1995/000059
Other languages
French (fr)
Inventor
Michael Jeremy Kew
James Simon Love
Original Assignee
Michael Jeremy Kew
James Simon Love
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from GB9400602A external-priority patent/GB9400602D0/en
Priority claimed from GB9415779A external-priority patent/GB9415779D0/en
Application filed by Michael Jeremy Kew, James Simon Love filed Critical Michael Jeremy Kew
Priority to AU13903/95A priority Critical patent/AU1390395A/en
Priority to GB9614521A priority patent/GB2300288A/en
Publication of WO1995019593A1 publication Critical patent/WO1995019593A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/42User authentication using separate channels for security data
    • G06F21/43User authentication using separate channels for security data wireless channels
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/385Payment protocols; Details thereof using an alias or single-use codes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/42Confirmation, e.g. check or permission by the legal debtor of payment
    • G06Q20/425Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1408Protection against unauthorised use of memory or access to memory by using cryptography
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2103Challenge-response

Definitions

  • the present invention relates to a computer security system and comprises a method and apparatus for preventing unauthorized access to a host computer system.
  • a method of preventing unauthorised access to a host computer system by a user at a remote terminal comprising the steps of accepting a user identification code input to the terminal by the user; generating a random code (Code A) ; subjecting Code A to a transformation characteristic of a transformation algorithm identified by the input user identification code so as to generate a transformed code (Code B) ; transmitting Code A via a paging system, to a receiver held by the user, the receiver comprising transformation means adapted to transform the received Code A to a second transformed code (Code C) , and means for displaying Code C to the user; accepting input of Code C to the terminal by the user; comparing Code C with Code B; and permitting access to the host system only if Code C matches Code B.
  • apparatus for preventing unauthorized access to a host computer system by a user at a remote terminal, the apparatus comprising means for accepting a user identification code input to the terminal by the user; means for generating a random code (Code A) , and for subjecting Code A to a transformation to generate a transformed code (Code B) ; a transmitter for transmitting Code A via a paging system; a receiver held by the user, the receiver comprising transformation means adapted to transform the received Code A to a second transformed code (Code C) , and means for displaying Code C to the user; means for accepting input of Code C by the user; means for comparing Code C with Code B; and means for permitting access to the host system if Code C matches Code B.
  • the receiver carried by an authorized user will have logic circuitry programmed with a transformation algorithm which is characteristic of that receiver.
  • the host computer system identifies the corresponding transformation algorithm in a database from the code and transforms the random code (Code A) to a new Code B in such a manner that the Code C, produced by the user's receiver from the transmitted code, will be identical to Code B with which it is compared.
  • the transformation algorithms associated with each receiver may be completely different, or may be the same base algorithm which is convoluted with a code corresponding to the user's identification code so as to generate characteristic transformed codes.
  • the algorithms used are all, so called, one-way algorithms.
  • the user identification code should preferably be treated by the user as a secret code and not be marked on the receiver. It is thus comparable with a personal identification number (PIN) familiar from many other contexts.
  • PIN personal identification number
  • the receiver can only be enabled for a predetermined period to permit it to transform the received Code A to the transformed Code C by input of a second user identification code by the user.
  • This second code may also be in the form of a PIN. In this way additional security is provided since an unauthorised user cannot gain access to the system even if he has possession of the receiver and knows the user identification code without knowledge of the second identification or activation code.
  • the signal incorporating Code A which is transmitted by the paging system also incorporates an identifier to enable the receiver to pick out the signal from a plurality which may be being transmitted at the same time.
  • the receiver is preferably always responsive to reception of its identifier regardless of whether or not it has been enabled by the user.
  • the receiver is responsive to reception of its identifier in circumstances when the authorised user is not attempting to gain access to the host system. In this way the receiver can alert the authorised user that an attempt at unauthorised access is being made. Preferably, therefore, the receiver emits an alarm or otherwise operates to alert the user in these circumstances.
  • the means for displaying Code C on the receiver can be a liquid crystal display or other conventional display means.
  • the means by which the signal is transmitted via the paging system and the means by which the transmitted signal is received by the receiver may both utilise technology which is generally conventional in paging systems.
  • the method preferably comprises the additional steps of generating an access code by the terminal based on the user identification code and at least one of a terminal code for identifying the remote terminal, a network identification code for identifying which of a plurality of networks the remote terminal is connected to, and a software code identifying the presence or absence of particular software stored at the remote terminal site and accessible by its CPU; transmitting the access code to the host computer system; deconstructing the access code to produce at least one computer identification code and the user identification code; generating a second random code (Code D) ; subjecting Code D and the computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code E) ; subjecting Code A to a transformation characteristic of both the transformation algorithm identified by the input user identification code and Code E so as to generate the transformed code (Code B) ; passing Code D to the remote terminal which also subjects Code D and the computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code F) ; passing Code F to
  • the method comprises the further additional steps of deconstructing the access code to produce the user identification code, a first computer identification code characteristic of the computer hardware identifying portions of the access code and a second computer identification code characteristic of the computer software identifying portions of the access code; generating a second random code (Code Dl) and a third random code (Code D2) ; subjecting Code Dl and the first computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code El) ; subjecting Code D2 and the second computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code E2) ; and combining in a predetermined fashion Codes El and E2 or parts thereof to produce the transformed code (Code E) ; passing Code Dl and Code D2 to the remote terminal (2) which subjects Code Dl and the first computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code Fl), and which subjects Code D2 and the second computer identification code to a transformation characteristic of a transformation algorithm so
  • the system can be used to display sensitive information which, for example, can be made available for viewing only and not for further analysis at the remote terminal.
  • the receiver preferably takes the form of a security key which is linked to the remote terminal.
  • the receiver is linked to the central processing unit either by a plug and socket arrangement or by an infrared transmission system for the passage of information therebetween.
  • Fig. 1 is a schematic view of a first embodiment of a computer security system according to the invention.
  • Fig. 2 is a view similar to Fig. 1 but of a second embodiment of the system and additionally showing logic operations carried out by various components of the system.
  • a host computer system typically one of several arranged in a local area network (LAN) , may be accessed from any one or more of a series of remote terminals 2, 3, 4 via a telephone line link.
  • LAN local area network
  • a user at one of the terminals, say terminal 2 must first verify his or her identity by satisfying a security barrier system or security server 5, which is effectively interposed between the remote terminals 2, 3, 4 and the host system 1.
  • the user carries a receiver unit 6 which includes encryption means for encryption of received codes.
  • the unit will include logic circuitry to do this which preferably itself includes an EPROM or erasable programmable read only memory where the algorithm required is stored. As previously mentioned, this algorithm is preferably a one-way algorithm.
  • the receiver unit 6 also stores in the EPROM an identity code.
  • This identity code is a key for the one-way algorithm and is such that when applied to the algorithm, together with a code to be encrypted the resultant code is characteristic of the particular receiver unit 6.
  • the security server 5 When the user seeks access to the host system 1 via the terminal 2 , he enters his user identification code.
  • This code may take any suitable form, for example his actual name or preferably a more secure code such as a PIN.
  • the security server 5 includes a database of all authorised users and their authorised receiver units 6, and identifies the corresponding identity code for the appropriate receiver unit 6.
  • the security server 5 then generates a random code (Code A) and subjects this number to an encryption using the same one-way algorithm as is stored in the user's receiver 6 together with the corresponding identity code. In this way a transformed code (Code B) is produced.
