DE102010018237A1 - Method for granting access of protected resources in communication system, involves generating one-time password which is combination of consumer personal identification number (PIN) and security code and transmitting password to consumer - Google Patents
- Publication number: DE102010018237A1
- Authority: DE (Germany)
- Prior art keywords: consumer, security code, pin, authentication, resource
- Prior art date:
- Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Ceased
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
      - G06Q10/00—Administration; Management
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
            - H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
          - H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
          - H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
Field of the invention
The present invention relates generally to a method for authenticating consumers (proving and verifying their identity) to protected resources by means of communication systems.
Description
Username and password are still the standard combination for authentication to the most diverse systems in information technology. Their susceptibility to disclosure and spying (e.g. keyloggers, man-in-the-middle attacks, phishing) is well known.
These drawbacks have so far usually been countered with token-based authentication systems (e.g. RSA SecurID, "Method and apparatus for positively identifying an individual", US Patent
The invention specified in claim 1 addresses the problems of reducing the attack vectors, simplifying the operation of the authentication system and lowering its cost.
These problems are countered by the features listed in claim 1.
The advantages achieved by the invention consist in particular in that, instead of a static password, a one-time password (the authentication code) is used, and no tokens, which are costly to procure and operate, are required. The security level can be varied flexibly and per consumer through the number of symbols in the PIN and in the security code, and through different transmission paths for the security code and for the authentication code.
An embodiment of the invention is shown in the drawing and is described in more detail below.
The figures show:
The invention is explained below with reference to the drawings, in terms of the structure and, where applicable, the mode of operation of the invention shown.
Fig. 1 – Overall process
- Situation: The consumer wants to access the resource.
- Problem: To do so, he must authenticate himself.
- Solution: The authentication process
  - 1.1 The consumer enters his unique consumer identifier at the client and has the client transmit it to the authentication instance.
  - 1.2 The client transmits the consumer identifier to the authentication instance.
  - 1.3 The authentication instance reads the consumer-specific parameters (PIN and security code length) from the consumer database and generates a random security code.
  - 1.4 The authentication instance delivers the security code to the client.
  - 1.5 The consumer combines the security code displayed on the client with his PIN and obtains the authentication code (per Fig. 2).
  - 1.6 The consumer transmits the authentication code to the resource.
  - 1.7 The resource transmits its unique resource ID and the consumer's authentication code to the authentication instance.
  - 1.8 The authentication instance determines the normalized consumer PIN by combining the authentication code and the security code. The normalized consumer PIN is encrypted and compared with the encrypted normalized PIN stored in the consumer database.
  - 1.9 The authentication instance returns the result of this comparison (True = successful, False = failed) to the resource.
  - 1.10 The resource grants or denies the consumer its use according to the result (from 1.9).
Fig. 2 – Strike-out method
- Situation: The consumer knows only his PIN and has a client for retrieving a security code from the authentication instance.
- Problem: The consumer must determine the authentication code for his authentication.
- Solution: The strike-out method. The consumer strikes from the displayed security code all symbols whose positions correspond to his PIN. The remaining symbols form the authentication code.
Fig. 3 – PIN normalization
- Situation: In Fig. 4 the authentication instance determines the PIN digits in an implementation-dependent fixed order.
- Problem: In the strike-out method, PINs with the same symbols in a different order lead to the identical authentication code, so the PIN determined in Fig. 4 will deviate from the original PIN.
- Solution: The original PIN is normalized, i.e. its symbols are sorted into a predetermined order. The encrypted original PIN and the encrypted normalized PIN are stored in the consumer database.
Fig. 4 – PIN recovery
- Situation: The authentication instance receives the consumer's authentication code from the resource and has the associated security code stored.
- Problem: Determining the PIN.
- Solution: Position-by-position comparison of the authentication code with the security code. Each gap corresponds to one PIN digit. The set of gaps thus yields the PIN in normalized form.
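The following is an added worked model of the whole flow of Figs. 1 to 4 (issue of the security code, strike-out on the client, gap recovery and comparison on the authentication instance). It is example code written for this page, not the patent's implementation; the class and function names, the symbol set, the salted iterated hash standing in for the "encryption" of the stored PINs, and the convention that a PIN digit d names position d (0-based) of the security code are all assumptions of this example. Two practitioner details the description leaves open are made explicit: the security code is sampled without repeated symbols so that the position-wise comparison of Fig. 4 has exactly one answer, and an issued security code is consumed on first verification so that the same authentication code cannot be accepted twice.

```python
"""Added worked model of the strike-out one-time-password scheme of Figs. 1-4.
Illustrative code only, not the patent's implementation; all names are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Constructed symbol set for security codes (no look-alike characters).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def protect(value: str, salt: bytes) -> bytes:
    """Stand-in for the 'encryption' of the stored PINs: a salted, iterated hash
    (assumption: the description names no concrete mechanism)."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)


def normalize_pin(pin: str) -> str:
    """Fig. 3: sort the PIN symbols into a fixed order (ascending digits)."""
    return "".join(sorted(pin))


def strike_out(security_code: str, pin: str) -> str:
    """Fig. 2, on the client: strike the symbols at the positions named by the
    PIN; the remaining symbols form the authentication code.
    Assumption: PIN digit d denotes 0-based position d of the security code."""
    struck = {int(d) for d in pin}
    if max(struck) >= len(security_code):
        raise ValueError("security code shorter than the highest PIN position")
    return "".join(sym for i, sym in enumerate(security_code) if i not in struck)


def recover_gaps(security_code: str, auth_code: str) -> Optional[List[int]]:
    """Fig. 4, on the authentication instance: walk both codes in step; every
    security-code position without a matching symbol is a gap, i.e. one PIN
    digit. Gaps come out in ascending order, which is the normalized PIN of
    Fig. 3. Returns None if auth_code was not derived from security_code."""
    gaps, j = [], 0
    for i, sym in enumerate(security_code):
        if j < len(auth_code) and auth_code[j] == sym:
            j += 1
        else:
            gaps.append(i)
    return gaps if j == len(auth_code) else None


@dataclass
class ConsumerRecord:
    code_len: int                        # consumer-specific code length (step 1.3)
    salt: bytes
    pin_hash: bytes                      # protected original PIN (Fig. 3)
    norm_pin_hash: bytes                 # protected normalized PIN (Fig. 3)
    pending_code: Optional[str] = None   # issued security code, not yet used


class AuthenticationInstance:
    def __init__(self) -> None:
        self.consumers = {}
        self.audit = []   # (consumer_id, resource_id, result) per verification

    def enroll(self, consumer_id: str, pin: str, code_len: int = 10) -> None:
        # Each PIN digit strikes one position, so the digits must be distinct.
        if not (pin.isdigit() and len(set(pin)) == len(pin)):
            raise ValueError("PIN must consist of distinct digits")
        if code_len < 10:
            raise ValueError("security code must cover positions 0-9")
        salt = secrets.token_bytes(16)
        self.consumers[consumer_id] = ConsumerRecord(
            code_len, salt, protect(pin, salt), protect(normalize_pin(pin), salt))

    def issue_security_code(self, consumer_id: str) -> str:
        """Steps 1.2-1.4. Sampling without replacement keeps every symbol
        distinct, so the gap positions in recover_gaps are unambiguous."""
        rec = self.consumers[consumer_id]
        rec.pending_code = "".join(
            secrets.SystemRandom().sample(ALPHABET, rec.code_len))
        return rec.pending_code

    def verify(self, consumer_id: str, resource_id: str, auth_code: str) -> bool:
        """Steps 1.7-1.9. Assumption: the resource names the consumer whose code
        it forwards. The pending code is consumed on first use (one-time)."""
        rec = self.consumers.get(consumer_id)
        result = False
        if rec is not None and rec.pending_code is not None:
            security_code, rec.pending_code = rec.pending_code, None
            gaps = recover_gaps(security_code, auth_code)
            if gaps is not None:
                candidate = "".join(str(i) for i in gaps)   # normalized PIN
                result = hmac.compare_digest(protect(candidate, rec.salt),
                                             rec.norm_pin_hash)
        self.audit.append((consumer_id, resource_id, result))
        return result


def run_protocol(enrolled_pin: str = "4271", entered_pin: Optional[str] = None):
    """Whole Fig. 1 flow; returns (first verification, replay of the same code)."""
    entered_pin = entered_pin or enrolled_pin
    ai = AuthenticationInstance()
    ai.enroll("consumer-1", enrolled_pin)                       # constructed id
    code = ai.issue_security_code("consumer-1")                 # steps 1.1-1.4
    auth_code = strike_out(code, entered_pin)                   # step 1.5, client
    first = ai.verify("consumer-1", "resource-A", auth_code)    # steps 1.6-1.9
    replay = ai.verify("consumer-1", "resource-A", auth_code)   # code consumed
    return first, replay


if __name__ == "__main__":
    print(run_protocol())                 # (True, False)
    print(run_protocol("4271", "1247"))   # same digits, other order: (True, False)
    print(run_protocol("4271", "4275"))   # wrong PIN: (False, False)
```

The second call shows the effect the normalization of Fig. 3 is there for: a PIN with the same digits in another order strikes the same positions, produces the same authentication code and therefore verifies. The greedy position-wise walk in recover_gaps is only exact because no symbol repeats within a security code; a code with repeated symbols could be explained by more than one set of gaps, which is why this example samples without replacement rather than drawing each symbol independently.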
CITATIONS CONTAINED IN THE DESCRIPTION
This list of the documents cited by the applicant was generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.
Cited patent literature
- US 4720860 [0003]
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE201010018237 DE102010018237A1 (en) | 2010-04-23 | 2010-04-23 | Method for granting access of protected resources in communication system, involves generating one-time password which is combination of consumer personal identification number (PIN) and security code and transmitting password to consumer |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE201010018237 DE102010018237A1 (en) | 2010-04-23 | 2010-04-23 | Method for granting access of protected resources in communication system, involves generating one-time password which is combination of consumer personal identification number (PIN) and security code and transmitting password to consumer |
Publications (1)
Publication Number | Publication Date |
---|---|
DE102010018237A1 (en) | 2011-10-27 |
Family
ID=44751392
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
DE201010018237 DE102010018237A1 (en), ceased | 2010-04-23 | 2010-04-23 | Method for granting access of protected resources in communication system, involves generating one-time password which is combination of consumer personal identification number (PIN) and security code and transmitting password to consumer |
Country Status (1)
Country | Link |
---|---|
DE (1) | DE102010018237A1 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4720860A (en) | 1984-11-30 | 1988-01-19 | Security Dynamics Technologies, Inc. | Method and apparatus for positively identifying an individual |
US20080028447A1 (en) * | 2006-02-10 | 2008-01-31 | Rsa Security Inc. | Method and system for providing a one time password to work in conjunction with a browser |
US20090259588A1 (en) * | 2006-04-24 | 2009-10-15 | Jeffrey Dean Lindsay | Security systems for protecting an asset |
- 2010
  - 2010-04-23: DE DE201010018237, published as DE102010018237A1, not active (ceased)
Similar Documents
Publication | Title |
---|---|
EP3574625B1 (en) | Method for carrying out an authentication |
EP3175384B1 (en) | Method and apparatus for logging into medical devices |
DE112008000298B4 (en) | A method for generating a digital fingerprint by means of a pseudorandom number code |
DE102011089580B3 (en) | Method for reading e.g. attribute stored in passport, for electronic-commerce application, involves examining whether attribute of security assertion markup language response fulfills criterion as premiss for contribution of service |
DE13771788T1 (en) | Secure authentication in a multiparty system |
EP3528159B1 (en) | Method for generating a pseudonym with the help of an id token |
EP1964042A1 (en) | Method for the preparation of a chip card for electronic signature services |
EP3767513B1 (en) | Method for secure execution of a remote signature, and security system |
EP3435265A1 (en) | Method for secure authentication for devices which can be connected to a server connectible devices, in particular for access control devices or payment or vending machine of an access control system |
EP3244360A1 (en) | Method for registration of equipment, in particular for access control devices or payment or vending machines in a server of a system comprising several such devices |
EP2631837B1 (en) | Method for generating a pseudonym with the help of an ID token |
DE102010018237A1 (en) | Method for granting access of protected resources in communication system, involves generating one-time password which is combination of consumer personal identification number (PIN) and security code and transmitting password to consumer |
DE112005002423B4 (en) | Method, apparatus and system for maintaining a permanent wireless network connection |
DE102015210294A1 (en) | Client device and server device for secure activation of functions of a client |
DE102010031932A1 (en) | Method for access control to building or room of building for automation system, involves releasing access in case of successful authentication when safety token is authenticated at controller within preset time span |
DE102009044173A1 (en) | Cross-matching of typing behavior data to authenticate and / or identify a person |
EP3210357B1 (en) | Method for authenticating a user device during the process of logging into a server |
DE102019200925A1 (en) | Method and device for generating and checking a one-time password |
DE102021125572B9 (en) | Method for performing an authentication process by an individual system user |
EP2230648A1 (en) | Single-use code mask for deriving a single-use code |
EP3792794B1 (en) | Fingerprint detection device |
EP3279821A1 (en) | Method and device for authenticating a user for using a plurality of applications or services in a computer network |
DE102005025447A1 (en) | Wireless authentication login system`s accessing method, involves transmitting authentication request message to wireless authentication device by authentication module, and receiving access codes from device by module |
EP2774075A1 (en) | Method and system for authenticating a user by an application |
DE102017109832A1 (en) | Method and data processing system for providing and using a session PIN for a safety-critical process for authenticating a user and / or a data object |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| R002 | Refusal decision in examination/registration proceedings | |
| R003 | Refusal decision now final | Effective date: 20120412 |