[US Patent]
Method and arrangement for secure authentication
IPC classification information
Country / type: United States (US) Patent, registered
International Patent Classification (IPC 7th edition): H04L-009/32; H04L-029/06; G06F-021/00
Application number: US-0083006 (2006-10-03)
Registration number: US-8335925 (2012-12-18)
Priority information: NO-20054549 (2005-10-03)
International application number: PCT/IB2006/002742 (2006-10-03)
§371/§102 date: 20080402
International publication number: WO2007/039806 (2007-04-12)
Inventor / address: Taugbøl, Petter
Applicant / address: Encap AS
Agent / address: Birch, Stewart, Kolasch & Birch, LLP
Citation information: cited-by count 7; cited patents 9
Abstract
A method and arrangement for utilising a generally available personal data terminal as a secure and reliable authentication factor for user authentication is described. Also disclosed is a method for secure transfer of data between two parties, a user and a service provider, where the user generates a unique authentication factor adapted for user authentication (104), called a user code, and the service provider registers the user's user code as an authentication factor. The method is useful for various security services involving a user and a service provider in electronic channels, where service providers are faced with the challenge of authenticating the users of their services.
Representative claims
1. A method for secure transfer of data between two parties, a user and a second party, comprising: a first session for generating a unique and new authentication factor/user code adapted for user authentication, a second session for registering the user's authentication factor(s)/user code(s) at the second party, and a third session for secure user authentication between the two parties for data transfer, the user being registered at the second party and the second party being a service provider, where the user at least uses a personal terminal comprising at least a central processing unit, a communication unit, and at least one client stored in a storage device or partly stored in the storage device adapted for user authentication, and where the at least one client includes capacity to generate and store random numbers,
wherein the first session comprises at least the steps of:
B.1) the at least one client generates a random number, using a generation capacity in the at least one client,
C.1) the at least one client stores the random number in the at least one client and names the stored random number a client reference,
D.1) the at least one client fetches a code being unique, associated with the personal terminal and residing in the personal terminal, and the at least one client fetches the client reference, and
E.1) the at least one client uses one or more calculating algorithms stored in the at least one client, where a representation of the code being unique to the personal terminal and the client reference are inputted to the one or more calculation algorithms, producing an output, a user code representing the user's possession of the personal terminal;
wherein the first session further comprises the additional steps of: D.1) comprises the additional step of requesting the user to enter a pass code on the personal terminal, and E.1) comprises the additional step of inputting the pass code to the calculation algorithm, producing an output, a reproducible user code, which represents the user's possession of the personal terminal and the knowledge of the pass code; and
wherein the second session, registering the user code at the second party, comprises at least the steps of:
A.2) the second party requests the user to register the user code in a user data at the second party,
B.2) providing the second party with authenticity information of the one or more clients, and
C.2) a terminating step where the said user code is forwarded to the second party and stored as a part of the user data associated with the user at the second party.

2. A method according to claim 1, wherein the third session comprises at least the steps of:
B.3) the at least one client fetches a code being unique, associated with the personal terminal and residing in the personal terminal,
C.3) the at least one client fetches a client reference, generated in a registration session between the first and the second party, and
D.3) uses one or more calculating algorithms stored in the at least one client, where a representation of the code being unique to the personal terminal and the client reference are inputted to the one or more calculation algorithms, producing an output, a user code, which represents the user's possession of the personal terminal to the service provider.

3. A method according to claim 2, wherein the third session further comprises at least an introductory step of:
A.3) providing the second party with authenticity information of the one or more clients; and
E.3) a terminating step where the output from the one or more calculation algorithms on the personal terminal is forwarded to the second party.

4. A method according to claim 2, wherein step D.3) comprises the additional steps of: the first party enters a pass code on the personal terminal; the said pass code is used as an additional input to the calculation algorithm, producing an output, a user code, which represents the user's possession of the personal terminal and the knowledge of the pass code.

5. A method according to claim 1, wherein the at least one client resides partly on the personal terminal and partly on a proxy server.

6. A method according to claim 5, wherein the first, second and third session comprise on the personal terminal at least the steps of:
A.4) providing the proxy server with authenticity information of the at least one client, and
B.4) the at least one client fetches a code being unique, associated with the personal terminal and residing in the personal terminal, and forwards the said code to the proxy server.

7. A method according to claim 6, wherein step B.4) comprises the additional steps of: the user enters a pass code on the personal terminal, and the said pass code is forwarded to the proxy server.

8. A method according to claim 5, wherein the first, second and third session comprise on the proxy server at least the steps of:
A.5) receiving from the at least one client on the personal terminal the code being unique, associated with the personal terminal and residing in the personal terminal,
B.5) the at least one client on the proxy server fetches a client reference, generated in the first session, and
C.5) using one or more calculating algorithms stored in the at least one client on the proxy server, where a representation of the code being unique to the personal terminal and the client reference are inputted to the one or more calculation algorithms, producing an output, a user code, which represents the user's possession of the personal terminal to the service provider.

9. A method according to claim 8, wherein step B.5) comprises the additional step of receiving from the at least one client on the personal terminal a pass code, and step C.5) comprises the additional step of using the said pass code as additional input to the calculation algorithm, producing an output, a user code, representing the user's possession of the personal terminal and the knowledge of the pass code.

10. A method according to claim 1, wherein the third session comprises at least the steps of:
A.6) inputting an information element to the personal terminal;
B.6) producing the said user code on the at least one client;
C.6) inputting the said user code and the information element to the one or more calculation algorithms, producing an output, the signature code.

11. A method according to claim 10, wherein, where the second party has stored in a user file the user name and one or more user codes of the user, and has access to the same one or more calculation algorithms as the one or more clients present on the proxy or on the personal terminal of the user, and has access to the information element, and there is at least one communication channel between the personal terminal and the second party, the third session further comprises at least the steps of:
D.6) the user name is forwarded from the user to the second party,
E.6) the signed element is forwarded to the second party,
F.6) the second party inputs the user code stored in the user file and the information element to the one or more calculation algorithms, producing an output, the signature code,
G.6) the second party compares the signature code outputted from the one or more calculation algorithms and the signature code forwarded from the user, and if the two signature codes are equal, the information received from the user is authentic.

12. A method according to claim 10, further comprising establishing for the second and third session a two-channel communication between the first and the second party, where the first channel, channel1, is between the personal terminal and the second party, and the second channel, channel2, is between a second terminal accessible to the first party and the second party.

13. A method according to claim 12, further comprising forwarding the user name from the user to the second party in channel2, forwarding the information element from the second party to the user in channel2 and forwarding the signed element from the first party to the second party in channel1.

14. A method according to claim 12, further comprising forwarding the user name from the user to the second party in channel2, forwarding the information element from the second party to the user in channel1 and forwarding the signed element from the user to the second party in channel1.

15. A method according to claim 12, further comprising forwarding the user name from the user to the second party in channel2, forwarding the information element from the second party to the user in channel1 and forwarding the signed element from the user to the second party in channel2.

16. A method according to claim 1, further comprising using an IMEI number, a MAC, a processor number, an Electronic Product Code (EPC) or a SIM serial number (SSN) as the code being unique, associated with the personal terminal and residing in the personal terminal.

17. A method according to claim 1, wherein the user uses any user input to the personal terminal, such as alphanumeric and numeric characters, representation of voice or biometric data, as the pass code.

18. A system for secure user authentication between two parties, where the first party is a user which at least uses a personal terminal comprising at least a central processing unit, a communication unit, and a storage device adapted to store one or more clients or adapted to partly store one or more clients adapted for user authentication, where the second party is a service provider, wherein the one or more clients at least comprise: one or more calculation algorithms, input parameters from a code being unique, associated with the personal terminal and residing in the personal terminal, the code being an IMEI number, a MAC, a processor number, an electronic product code (EPC) or a SIM serial number (SSN), and a processor and a memory to perform the steps of:
generating a random number, using a generation capacity in the at least one client;
storing the random number in the at least one client and naming the stored random number a client reference;
fetching a code being unique, associated with the personal terminal and residing in the personal terminal;
requesting the user to enter a pass code on the personal terminal;
inputting a representation of the code being unique to the personal terminal, the client reference, and the pass code to the one or more calculation algorithms stored in the at least one client, producing an output, a reproducible user code representing the user's possession of the personal terminal and the knowledge of the pass code;
receiving a request from the second party to register the user code in a user data at the second party;
providing the second party with authenticity information of the one or more clients;
forwarding the user code to the second party, and storing it as a part of the user data associated with the user at the second party; and
securing communication with a server.

19. The system according to claim 18, further comprising input parameters from the user, the input parameters being alphanumeric and numeric characters, representation of voice or biometric data.

20. The system according to claim 18, further comprising a second terminal for unidirectional or bidirectional communication between the user and the second party.

21. The system according to claim 18, further comprising a proxy server comprising at least:
a receiving device configured to receive input parameters from the one or more clients on the personal terminal,
one or more calculation algorithms,
a generating device adapted to generate and store random numbers in the one or more clients,
a first identification device adapted to identify itself to the one or more clients on the personal terminal and to identify the one or more clients on the personal terminal,
a second identification device adapted to identify itself to the second party and to identify the second party, and
a communication device configured for secure communication with a server.

22. The system according to claim 18, wherein the personal terminal is one of the following: a mobile telephone, a PDA comprising a communication unit, a computer entertainment terminal comprising a communication unit or a portable computer comprising a communication unit.

23. The system according to claim 18, wherein the personal terminal is adapted to download the one or more clients using a wireless or wired communication unit.
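The three sessions of claims 1, 10 and 11 (user-code generation, registration, and challenge-bound signature verification) as an added worked example; this is not the patent's own code. It assumes HMAC-SHA256 in place of the unspecified "calculation algorithm", a constructed placeholder for the device-unique code, and a random nonce as the service provider's information element.

```python
import hashlib
import hmac
import secrets

def generate_client_reference() -> bytes:
    # Steps B.1/C.1: the client draws a random number and keeps it as the client reference.
    return secrets.token_bytes(16)

def user_code(device_code: str, client_ref: bytes, pass_code: str = "") -> str:
    # Steps D.1/E.1: device-unique code + client reference (+ pass code) -> user code.
    # Assumption: HMAC-SHA256 keyed with the client reference stands in for the patent's
    # unspecified "calculation algorithm"; the device code enters only as its SHA-256
    # digest, so the raw IMEI/MAC/SSN itself never leaves the terminal.
    device_rep = hashlib.sha256(device_code.encode()).digest()
    return hmac.new(client_ref, device_rep + pass_code.encode(), hashlib.sha256).hexdigest()

def signature_code(code: str, information_element: str) -> str:
    # Step C.6: the user code and the information element produce the signature code.
    return hmac.new(bytes.fromhex(code), information_element.encode(), hashlib.sha256).hexdigest()

class ServiceProvider:
    # Second party: keeps the user file of claim 11 and recomputes signature codes.
    def __init__(self) -> None:
        self.user_file = {}  # user name -> registered user code (a stored secret; protect at rest)

    def register(self, user_name: str, code: str) -> None:
        # Steps A.2-C.2: the user code becomes part of the user's data at the second party.
        self.user_file[user_name] = code

    def information_element(self) -> str:
        # Step A.6. Assumption: a fresh random nonce, so a captured signature code is single-use.
        return secrets.token_hex(16)

    def verify(self, user_name: str, element: str, presented: str) -> bool:
        # Steps F.6/G.6: recompute from the stored user code and compare in constant time.
        stored = self.user_file.get(user_name)
        if stored is None:
            return False
        return hmac.compare_digest(signature_code(stored, element), presented)

def run_sessions(device_code: str, pass_code: str, client_ref: bytes) -> bool:
    # First, second and third session end to end for one user; returns the verifier's verdict.
    sp = ServiceProvider()
    code = user_code(device_code, client_ref, pass_code)
    sp.register("alice", code)
    element = sp.information_element()
    return sp.verify("alice", element, signature_code(code, element))
```

Because the second party stores the user code itself (claim 1, step C.2), the user file is as sensitive as a password database; the verifier recomputes the signature rather than receiving the user code in the third session.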
Sohya, Toshio; Aoki, Yoshinori. Client server system, server, client, proxy server control method, proxy server function provision method, storage medium and program transmission apparatus.
King, Julie H.; Kirkman, Susan D.; Labrecque, Daniel J.; Overby, Jr., Linwood H.; Pogue, Steven Wayne. Technique for handling subsequent user identification and password requests within a certificate-based host session.