  • the security server 5 In addition to producing the transformed Code B, the security server 5 also transmits the random code to a paging system 7 along with an indentifier or identifying tag which can be recognized by the receiver unit 6.
  • the identifying tag and the random code are then broadcast by the paging system 7, typically using a radiofrequency transmitter, in a fashion similar to conventional paging systems. Whilst the receiver unit 6 will pick up all codes broadcast on a particular frequency, the receiver unit 6 will use the identifier to pick out the appropriate signal meant for it from a plurality which may be being transmitted at the same time.
  • the user After or before entering his identification code into the terminal 2, the user also activates the receiver unit 6 by entering a second user identification code, which is also preferably in the form of a secret PIN, via a keypad 8.
  • a second user identification code which is also preferably in the form of a secret PIN, via a keypad 8.
  • the receiver unit 6 can receive the broadcast signal regardless of whether it has been activated or not, but activation enables the logic circuitry of the receiver unit 6 to permit it to encrypt the received random code.
  • the receiver unit 6 therefore uses the received random number and the identity code stored in its own EPROM to produce a transformed code (Code C) via its own characteristic algorithm.
  • This transformed Code C is then displayed to the user on a display means 9, preferably a liquid crystal display, for a predetermined length of time such as five minutes.
  • the terminal 2 at the behest of the security server 5 prompts the user to input the transformed Code C displayed by the receiver unit 6.
  • the security server 5 compares the input Code C with the transformed code, Code B, it produced by encryption of the random code, Code A. If Code B and Code C are identical, access to the host system 1 is permitted.
  • FIG. 2 A second more sophisticated embodiment of the invention is shown in Fig. 2 and the same reference numbers are used in Fig. 1 as have been used in Fig. 1 to indicate similar features of the system.
  • logic operations carried out by various components of the system are shown in the rounded edged boxes.
  • This second embodiment enables verification of the actual remote terminal 2, the network system to which it is connected, and the software it has access to. In this way, highly secure information can be made available for viewing but not made available to terminals which may have the capability to store or process the information further.
  • the receiver unit 6 would probably, but not necessarily, comprise a stand-alone piece of equipment
  • the receiver unit 6 is intended to be linked to the remote terminal 2 for the passage of information therebetween.
  • This linkage could be by any conventional means, such as a plug/socket arrangement whereby the unit 6 is plugged into one of the output ports of the terminal 2 or an infrared transmission system.
  • the receiver unit 6 forms a security key for the system and must be connected to the terminal 2 before the latter can be used to access the host system 1.
  • the terminal 2 also comprises a central processing unit (CPU) in its own right and is preferably in the form of a personal computer (PC) .
  • CPU central processing unit
  • PC personal computer
  • the terminal 2 will also have its own terminal identity code.
  • security software which monitors other software which can be accessed and run by the terminal.
  • the security software supplies appropriately encrypted software identity codes dependent on this software.
  • the network system to which the terminal 2 is connected can also be verified.
  • the terminal's token ring identification code can be used for this purpose.
  • the system operates as follows.
  • the user first attaches the receiver unit 6 or security key to the terminal 2 and enables the unit 6 by entering his second user identification code in the form of a secret PIN, via the keypad 8.
  • This PIN is known only to the user and the receiver unit 6 could be constructed so that this number can be changed by the user by following a predetermined routine.
  • the user's first identification code (USER ID), which can again comprise the user's name is entered into the terminal 2.
  • the security software running on the terminal 2 which enables the dialogue with the user.
  • This security software now generates an access code or what can be considered as an access "claim” based on the user's identification code (USER ID) and one or more, and preferably all of the terminal identity code (TERMINAL ID), the network identification code (NETWORK ID) , and one or more software identity codes (SOFTWARE ID) .
  • This access code or claim is passed to the security server 5 of the host computer system 1 that it is desired to access.
  • the security server 5 deconstructs the access code or claim into its constituent parts. In the same way as the first embodiment, it uses the user identification code (USER ID) to access its database to locate the corresponding identity code for the appropriate receiver unit 6. As before, the security server 5 then generates a random code (Code A) and subjects this number to an encryption using the same one-way algorithm as is stored in the user's receiver 6 to produce the transformed code (Code B) . However, in this embodiment a third code (Code E) is used as a second encryption key. This third Code E is obtained by using the other identification codes comprising the access claim as will now be described. .
  • the security server takes the terminal identity code and network identity code and combines these or parts of these in a predetermined manner to form a hardware code (HARDWARE ID) or first computer identification code. It then generates a second random number (Code Dl) which is encrypted using a predetermined one-way algorithm, to produce a first transformed code (Code El) .
  • HARDWARE ID hardware code
  • Code Dl second random number
  • Code El first transformed code
  • a similar operation is performed on the software identity codes (SOFTWARE ID) . If more than one of these comprises part of the access claim, then they are combined or parts of them are combined in a predetermined manner to form a single code which comprises the second computer identification code.
  • the security server 5 generates a third random number (Code D2) , which is encrypted using a predetermined one-way algorithm to produce a second transformed code (Code E2) .
  • the first and second transformed codes, Code El and Code E2 are then combined in a predetermined manner to form a single transformed code which comprises the Code E which is used in the production of Code B.
  • the security server 5 transmits the first random code, Code A, along with an indentifier or identifying tag which can be recognized by the security key 6 to the paging system 7.
  • the identifying tag and the random code, Code A are then broadcast by the paging system 7 for the security key 6 to pick up, identity and store.
  • the security server 5 passes the second and third random numbers, Code Dl and Code D2, along with the transformed code, Code B, back to the host computer system 1.
  • the host computer system 1 then passes the second and third random numbers, Code Dl and Code D2, back to the terminal 2.
  • the the security software running on the terminal 2 uses the Codes Dl and D2 along with the hardware and software identification codes, which it constructed as part of the access claim, to produce respectively transformed Codes Fl and F2. These are then are then combined in the same predetermined manner as the Codes El and E2 to produce a single transformed code, Code
  • This single transformed code, Code F is then passed by the terminal 2 to the security key 6.
  • the security key is now able to encrypt the received Code A using the Code F and the user identification code it contains via the one ⁇ way algorithm in its logic circuitry to produce the transformed code, Code C.
  • the resultant code, Code C is then displayed on the display means 9 of the security key for the user to enter into the terminal 2 at the behest of the host computer system 1.
  • the system 1 can then compare the entered transformed code, Code C, with that, Code B, transmitted to it from the security server 5. Access to the system 1 is then only permitted if the two codes, Code B and Code C, are identical.
  • the computer security system not only verifies that the user's identification code and the security key 6 but also the terminal 2 and its network and stored software.
  • Code D can be encrypted to produce a single transformed code, Code E, which can then be used directly in the encryption of Code A.
  • all the algorithms used in the system should comprise one-way algorithms.
  • the receiver unit or security key 6 is preferably always responsive to reception of its identifier regardless of whether or not it has been enabled by the user. Hence, the receiver 6 is responsive to reception of its identifier in circumstances when the authorised user is not attempting to gain access to the host system. In this way the receiver 6 can be used to alert the authorised user that an attempt at unauthorised access is being made as well as act as a conventional pager which can request the user to log into a particular computer system 1 or otherwise receive pager messages.
  • a host computer system 1 can request users to log in to receive, for example, electronic mail, or to carry out other operations.

Abstract

A method of preventing unauthorised access to a host computer system (1) by a user at a remote terminal (2) is provided using paging system technology. In the method, a user inputs his user identification code input into the terminal (2) which transmits same to the host computer system (1). The system then generates a random code (Code A) and subjects Code A to a transformation characteristic of a transformation algorithm identified by the input user identification code so as to generate a transformed code (Code B). Code A is transmitted via a paging system (7), to a receiver (6) held by the user. The receiver (6) comprises transformation means adapted to transform the received Code A to a second transformed code (Code C), and means (9) for displaying Code C to the user. The user then inputs the displayed Code C to the terminal (2) which trasmits it to the host system (1). The input Code C is then compared with Code B and access is only permitted if Code C matches Code B.

Description

A COMPUTER SECURITY SYSTEM
The present invention relates to a computer security system and comprises a method and apparatus for preventing unauthorized access to a host computer system.
Many large computer systems require users to gain access via a remote terminal using a telephone link. In cases where access to the computer system is restricted to authorised personnel, attempts by unauthorised persons to gain access are referred to as "hacking". It is common practice for security systems to be installed in the computer system in an attempt to verify the identity of a user. However, to date no completely successful computer security system has been devised.
There has now been devised an improved computer security system based on pager technology.
According to a first aspect of the present invention there is provided a method of preventing unauthorised access to a host computer system by a user at a remote terminal comprising the steps of accepting a user identification code input to the terminal by the user; generating a random code (Code A) ; subjecting Code A to a transformation characteristic of a transformation algorithm identified by the input user identification code so as to generate a transformed code (Code B) ; transmitting Code A via a paging system, to a receiver held by the user, the receiver comprising transformation means adapted to transform the received Code A to a second transformed code (Code C) , and means for displaying Code C to the user; accepting input of Code C to the terminal by the user; comparing Code C with Code B; and permitting access to the host system only if Code C matches Code B.
According to a second aspect of the present invention there is provided apparatus for preventing unauthorized access to a host computer system by a user at a remote terminal, the apparatus comprising means for accepting a user identification code input to the terminal by the user; means for generating a random code (Code A) , and for subjecting Code A to a transformation to generate a transformed code (Code B) ; a transmitter for transmitting Code A via a paging system; a receiver held by the user, the receiver comprising transformation means adapted to transform the received Code A to a second transformed code (Code C) , and means for displaying Code C to the user; means for accepting input of Code C by the user; means for comparing Code C with Code B; and means for permitting access to the host system if Code C matches Code B.
It will be appreciated that the receiver carried by an authorized user will have logic circuitry programmed with a transformation algorithm which is characteristic of that receiver. When the user enters his user identification code, the host computer system identifies the corresponding transformation algorithm in a database from the code and transforms the random code (Code A) to a new Code B in such a manner that the Code C, produced by the user's receiver from the transmitted code, will be identical to Code B with which it is compared. Thus, only a user both with knowledge of the user identification code and holding the corresponding receiver can gain access to the host system. The transformation algorithms associated with each receiver may be completely different, or may be the same base algorithm which is convoluted with a code corresponding to the user's identification code so as to generate characteristic transformed codes. Preferably, the algorithms used are all, so called, one-way algorithms.
The user identification code should preferably be treated by the user as a secret code and not be marked on the receiver. It is thus comparable with a personal identification number (PIN) familiar from many other contexts.
Preferably also, the receiver can only be enabled for a predetermined period to permit it to transform the received Code A to the transformed Code C by input of a second user identification code by the user. This second code may also be in the form of a PIN. In this way additional security is provided since an unauthorised user cannot gain access to the system even if he has possession of the receiver and knows the user identification code without knowledge of the second identification or activation code.
Preferably also, the signal incorporating Code A which is transmitted by the paging system also incorporates an identifier to enable the receiver to pick out the signal from a plurality which may be being transmitted at the same time.
In addition, the receiver is preferably always responsive to reception of its identifier regardless of whether or not it has been enabled by the user. Hence, the receiver is responsive to reception of its identifier in circumstances when the authorised user is not attempting to gain access to the host system. In this way the receiver can alert the authorised user that an attempt at unauthorised access is being made. Preferably, therefore, the receiver emits an alarm or otherwise operates to alert the user in these circumstances.
The means for displaying Code C on the receiver can be a liquid crystal display or other conventional display means. Also, the means by which the signal is transmitted via the paging system and the means by which the transmitted signal is received by the receiver may both utilise technology which is generally conventional in paging systems.
In a second more sophisticated embodiment, the method preferably comprises the additional steps of generating an access code by the terminal based on the user identification code and at least one of a terminal code for identifying the remote terminal, a network identification code for identifying which of a plurality of networks the remote terminal is connected to, and a software code identifying the presence or absence of particular software stored at the remote terminal site and accessible by its CPU; transmitting the access code to the host computer system; deconstructing the access code to produce at least one computer identification code and the user identification code; generating a second random code (Code D) ; subjecting Code D and the computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code E) ; subjecting Code A to a transformation characteristic of both the transformation algorithm identified by the input user identification code and Code E so as to generate the transformed code (Code B) ; passing Code D to the remote terminal which also subjects Code D and the computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code F) ; passing Code F to the receiver from the remote terminal which also subjects Code A to a transformation characteristic of both the transformation algorithm identified by the input user identification code and Code F so as to generate the transformed code (Code C) .
As before the terminal compares Code C with Code B and only permits access to the host system if Code C matches Code B, However, it will be appreciated that this embodiment can be used to verify that the actual remote terminal being used is an authorised terminal. This will mean that in practice if the terminal is authorised, Code F will also equal Code E.
Preferably also, the method comprises the further additional steps of deconstructing the access code to produce the user identification code, a first computer identification code characteristic of the computer hardware identifying portions of the access code and a second computer identification code characteristic of the computer software identifying portions of the access code; generating a second random code (Code Dl) and a third random code (Code D2) ; subjecting Code Dl and the first computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code El) ; subjecting Code D2 and the second computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code E2) ; and combining in a predetermined fashion Codes El and E2 or parts thereof to produce the transformed code (Code E) ; passing Code Dl and Code D2 to the remote terminal (2) which subjects Code Dl and the first computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code Fl), and which subjects Code D2 and the second computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code F2) ; and combining in a predetermined fashion Codes Fl and F2 or parts thereof to produce the transformed code (Code F) .
It will be appreciated, therefore, that not only can the actual terminal be verified but the network system it is connected to can be verified too along with software which is accessible to the terminal. The latter can be checked by running security software which monitors the type of software which can be run by the terminal and supplies appropriately encrypted identification codes dependent on this software.
Hence, in this way the system can be used to display sensitive information which, for example, can be made available for viewing only and not for further analysis at the remote terminal.
In this second embodiment, the receiver preferably takes the form of a security key which is linked to the remote terminal. Preferably, the receiver is linked to the central processing unit either by a plug and socket arrangement or by an infrared transmission system for the passage of information therebetween.
The various aspects of the present invention will now be described by way of example with reference to the accompanying drawings, in which:-
Fig. 1 is a schematic view of a first embodiment of a computer security system according to the invention; and
Fig. 2 is a view similar to Fig. 1 but of a second embodiment of the system and additionally showing logic operations carried out by various components of the system.
With reference first to Fig. 1, a host computer system 1, typically one of several arranged in a local area network (LAN) , may be accessed from any one or more of a series of remote terminals 2, 3, 4 via a telephone line link. To gain access to the host system 1, a user at one of the terminals, say terminal 2, must first verify his or her identity by satisfying a security barrier system or security server 5, which is effectively interposed between the remote terminals 2, 3, 4 and the host system 1.
The user carries a receiver unit 6 which includes encryption means for encryption of received codes. Typically, the unit will include logic circuitry to do this which preferably itself includes an EPROM or erasable programmable read only memory where the algorithm required is stored. As previously mentioned, this algorithm is preferably a one-way algorithm.
The receiver unit 6 also stores in the EPROM an identity code. This identity code is a key for the one-way algorithm and is such that when applied to the algorithm, together with a code to be encrypted the resultant code is characteristic of the particular receiver unit 6.
When the user seeks access to the host system 1 via the terminal 2 , he enters his user identification code. This code may take any suitable form, for example his actual name or preferably a more secure code such as a PIN. The security server 5 includes a database of all authorised users and their authorised receiver units 6, and identifies the corresponding identity code for the appropriate receiver unit 6. The security server 5 then generates a random code (Code A) and subjects this number to an encryption using the same one-way algorithm as is stored in the user's receiver 6 together with the corresponding identity code. In this way a transformed code (Code B) is produced.
In addition to producing the transformed Code B, the security server 5 also transmits the random code to a paging system 7 along with an indentifier or identifying tag which can be recognized by the receiver unit 6. The identifying tag and the random code are then broadcast by the paging system 7, typically using a radiofrequency transmitter, in a fashion similar to conventional paging systems. Whilst the receiver unit 6 will pick up all codes broadcast on a particular frequency, the receiver unit 6 will use the identifier to pick out the appropriate signal meant for it from a plurality which may be being transmitted at the same time.
After or before entering his identification code into the terminal 2, the user also activates the receiver unit 6 by entering a second user identification code, which is also preferably in the form of a secret PIN, via a keypad 8. Preferably, the receiver unit 6 can receive the broadcast signal regardless of whether it has been activated or not, but activation enables the logic circuitry of the receiver unit 6 to permit it to encrypt the received random code. The receiver unit 6 therefore uses the received random number and the identity code stored in its own EPROM to produce a transformed code (Code C) via its own characteristic algorithm. This transformed Code C is then displayed to the user on a display means 9, preferably a liquid crystal display, for a predetermined length of time such as five minutes.
The terminal 2, at the behest of the security server 5 prompts the user to input the transformed Code C displayed by the receiver unit 6. After input, the security server 5 compares the input Code C with the transformed code, Code B, it produced by encryption of the random code, Code A. If Code B and Code C are identical, access to the host system 1 is permitted.
A second more sophisticated embodiment of the invention is shown in Fig. 2 and the same reference numbers are used in Fig. 1 as have been used in Fig. 1 to indicate similar features of the system. In addition, logic operations carried out by various components of the system are shown in the rounded edged boxes.
This second embodiment enables verification of the actual remote terminal 2, the network system to which it is connected, and the software it has access to. In this way, highly secure information can be made available for viewing but not made available to terminals which may have the capability to store or process the information further.
However, whereas in the first embodiment, the receiver unit 6 would probably, but not necessarily, comprise a stand-alone piece of equipment, in this embodiment the receiver unit 6 is intended to be linked to the remote terminal 2 for the passage of information therebetween. This linkage could be by any conventional means, such as a plug/socket arrangement whereby the unit 6 is plugged into one of the output ports of the terminal 2 or an infrared transmission system. In this way, the receiver unit 6 forms a security key for the system and must be connected to the terminal 2 before the latter can be used to access the host system 1.
The terminal 2 also comprises a central processing unit (CPU) in its own right and is preferably in the form of a personal computer (PC) . In a similar fashion to the security key 6, the terminal 2 will also have its own terminal identity code. In addition, it runs security software which monitors other software which can be accessed and run by the terminal. The security software supplies appropriately encrypted software identity codes dependent on this software.
The network system to which the terminal 2 is connected can also be verified. For example, the terminal's token ring identification code can be used for this purpose.
With reference to Fig. 2, the system operates as follows. The user first attaches the receiver unit 6 or security key to the terminal 2 and enables the unit 6 by entering his second user identification code in the form of a secret PIN, via the keypad 8. This PIN is known only to the user and the receiver unit 6 could be constructed so that this number can be changed by the user by following a predetermined routine.
The user's first identification code (USER ID), which can again comprise the user's name is entered into the terminal 2. In this embodiment, it is the security software running on the terminal 2 which enables the dialogue with the user. This security software now generates an access code or what can be considered as an access "claim" based on the user's identification code (USER ID) and one or more, and preferably all of the terminal identity code (TERMINAL ID), the network identification code (NETWORK ID) , and one or more software identity codes (SOFTWARE ID) . This access code or claim is passed to the security server 5 of the host computer system 1 that it is desired to access.
The security server 5 deconstructs the access code or claim into its constituent parts. In the same way as the first embodiment, it uses the user identification code (USER ID) to access its database to locate the corresponding identity code for the appropriate receiver unit 6. As before, the security server 5 then generates a random code (Code A) and subjects this number to an encryption using the same one-way algorithm as is stored in the user's receiver 6 to produce the transformed code (Code B) . However, in this embodiment a third code (Code E) is used as a second encryption key. This third Code E is obtained by using the other identification codes comprising the access claim as will now be described. .
The security server takes the terminal identity code and network identity code and combines these or parts of these in a predetermined manner to form a hardware code (HARDWARE ID) or first computer identification code. It then generates a second random number (Code Dl) which is encrypted using a predetermined one-way algorithm, to produce a first transformed code (Code El) .
A similar operation is performed on the software identity codes (SOFTWARE ID) . If more than one of these comprises part of the access claim, then they are combined or parts of them are combined in a predetermined manner to form a single code which comprises the second computer identification code. The security server 5 generates a third random number (Code D2) , which is encrypted using a predetermined one-way algorithm to produce a second transformed code (Code E2) . The first and second transformed codes, Code El and Code E2, are then combined in a predetermined manner to form a single transformed code which comprises the Code E which is used in the production of Code B.
As in the first embodiment, the security server 5 transmits the first random code, Code A, along with an indentifier or identifying tag which can be recognized by the security key 6 to the paging system 7. The identifying tag and the random code, Code A, are then broadcast by the paging system 7 for the security key 6 to pick up, identity and store.
In addition however, the security server 5 passes the second and third random numbers, Code Dl and Code D2, along with the transformed code, Code B, back to the host computer system 1. The host computer system 1 then passes the second and third random numbers, Code Dl and Code D2, back to the terminal 2. The the security software running on the terminal 2 uses the Codes Dl and D2 along with the hardware and software identification codes, which it constructed as part of the access claim, to produce respectively transformed Codes Fl and F2. These are then are then combined in the same predetermined manner as the Codes El and E2 to produce a single transformed code, Code
F.
This single transformed code, Code F, is then passed by the terminal 2 to the security key 6. The security key is now able to encrypt the received Code A using the Code F and the user identification code it contains via the one¬ way algorithm in its logic circuitry to produce the transformed code, Code C.
The resultant code, Code C, is then displayed on the display means 9 of the security key for the user to enter into the terminal 2 at the behest of the host computer system 1. The system 1 can then compare the entered transformed code, Code C, with that, Code B, transmitted to it from the security server 5. Access to the system 1 is then only permitted if the two codes, Code B and Code C, are identical.
It will be appreciated that for Code B and Code C to be identical, then Codes E and F will also be identical assuming that the one-way algorithms used to produce same are also equivalent.
Thus, the computer security system not only verifies that the user's identification code and the security key 6 but also the terminal 2 and its network and stored software.
It will be appreciated that a less complex security system code could simply verify the computer hardware being used and not the software. In this case a single random generated code, Code D, can be encrypted to produce a single transformed code, Code E, which can then be used directly in the encryption of Code A.
As in the first embodiment, preferably all the algorithms used in the system should comprise one-way algorithms.
In addition, in both embodiments the receiver unit or security key 6 is preferably always responsive to reception of its identifier regardless of whether or not it has been enabled by the user. Hence, the receiver 6 is responsive to reception of its identifier in circumstances when the authorised user is not attempting to gain access to the host system. In this way the receiver 6 can be used to alert the authorised user that an attempt at unauthorised access is being made as well as act as a conventional pager which can request the user to log into a particular computer system 1 or otherwise receive pager messages. Thus, a host computer system 1 can request users to log in to receive, for example, electronic mail, or to carry out other operations.

Claims

1. A method of preventing unauthorised access to a host computer system (1) by a user at a remote terminal (2) comprising the steps of accepting a user identification code input to the terminal by the user; generating a random code (Code A) ; subjecting Code A to a transformation characteristic of a transformation algorithm identified by the input user identification code so as to generate a transformed code (Code B) ; transmitting Code A via a paging system (7) , to a receiver (6) held by the user, the receiver (6) comprising transformation means adapted to transform the received Code
A to a second transformed code (Code C) , and means (9) for displaying Code C to the user; accepting input of Code C to the terminal (2) by the user; comparing Code C with Code B; and permitting access to the host system (1) only if Code C matches Code B.
2. A method as claimed in Claim 1, wherein the transformation algorithm identified by the input user identification code comprises a one-way algorithm.
3. A method as claimed Claim 1 or Claim 2, wherein the receiver (6) can only be enabled for a predetermined period to permit it to transform the received Code A to the transformed Code C by input of a second user identification code by the user.
4. A method as claimed in any one of Claims 1 to 3, wherein the signal incorporating Code A which is transmitted by the paging system (7) also incorporates an identifier to enable the receiver to pick out the signal from a plurality which may be being transmitted at the same time.
5. A method as claimed in Claim 4, wherein the receiver (6) is always responsive to reception of its identifier regardless of whether or not it has been enabled by the user.
6. A method as claimed in any one of Claims 1 to 5, wherein the remote terminal (2) comprises a central processing unit (CPU) and the method comprises the additional steps of generating an access code by the terminal (2) based on the user identification code and at least one of a terminal code for identifying the remote terminal, a network identification code for identifying which of a plurality of networks the remote terminal is connected to, and a software code identifying the presence or absence of particular software stored at the remote terminal site and accessible by its CPU; transmitting the access code to the host computer system (1) ; deconstructing the access code to produce at least one computer identification code and the user identification code; generating a second random code (Code D) ; subjecting Code D and the computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code E) ; subjecting Code A to a transformation characteristic of both the transformation algorithm identified by the input user identification code and Code E so as to generate the transformed code (Code B) ; passing Code D to the remote terminal (2) which also subjects Code D and the computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code F) ; passing Code F to the receiver (6) from the remote terminal which also subjects Code A to a transformation characteristic of both the transformation algorithm identified by the input user identification code and Code F so as to generate the transformed code (Code C) ; .
7. A method as claimed in Claim 6, comprising the additional steps of deconstructing the access code to produce the user identification code, a first computer identification code characteristic of the computer hardware identifying portions of the access code and a second computer identification code characteristic of the computer software identifying portions of the access code; generating a second random code (Code Dl) and a third random code (Code D2) ; subjecting Code Dl and the first computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code El) ; subjecting Code D2 and the second computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code E2) ; combining in a predetermined fashion Codes El and E2 or parts thereof to produce the transformed code (Code E) ; passing Code Dl and Code D2 to the remote terminal (2) which subjects Code Dl and the first computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code Fl), and which subjects Code D2 and the second computer identification code to a transformation characteristic of a transformation algorithm so as to generate a transformed code (Code F2) ; and combining in a predetermined fashion Codes Fl and F2 or parts thereof to produce the transformed code (Code F) .
8. A method as claimed in Claim 6 or Claim 7, wherein the receiver (6) can be releasably connected to the remote terminal (2) by means of a plug and socket arrangement or an infrared transmission system for the passage of information therebetween.
9. A method as claimed in any one of Claims 1 to 8, wherein the host computer system (1) comprises a security server system (5) which generates each of the random codes, stores the transformation algorithms identified by the input user identification codes, and transmits codes to the receiver (6) via the paging system (7) .
10. Apparatus for preventing unauthorized access to a host computer system (1) by a user at a remote terminal (2), the apparatus comprising means for accepting a user identification code input to the terminal by the user; means for generating a random code (Code A) , and for subjecting Code A to a transformation to generate a transformed code (Code B) ; a transmitter for transmitting Code A via a paging system (7) ; a receiver (6) held by the user, the receiver (6) comprising transformation means adapted to transform the received Code A to a second transformed code (Code C) , and means (9) for displaying Code C to the user; means (8) for accepting input of Code C by the user; means for comparing Code C with Code B; and means for permitting access to the host system if Code C matches Code B.
11. Apparatus as claimed in Claim 10, wherein the remote terminal (2) comprises a central processing unit (CPU) .
12. Apparatus as claimed in Claim 11, wherein the receiver (6) can be linked to the central processing unit (2) either by a plug/socket arrangement or by an infrared transmission system for the passage of information therebetween.
13. Apparatus as claimed in Claim 11 or 12, wherein the remote terminal (2) comprises a terminal connected into a token ring network.
14. Apparatus as claimed in any one fo Claims 10 to 13, comprising a security server system (5) which generates each of the random codes, stores the transformation algorithms identified by the input user identification codes, and transmits codes to the receiver (6) via the paging system (7) .
PCT/GB1995/000059 1994-01-14 1995-01-12 A computer security system WO1995019593A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU13903/95A AU1390395A (en) 1994-01-14 1995-01-12 A computer security system
GB9614521A GB2300288A (en) 1994-01-14 1995-01-12 A computer security system

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB9400602A GB9400602D0 (en) 1994-01-14 1994-01-14 Computer security system
GB9400602.0 1994-01-14
GB9415779A GB9415779D0 (en) 1994-08-04 1994-08-04 Computer security system
GB9415779.9 1994-08-04

Publications (1)

Publication Number Publication Date
WO1995019593A1 true WO1995019593A1 (en) 1995-07-20

Family

ID=26304162

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB1995/000059 WO1995019593A1 (en) 1994-01-14 1995-01-12 A computer security system

Country Status (2)

Country Link
AU (1) AU1390395A (en)
WO (1) WO1995019593A1 (en)

Cited By (57)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1997031306A1 (en) * 1996-02-23 1997-08-28 Nokia Mobile Phones Ltd. Method for obtaining at least one item of user authentication data
EP0817518A2 (en) * 1996-07-03 1998-01-07 AT&T Corp. Method for controlled access to a secured system
EP0844551A2 (en) * 1996-10-28 1998-05-27 Brian J. Veneklase Computer security system
WO1999026124A1 (en) * 1997-11-19 1999-05-27 Telefonaktiebolaget Lm Ericsson (Publ) Method, and associated apparatus, for selectively permitting access by a mobile terminal to a packet data network
WO1999023617A3 (en) * 1997-11-04 1999-07-15 Gilles Kremer Method for transmitting data and implementing server
EP0875871A3 (en) * 1997-04-29 1999-07-21 Kim Schmitz Authorization method in data transfer systems
WO1999044114A1 (en) * 1998-02-25 1999-09-02 Telefonaktiebolaget Lm Ericsson Method, arrangement and apparatus for authentication through a communications network
WO1999056520A2 (en) * 1998-04-23 1999-11-11 House Of Added Value Ab A method of storing and retrieving personal codes
WO2000003316A1 (en) * 1997-05-28 2000-01-20 Telefonaktiebolaget Lm Ericsson (Publ) A method for securing access to a remote system
WO2000079366A1 (en) * 1999-06-21 2000-12-28 Catherin Mitta Method for the personal identification of mobile users
EP1107089A1 (en) * 1999-12-11 2001-06-13 Connectotel Limited Strong authentication method using a telecommunications device
GB2360860A (en) * 2000-03-29 2001-10-03 Ncr Int Inc Facilitating on-line transactions
GB2361558A (en) * 1997-05-28 2001-10-24 Ericsson Telefon Ab L M A method for securing access to a remote system
WO2001080525A1 (en) * 2000-04-14 2001-10-25 Sun Microsystems, Inc. Network access security
GB2362489A (en) * 2000-05-15 2001-11-21 Tom Com Entpr Ltd Secure communication
WO2001099382A2 (en) * 2000-06-19 2001-12-27 Allen Robert Yaxley A method and system of controlling access to a remote location
WO2002013154A1 (en) * 2000-08-09 2002-02-14 Vodafone Holding Gmbh Method of payment at any sales or service establishment by mobile telephone
DE10040644A1 (en) * 2000-08-14 2002-02-28 Arndt Jablonowski Data transmitting method for Internet-based payment system, involves sending divided frames of payment data, to processor through two channels using different protocols
GB2366966A (en) * 2000-09-07 2002-03-20 Swivel Technologies Ltd Verifying the identity of a device or user in an electronic communications environment
GB2369469A (en) * 2000-11-28 2002-05-29 Swivel Technologies Ltd Secure data transfer method
NL1015398C2 (en) * 2000-06-07 2002-07-16 Helger Christian Bouterse User authentication in computer and telephone network, based on authorisation code transmitted as part of telephone number
DE10102779A1 (en) * 2001-01-22 2002-08-29 Utimaco Safeware Ag Mobile phone transaction authorisation system has separate encrypted password link
WO2002084456A2 (en) * 2001-04-12 2002-10-24 Netdesigns Limited User identity verification system
EP1253500A1 (en) * 2001-04-26 2002-10-30 Nokia Corporation Method and device for authenticating a user on a remote server
EP1282044A1 (en) * 2000-03-03 2003-02-05 Kabushiki Kaisha Eighting Authenticating method
GB2379040A (en) * 2001-08-22 2003-02-26 Int Computers Ltd Controlling user access to a remote service by sending a one-time password to a portable device after normal login
AU759955B2 (en) * 1998-07-08 2003-05-01 Telefonaktiebolaget Lm Ericsson (Publ) A method for securing access to a remote system
EP1313075A2 (en) * 2001-11-19 2003-05-21 Fujitsu Limited Electronic money processing method and program
GB2387002A (en) * 2002-02-20 2003-10-01 1Revolution Group Plc Personal identification system and method using a mobile device
WO2003083793A2 (en) * 2002-04-03 2003-10-09 Swivel Secure Limited System and method for secure credit and debit card transactions
GB2391646A (en) * 2002-08-06 2004-02-11 James Andrew Groves Secure web page authenication method using a telephone number or SMS message
EP1424617A1 (en) * 2002-11-26 2004-06-02 Siemens Aktiengesellschaft Method for authentication and charging for a sucbriber in a wireless network
US6747755B1 (en) * 1999-04-14 2004-06-08 Canon Kabushiki Kaisha Code generation method, terminal apparatus, code processing method, issuing apparatus, and code issuing method
WO2004054196A1 (en) 2002-12-09 2004-06-24 Research In Motion Limited System and method of secure authentication information distribution
WO2005062613A1 (en) * 2003-12-18 2005-07-07 Nptv Method for accessing an interactive television session by short message (sms)
US6971027B1 (en) 1999-04-01 2005-11-29 Veneklase Brian J Computer security system
US7043635B1 (en) 2000-09-15 2006-05-09 Swivel Secure Limited Embedded synchronous random disposable code identification method and system
EP1578155A3 (en) * 2004-03-16 2006-08-23 Broadcom Corporation Integration of secure identification logic into cell phone
WO2007006771A1 (en) * 2005-07-13 2007-01-18 Gemplus Transaction authorization method and device
CN1319000C (en) * 2001-10-19 2007-05-30 环球速度有限公司 System and method for controlling transmission of data packets over an information network
EP1840814A1 (en) * 2006-03-17 2007-10-03 Hitachi Software Engineering Co., Ltd. Verification system
US7289799B1 (en) 1999-04-14 2007-10-30 Canon Kabushiki Kaisha Portable terminal apparatus and terminal apparatus
EP1868125A1 (en) * 2006-06-16 2007-12-19 Savernova S.A. Method for identifying a user of a computer system
US7392388B2 (en) 2000-09-07 2008-06-24 Swivel Secure Limited Systems and methods for identity verification for secure transactions
US7395050B2 (en) 2002-04-16 2008-07-01 Nokia Corporation Method and system for authenticating user of data transfer device
WO2010115795A1 (en) 2009-04-06 2010-10-14 Giesecke & Devrient Gmbh Method for carrying out an application with the aid of a portable data storage medium
US8462920B2 (en) 2005-01-11 2013-06-11 Telesign Corporation Registration, verification and notification system
EP2738996A1 (en) * 2012-11-30 2014-06-04 Gemalto SA Method, device and system for accessing a server
US8973109B2 (en) 2011-11-29 2015-03-03 Telesign Corporation Dual code authentication system
CN104429036A (en) * 2011-10-12 2015-03-18 科技商业管理有限公司 System for secure ID authentication
US9161222B2 (en) 2012-08-26 2015-10-13 Vokee Applications, Ltd. Verifying an association between an application and a mobile device through a telecommunication network
US9166967B2 (en) 2012-09-26 2015-10-20 Telesign Corporation Comprehensive authentication and identity system and method
US9275211B2 (en) 2013-03-15 2016-03-01 Telesign Corporation System and method for utilizing behavioral characteristics in authentication and fraud prevention
US9703938B2 (en) 2001-08-29 2017-07-11 Nader Asghari-Kamrani Direct authentication system and method via trusted authenticators
US9727864B2 (en) 2001-08-29 2017-08-08 Nader Asghari-Kamrani Centralized identification and authentication system and method
US9762576B2 (en) 2006-11-16 2017-09-12 Phonefactor, Inc. Enhanced multi factor authentication
US10567385B2 (en) 2010-02-25 2020-02-18 Secureauth Corporation System and method for provisioning a security token

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4679236A (en) * 1984-12-21 1987-07-07 Davies Richard E Identification verification method and system
WO1990013213A1 (en) * 1989-04-14 1990-11-01 Blick Communications Limited Radio pagers

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4679236A (en) * 1984-12-21 1987-07-07 Davies Richard E Identification verification method and system
WO1990013213A1 (en) * 1989-04-14 1990-11-01 Blick Communications Limited Radio pagers

Cited By (108)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1997031306A1 (en) * 1996-02-23 1997-08-28 Nokia Mobile Phones Ltd. Method for obtaining at least one item of user authentication data
US6112078A (en) * 1996-02-23 2000-08-29 Nokia Mobile Phones, Ltd. Method for obtaining at least one item of user authentication data
EP0817518A2 (en) * 1996-07-03 1998-01-07 AT&T Corp. Method for controlled access to a secured system
EP0817518A3 (en) * 1996-07-03 1999-09-08 AT&T Corp. Method for controlled access to a secured system
US6609206B1 (en) 1996-10-28 2003-08-19 Brian J. Veneklase Computer security system
EP0844551A2 (en) * 1996-10-28 1998-05-27 Brian J. Veneklase Computer security system
EP0844551A3 (en) * 1996-10-28 1998-07-01 Brian J. Veneklase Computer security system
US5881226A (en) * 1996-10-28 1999-03-09 Veneklase; Brian J. Computer security system
US9053316B2 (en) 1996-10-28 2015-06-09 C.H.I. Development Mgmt. Ltd. Iii, Llc Secure access computer system
EP0875871A3 (en) * 1997-04-29 1999-07-21 Kim Schmitz Authorization method in data transfer systems
US6078908A (en) * 1997-04-29 2000-06-20 Schmitz; Kim Method for authorizing in data transmission systems
WO2000003316A1 (en) * 1997-05-28 2000-01-20 Telefonaktiebolaget Lm Ericsson (Publ) A method for securing access to a remote system
GB2361558A (en) * 1997-05-28 2001-10-24 Ericsson Telefon Ab L M A method for securing access to a remote system
GB2361558B (en) * 1997-05-28 2003-07-23 Ericsson Telefon Ab L M A method for securing access to a remote system
WO1999023617A3 (en) * 1997-11-04 1999-07-15 Gilles Kremer Method for transmitting data and implementing server
EP1107203A3 (en) * 1997-11-04 2001-11-14 Magicaxess Method for data transmission and implementing server
AU753318B2 (en) * 1997-11-19 2002-10-17 Telefonaktiebolaget Lm Ericsson (Publ) Method, and associated apparatus, for selectively permitting access by a mobile terminal to a packet data network
US6230002B1 (en) 1997-11-19 2001-05-08 Telefonaktiebolaget L M Ericsson (Publ) Method, and associated apparatus, for selectively permitting access by a mobile terminal to a packet data network
WO1999026124A1 (en) * 1997-11-19 1999-05-27 Telefonaktiebolaget Lm Ericsson (Publ) Method, and associated apparatus, for selectively permitting access by a mobile terminal to a packet data network
WO1999044114A1 (en) * 1998-02-25 1999-09-02 Telefonaktiebolaget Lm Ericsson Method, arrangement and apparatus for authentication through a communications network
EP1058872B2 (en) 1998-02-25 2011-04-06 TELEFONAKTIEBOLAGET LM ERICSSON (publ) Method, arrangement and apparatus for authentication through a communications network
KR100683976B1 (en) * 1998-02-25 2007-02-15 텔레폰악티에볼라겟 엘엠 에릭슨(펍) Method, arrangement and apparatus for authentication
CN100380267C (en) * 1998-02-25 2008-04-09 艾利森电话股份有限公司 Method, arrangement and apparatus for authentication through communications network
US6430407B1 (en) 1998-02-25 2002-08-06 Telefonaktiebolaget Lm Ericsson (Publ) Method, apparatus, and arrangement for authenticating a user to an application in a first communications network by means of a mobile station communicating with the application through a second communications network
AU755054B2 (en) * 1998-02-25 2002-12-05 Telefonaktiebolaget Lm Ericsson (Publ) Method, arrangement and apparatus for authentication through a communications network
WO1999056520A3 (en) * 1998-04-23 1999-12-16 House Of Added Value Ab A method of storing and retrieving personal codes
WO1999056520A2 (en) * 1998-04-23 1999-11-11 House Of Added Value Ab A method of storing and retrieving personal codes
AU759955B2 (en) * 1998-07-08 2003-05-01 Telefonaktiebolaget Lm Ericsson (Publ) A method for securing access to a remote system
US6971027B1 (en) 1999-04-01 2005-11-29 Veneklase Brian J Computer security system
US7289799B1 (en) 1999-04-14 2007-10-30 Canon Kabushiki Kaisha Portable terminal apparatus and terminal apparatus
US6747755B1 (en) * 1999-04-14 2004-06-08 Canon Kabushiki Kaisha Code generation method, terminal apparatus, code processing method, issuing apparatus, and code issuing method
WO2000079366A1 (en) * 1999-06-21 2000-12-28 Catherin Mitta Method for the personal identification of mobile users
EP1107089A1 (en) * 1999-12-11 2001-06-13 Connectotel Limited Strong authentication method using a telecommunications device
EP1282044A4 (en) * 2000-03-03 2003-05-02 Eighting Kk Authenticating method
EP1980967A3 (en) * 2000-03-03 2009-01-28 Kabushiki Kaisha Eighting Individual certification method using musical sound data
EP2110768A1 (en) * 2000-03-03 2009-10-21 Kabushiki Kaisha Eighting Individual certification method using bar code
EP1282044A1 (en) * 2000-03-03 2003-02-05 Kabushiki Kaisha Eighting Authenticating method
GB2360860B (en) * 2000-03-29 2004-10-13 Ncr Int Inc A method of and apparatus for facilitating on-line transactions
GB2360860A (en) * 2000-03-29 2001-10-03 Ncr Int Inc Facilitating on-line transactions
WO2001080525A1 (en) * 2000-04-14 2001-10-25 Sun Microsystems, Inc. Network access security
GB2362489A (en) * 2000-05-15 2001-11-21 Tom Com Entpr Ltd Secure communication
NL1015398C2 (en) * 2000-06-07 2002-07-16 Helger Christian Bouterse User authentication in computer and telephone network, based on authorisation code transmitted as part of telephone number
WO2001099382A3 (en) * 2000-06-19 2002-03-21 Allen Robert Yaxley A method and system of controlling access to a remote location
WO2001099382A2 (en) * 2000-06-19 2001-12-27 Allen Robert Yaxley A method and system of controlling access to a remote location
WO2002013154A1 (en) * 2000-08-09 2002-02-14 Vodafone Holding Gmbh Method of payment at any sales or service establishment by mobile telephone
DE10040644A1 (en) * 2000-08-14 2002-02-28 Arndt Jablonowski Data transmitting method for Internet-based payment system, involves sending divided frames of payment data, to processor through two channels using different protocols
GB2366966B (en) * 2000-09-07 2002-08-07 Swivel Technologies Ltd Embedded synchronous random disposable code identification method and system
GB2366966A (en) * 2000-09-07 2002-03-20 Swivel Technologies Ltd Verifying the identity of a device or user in an electronic communications environment
US7392388B2 (en) 2000-09-07 2008-06-24 Swivel Secure Limited Systems and methods for identity verification for secure transactions
US7043635B1 (en) 2000-09-15 2006-05-09 Swivel Secure Limited Embedded synchronous random disposable code identification method and system
GB2369469B (en) * 2000-11-28 2002-10-23 Swivel Technologies Ltd Secure file transfer method and system
GB2369469A (en) * 2000-11-28 2002-05-29 Swivel Technologies Ltd Secure data transfer method
DE10102779A1 (en) * 2001-01-22 2002-08-29 Utimaco Safeware Ag Mobile phone transaction authorisation system has separate encrypted password link
WO2002084456A2 (en) * 2001-04-12 2002-10-24 Netdesigns Limited User identity verification system
GB2377523B (en) * 2001-04-12 2003-11-26 Netdesigns Ltd User identity verification system
WO2002084456A3 (en) * 2001-04-12 2003-10-30 Netdesigns Ltd User identity verification system
GB2377523A (en) * 2001-04-12 2003-01-15 Netdesigns Ltd User identity verification system
EP1253500A1 (en) * 2001-04-26 2002-10-30 Nokia Corporation Method and device for authenticating a user on a remote server
GB2379040A (en) * 2001-08-22 2003-02-26 Int Computers Ltd Controlling user access to a remote service by sending a one-time password to a portable device after normal login
US10083285B2 (en) 2001-08-29 2018-09-25 Nader Asghari-Kamrani Direct authentication system and method via trusted authenticators
US9727864B2 (en) 2001-08-29 2017-08-08 Nader Asghari-Kamrani Centralized identification and authentication system and method
US9703938B2 (en) 2001-08-29 2017-07-11 Nader Asghari-Kamrani Direct authentication system and method via trusted authenticators
US9870453B2 (en) 2001-08-29 2018-01-16 Nader Asghari-Kamrani Direct authentication system and method via trusted authenticators
US10769297B2 (en) 2001-08-29 2020-09-08 Nader Asghari-Kamrani Centralized identification and authentication system and method
CN1319000C (en) * 2001-10-19 2007-05-30 环球速度有限公司 System and method for controlling transmission of data packets over an information network
EP1313075A3 (en) * 2001-11-19 2005-07-13 Fujitsu Limited Electronic money processing method and program
EP1313075A2 (en) * 2001-11-19 2003-05-21 Fujitsu Limited Electronic money processing method and program
GB2387002A (en) * 2002-02-20 2003-10-01 1Revolution Group Plc Personal identification system and method using a mobile device
WO2003083793A2 (en) * 2002-04-03 2003-10-09 Swivel Secure Limited System and method for secure credit and debit card transactions
WO2003083793A3 (en) * 2002-04-03 2003-12-31 Swivel Technologies Ltd System and method for secure credit and debit card transactions
US7395050B2 (en) 2002-04-16 2008-07-01 Nokia Corporation Method and system for authenticating user of data transfer device
GB2391646A (en) * 2002-08-06 2004-02-11 James Andrew Groves Secure web page authenication method using a telephone number or SMS message
WO2004049139A1 (en) * 2002-11-26 2004-06-10 Siemens Aktiengesellschaft Method for authenticating and charging a subscriber of a radio network
EP1424617A1 (en) * 2002-11-26 2004-06-02 Siemens Aktiengesellschaft Method for authentication and charging for a sucbriber in a wireless network
CN100335987C (en) * 2002-11-26 2007-09-05 西门子公司 Method for authenticating and charging a subscriber of a radio network
US7809953B2 (en) 2002-12-09 2010-10-05 Research In Motion Limited System and method of secure authentication information distribution
WO2004054196A1 (en) 2002-12-09 2004-06-24 Research In Motion Limited System and method of secure authentication information distribution
US8677138B2 (en) 2002-12-09 2014-03-18 Blackberry Limited System and method of secure authentication information distribution
WO2005062613A1 (en) * 2003-12-18 2005-07-07 Nptv Method for accessing an interactive television session by short message (sms)
EP1578155A3 (en) * 2004-03-16 2006-08-23 Broadcom Corporation Integration of secure identification logic into cell phone
US7308250B2 (en) 2004-03-16 2007-12-11 Broadcom Corporation Integration of secure identification logic into cell phone
US7526295B2 (en) * 2004-03-16 2009-04-28 Broadcom Corporation Integration of secure identification logic into cell phone
US9106738B2 (en) 2005-01-11 2015-08-11 Telesign Corporation Registration, verification and notification system
US9300792B2 (en) 2005-01-11 2016-03-29 Telesign Corporation Registration, verification and notification system
US8462920B2 (en) 2005-01-11 2013-06-11 Telesign Corporation Registration, verification and notification system
US8687038B2 (en) 2005-01-11 2014-04-01 Telesign Corporation Registration, verification and notification system
US9049286B2 (en) 2005-01-11 2015-06-02 Telesign Corporation Registration, verification and notification system
FR2888691A1 (en) * 2005-07-13 2007-01-19 Gemplus Sa TRANSACTION AUTHORIZATION METHOD AND DEVICE
WO2007006771A1 (en) * 2005-07-13 2007-01-18 Gemplus Transaction authorization method and device
EP1840814A1 (en) * 2006-03-17 2007-10-03 Hitachi Software Engineering Co., Ltd. Verification system
EP1868125A1 (en) * 2006-06-16 2007-12-19 Savernova S.A. Method for identifying a user of a computer system
US10122715B2 (en) 2006-11-16 2018-11-06 Microsoft Technology Licensing, Llc Enhanced multi factor authentication
US9762576B2 (en) 2006-11-16 2017-09-12 Phonefactor, Inc. Enhanced multi factor authentication
WO2010115795A1 (en) 2009-04-06 2010-10-14 Giesecke & Devrient Gmbh Method for carrying out an application with the aid of a portable data storage medium
US9147064B2 (en) 2009-04-06 2015-09-29 Giescke & Devrient Gmbh Method for carrying out an application with the aid of a portable data storage medium
US10567385B2 (en) 2010-02-25 2020-02-18 Secureauth Corporation System and method for provisioning a security token
CN104429036A (en) * 2011-10-12 2015-03-18 科技商业管理有限公司 System for secure ID authentication
US8973109B2 (en) 2011-11-29 2015-03-03 Telesign Corporation Dual code authentication system
US9553864B2 (en) 2011-11-29 2017-01-24 Telesign Corporation Dual code authentication system
US9635026B2 (en) 2012-08-26 2017-04-25 Vokee Applications, Ltd. Verifying an application identifier on a mobile device through a telecommunication network
US9161222B2 (en) 2012-08-26 2015-10-13 Vokee Applications, Ltd. Verifying an association between an application and a mobile device through a telecommunication network
US9584512B2 (en) 2012-08-26 2017-02-28 Vokee Applications, Ltd. Verifying an association between an application and a mobile device through a telecommunication network
US9167431B2 (en) 2012-08-26 2015-10-20 Vokee Applications, Ltd. Verifying an application identifier on a mobile device through a telecommunication network
US9161223B2 (en) 2012-08-26 2015-10-13 Vokee Applications, Inc. Authorizing mobile application access to a service through a telecommunication network
US9166967B2 (en) 2012-09-26 2015-10-20 Telesign Corporation Comprehensive authentication and identity system and method
EP2738996A1 (en) * 2012-11-30 2014-06-04 Gemalto SA Method, device and system for accessing a server
WO2014083167A1 (en) * 2012-11-30 2014-06-05 Gemalto Sa Method, device and system for accessing a server
US9275211B2 (en) 2013-03-15 2016-03-01 Telesign Corporation System and method for utilizing behavioral characteristics in authentication and fraud prevention

Also Published As

Publication number Publication date
AU1390395A (en) 1995-08-01

Similar Documents

Publication Publication Date Title
WO1995019593A1 (en) A computer security system
US8041954B2 (en) Method and system for providing a secure login solution using one-time passwords
US8060753B2 (en) Biometric platform radio identification anti-theft system
US9269208B2 (en) Remote entry system
US5528231A (en) Method for the authentication of a portable object by an offline terminal, and apparatus for implementing the process
US5491752A (en) System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens
CA2023872C (en) Databaseless security system
US5371796A (en) Data communication system
US4310720A (en) Computer accessing system
US5499297A (en) System and method for trusted path communications
US5636280A (en) Dual key reflexive encryption security system
US4691355A (en) Interactive security control system for computer communications and the like
US6134661A (en) Computer network security device and method
US6130621A (en) Method and apparatus for inhibiting unauthorized access to or utilization of a protected device
CA2183629C (en) Method and apparatus for utilizing a token for resource access
US5317637A (en) Data exchange system with a check of the apparatus for its authentication status
US20060101047A1 (en) Method and system for fortifying software
EP0246823A2 (en) Data communication systems and methods
JPH10341224A (en) Authentication method in data transmission system and system to execute the authentication method
AU5157600A (en) Method of authenticating a tag
CN1561506A (en) Portable device and method for accessing data key actuated devices
US5208447A (en) Method for testing a terminal communicating with chip cards
EP0645688A1 (en) Method for the identification of users of telematics servers
US20040181673A1 (en) Method and apparatus for preventing unauthorized access to data and for destroying data upon receiving an unauthorized data access attempt
EP1188104A1 (en) Identification device for authenticating a user

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AM AT AU BB BG BR BY CA CH CN CZ DE DK EE ES FI GB GE HU JP KE KG KP KR KZ LK LR LT LU LV MD MG MN MW MX NL NO NZ PL PT RO RU SD SE SI SK TJ TT UA US UZ VN

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): KE MW SD SZ AT BE CH DE DK ES FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
ENP Entry into the national phase

Ref country code: US

Ref document number: 1996 682504

Date of ref document: 19960909

Kind code of ref document: A

Format of ref document f/p: F

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: CA

NENP Non-entry into the national phase

Ref country code: GB

Free format text: 950112 A 9614521