
WO2008086567A1 - Interactive process - Google Patents


Info

Publication number
WO2008086567A1
Authority
WO
WIPO (PCT)
Prior art keywords
input device
information
gatekeeper
data
gateway
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/AU2008/000037
Other languages
English (en)
Inventor
Michael Joseph Knight
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2007900241A
Application filed by Individual
Priority to AU2008207334A
Publication of WO2008086567A1
Anticipated expiration
Legal status: Ceased (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/12 Applying verification of the received information
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • the present invention relates to a method and apparatus for performing an interaction, and in particular to performing a secure interaction using an interaction device.
  • a communications system such as the Internet
  • some form of security protocol can include, for example, the use of identifiers, such as a username and password, to allow parties to be identified, as well as the use of encryption or the like, to prevent eavesdropping by third parties.
  • the interaction is between a user and a second party, such as a corporation
  • security is normally controlled by the second party.
  • the second party provides the user with an identifier, so that the second party can subsequently use the identifier to authenticate the user. This allows the user to be identified by the second party, in turn allowing interactions to be performed.
  • the first party, the user
  • the user could attempt to interact with the second party using a compromised device, which in turn can again allow third parties to fraudulently obtain the user's identifier, and/or monitor the interaction.
  • a public terminal such as in an Internet cafe or airport lounge.
  • the present invention provides a method of performing a secure interaction, the method including, in an input device: a) performing a checking operation using first information, to thereby confirm input device integrity; b) providing second information received from a user, to a gatekeeper, the gatekeeper being responsive to the second information to: i) perform authentication; and, ii) establish communication between the input device and a service provider in response to a successful authentication; and, c) communicating with the service provider in accordance with user input to thereby perform the secure interaction.
  • the input device is connected to an identity device, and wherein the method includes, in the input device, performing the checking operation at least in part using information provided on the identity device.
  • the method includes, in the input device: a) receiving the first information from the user; b) accessing first data from a first store at least partially using the first information; and, c) in an internal processing system, using the first data to confirm input device integrity.
  • the first data is stored as encrypted first data
  • the method includes, in the internal processing system, decrypting the first data using the first information.
  • the method includes, in the input device: a) accessing an algorithm from a store; b) generating a first key at least in part using the first information and the algorithm; and, c) decrypting the first data using the first key.
  • the method includes, in the input device: a) accessing second data from a second store; and, b) in the internal processing system, comparing at least some of the first and second data to thereby confirm input device integrity.
  • the input device is connected to an identity device via a connection, and wherein the method includes, in the input device accessing at least one of first and second stores via the connection.
  • the method includes, in the input device, updating at least one of a sequence number and an executable file stored in the identity device.
  • the method includes, in the input device, receiving at least one of an updated sequence number and an updated executable file, from the gatekeeper.
  • the method includes, in the input device: a) authenticating the identity device; and, b) performing the checking operation in response to successful authentication.
  • the method includes, in the input device: a) checking the integrity of the identity device; and, b) generating an indication of the integrity using an indicator.
  • the input device is coupled to a computer system, and wherein, the method includes, in the input device and in response to confirming the integrity of the input device: a) determining a service list from a store; and, b) transferring the service list to the computer system, the computer system being responsive to the service list to display a list of available services.
  • the method includes, in the input device: a) determining a service indication in accordance with a user input; and, b) transferring the service indication to the computer system, the computer system being responsive to the service indication to: i) determine a gatekeeper; and, ii) enable communication between the gatekeeper and the input device.
  • the method includes, in the input device, communicating with the gatekeeper via a computer system having a software agent installed thereon.
  • the method includes, in the input device: a) communicating with a computer system to determine if a software agent is installed; and, b) if no software agent is installed; i) accessing a software agent from a second store; and, ii) transferring the software agent to the computer system.
  • the method includes, in the input device: a) receiving the second information from the user; b) receiving a second key from the gatekeeper; c) encrypting the second information using the second key; and, d) transferring the encrypted second information to the gatekeeper, the gatekeeper being responsive to: i) decrypt the encrypted second information; and, ii) compare the second information to predetermined second information to thereby perform the authentication.
  • the method includes, in the input device: a) mutually authenticating the gatekeeper; and, b) transferring the second information in response to a successful mutual authentication.
  • the method includes, in the input device: a) accessing a fourth key from the first store; and, b) performing the mutual authentication at least in part using the fourth key.
  • the method includes, in the input device: a) receiving connection data from the gatekeeper in response to a successful authentication; and, b) communicating with the service provider using the connection data.
  • connection data includes a resource locator
  • the method includes, in the input device, providing the resource locator to a computer system, the computer system using the resource locator to establish the connection with the service provider.
  • the method includes, in the input device: a) determining a second session key; and, b) communicating with the service provider at least in part using the second session key.
  • the method includes, in the input device, communicating with the service provider via a gateway.
  • the method includes, in the input device: a) receiving user inputs; b) encrypting the user inputs; and, c) transferring the encrypted inputs to a gateway, the gateway being responsive to decrypt the inputs and provide the inputs to the service provider.
  • the method includes, in the input device: a) performing encryption using at least one encryptor; and, b) causing an indication of an encryptor status to be displayed using at least one of: i) an indicator provided on the input device; and, ii) a computer system.
  • the method includes, in the input device, using an indicator for indicating at least one of: a) integrity and/or authenticity of an identity device; b) integrity and/or authenticity of the gatekeeper; c) integrity and/or authenticity of a gateway; d) success or otherwise of authentication; and, e) success or otherwise of agent initialisation.
  • the method further includes having the user undergo authentication with the service provider.
  • the method is performed at least in part using an identity device owned by a user, to thereby allow the user to establish a trust relationship with the gateway.
  • the method uses user centric security.
  • the user centric security facilitates the service provider's services in a manner suitable to the service provider's security model.
  • the method includes, having the user self validate using special hardware and software first locally and then remotely.
  • the method assumes a computer system to which the input device is connected is untrusted.
  • the method uses a secure interaction device formed from a secure input device and a secure user identity device.
  • the method creates a secure connection between the interaction device and a gateway mediated by a trusted third party device.
  • the method ensures provenance of the local hardware, local software, keys, and remote devices and their software to a user.
  • the method separates and updates encryption keys in a one-time manner.
  • the first data includes encrypted provenance information, and wherein second data includes public provenance information.
  • the present invention provides apparatus for performing a secure interaction, the apparatus including an input device for: a) performing a checking operation using first information, to thereby confirm input device integrity; b) providing second information received from a user, to a gatekeeper, the gatekeeper being responsive to the second information to: i) perform authentication; and, ii) establish communication between the input device and a service provider in response to a successful authentication; and, c) communicating with the service provider in accordance with user inputs to thereby perform the secure interaction.
  • the input device includes: a) an input, for receiving inputs from a user; b) a connector for allowing connection to a computer system; and, c) an internal processing system for at least one of: i) controlling the operation of the input device; ii) interpreting inputs received via the input device; and, iii) performing encryption; iv) communicating with at least one of:
  • the input device includes an indicator for indicating at least one of: a) integrity and/or authenticity of the identity device; b) integrity and/or authenticity of the gatekeeper; c) integrity and/or authenticity of the gateway; d) success or otherwise of authentication; and, e) success or otherwise of agent initialisation.
  • the input device includes a connector for allowing connection to an identity device.
  • the input device includes an encryptor for encrypting communication.
  • the input device performs the method of the first broad form of the invention.
  • the present invention provides a method of performing a secure interaction, the method including, in an identity device, providing first data to an input device from a first store, the input device being responsive to transfer the first data to an internal processing system, the internal processing system being responsive to use the first data to confirm input device integrity.
  • the method includes, in the identity device, providing second data to an input device from a second store, the input device being responsive to transfer the second data to the internal processing system, the internal processing system being responsive to use the first and second data to confirm input device integrity.
  • the first data is stored as encrypted first data to thereby allow the first data to be decrypted at least in part using first information.
  • the first store stores an algorithm, the first information and the algorithm being used to determine a first key for decrypting the first data.
  • the method includes, in the identity device, interacting with an input device to perform the method of the first broad form of the invention.
  • the method includes, in the identity device, using an indicator for indicating at least one of: a) integrity and/or authenticity of the input device; b) integrity and/or authenticity of a gatekeeper; c) integrity and/or authenticity of a gateway; d) success or otherwise of authentication; and, e) success or otherwise of agent initialisation.
  • the present invention provides apparatus for performing a secure interaction, the apparatus including a first store for storing first data, the first data being provided to an input device, the input device being responsive to transfer the first data to an internal processing system, the internal processing system being responsive to use the first data to confirm input device integrity.
  • the identity device includes a second store for storing second data, the second data being provided to an input device, the input device being responsive to transfer the second data to the internal processing system, the internal processing system being responsive to use the first data to confirm input device integrity.
  • the second store stores at least one of: a) provenance information; and, b) a copy of an agent application.
  • the first store stores at least one of: a) encrypted provenance information; b) encrypted first information; c) an encrypted sequence number; d) encrypted provenance information; e) an encrypted service list; f) a first encryption key; and, g) a fourth encryption key.
  • the identity device includes a connector for connecting to the input device.
  • the apparatus includes an indicator for indicating at least one of: a) integrity and/or authenticity of the input device; b) integrity and/or authenticity of a gatekeeper; c) integrity and/or authenticity of a gateway; d) success or otherwise of authentication; and, e) success or otherwise of agent initialisation.
  • the apparatus is for performing the method of the third broad form of the invention.
  • the present invention provides a method of performing a secure interaction, the method including, in a gatekeeper: a) receiving second information from an input device; b) performing authentication using both the second information and user information; and, c) establishing communication between the input device and a service provider in response to a successful authentication, the input device communicating with the service provider in accordance with user inputs to thereby perform the secure interaction.
  • the method includes, in a gatekeeper: a) providing a second session key to the input device, the input device being responsive to encrypt the second information using the second session key; b) receiving encrypted second information; c) decrypting the encrypted second information; and, d) comparing the second information to predetermined second information to thereby perform the authentication.
  • the method includes, in the gatekeeper: a) mutually authenticating the input device; and, b) providing the second session key in response to a successful mutual authentication.
  • the method includes, in the gatekeeper, communicating with the input device via a computer system.
  • the method includes, in the gatekeeper, providing connection data to the input device in response to a successful authentication, the connection data being used to establish a secure connection between the gateway and the input device.
  • the method includes, in the gatekeeper, receiving the connection data from a gateway.
  • connection data includes a resource locator
  • the input device is responsive to the resource locator to provide the resource locator to a computer system, the computer system using the resource locator to establish communication with the gateway.
  • the method includes, in the gatekeeper: a) determining a service indication in accordance with a user input provided via the input device; and, b) determining a gateway using the service indication.
  • the method includes, in the gatekeeper, performing authentication of an input device performing the method of the first broad form of the invention.
  • the present invention provides apparatus for performing a secure interaction, the apparatus including a gatekeeper for: a) receiving second information from an input device; b) receiving user information via an input device; c) performing authentication using the second information; and, d) establishing communication between the input device and a service provider in response to a successful authentication, the input device being responsive to communicate with the service provider in accordance with user inputs to thereby perform the secure interaction.
  • the gatekeeper is a suitably programmed processing system.
  • the apparatus is for performing the method of the fifth broad form of the invention.
  • the present invention provides a method for performing a secure interaction, the method including, in a gateway: a) in response to a successful authentication by a gatekeeper, generating connection data; b) transferring the connection data to the gatekeeper, the gatekeeper being responsive to provide the connection data to an input device, thereby allowing a connection to be established between the input device and a service provider; and, c) transferring communication between the input device and the service provider.
  • the method includes, in the gateway: a) generating the resource locator in accordance with a service selection, the service selection being indicative of a selected service provider; and, b) generating the connection data using the resource locator, thereby allowing an input device to establish a connection via a computer system with the selected service provider via the gateway.
  • the resource locator has a limited life span.
  • the method includes, in the gateway: a) receiving a connection request from a computer system, the connection request being at least partially based on a resource locator; b) establishing a connection in response to the received connection request.
  • the method includes, in the gateway: a) determining if the resource locator has expired; and, b) establishing the connection if the resource locator has not expired.
  • the method includes, in the gateway: a) receiving encrypted communication from the input device; b) decrypting the encrypted communication; and, c) transferring the decrypted communication to the service provider.
  • the present invention provides apparatus for performing a secure interaction, the apparatus including a gateway for: a) in response to a successful authentication by a gatekeeper, generating connection data; b) transferring the connection data to the gatekeeper, the gatekeeper being responsive to provide the connection data to an input device, thereby allowing a connection to be established between the input device and a service provider; and, c) transferring communication between the input device and the service provider.
  • the gatekeeper is a suitably programmed processing system.
  • the apparatus is for performing the method of the seventh broad form of the invention.
  • the present invention provides a method of performing a secure interaction, the method including: a) performing a checking operation using first information provided via an input device, to thereby confirm input device integrity; b) performing remote authentication of second information provided via the input device; c) establishing a connection with a service provider in response to a successful authentication; d) performing secure interaction with the service provider using the established connection.
  • the method includes: a) connecting an identity device to the input device; and, b) performing the checking operation at least in part using first data stored on the identity device.
  • the method includes, performing the remote authentication in a gatekeeper, the gatekeeper being used to establish a connection between the input device and the service provider.
  • the method includes, establishing the connection via a gateway, the gateway and input device being adapted to encrypt information transferred therebetween.
  • the method is performed using an input device performing the method of the first broad form of the invention.
  • the present invention provides apparatus for performing a secure interaction, the apparatus including: a) an input device; b) a processing system for performing a checking operation using first information provided via the input device, to thereby confirm input device integrity; c) a gatekeeper for: i) performing remote authentication of second information provided via the input device; and, ii) establishing a connection with a service provider in response to a successful authentication, the connection being used to perform secure interaction with the service provider using inputs supplied via the input device.
  • the apparatus includes an identity device for storing first and second data, and where the input device is responsive to connection to the identity device to thereby retrieve at least some of the first and second data.
  • the apparatus includes a gateway, the connection being established using the gateway.
  • the input device is for encrypting user inputs
  • the gateway is for: a) decrypting the user inputs; and, b) providing the decrypted user inputs to the service provider.
  • the apparatus is for performing the method of the tenth broad form of the invention.
  • the present invention provides a method of performing a secure interaction, the method including: a) verifying operation of an input device at least in part using an identity device; b) performing remote authentication at least in part using the identity device; and, c) establishing a connection with a service provider in response to a successful authentication.
  • the method includes: a) connecting the identity device to the input device; b) providing first information using the input device, the input device being responsive to the first information to: i) retrieve first and second data from first and second stores in the identity device, at least in part using the first information; ii) providing the first and second data to a processing system, the processing system using the first and second data to verify the operation.
  • the method includes, providing second information via the input device, the input device being responsive to provide the second information to a gateway, the gateway using the second information to perform the remote authentication.
  • the method includes establishing the connection via a gateway.
  • the method is performed using an input device performing the method of the first broad form of the invention.
  • the present invention provides apparatus for performing a secure interaction, the apparatus including: a) an input device; b) an identity device; c) a processing system for verifying the operation of the input device using the identity device; and, d) a gateway for authenticating the user, the gateway being responsive to a successful authentication to establish a connection with a service provider.
  • the apparatus is for performing the method of the eleventh broad form of the invention.
  • Figure 1 is a flow chart of a first example of an interaction process
  • Figure 2 is a schematic diagram of an example of a system for performing an interaction
  • Figure 3 is a schematic diagram of an example of one of the servers of Figure 2;
  • Figure 4A is a schematic diagram of an example of one of the computer systems of Figure 2;
  • Figure 4B is a schematic diagram of a first example of an identity device
  • Figure 4C is a schematic diagram of a first example of an input device
  • Figures 5A and 5B are a flow chart of a second example of an interaction process
  • Figure 6 is a flow chart of an example of a registration process
  • Figures 7A to 7H are a flow chart of a third example of an interaction process
  • Figures 8A and 8B are schematic diagrams of second and third examples of an identity device
  • Figures 9A and 9B are schematic diagrams of second and third examples of an input device
  • Figures 10A to 10C are schematic diagrams of examples of gatekeeper architectures; and, Figures 11A to 11C are schematic diagrams of a specific example implementation.
  • the interaction device is a device that is suitable for interacting with a terminal, such as a computer system, or other suitable communications device, in order to control operation of the terminal.
  • a terminal such as a computer system, or other suitable communications device
  • the interaction device may be in the form of a modified computer input device such as a keyboard or mouse.
  • the interaction device could be formed from two separate physical devices such as a modified computer input device, and a separate identity device as will be described in more detail below.
  • the registration process is typically performed by a trusted third party, which is at least partially responsible for operating the interaction process, as will be described below.
  • the registration process may be performed in any one of a number of ways but is typically performed to allow the interaction device to be populated with data required to perform the interactions, and to associate the interaction device with the user in some way.
  • the registration process may also involve the creation of authentication information, such as a username and password, or the like.
  • a checking operation is initially performed to confirm the interaction device integrity.
  • the checking operation may take on any one of a number of forms but typically involves having the interaction device access locked or encrypted data utilising information provided by the user, such as the authentication information. In such a case, failure to correctly access the data implies that the integrity of the interaction device is in some way compromised, in which case the interaction process typically fails. It will be appreciated however that other checking operations may be performed.
  • remote authentication is performed utilising the interaction device.
  • the remote authentication is typically performed by having the user supply authentication information via the interaction device, with this being transferred to an appropriate entity, for authentication. This allows the entity to compare the provided authentication information to that created during registration, to thereby confirm both that the user is a registered user, and that the interaction device is a registered interaction device.
  • the process typically ends.
  • the interaction device may be added to a list of excluded devices, preventing further interaction with the system, as will be described in more detail below.
  • a connection is established with a service provider, such as a corporation, an ISP (Internet Service Provider) or the like, allowing interaction to be performed between the user and the service provider, using the interaction device, at step 140.
  • the establishment of the connection is typically controlled by the authenticating entity, thereby allowing the user to be confident that the interaction is secure. This may be achieved in any one of a number of manners, such as by having the authenticating entity provide a secure controller that creates a secure path between the interaction device and the application server via a secure server, as will be described in more detail below. It will be appreciated from the above that the process consists of a number of separate stages, which when performed aim to establish trust for the user in both the interaction device, and the service provider.
  • the registration process enables the trusted third party to identify the interaction device via the remote authentication process.
  • the use of the integrity check ensures that the interaction device is functioning correctly, and therefore has not been tampered with. Consequently, these checks in combination allow the trusted third party to confirm that the interaction device is a genuine interaction device intended for use with the system (and consequently is manufactured according to required specifications) and that the device is functioning correctly, and has not therefore been compromised.
  • this is referred to as establishing the provenance of the interaction device.
  • provenance generally refers to the ability to establish the origin or source from which something comes, and the term is often used in the sense of place and time of manufacture, production or discovery.
  • the above described process uses the registration, integrity checks and authentication, to establish the provenance of the interaction device. This is achieved by having the interaction device prove its integrity to the user, through an appropriate verification, and then to a trusted third party using the remote authentication.
  • confirming the interaction device integrity at the least allows the user to confirm that the device is functioning properly. This in turn allows the user to be confident that the device has not been tampered with in some way, which in turn helps confirm device security.
  • the integrity check also confirms to the user that the provenance of the interaction device is satisfactory and hence that the interaction device is a genuine device registered to use the system and manufactured according to system operation requirements, which when combined with correct operation ensures device security.
• the user can be confident that the interaction device they are using is secure, and this, coupled with appropriate protocols, for example protocols which allow inputs provided via the interaction device to be encrypted, allows the user to ensure that interactions can be performed in a safe and secure manner.
  • the above process allows the user to implement secure communication between the interaction device and the service provider, which in turn allows the user to utilise an untrusted computer system or the like to perform secure interactions in a trusted manner.
  • the interaction device is formed from the concomitance between an input device and an identity device.
  • the identity device is associated with the user, and retained by the user at all times.
  • the identity device includes secure data based on the user's authentication information.
• the input device performs a checking operation, as outlined above, by attempting to access the secure data stored in the identity device. In this instance, as the user can be assured of the security of the identity device, because this physical device is their own responsibility, successfully accessing the secure data stored in the identity device allows the user to establish that operation of the input device is verified.
• the user's ability to trust their own physical identity device can be used to enhance the level of trust in operation of the input device beyond that which would otherwise be obtained through the use of an internal check within an integrated interaction device alone.
  • the system includes a number of servers 201, 202, 203, and a number of user computer systems 204, interconnected via communications networks 205, 206 as shown.
• in use, users interact with one of the computer systems 204 using the interaction device.
  • the computer system 204 then communicates with the servers 201, 202, 203 via the communications networks 205, 206 utilising appropriate communications protocols, such as TCP/IP, as will be appreciated by persons skilled in the art.
  • the communications networks 205, 206 may be any form of wired or wireless communications networks, such as a Local Area Network (LAN), Wide Area Network (WAN), the Internet or the like. Thus, the communications networks 205, 206 may be any one or combination of public, private, virtual, logical, internal or external networks.
  • the servers 201 are adapted to perform the remote authentication and establish the connection between the servers 203 (hereinafter referred to as an "application server”) and the computer systems 204, via a server 202 (hereinafter referred to as a "gateway”), as required.
  • This allows the application servers 203, which are operated by service providers, to provide interaction services, which may be any form of service, depending on the preferred implementation.
• the terms “gatekeeper” and “gateway” are for the purpose of explanation only, and are not intended to be limiting. Whilst the gateway and gatekeeper are shown as separate hardware devices, this is for the purpose of example only, and it will be appreciated that the gatekeeper 201 and the gateways 202 can be formed from physically or logically separate or common devices.
• servers 201, 202, 203 may be any form of physical or logical server and may be implemented using any suitable form of hardware or processing system.
  • the servers 201, 202, 203 include a processor 300, a memory 301, an input/output device (I/O) 302, an external interface 303 interconnected via a bus 304.
• the external interface 303 allows the servers 201, 202, 203 to be interconnected to the communications networks 205, 206 and/or any peripheral devices, such as the database 211, or another one of the servers 201, 202, 203.
• whilst a single external interface 303 is shown, this is for the purpose of example only, and in practice multiple interfaces using various methods (eg. Ethernet, serial, USB, wireless or the like) may be provided.
  • the servers 201, 202, 203 may be formed from any suitable processing system, such as a suitably programmed PC, Internet terminal, lap-top, hand-held PC, or the like, which is operating applications software to enable required functionality to be implemented.
• the computer system includes at least one processor 400, a memory 401, an output device 402, such as a display, and an external interface 403, interconnected via a bus 404 as shown.
  • the external interface 403 can be utilised for connecting the computer system 204 to the communications networks 205, 206, as well as to the interaction device, shown generally at 405.
• whilst a single external interface 403 is shown, this is for the purpose of example only, and in practice multiple interfaces using various methods (eg. Ethernet, serial, USB, wireless or the like) may be provided.
  • the processor 400 executes application software stored in the memory 401 to allow different processing operations to be performed, including, for example, communicating with the servers 201, 202, 203 via the external interface 403.
  • the computer system 204 may be formed from any suitable processing system, such as a suitably programmed PC, Internet terminal, lap-top, hand-held PC, smart phone, PDA, web server, or the like.
  • the interaction device 405 is formed from an input device 410 and a concomitant identity device 420.
  • the input device 410 includes embedded processing allowing the input device to communicate with memories provided on the identity device 420.
• the identity device 420 includes a PROM 421, a secret memory 422, a public memory 423 and a connector 424, for allowing connection to the input device 410.
  • the PROM and the secret memory are connected via a one-way connection shown generically at 425.
  • the identity device 420 also includes an indicator 426.
  • the indicator is typically used to provide a confidence indication, indicative of system and/or device integrity, which may be derived from system integrity checks that are performed.
  • the indicator may provide an indication in any suitable form but generally generates a visual, audible or tactile indication.
  • the indicator may therefore be of any suitable form such as a single multicolour LED, multiple LED's, small LCD, audible tone combination, vibration or any combination thereof.
• the identity device 420 may be any suitable device, but in one example is formed from a USB style memory key with suitably configured memory. However, this is not essential and any suitable device with embedded memory may be used, such as a SIM (Subscriber Identity Module) card, smartcard, mobile phone (cell phone), or the like.
  • the identity device 420 could be formed from a device that includes embedded processing to allow encryption and authentication processes to be performed within the identity device. Examples of this are shown in Figures 8A and 8B. It will be appreciated that in these examples, indicators may also be provided in a manner similar to that described above with respect to Figure 4B.
• the input device 410 includes an input 411, such as a keypad or the like, a connector 412 to allow connection to the computer 204, and a connector 418, such as a USB (Universal Serial Bus) connector, for connecting to the identity device 420.
• the input device 410 also includes some form of internal processing system, which in this example includes a multi-purpose encryptor 413, a CPU 414, a memory 415, a PROM 416, and an input device controller 417. A one-way gap is also provided between the PROM and memory as shown at 419.
• the input device 410 also includes an indicator 411A, similar to the indicator 426 described above.
• input commands supplied via the input 411 are interpreted by the input device controller 417 and forwarded to the computer system 204 via the connection 412.
• the CPU 414 is adapted to execute instructions to perform the processes outlined above. For example, when the input device 410 and the identity device 420 are interconnected via the connections 418, 424, the CPU 414 communicates with the PROM 421, the secret memory 422 and the public memory 423 to access information provided therein.
  • the CPU 414 is also adapted to operate as a multi-purpose encryptor 413 to allow data to be encrypted prior to transfer to the computer 204.
  • the input device 410 can be formed from any suitable device, such as a custom computer keyboard including the required embedded processing and memory. However, alternatively other devices incorporating suitable memory and processing may be used, such as a mobile phone, or the like. Alternative examples of the input devices are shown in Figures 9A and 9B. It will be appreciated that in these examples, indicators may also be provided in a manner similar to that described above with respect to Figure 4C.
  • the input device 410 and the identity device 420 are suitably protected against physical intrusion and may also have electronic methods and other countermeasures incorporated to prevent their integrity and the integrity of the data from being compromised.
• an example of the process performed by the identity device 420 and the input device 410, in the system of Figure 2, will now be described in more detail with reference to Figures 5A and 5B.
  • the identity device 420 is connected to the input device 410 that is already connected to the computer system 204.
  • connection of identity device 420 to the input device 410 initiates the integrity and authentication check process, as will now be described.
  • any suitable initiation method may be used.
• the identity device 420 can check the integrity of the input device 410 and provide an indication of the results using the indicator. This can be achieved in any suitable manner and could include, for example, having the input device 410 generate a checksum based on the content of the PROM 416 and provide an indication of this to the identity device 420, allowing the identity device to validate the checksum and hence confirm the integrity of the input device 410. It will be appreciated however that any suitable check may be performed, such as requiring a predetermined response to a provided query or challenge.
  • the identity device 420 can cause an appropriate confidence indicator to be displayed. This can involve for example, having the indicator 426 generate a positive or negative confidence indication. This may be achieved using any suitable technique depending on the nature of the indicator 426. Thus, for example, the indicator could be a red LED in the event that the integrity check fails, or green in the event that the integrity check succeeds.
• the input device 410 can check the integrity of the identity device 420 in a similar manner, and provide an indication of the result of the check using the indicator 411A.
• the result of the integrity check of the input device is displayed using the identity device and vice versa. Whilst this is not essential, it is preferable to ensure that an input device 410 or identity device 420 does not attempt to spoof a positive result in the event that the integrity check fails. Thus, for example, if the input device 410 were to display the result of its own integrity check and the input device 410 had been compromised, then the input device 410 could be configured to display an indication that its integrity check was successful, even if this is not the case.
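The cross-checked integrity indication described above, as an added example that is not part of the patent: the patent leaves the form of the "checksum" open, so this uses a keyed HMAC over a SHA-256 digest of the PROM content, bound to a fresh random challenge so that an answer observed once cannot be replayed, and shows the result of each check on the other device's indicator. The PROM images, the shared verification key and the reference digests recorded at registration are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample PROM images; a real device would hash its actual PROM 416 / PROM 421.
INPUT_DEVICE_PROM = b"input-device-firmware-v1.0 (constructed sample)"
IDENTITY_DEVICE_PROM = b"identity-device-firmware-v1.0 (constructed sample)"
# Assumption: a verification key provisioned to both devices at registration.
SHARED_VERIFY_KEY = b"\x11" * 32


def prom_digest(prom: bytes) -> bytes:
    """Digest of a PROM image; the reference value is stored by the *other* device at registration."""
    return hashlib.sha256(prom).digest()


def integrity_response(prom: bytes, challenge: bytes) -> bytes:
    """Prover side: answer a challenge over the content of its own PROM."""
    return hmac.new(SHARED_VERIFY_KEY, challenge + prom_digest(prom), hashlib.sha256).digest()


def verify_integrity(reference_digest: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute the expected answer from the stored reference digest."""
    expected = hmac.new(SHARED_VERIFY_KEY, challenge + reference_digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def indicator(ok: bool) -> str:
    """Confidence indication in the form the patent suggests: a green or red LED."""
    return "green" if ok else "red"


def cross_check(input_prom: bytes, identity_prom: bytes) -> dict:
    """Each device checks the other and displays the *other* device's result on its own indicator."""
    # Identity device 420 challenges input device 410 and shows the result on indicator 426.
    c1 = os.urandom(16)
    r1 = integrity_response(input_prom, c1)                        # computed on the input device
    input_ok = verify_integrity(prom_digest(INPUT_DEVICE_PROM), c1, r1)  # checked on the identity device
    # Input device 410 challenges identity device 420 and shows the result on indicator 411A.
    c2 = os.urandom(16)
    r2 = integrity_response(identity_prom, c2)
    identity_ok = verify_integrity(prom_digest(IDENTITY_DEVICE_PROM), c2, r2)
    return {"identity_indicator": indicator(input_ok), "input_indicator": indicator(identity_ok)}


if __name__ == "__main__":
    print(cross_check(INPUT_DEVICE_PROM, IDENTITY_DEVICE_PROM))
    print(cross_check(INPUT_DEVICE_PROM + b"\x00", IDENTITY_DEVICE_PROM))  # patched input device
```

A modified input device PROM turns the identity device's indicator red while the input device's own indicator stays green, which is exactly the cross-display the patent argues for. The caveat a practitioner should keep in mind is that the prover measures itself: a device whose firmware and verification key are both under an attacker's control can still produce the right answer, so the scheme is only as strong as the physical tamper protection the patent requires of both devices.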
  • the input device 410 detects connection of the identity device 420, and causes the computer system 204 to prompt the user to enter first authentication information at step 505.
• the authentication information may be in the form of a password which can be entered via the hardware input 411.
  • this may be in the form of biometric information or the like which may require the provision of a suitable biometric reader within the input device 410.
  • the input device 410 and in particular the CPU 414 operates to unlock the secret memory 422 using first authentication information.
• this is typically achieved by having first data stored in the secret memory 422 encrypted using a suitable encryption algorithm, with a key that is at least partially based on the first authentication information.
  • the input device CPU 414 and/or the encryptor/decryptor 413 operates to generate a decryption key using the first authentication information, allowing the encrypted first data to be decrypted. It will be appreciated that this requires appropriate configuration of the secret memory 422 and in particular the first data stored therein, when the identity device 420 is initially configured as will be described in more detail below.
  • a check is performed to ensure that the secret memory 422 is unlocked. This may be achieved in any one of a number of manners, but typically involves having the input device 410 compare decrypted first data retrieved from the secret memory 422, to second data retrieved from the public memory 423.
  • the first data can include an encrypted version of the second data, so that comparison of the decrypted first data and the second data allows the input device 410 to confirm the first data was successfully decrypted, and hence that the secret memory 422 was successfully unlocked.
  • the first and second data can include at least the following information: • first data - encrypted provenance information
• if the secret memory 422 cannot be unlocked, the process typically ends. Furthermore, the input or identity devices 410, 420 may be excluded from further interaction using the system, as will be described in more detail below.
  • the user is prompted by the computer system 204 for a service selection, which the computer system 204 uses to establish connection with the appropriate gatekeeper 201, at step 525.
  • These steps are typically achieved by having the input device 410 obtain a list of available services from the first or second data, and forward this to the agent residing on the computer system 204. It will be appreciated that this list is typically created during the registration process as will be described in more detail below.
• the list of available services includes an indication of a corresponding gatekeeper 201, so that when the user selects a service via the input device 410, this can be interpreted by the computer system 204 and used to establish a connection with the relevant gatekeeper 201.
  • the input and identity devices 410, 420 undergo mutual authentication with the gatekeeper 201. This may be achieved in any suitable manner, but typically involves exchanging authentication information, such as digital credentials, digital certificates or the like.
  • the authentication information provided by the input device 410 may be obtained either from memory in the input device 410, or from the identity device 420.
• the input device 410 collects the credentials from the identity device 420, with credentials from both the input and identity devices 410, 420 being sent to the gatekeeper by the input device 410.
  • an indication of a user identity is collected by the input device 410 from the identity device 420, when the user enters their first authentication information.
  • This information is then "packaged", for example, by providing the first authentication information in an encrypted file together with any other information, ready for transmittal to the gatekeeper 201, once the aforementioned mutual authentication is completed.
• the indicators 426, 411A can be used to display an indication of the integrity and/or authenticity of the gatekeeper. This may be achieved, for example, by displaying an appropriate indication depending on the results of the mutual authentication.
• at step 535 the user is prompted to enter second authentication information. Whilst this may be the same as the first authentication information, this is not typical and usually the user simply provides either another password or alternative biometric information, utilising an appropriate technique.
• the gatekeeper 201 authenticates the second authentication information. This will typically involve at least comparing the received second authentication information to predetermined second authentication information that has previously been stored in a store, such as a database 211, during the registration process, as will be described in more detail below.
• if the second authentication fails, the interaction process typically terminates, with either the identity device 420 or the input device 410 optionally being excluded from further interaction.
• if the second authentication succeeds, the gatekeeper 201 establishes a connection between the input device 410 and a gateway 202 via the computer system 204.
  • This process will typically include arranging for the gatekeeper 201 to supply session keys to both the input device 410 and the gateway 202, allowing communications therebetween to be encrypted.
• the indicators 426, 411A can be used to display an indication of the integrity and/or authenticity of the gateway, in a manner similar to that described above.
• the gateway 202 provides onward connectivity to one of the application servers 203, which is typically operated by a service provider, allowing the selected service or interaction to be performed. This is achieved by controlling client software implemented on the computer system 204, using the input device 410, allowing the application software running on the computer system 204 to communicate with the respective application server 203 via the gateway 202.
• when it is required to transfer data securely, such as when the user is providing authentication information to the application server 203, the user can activate an encryption function. This causes the input device 410 to encrypt any information input by the user, using the session key supplied by the gatekeeper 201. This encrypted information is then forwarded by the application software to the gateway 202 for decryption, before being transferred to the application server 203.
  • the above described interaction process involves using an integrity check and remote authentication process to allow a user to establish trust in an input device.
  • the user may not be able to "trust" the computer system 204, for example because this is a public terminal, or the like, the user is still able to perform interactions in a secure and trusted manner.
  • This is achievable because the user utilises their trust in their own identity device 420 to establish trust in the input device 410, using the integrity check and remote authentication.
• This trust is established by having the process confirm not only input device operation, but also the input device's provenance, which in turn confirms that the input device is a genuine device intended for use with the system, and that the device has not been compromised.
• the user also uses their trust of the trusted third party to confirm that the application server with which they are communicating is administered by a genuine service provider. This in turn enables the user to perform secure interactions via the computer system 204.
  • any sensitive information transferred to the applications server 203 can be encrypted by the input device 410.
• since the untrusted computer system 204 is unable to decrypt the information, this ensures the security of the sensitive information even though it is being transferred via the untrusted computer system 204.
• the user need not be a person; for example, the user could be a security device, such as a security camera.
  • the user ID could be, for example, a serial number or the like, with the identity and input devices forming part of the security device.
• when an individual is installing the camera, the individual could be required to activate the above described procedure, for example by having the security device provide authentication information from a secure internal store. In this instance, the security device therefore performs the function of both the input and identity devices, allowing the security device to register with the gatekeeper.
  • this ensures that the security device is operating correctly. Furthermore, this allows the gatekeeper to ensure that the security device is a genuine security device, before initiating communication between the security device and a service provider, which in this example may be a monitoring service, allowing the security device to be monitored. This process can also be used to establish encrypted communication between the security device and the service provider, which in turn helps further enhance security.
• at step 600 the user requests an input device and an identity device from an entity that operates the gatekeeper 201 and the gateway 202.
  • the identity and input devices 420, 410 are generally manufactured as separate devices using a separate process, and then populated with required data during the registration process.
  • the manufacturing process typically involves creating the identity and input devices 420, 410 in accordance with predefined specifications to ensure that the identity and input devices 420, 410 are universally compatible with the computer system 204, and to ensure a required level of physical and logical security.
  • the user provides authentication information to the trusted third party, typically by contacting an authentication gatekeeper.
  • the user is identified solely through the use of the identity device 420. It is not necessary for the user's real identity to be known, and accordingly, the authentication information does not need to be linked to the user's proper identity, but rather could be based on a pseudonym, or the like.
  • the authentication information is used to ensure that identity devices 420 in use are being used by their genuine owners, and not necessarily to actually identify the user. This allows the authentication information to be in the form of a password or the like, which would only be known to and which would be unique to the user, but which does not necessarily have to be indicative of the user's identity.
  • authentication information related to the user such as biometric information can be used depending on the implementation.
  • the authentication information may therefore be provided in any suitable manner, such as by the creation of a password, or by scanning relevant portions of the user's anatomy to generate appropriate biometric information.
• typically the user has two different instances of authentication information, such as two different passwords, which are used to allow independent authentication to be performed at different stages in the interaction process, as will be appreciated by persons skilled in the art.
  • the user may require other instances of authentication information to proceed with the service, but the information known by the user in these cases is typically supplied and secured by the service provider.
  • the user selects required services. This may be achieved in any one of a number of ways but typically involves having the user review an indication of service providers displayed on the computer system 204 currently allowing connection via the interaction process implemented by the gatekeepers 201 and gateways 202. Generally, there will be a unique gatekeeper 201 and unique gateway 202 for each required service, but not unique to the user.
  • secret information is stored by the input device 410, in the secret memory 422 of an identity device 420, whilst public information is stored in the public memory 423, at step 620.
  • the public and secret information may include any suitable information, but in general the secret information is at least partially based on the authentication information, whilst the public information includes at least some information used in performing the integrity checking operation.
  • the information will include the provenance information, which can be used to check the identity device 420 satisfies manufacturing requirements and the like, and this is generally stored in the PROM 421, so that this cannot be subsequently modified.
• the memories of the identity device 420 include the following information:
  • PROM 421: provenance information such as:
    • BIOS revision program for identity device
    • BIOS revision program for input device
  • the user may only require an identity device 420, for example, if they are only to use input devices 410 made available with public terminals. More typically however the user would require both an input device 410 and an identity device 420.
  • provenance information and encryption keys are stored in the memories 415, 416.
  • the memories of the input device 410 include the following information:
• the identity device 420 and input device 410 are associated with the user, with an indication of this being stored by the gatekeeper 201, for example in the database 211.
  • the gatekeeper will also store any other required information, such as all or part of the secret information stored on the identity device, authentication information, or the like. Thus, this will typically require that the gatekeeper store at least the second authentication information and any other information required to perform communications such as necessary encryption keys or the like. This information may also be distributed to any required gatekeepers as required.
  • the user may use a different input device 410 to that issued during registration, for example if they use an input device in a public environment, such as an Internet cafe.
  • the association between the user and the input device 410 is therefore recorded at the gatekeeper for auditing purposes.
  • any input devices 410 and identity devices 420 they have had commissioned/registered may be excluded.
  • the geographic location of a device and the user may be used to stop fraudulent usage, for example by having GPS (Global Positioning System) information forming an integral part of any of the devices.
  • the input and identity devices 410, 420 can be registered for use in certain locations, with use in other locations resulting in a failure during the integrity and authentication checking procedure.
  • the user may decide they wish to use an existing identity device 420 with additional services, in which case the user can undergo a supplementary registration process.
  • This can involve repeating any required stages of the registration process using the existing identity device 420, such as having the identity device 420 updated with any information required to perform the additional services. Additionally, and/or alternatively, this can involve having the user contact an appropriate gatekeeper 201 using the interaction process, allowing the user to view and select available services.
  • the user connects the input device 410 to an untrusted terminal 204 before connecting the identity device 420 to the input device 410 at step 710.
  • the input and identity devices 410, 420 perform self initiated mutual authentication.
• Mutual authentication requires that the identity device 420 include some form of embedded processing, to allow the input device 410 to be authenticated. If such processing is not available, as in the case of the identity device 420 shown in Figure 4A, then step 720 typically involves one-way authentication of the identity device 420 by the input device 410. Because the identity device 420 stores encrypted provenance and commissioning data that can only be recognised by a properly commissioned input device 410, the mutual authentication is completed within the input device 410.
  • the authentication process will typically involve the exchange of the digital credentials or the like, as will be appreciated by persons skilled in the art, and this will not therefore be described in any further detail. However, it will be appreciated that this process will generally be performed without requiring any user intervention.
• at step 730 it is determined if this authentication is successful, and if not the process fails at step 740. Whilst having the process fail may simply halt the process, additionally or alternatively, process failure may result in either one of the identity or input devices 420, 410 being excluded from further interaction with the system.
• Exclusion of devices is achieved by having the gatekeeper 201 add details of the input and/or identity devices 410, 420 to a list of excluded devices, stored for example in the database 211. As will be described in more detail below, if an input or identity device 410, 420 is on the excluded list, it will not be possible for the respective device to be used within the system.
• if the authentication step fails, an indication of this is provided to the gatekeeper 201, allowing the respective devices 410, 420 to be added to the exclusion list. Since communications with the gatekeeper 201 may not be possible at that time, the indication may be stored in a latent store within the respective device for delivery using an approved method at a later time. Either one or both of the input device 410 and identity device 420 can optionally indicate the success or otherwise of the authentication using the respective indicators 411A, 426. Again, the nature of the indication will depend on the preferred implementation, as described above.
  • the input device 410 attempts to initialise an agent installed on the computer system 204.
• the agent is a software application that provides certain functionality, such as interfacing with the computer system's TCP/IP stack, as will be described below and as set out in Appendix A in more detail.
  • the agent is downloaded from the public memory 423 by the input device 410, and installed on the computer system 204 at step 770.
  • the loading of the agent may be achieved using any other suitable mechanism.
  • the agent may be loaded using an "untrusted" computer system port, by downloading the agent from a communications network such as the Internet, or by installing the agent from other physical media such as from a CD, or the like.
  • the agent is checked to determine if it is functioning correctly. This is achieved by having the input device 410 provide a launch command to the agent to cause the agent to start. If it is determined that the agent is not functioning at step 790, for example if the agent does not respond to the launch command, then the process fails at step 800.
• either one or both of the input device 410 and identity device 420 can optionally indicate the success or otherwise of the agent start up or initialisation process using the respective indicators 411A, 426.
  • the agent causes the computer system 204 to prompt the user for first authentication information at step 810. This will typically involve having the computer system 204 generate a dialogue box and display this to the user via the output device 402.
• the user supplies first authentication information to the input device 410 utilising an appropriate technique. This may include therefore entering a password via the keyboard 411 or alternatively presenting a portion of their anatomy to a suitable biometric reader, to thereby allow biometric authentication information to be determined.
  • the input device downloads a software key and optionally an encrypted executable file, from the public memory 423 of the identity device 420.
  • the input device 410 uses the key and executable file, as well as the first authentication information, to generate a secret memory access method at step 840.
  • the executable file typically represents a unique algorithm that is used in generating the secret memory key, and this will typically be unique to each identity device 420.
  • Using the executable file from the identity device 420 means that the secret memory key can only be generated with the identity device 420 present and correctly operational, thereby further enhancing security.
  • the executable file would ideally be replaced with a new executable file delivered from the gatekeeper 201 to the identity device 420 via the input device 410 after each service session initiation.
  • the executable delivered from the gatekeeper 201 to the identity device 420 would typically be unique and would be encrypted using the input device 410, the user's first authentication information and the key.
  • the input device 410 would contain a method for performing this action.
  • the method would be transportable, and if the identity device 420 was used with another input device 410 at its next use, the new input device 410 would be capable of accommodating the new files and the user's first authentication information to unlock the secret memory of the identity device 420.
  • the secret memory key is used by an encryptor Z1, which may be a dedicated encryption module, as shown for example in Figure 11B, or may be implemented by the multipurpose encryptor 413 shown in Figure 4C. Accordingly, it will be appreciated that the key downloaded from the secret memory 422 is the Z1 key mentioned above.
  • the input device 410 uses the secret memory key to unlock the secret memory 422 in the identity device 420. This is generally achieved by having the input device 410 access at least some of the encrypted information stored in the secret memory 422, and then decrypt this using the encryptor Z1.
  • at step 860 it is determined if the unlock process is successful, which may be achieved in any one of a number of ways, but typically involves having the input device 410 determine if the encrypted information can be successfully decrypted.
  • this process provides an integrity check to ensure the input and identity devices 410, 420 are functioning correctly. This typically involves performing a calculation based on information extracted from the secret memory 422, and then examining the result to determine if this is as expected. Thus, for example, this can include calculating a checksum or hash value based on information that has been retrieved and decrypted from the secret memory 422 and comparing this to an indication of the checksum or hash value stored in the public memory 423 to confirm these agree. In the event that there is a discrepancy, this indicates that the input device 410 was unable to correctly unlock the secret memory 422, which in turn indicates that the integrity check has failed. If the unlock process is deemed to be unsuccessful, the process fails at step 870.
  • this may be due to the fact that the input device 410 is not an authentic input device 410, that the input device 410 is not registered for use with the system, or that the input device 410 has been tampered with in such a way as to affect its operation.
  • the input device 410 extracts some of the information from the secret memory 422, and typically extracts at least credentials, the provenance information and the service list.
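The unlock and integrity check of steps 840 to 880, written out as an added example (this is illustrative code, not the patent's or any product's implementation). The layout of the two memories, the use of PBKDF2 to turn the software key and the first authentication information into the Z1 key, the HMAC-SHA256 counter-mode keystream standing in for encryptor Z1, and the "key=value" record format are all assumptions made for the example. What it shows is the check the text describes: the digest of the decrypted secret contents is compared, in constant time, with the digest held in public memory, and only on a match are the credentials, provenance information and service list handed on.

```python
import hashlib
import hmac

# Constructed model of the identity device: public memory (423) is readable by
# anyone; secret memory (422) holds the credentials, provenance information and
# service list encrypted under a key that the input device must derive.
PBKDF2_ROUNDS = 50_000  # assumed work factor; the patent does not specify one


def derive_secret_memory_key(software_key: bytes, first_auth: bytes) -> bytes:
    """Stand-in for the 'secret memory access method' (step 840): the Z1 key is
    derived from the software key read from public memory and the user's first
    authentication information (e.g. a passphrase). PBKDF2 is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", first_auth, software_key, PBKDF2_ROUNDS, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for encryptor Z1."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def z1_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def encode_fields(fields: dict) -> bytes:
    """Minimal 'key=value' records, one per line (constructed layout)."""
    return "\n".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()


def decode_fields(data: bytes) -> dict:
    return dict(line.split("=", 1) for line in data.decode().splitlines())


def provision_identity_device(software_key: bytes, first_auth: bytes, secret: dict) -> dict:
    """Registration side: encrypt the secret fields under the Z1 key and publish
    the digest of the plaintext in public memory for the later integrity check."""
    plaintext = encode_fields(secret)
    key = derive_secret_memory_key(software_key, first_auth)
    return {
        "public_memory": {
            "software_key": software_key,
            "secret_digest": hashlib.sha256(plaintext).digest(),
        },
        "secret_memory": z1_crypt(key, plaintext),
    }


def unlock_secret_memory(device: dict, first_auth: bytes):
    """Input device side (steps 850 to 880): derive the Z1 key, decrypt the secret
    memory and compare the digest of the result with the digest in public memory.
    Returns the extracted credentials, provenance information and service list,
    or None when the integrity check fails (wrong passphrase, wrong or tampered
    input device, or corrupted identity device)."""
    pub = device["public_memory"]
    key = derive_secret_memory_key(pub["software_key"], first_auth)
    candidate = z1_crypt(key, device["secret_memory"])
    if not hmac.compare_digest(hashlib.sha256(candidate).digest(), pub["secret_digest"]):
        return None
    fields = decode_fields(candidate)
    return {k: fields[k] for k in ("credentials", "provenance", "services")}
```

Because the digest sits in public memory, anyone holding the device can test candidate passphrases offline against it, so the first authentication information needs enough entropy (or a biometric-derived secret) and the key derivation needs a deliberate work factor; that is why the example uses PBKDF2 rather than a plain hash.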
  • the process then moves onto step 890, with the input device 410 providing the decrypted service list to the agent, to allow the agent to determine available services at step 900.
  • the service list corresponds to the services for which the user is therefore registered. This can include any services selected during the initial registration procedure, or any additional services selected via interaction with an appropriate gatekeeper 201 as described above.
  • the agent causes the computer system 204 to display a list of available services, for example using a suitable user interface, such as a dialogue box or the like.
  • the user selects a desired service using the input device 410, which in turn transfers an indication of the selection to the agent. It will be appreciated that in fact this may involve having the agent receive signals indicative of user input commands, which are then suitably interpreted to determine the service selection.
  • the agent uses the selection to identify an appropriate gatekeeper 201 from the service list.
  • the agent then initiates communication with this gatekeeper at step 940, allowing the gatekeeper 201 and input device 410 to exchange credentials and perform mutual authentication at step 950.
  • the mutual authentication process may involve having the gatekeeper 201 examine a sequence number obtained from the secret memory of the identity device 420.
  • the sequence number is updated by the gatekeeper 201 each time the identity device 420 is used. Accordingly, comparing the received sequence number to the sequence number stored at the gatekeeper 201 when the identity device 420 was last updated allows the gatekeeper 201 to confirm that the identity device 420 has not been duplicated and fraudulently used.
  • if the identity device 420 is duplicated and the duplicate device is used, the sequence number on the duplicate device will be updated and consequently the sequence number in the original device will be out of sequence, allowing this to be detected the next time the original identity device 420 is used.
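The sequence-number check, as an added example that models the gatekeeper side (illustrative code, not the patent's or any product's implementation). The device identifier, the in-memory store of expected values, the audit log and the exclusion of an identity once a mismatch is seen are all assumptions of the example; so is the choice of a random 64-bit value rather than an incrementing counter, which goes beyond the text and is there so that a copy taken before an update cannot simply guess the next expected value. The walkthrough replays the scenario above: the original is used, cloned, the clone is used successfully, and the original is then rejected.

```python
import secrets


class IdentityDevice:
    """Constructed model of identity device 420; the gatekeeper-maintained
    sequence number lives in its secret memory."""

    def __init__(self, device_id: str, sequence_number: int):
        self.device_id = device_id
        self.sequence_number = sequence_number

    def duplicate(self) -> "IdentityDevice":
        """A bit-for-bit copy, which is what a cloned device would hold."""
        return IdentityDevice(self.device_id, self.sequence_number)


class Gatekeeper:
    """Constructed model of gatekeeper 201's sequence-number check."""

    def __init__(self):
        self._expected = {}    # device_id -> sequence number issued at last use
        self._excluded = set()  # identities withdrawn after a mismatch
        self.audit_log = []

    def register(self, device: IdentityDevice) -> None:
        device.sequence_number = secrets.randbits(64)
        self._expected[device.device_id] = device.sequence_number

    def check_sequence(self, device: IdentityDevice) -> bool:
        """Compare the presented sequence number with the stored one and, on a
        match, issue a fresh value to both sides. A mismatch means two copies of
        the device exist, so the identity is excluded until it is reissued."""
        dev_id = device.device_id
        if dev_id in self._excluded or dev_id not in self._expected:
            self.audit_log.append(("rejected", dev_id))
            return False
        if device.sequence_number != self._expected[dev_id]:
            self._excluded.add(dev_id)
            self.audit_log.append(("duplicate detected", dev_id))
            return False
        # Random rather than incrementing value (example's design choice, not
        # from the patent) so an earlier copy cannot predict the next value.
        fresh = secrets.randbits(64)
        self._expected[dev_id] = fresh
        device.sequence_number = fresh
        self.audit_log.append(("ok", dev_id))
        return True


def clone_detection_walkthrough() -> dict:
    """Original used, cloned, clone used, original used again, clone used again."""
    gk = Gatekeeper()
    original = IdentityDevice("ID-0001", 0)  # constructed identifier
    gk.register(original)
    results = {"original_first_use": gk.check_sequence(original)}
    clone = original.duplicate()
    results["clone_use"] = gk.check_sequence(clone)
    results["original_after_clone"] = gk.check_sequence(original)
    results["clone_after_detection"] = gk.check_sequence(clone)
    return results
```

Note that the clone's first use succeeds; the check only detects duplication when the second copy turns up, which is why the text pairs it with the ability to exclude a compromised identity device and issue a new one.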
  • the gatekeeper 201 needs to know who or what the user is, based on the user ID. Accordingly, the user ID is collected by the input device 410 from the identity device 420 when the user enters their first authentication information. The user ID is then "packaged" before being transferred to the gatekeeper 201. This ensures that the gatekeeper 201 knows who is trying to communicate and, accordingly, what other authentication information to expect.
  • the information transferred between the input device 410 and the gatekeeper 201 is typically encrypted utilising an encryptor Z4.
  • the initiation of communication with the gatekeeper 201 involves the exchange of public keys for use in the encryption.
  • the encryptor Z4 will receive a public key of the gatekeeper 201, allowing this to be used to encrypt information transferred from the input device 410 to the gatekeeper 201.
  • information received from the gatekeeper 201 is encrypted using a suitable public key so that the information can be decrypted by the encryptor Z4 using a key obtained from the secret memory of the identity device 420.
  • this allows the credentials to be encrypted utilising the Z4 encryption key and transferred to the gatekeeper 201 for authentication with a reciprocal process also being performed.
  • at step 960 it is determined if the check has been successful and if not the process fails at step 970. Otherwise at step 980 the input device 410 indicates to the agent to expect a session key for encryptor Z2. At step 990 the gatekeeper 201 generates a session key, before transferring this to the input device 410 via the agent at step 1000.
  • Either one or both of the input device 410 and identity device 420 can optionally indicate the success or otherwise of the authentication using the respective indicators 411A, 426.
  • the agent causes the computer system 204 to prompt the user for second authentication information which the user then supplies via the input device 410 at step 1020. Again, it will be appreciated that the manner in which this is achieved will depend on the nature of the second authentication information, as previously discussed.
  • the input device 410 encrypts the second authentication information using the encryptor Z2 and associated session key.
  • the encrypted second authentication information is sent to the agent at step 1040, which in turn forwards the encrypted second authentication information to the gatekeeper 201 at step 1050.
  • the gatekeeper 201 decrypts the authentication information sent from the input device 410 using the session key generated at step 990, before using the second authentication information to attempt to perform the remote authentication process at step 1070. It will be appreciated that this authentication step typically involves having the gatekeeper 201 compare the received second authentication information to second authentication information stored in the database 211 during the registration process. Accordingly, this operates not only to check that the user is authentic, but also that both the identity device 420 and the input device 410 are functioning as expected, as otherwise the second authentication information received from the input device 410 would be incorrect.
  • if at step 1080 it is determined that the authentication has failed, the process fails at step 1090. Otherwise, at step 1100 the gatekeeper 201 generates secret session information, and forwards this to both the input device 410 and to a gateway 202.
  • the gateway 202 used will depend on the service selected by the user, and hence the applications server 203 to which connection is ultimately required.
  • the input device 410 configures an encryptor Z3 utilising a key contained in the secret session information, obtained from the gatekeeper 201.
  • the gateway 202 uses the same key to allow an equivalent physical or logical encryption process to be provided that complements the key sent to the input device 410 encryptor Z3.
  • the gatekeeper 201 seeks a unique session token from the gateway 202, which in response generates the session token and forwards it to the gatekeeper 201 at step 1150.
  • the gatekeeper 201 then forwards the session token to the input device 410 via computer system 204, with the input device 410 operating to detect a session preamble in the session token at step 1170.
  • the input device 410 indicates to the agent that the encryption status is "on", with this being used by the agent to cause the computer system 204 to display an input device 410 encryption "on" status indication at step 1190.
  • the input device 410 may be provided with an indicator such as an LED or the like, which is activated when the encryption status is "on".
  • the session token may be in any one of a number of forms but may in one example include information that is used to allow communications to be implemented between the computer system 204 and the respective gateway 202. In one example this may be in the form of a URL including an IP address or the like for the gateway 202, but can include any suitable information, such as a script or the like, which can be used by the computer system 204 to allow the connection to be established. In any event, the returned session token must be honoured by the gateway 202 as a valid, expected access instrument, from a validated device.
  • the session token will have a recognisable time dependency set by the gateway 202, and will not be valid outside this period.
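A gateway issuing and honouring a time-limited session token, as an added example (illustrative code, not the patent's or any product's implementation). The token format (a fixed preamble, a JSON body carrying the session identifier, the gateway URL, a nonce and an expiry, and an HMAC-SHA256 tag), the preamble value `PROV1`, the injectable clock and the single-use rule are all assumptions of the example. It shows the properties the text asks for: the token is only honoured if it is the one the gateway issued for that session, it is rejected outside its validity period, and the input device can recognise it by its preamble.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SESSION_PREAMBLE = b"PROV1"  # constructed marker the input device looks for (step 1170)


class Gateway:
    """Constructed model of gateway 202 issuing and honouring session tokens."""

    def __init__(self, token_key: bytes, validity_seconds: int = 120, clock=time.time):
        self._key = token_key            # known only to the gateway
        self._validity = validity_seconds
        self._clock = clock              # injectable for testing
        self._outstanding = {}           # session_id -> nonce we expect to see back

    def issue_token(self, session_id: str, gateway_url: str) -> bytes:
        """Steps 1140 to 1150: the gatekeeper asks for a unique token; the gateway
        binds it to the session, the connection information and an expiry, then
        authenticates it with an HMAC so it cannot be altered in transit."""
        payload = {
            "sid": session_id,
            "url": gateway_url,
            "nonce": secrets.token_hex(8),
            "exp": int(self._clock()) + self._validity,
        }
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        self._outstanding[session_id] = payload["nonce"]
        return b".".join([SESSION_PREAMBLE,
                          base64.urlsafe_b64encode(body),
                          base64.urlsafe_b64encode(tag)])

    def validate_token(self, token: bytes):
        """Called when the launched application presents the token: honour only an
        untampered, unexpired token that this gateway issued and has not yet seen."""
        try:
            preamble, body_b64, tag_b64 = token.split(b".")
            body = base64.urlsafe_b64decode(body_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except ValueError:  # wrong number of parts or bad base64
            return False, "malformed"
        if preamble != SESSION_PREAMBLE:
            return False, "bad preamble"
        expected_tag = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, tag):
            return False, "bad signature"
        payload = json.loads(body)
        if self._clock() > payload["exp"]:
            self._outstanding.pop(payload["sid"], None)
            return False, "expired"
        if self._outstanding.get(payload["sid"]) != payload["nonce"]:
            return False, "not an expected token"
        del self._outstanding[payload["sid"]]  # single use
        return True, payload["url"]


def detect_session_preamble(token: bytes) -> bool:
    """Input device side (step 1170): recognise a token by its preamble so the
    agent can be told that the encryption status is now on."""
    return token.startswith(SESSION_PREAMBLE + b".")
```

The signature check runs before the expiry and bookkeeping checks so that a forged token never touches the outstanding-session table; the expiry check removes a stale entry so the table cannot grow without bound.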
  • the agent launches an application provided on the computer system 204 to allow interaction with the application server 203. In one example, this is Internet web browser, or the like, which is launched using the information provided in the session token, allowing the application to initiate contact with the gateway 202.
  • the application communicates with the gateway 202, allowing the gateway 202 to forward the communication to the application server 203 to allow interaction to proceed at step 1230.
  • the URL is loaded into the Internet browser allowing the browser to access a web page hosted by the application server 203, with this communication being made via the gateway 202.
  • the encryptor Z3 is typically turned off, allowing the input commands supplied via the input device 410 to be interpreted by the applications software. Similarly, if information transferred between the input device 410 and the applications server 203 is not sensitive and does not need to be encrypted, then again the encryptor Z3 can remain turned off.
  • the encryptor Z3 can be activated.
  • inputs made using the input device 410 are encrypted using the encryptor Z3 and transferred to the gateway 202.
  • the gateway 202 decrypts the inputs and transfers these to the application server 203.
  • if the application, for example a web based application, requires industry standard encryption to function with the server application, the computer system 204 may be responsible for encrypting that data and Z3 may be turned off.
  • the software agent may be an adjunct to the computer system 204 application, recognised by that computer system 204 application, and expecting control information to pass to and from both the input device 410 and the computer system 204 application.
  • the identity device 420 can include, for example, updating either the sequence number or executable file, stored in the identity device 420. Failure to update the sequence number or executable file can result in incorrect operation of the identity device 420 the next time the system is used, which can lead to the identity device 420 failing either of the integrity check or the authentication.
  • the identity device 420 may need to remain coupled to the input device 410, at least until the sequence number and executable file are updated, which typically occurs at around the time when the gatekeeper provides the session information at step 1100.
  • the input device 410 can include a lock that physically locks the identity device 420 into the connection 418, thereby ensuring the identity device 420 cannot be removed until the updating is completed as required.
  • this allows the user to establish trust in the input device 410.
  • the user can then launch a browser application on the public terminal and access a web page hosted by the applications server 203.
  • when the user is to access their Internet banking, they are typically required to provide a username and password, which are known only to the bank and the user. Accordingly, in this instance, it is important to ensure that the terminal is unable to intercept, or at least interpret, this information.
  • the terminal may include software that records communications, allowing information such as input usernames and passwords to be subsequently viewed by a third party.
  • when the user is asked to enter their password, the user can turn on the encryptor Z3, in which case the password is encrypted before it is transferred from the input device 410 to the gateway 202. Accordingly, any recording software on the terminal would be unable to decrypt the password, thereby rendering it useless to third parties.
  • the terminal would echo to the screen an indication of a keystroke - but not the keystroke itself.
  • this allows the user to perform secure interactions without the risk of confidential information being intercepted and fraudulently used by third parties.
  • the above described processes utilise the replacement of untrusted input devices with verifiable trusted devices, such as the input device 410 and the identity device 420, which can then be used in an architecture similar to that shown in Figure 2.
  • the process empowers the user to establish a trust relationship between their identity device 420 and the input device 410 using authentication such as a passphrase or the like.
  • the trusted input device then establishes a trust relationship with the gatekeeper 201 via the agent.
  • since the gatekeeper 201 always has a trust relationship with the gateway 202, by virtue of them being implemented and controlled by the same entity, this allows the gatekeeper 201 to establish a trust relationship between the trusted input device 410 and the gateway 202, which again can be invoked following provision of suitable authentication information.
  • since the applications server 203 typically has a trust relationship with the gateway 202, this allows the user to maintain their relationship with the service provider in a manner determined by the service provider.
  • the establishment of trust is performed on the basis of provenance by ensuring that the input device 410, the identity device 420 and the agent are manufactured in such a manner as to allow the user (provenance user) to establish and be satisfied of their provenance.
  • software can be provided that can be used to establish provenance checks & produce reports.
  • the process operates by using a number of different data checks to ensure security is maintained. In particular, this is performed to empower the user to trust the interaction device used in performing the interaction.
  • This empowerment can be achieved by checking the provenance of the interaction device, and by using the data checks to ensure correct operation. In the event that the provenance and operation are confirmed, this allows the user to trust that the interaction device has not been tampered with, or otherwise compromised, and that it meets requirements for secure interaction. Furthermore, by establishing the trust via an independent trusted third party, this allows the user to trust a connection established between the input device and a gateway. This obviates the need to trust the terminal to which the input device is connected, or the applications software installed thereon.
  • the system can be used to prevent unwanted interactions occurring, and can be used to exclude interaction devices that have been compromised, further enhancing the provided security.
  • the process uses a separation of powers between different devices, so that the user can be provided with a portable identity device 420 that can be used in establishing trust in any input device 410.
  • the input device 410 can then be used to allow the user to be authenticated by the gatekeeper 201, thereby separating powers between the input and identity devices 410, 420, so that both devices are required to perform an interaction.
  • the process can provide an identity balance, so that trust is established by users providing user centric security. This involves the user self verifying the input device 410 using the identity device 420.
  • the lost device can simply be excluded from further interaction, and a new identity device 420 provided, thereby maintaining the user's trust.
  • this allows the user to ensure that trust is established between the service provider and the authenticating entity or gatekeeper 201. As a result, the user can absolutely trust that the connection is established with a genuine trusted service provider and not a spoof service provider.
  • the above described process is not generally used to establish the user's identity to the service provider, and this is typically achieved using existing authentication techniques, such as through the use of usernames and passwords or biometric information.
  • This is performed via the gateway 202, so sensitive information transferred from the input device 410 to the service provider can be encrypted, thereby maintaining secrecy of the passwords, biometric information or the like.
  • the trust is established via the gatekeeper 201, which is in turn implemented by the trusted third party.
  • the gatekeeper 201 operates to establish the required trust and then establish a connection between the input device 410 and the gateway 202. Once this is complete, no further intervention by the gatekeeper 201 is required.
  • an agent installed on the terminal to which the input device 410 is connected allows operation of the agent to be verified by the input device 410 without requiring that the applications software provided thereon is secure.
  • the agent also allows routing of data between the input device 410, gatekeeper 201 and gateway 202.
  • the system uses a provenance hierarchy to establish trust between the entities, with the trust being established via the gatekeeper 201.
  • the above described process also uses a combination of hardware and software processes, so that the user can be confident that if their hardware interacts correctly, the interaction will be secure. This avoids issues associated with trust established solely by software processes which can be circumvented by spoofing using software that mimics and/or records the operation of the software process.
  • the term user is intended to cover any one or more individuals, organisations, groups, companies, or the like. In addition to this, however, users can be formed from appropriately configured systems, such as hardware devices. This can be used, for example, in validating a device for use within a system.
  • Software Agent: this is an application that resides on the computer system 204 and which operates to relay communications between the input device 410 and the gatekeeper 201 and gateway 202. The software agent only ever operates based on instructions received from the input device 410.
  • the gatekeepers 201 operate to perform the remote authentication, and therefore store any data required to perform this in the database 211.
  • the remote authentication may include authenticating any one or more of the following:
  • the gatekeepers 201 may also operate to check the provenance of the input and/or identity devices 410, 420, as well as to check the sequence and session numbers. Example operation of the gatekeeper is described in more detail in Appendix B.
  • Gateways 202 operate to provide onward connectivity to applications servers 203.
  • the gateways 202 authenticate to gatekeepers 201, and operate to transfer application opening information to the software agent.
  • the opening information is unique to each user session, so that each time a session is launched, the opening information is updated. Consequently, when a new session is to be commenced, the opening information can be compared to the updated opening information supplied during the previous session. This helps to provide an additional level of security.
  • Connectivity via the gateways 202 can only be activated in response to an encrypted request for user access from a known, trusted gatekeeper 201.
  • the gateway 202 also acts to allow encrypted communications with the input device 410 using session encryption keys received from the gatekeeper 201.
  • Example operation of the gatekeeper 201 is described in more detail in Appendix C.
  • the input device 410 is used to allow the user to provide input commands to the computer system 204, as well as to provide information to the gatekeepers 201 or gateways 202, via the computer system 204.
  • may be connected to a device 204 with an untrusted operating system using any appropriate physical or wireless medium. This includes, but is not limited to, usb, ethernet, 802.11, smartcard, bluetooth and any other proprietary method.
  • may be connected to a device 204 with an untrusted operating system using any appropriate communications method. This includes, but is not limited to, usb methods and wireless methods.
  • only creates a trust relationship with the provenance gatekeeper 201 and provenance gateway 202 after the trust and validation have been established.
  • may have one or more physical keys, displays or indicators associated with the engagement process.
  • the input device 410 may be controlled by a user and includes, but is not limited to, digital or analogue keyboards, handsets, headsets, sensors, readers, scanners, signature pads, smart pens, biometric methods and mobile communications devices (e.g. cell phones, wireless devices).
  • a provenance user may have more than one provenance identity
  • a provenance identity may be associated with a trusted hierarchy
  • the identity device 420 is used to maintain the user's provenance identity, and is used to allow the integrity of the input device 410 to be checked.
  • Features of the identity device include:
  • may transfer data in either unencrypted or encrypted modes.
  • may be, but is not limited to, a usb flash or cellphone device.
  • may be connected to a device 204 with an untrusted operating system using any appropriate physical or wireless medium. This includes, but is not limited to, usb, ethernet, 802.11, bluetooth and any other proprietary method, for the purpose of upgrades when not in session or insecure read-write memory use during session.
  • may be connected to a device 204 with an untrusted operating system using any appropriate communications method. This includes, but is not limited to, usb and ethernet methods or wireless methods.
  • may have one or more physical keys, displays or indicators associated with the engagement process
  • the identity device 420 can be any secure device that contains information pertinent to the user's requirements, including, but not limited to: encryption keys, application server permissions, biometric information and personal information.
  • the identity device 420 normally requires an input device 410 to allow communications with a gatekeeper 201.
  • the identity device 420 is typically constructed in such a manner as to allow proper security protocols with the gatekeeper 201 or gateway 202. In this case the identity device 420 only communicates with a gateway 202 after being given permission through the gatekeeper 201.
  • An example hardware implementation of the system utilising currently available hardware is shown in Figures 11A to 11C.
  • the identity device 420 and input device 410 are formed from respective computer systems implementing executable code to provide the functionality outlined above with respect to Figures 4B and 4C, such as required encryption and control.
  • Required passcodes can be provided on removable media such as USB keys or the like.
  • the computer systems can be connected via a suitable connection, such as an Ethernet connection, or the like.
  • the input device 410 can then be coupled to an untrusted computer system 204 (not shown), via an Ethernet connection, or the like.
  • the gatekeeper 201 can also be formed from a suitably programmed computer system.
  • the gatekeeper is coupled to a provenance database via a private network, such as a LAN or the like, via connections 14.
  • the gatekeeper and database can be coupled to the untrusted computer system 204 via a network connection 12, such as via an Ethernet network.
  • the gatekeeper is also coupled to a gateway 202 via an Ethernet connection 13.
  • the gateway 202 is also formed from a suitably programmed computer system, which is in turn coupled to a merchant application implemented on a further computer system 203, via an Ethernet connection.
  • the gatekeeper 201 is a device that manages the connection between the remote terminal 204 and the gateway 202.
  • the gatekeeper 201 is a secure device, with all data files on the device encrypted and secured.
  • the gatekeeper 201 is typically a computer server or cluster of computer servers that facilitate the purposeful allowance of communications between remote users and a secure gateway 202 or cluster of secure gateways 202.
  • a single gatekeeper 201 may consist of one or more of the following combinations: a single CPU, multiple CPUs, multiple motherboards with single CPUs, and multiple motherboards with multiple CPUs.
  • the gatekeeper 201 model is scalable both in the following terms:
  • the gatekeeper 201 can consist of a single operating system or a host operating system with multiple virtual guest operating systems. Physical security is typically maintained by combining physical mechanisms and logical processes.
  • the gatekeeper 201 typically has four or more communications ports used for the following purposes:
  • a gateway 202 port through which secure communications with the gateway 202 are directed and maintained. Although multiple gateways 202 in the same gateway 202 cluster may be contacted, there is only ever one gateway 202 port. This suggests the use of a load balancing mechanism.
  • Provenance port through which the gatekeeper 201 receives software updates, maintains audit processes and maintains communications in order to allow registration checks to take place.
  • a gatekeeper 201 will have a port or ports dedicated to maintaining communications with other gatekeeper 201 cluster members.
  • the gatekeeper 201 may also be maintained from an industry standard console consisting of an external keyboard, pointing device and a monitor.
  • An example of a single motherboard model gatekeeper 201 is shown in Figure 10A.
  • the gatekeeper 201 includes a network I/O 1000, coupled to a monitor 1001, a keyboard 1002 and a pointer device 1003, such as a mouse.
  • the network I/O is coupled via a bus 1004 to a computer controller 1005.
  • five network encryptors 1010, 1011, 1012, 1013, 1014 are also provided for encrypting communications via the communications ports described above, thereby allowing encrypted communication with remote users, application gateways 202, the provenance network and management, via one or more physical, logical or virtual networks.
  • the single motherboard model gatekeeper 201 typically uses either hardware or software encryption onto the data bus 1004.
  • the network encryptors 1010, 1011, 1012, 1013, 1014 are controlled by the control computer 1005, allowing encryption to be performed using a different key on each port.
  • the network encryptors 1010, 1011, 1012, 1013, 1014 may be separate computer systems in their own right or a dedicated encryptor engine (hardware or software), controlled by the control computer 1005.
  • the gatekeeper 201 is normally an exclusive device that will only pair with one gateway system 202. However, in some circumstances, the gatekeeper 201 may associate with more than one gateway 202 system.
  • An example of a multiple motherboard gatekeeper 201 is shown in Figure 10B.
  • the gatekeeper 201 includes multiple motherboards that are mounted in the same chassis providing physical isolation between gatekeeper 201 processes.
  • the system includes a control board 1020, and four encryptor motherboards 1021, 1022, 1023, 1024.
  • each motherboard operates a separate process, with the control board 1020 providing connectivity to the monitor 1001, keyboard 1002 and pointer device 1003.
  • the control board 1020 uses a KVM or the like to allow local console access to each motherboard.
  • An example of a virtual motherboard model gatekeeper 201 is shown in Figure 10C.
  • the gatekeeper 201 includes a host server 1030 capable of implementing a number of virtual machines, with four shown at 1031, 1032, 1033, 1034 in this example.
  • the virtual machines 1031, 1032, 1033, 1034 are generated by an application running on the host server 1030. Their configuration is derived from encrypted files stored on the host server 1030, with the host server 1030 only being accessible from the console.
  • the gatekeeper 201 typically maintains software processes such as:
  • the gatekeeper 201 can be a single server or a cluster of servers. These servers may be located in a single place or, in the case of a cluster of servers, they may be geographically dispersed in a building, city, country or global configuration. A collection of geographically distributed servers will hereinafter be referred to as a geograsp of servers. In the case of a geograsp of servers, load sharing (balancing) is maintained by a cluster synchronisation method. Geograsps already exist in many forms, and are typically Domain Name Services (DNS) or virtual IP based. In this example, the system will accommodate redirection of gatekeeper 201 requests using IPv4 and/or IPv6. The terminal device will be prepared to accept redirection commands via the network. Where a geograsp exists, any gatekeeper 201 within that geograsp will be prepared, via a private network dedicated to that geograsp, to respond to a terminal's request for authentication.
  • DNS Domain Name Services
  • the terminal initiates the requirement, and the first point of external contact is the gatekeeper 201, the details of which are stored in the service information held on the identity device 420.
  • should the gatekeeper 201 be a member of a geograsp, that gatekeeper 201 has the ability to modify the first contact information stored in the input device 410.
  • should this first point of contact in the geograsp be non-operational, the other points of contact stored in the identity device 420 are contacted.
  • the geograsp synchronises its database over its own private network.
  • the gatekeepers 201 are also used for user registrations. Registration is the process by which a user enables their identity device 420 with the gatekeeper 201. This registration process occurs in the following manner:
  • the identity device 420 already contains the information necessary to register the user.
  • the input device 410 already contains the information necessary to be registered.
  • Continuance: the provenance hierarchy (the governance authority) will always maintain identity device 420 and input device 410 registration should the manufacturer of the device cease to honour the registration process.
    ◦ Should the initial registration information become corrupted, the information for both the input device 410 and the identity device 420 can be reconstructed from the public storage in the identity device 420.
  • An input device 410 cannot be registered without an identity device 420.
    ◦ Whenever a device is used for the first time, it cannot be used until registration is completed. The device will continue to prompt until registration is successful.
  • the identity device 420 is coupled with the input device 410 and the identity device is registered first. This registration is not complete until the input device 410 has also been registered, during the same session, and the registrant's identity device 420 information has been stored in the input device 410.
  • Receive a unique file from the web site via email
  • the input device 410 will only function as an input device 410 in concert with an identity device 420, and the identity device 420 likewise only functions in concert with an input device 410.
  • Input devices 410 are only ever registered with their manufacturer's respective gatekeeper 201. An association between the input device 410 and the registering identity device 420 is stored in this gatekeeper 201.
  • the unique service file is loaded into the public storage area of the identity device 420 using a public port on the terminal.
  • the identity device 420 is then removed from the public port and coupled with the input device 410.
  • the public port and provenance port of the identity device 420 may be physically the same port, or they may be different physical ports.
  • the identity device 420 cannot work with both interfaces simultaneously; attempting to do so may corrupt the device.
    ◦ After user authentication, the input device 410 downloads the unique service file and "Services" from the identity device 420, "reconstructs" the "Services" file and returns the new form of the "Services" file to the identity device 420.
  • the gatekeeper 201 "listens" on an appropriate communications port of the communications networks for valid identity registrants requiring access to a gateway 202.
  • the gatekeeper 201, having received a request, responds, allowing the remote terminal communications to check provenance.
  • the gatekeeper 201 checks the provenance of the user, identity device 420 and input device 410 in the following manner:
  • the user has been identified to the gatekeeper 201 during the service registration process.
  • the real user identity is only known to the registrant. In the case of a corporate user, it makes sense for the corporation to know the real identity of the user.
  • the identity device 420: if not already registered in the gatekeeper 201 database, the gatekeeper 201 contacts the manufacturer's database and establishes the provenance of the identity device 420 from the data supplied via the input device 410.
  • the input device 410: if not already registered in the gatekeeper 201 database, the gatekeeper 201 contacts the manufacturer's database and establishes the provenance of the input device 410 from the data supplied by the input device 410.
  • An input device 410 cannot contact the gatekeeper 201 without being conjoined with an identity device 420.
  • the gatekeeper 201 requests the gateway 202 to allow a new session directly between the input device 410 and the gateway 202.
    ◦ If the gateway 202 allows the request, the gatekeeper 201 passes a unique data string, described in more detail in Appendix C, to the input device 410.
    ◦ Having established provenance, the gatekeeper 201 passes the unique data string received from the gateway 202 to the input device 410.
  • the gatekeeper 201 then retires from the process. If the input device 410 fails to communicate with the gateway 202, communications may cease and the process may restart.
    ◦ The gatekeeper 201 maintains a watch on the link between the terminal and the gateway 202 in the following manner: having delivered the required information from the gateway 202 to the input device 410, it awaits either a "connection established" signal from the gateway 202 or a "connection cannot be established" signal from the input device 410.
Appendix C
  • the gateway 202 is a device that facilitates communications between the terminal and the applications server 203.
  • the gateway 202 is a secure device. All data files on the device are encrypted and secure.
  • the gateway 202 is a computer server or cluster of computer servers that share a common purpose: to allow, in a deliberate and controlled way, communications between terminals 204 and applications servers 203.
  • a single gateway 202 can have a single CPU, multiple CPUs, multiple motherboards with single CPUs, or multiple motherboards with multiple CPUs. These hardware devices may be capable of virtualisation of unique operating systems.
  • the gateway 202 model is scalable in the following terms:
  • the gateway 202 can consist of a single operating system or a home (host) operating system running multiple virtual, orthogonal operating systems.
  • Physical security is maintained by combining physical mechanisms and logical processes.
  • the gateway 202 typically has four or more communications ports for the following purposes:
    ◦ External port(s), through which communications to the remote user systems are directed. The number of external ports in place depends on the system requirements.
    ◦ The gatekeeper 201 port, through which secure communications with the gatekeeper 201 are directed. Over this port the gateway 202 also receives software updates, maintains audit processes and maintains the communications that allow registration checks to take place.
    ◦ Application server port(s), through which the gateway 202 communicates with the application server. There may be more than one application server port.
    ◦ Optionally, a port dedicated to maintaining communications with other cluster members.
  • the gateway 202 may also be maintained from an industry standard console consisting of an external keyboard, pointing device and a monitor.
  • the gateway 202 typically maintains software processes such as:
  • the gateway 202 typically performs the following functions:
  • the gateway 202 can only be upgraded, commissioned or provenanced via a gatekeeper 201.
  • the gateway 202 facilitates communications between the applications server 203 and the terminal 204. Direct communication with the applications server 203 is not possible. Communication between the terminal 204 and the gateway 202 is controlled by the gatekeeper 201.
  • the gateway 202 maintains constant communications with the gatekeeper 201.
  • When the gatekeeper 201 signals the gateway 202 that a new gateway 202 session is required, the same encryption key is sent from the gatekeeper 201 to both the input device 410 and the gateway 202. The gateway 202 in return generates a unique access key, which is relayed via the gatekeeper 201 to the input device 410.
  • the gateway 202 is now in a position to expect communications from one particular input device 410, presenting the unique access key and encrypted under the unique encryption key.
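The provenance check, key brokering and link watch described in the gatekeeper bullets above (from the gatekeeper "listening" for registrants through to the gateway expecting a known access key under the shared encryption key) as one added example. This is a constructed illustration, not code from the patent: the message shapes, the manufacturer database contents, the serial numbers and the use of an HMAC over the access key as a stand-in for traffic encrypted under the shared key are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed manufacturer provenance records (assumption): which serials exist.
MANUFACTURER_DB = {
    "identity": {"ID-0001", "ID-0002"},
    "input": {"IN-0001"},
}


def make_proof(enc_key, access_key):
    """Stand-in for the first message encrypted under the shared key (assumption)."""
    return hmac.new(enc_key, access_key.encode(), hashlib.sha256).digest()


class Gateway:
    """Gateway 202: admits only sessions the gatekeeper announced beforehand."""

    def __init__(self):
        self._expected = {}    # access key -> (input device serial, encryption key)
        self.established = []  # input device serials with an open session

    def allow_session(self, input_serial, enc_key):
        """Gatekeeper signals a new session and hands over the shared encryption
        key; the gateway answers with a fresh, unique access key."""
        access_key = secrets.token_hex(16)
        self._expected[access_key] = (input_serial, enc_key)
        return access_key

    def open(self, access_key, input_serial, proof):
        """First direct message from the input device: the access key must be one
        we were told to expect, from that device, proven under that device's key."""
        expected = self._expected.get(access_key)
        if expected is None or expected[0] != input_serial:
            return False
        if not hmac.compare_digest(proof, make_proof(expected[1], access_key)):
            return False
        del self._expected[access_key]   # one shot: a captured opener cannot be replayed
        self.established.append(input_serial)
        return True


class Gatekeeper:
    """Gatekeeper 201: checks provenance, brokers the keys, then watches the link."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.registered = {"identity": set(), "input": set()}  # local database
        self.pending = {}   # input serial -> access key awaiting a link signal
        self.log = []

    def _provenance(self, kind, serial):
        """Local database first, then the manufacturer's database; cache a hit."""
        if serial in self.registered[kind]:
            return True
        if serial in MANUFACTURER_DB[kind]:
            self.registered[kind].add(serial)
            return True
        return False

    def request_session(self, request):
        """Returns the encryption key and access key for the input device, or
        None if the request is refused."""
        if "identity" not in request:   # an input device must be conjoined with an identity device
            self.log.append("refused: no identity device")
            return None
        if not (self._provenance("identity", request["identity"])
                and self._provenance("input", request["input"])):
            self.log.append("refused: provenance not established")
            return None
        enc_key = secrets.token_bytes(32)   # the same key goes to both sides
        access_key = self.gateway.allow_session(request["input"], enc_key)
        self.pending[request["input"]] = access_key
        return {"enc_key": enc_key, "access_key": access_key}

    def signal(self, input_serial, status):
        """'connection established' (from the gateway) or 'connection cannot be
        established' (from the input device) ends the gatekeeper's watch."""
        self.pending.pop(input_serial, None)
        self.log.append(f"{input_serial}: {status}")


def connect(input_serial, identity_serial, gatekeeper, gateway):
    """Input device 410 side: obtain the keys from the gatekeeper, then open the
    session directly with the gateway and report the outcome."""
    request = {"input": input_serial}
    if identity_serial is not None:
        request["identity"] = identity_serial
    keys = gatekeeper.request_session(request)
    if keys is None:
        return False
    ok = gateway.open(keys["access_key"], input_serial,
                      make_proof(keys["enc_key"], keys["access_key"]))
    # In deployment the gateway itself raises the "established" signal; both
    # outcomes are reported from one place here for brevity.
    gatekeeper.signal(input_serial, "connection established" if ok
                      else "connection cannot be established")
    return ok
```

The two properties worth checking are that the gateway never accepts an opener it was not told about (no access key, wrong device, wrong key) and that a successful opener is consumed, so a captured copy cannot be replayed; both follow from the gateway holding its expectations keyed by the access key and deleting the entry on success.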
  • one implementation of the gateway 202 is as a single operating system server, typically based on IP sockets. Another implementation involves the "base" server "popping" (generating) virtual machines as required.
  • Popping virtual machines involves the following:
    ◦ When the gateway 202 receives a request for a session from the gatekeeper 201, the gateway
  • this unique access key will involve a unique IP number
  • this unique access key will involve Network Address
  • the identity device 420 contains the following data:
    1) Secret information
       a) sequence number: rewritten each time the identity device 420 is used
       b) user registration information (user identity)
       c) private key of the identity device 420
       d) encryption code sheet
       e) other registration information
    2) Public information
       a) encrypted executable to download to and run on the input device 410: rewritten each time the identity device 420 is used
       b) public key of the manufacturer: may be periodically rewritten as required
       c) public key of the service: rewritten each time the identity device 420 is used
       d) provenance information in cleartext (ROM), fixed
       e) other registration information
  • the input device 410 contains the following data:
  • the process for authenticating is as follows:
    ◦ When the input device 410 and identity device 420 are first "coupled" (joined by a communications method) and mutual provenance has been established using the public provenance information, the input device 410 can accept a user passphrase.
  • the algorithm (or part thereof) to establish this base level of provenance is always present in the input device 410, and may also be present in the identity device 420 if the identity device 420 has a CPU and an encryptor. (The term encryptor always refers to a process that can both encrypt and decrypt.)
  • the input device 410 downloads the encrypted executable (unique to every session), the public provenance and public keys for the manufacturer (normally fixed) and the service list from the identity device 420.
  • the encrypted executable was created and stored during the last successful logon interchange with the gatekeeper 201.
  • the input device 410 uses a new service public key generated by the gatekeeper 201.
  • the encrypted executable can be downloaded in full from the gatekeeper 201 together with the new service public key, sequence number and other secret data, or it can be constructed from these parameters by the program in the input device 410.
  • the encrypted executable and public key for the service changes with every successful authentication between the gatekeeper 201 and (any) input device 410/identity device 420.
  • the input device 410 passes this information on to be stored in the identity device 420 and retains no knowledge or copy of the encrypted executable and the service public key.
  • the identity device 420 encrypted executable, sequence number and service public key are "re-encrypted" after successful authentication of the input device 410/identity device 420 provenance and user passphrase #2 by the gatekeeper 201. This happens every time a service is used.
  • the identity device 420 stores a different encrypted executable, sequence number and public key of service for each service.
  • the input device 410 is programmed to decrypt the identity device 420 executable code using a key concocted from the user passphrase, the identity device 420 sequence number, the identity device 420 manufacturer public key and the input device 410 provenance information.
  • The executable code is written differently for each service. Consequently, cracking the encryption key for one service does not expose the other services stored in the identity device 420.
  • When the encrypted executable contained in the identity device 420 is downloaded to the input device 410 and decrypted, it is used by the input device 410 to unlock the secret memory in the identity device 420.
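The key derivation, per-service isolation and post-logon re-encryption described in the bullets above, as an added example that is not the patent's own code. The text names the key's inputs (user passphrase, identity device sequence number, manufacturer public key, input device provenance) and says the executable is re-encrypted after every successful logon, but fixes no algorithm; PBKDF2-HMAC-SHA256 as the derivation, an HMAC-SHA256 keystream with encrypt-then-MAC as the stand-in cipher, the public-area layout and every sample value below are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # assumption: the text names the key's inputs, not the KDF


def derive_key(passphrase, sequence_number, manufacturer_pubkey, provenance, service):
    """Key 'concocted' from the inputs the text names: the user passphrase, the
    identity device sequence number, the manufacturer public key and the input
    device provenance information. The service name is mixed in as well so that
    each service's executable sits under an independent key. PBKDF2-HMAC-SHA256
    is an assumption, chosen because one of the inputs is a human passphrase."""
    salt = b"|".join([sequence_number.to_bytes(8, "big"),
                      manufacturer_pubkey, provenance, service.encode()])
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ROUNDS, dklen=32)


def _keystream(key, nonce, length):
    """HMAC-SHA256 run in counter mode; a stand-in for a real cipher (assumption)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Returns the plaintext, or None when the tag fails (wrong key or tampering)."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class IdentityDevice:
    """Public storage of an identity device 420, one entry per service (constructed layout)."""

    def __init__(self, manufacturer_pubkey):
        self.manufacturer_pubkey = manufacturer_pubkey   # public, normally fixed
        self.services = {}   # service -> {"sequence": int, "executable": sealed blob}

    def store(self, service, sequence, sealed_executable):
        self.services[service] = {"sequence": sequence, "executable": sealed_executable}


def unlock_executable(identity, input_provenance, passphrase, service):
    """Input device 410 side: rebuild the key for this service and decrypt the
    executable it will use to unlock the identity device's secret memory."""
    entry = identity.services.get(service)
    if entry is None:
        return None
    key = derive_key(passphrase, entry["sequence"], identity.manufacturer_pubkey,
                     input_provenance, service)
    return unseal(key, entry["executable"])


def rotate_after_auth(identity, input_provenance, passphrase, service,
                      new_sequence, new_executable):
    """After a successful logon the gatekeeper issues a new sequence number and
    executable for the service. The input device seals them under the key the
    new sequence number yields, hands the result to the identity device and
    keeps no copy of its own."""
    key = derive_key(passphrase, new_sequence, identity.manufacturer_pubkey,
                     input_provenance, service)
    identity.store(service, new_sequence, seal(key, new_executable))
```

Because the sequence number is an input to the key and is rewritten after every successful logon, the blob written back by rotate_after_auth is unreadable under the previous key, and because the service name is salted in, a key recovered for one service says nothing about the blob stored for another. A deployment would replace the HMAC keystream with an AEAD such as AES-GCM; the derivation inputs are the part the text specifies.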
  • a mutually exclusive split-key system between the input device 410 and the identity device 420 may be used for certain services. The user sets such a service to be allowed only when this one particular identity device 420 is paired with specified input devices 410. This is used if the user wants to restrict the use of a particular identity device 420 to certain input devices 410.
  • Two or more identity devices 420 may be required to access some services.
  • the input device 410 may have to accommodate more than one identity device 420.
  • the public key for the input and identity devices 410, 420 is established at provenance and can only be reset by resetting the respective input and identity devices 410, 420 with their respective "home" (manufacturer's) provenance gatekeepers 201.
  • Each gatekeeper 201 may keep different records for each individual registrant. Each gatekeeper 201 typically only contains the "details" of registrants, and these details are only of interest to the registrant. The gatekeeper 201 does not need to know the proper identity of the registrant. Registration details should not be shared amongst gatekeepers 201.
  • the identity device 420 must store the appropriate data in a secure manner for every gatekeeper 201 with which it has registered.
  • The gatekeeper 201 must be able to communicate with a manufacturer's database in order to establish input device 410 provenance, allowing registration of that input device 410.
  • the software agent accommodating the interchange between the input device 410 and the gatekeeper 201 takes no part in decoding; it merely passes the data traffic between the input device 410 and the gatekeeper 201 via the untrusted device 204.
  • Initial registration with a gatekeeper 201 may involve the identity device 420 provenance, the software agent, and some third-party "return to user" communications method (SMS, email, a special website using HTTPS, etc.) that gives the user a special permission to create an account on that gatekeeper 201 system.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method of establishing a secure interaction, in which an input device performs a first verification operation using first information intended to verify its own integrity, supplies second information originating from a user to a gatekeeper which, in response to this second information, performs an authentication and, if this authentication succeeds, establishes a communication between the input device and the provider, and communicates with the provider in accordance with the user input, thereby establishing a secure interaction.
PCT/AU2008/000037 2007-01-18 2008-01-15 Interaction process Ceased WO2008086567A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2008207334A AU2008207334A1 (en) 2007-01-18 2008-01-15 Interaction process

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2007900241A AU2007900241A0 (en) 2007-01-18 Interaction process
AU2007900241 2007-01-18

Publications (1)

Publication Number Publication Date
WO2008086567A1 true WO2008086567A1 (fr) 2008-07-24

Family

ID=39635574

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2008/000037 Ceased WO2008086567A1 (fr) 2007-01-18 2008-01-15 Interaction process

Country Status (2)

Country Link
AU (1) AU2008207334A1 (fr)
WO (1) WO2008086567A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000054126A1 (fr) * 1999-03-05 2000-09-14 Hewlett-Packard Company Smart card user interface for a secure computing platform
WO2002017048A2 (fr) * 2000-08-18 2002-02-28 Hewlett-Packard Company Secure device
US20040123133A1 (en) * 2002-12-24 2004-06-24 Difalco Robert A. Environment integrity assured transactions
WO2004114048A2 (fr) * 2003-06-24 2004-12-29 Nokia Inc. Apparatus, system, method and computer program for implementing remote client integrity verification
US20060294380A1 (en) * 2005-06-28 2006-12-28 Selim Aissi Mechanism to evaluate a token enabled computer system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110771185A (zh) * 2017-06-19 2020-02-07 Orange Method for identifying the operator of a transmitted frame and for checking operator membership, communication device and communication gateway
CN110771185B (zh) * 2017-06-19 2023-03-24 Orange Method for identifying the operator of a transmitted frame and for checking operator membership, communication device and communication gateway
US20230045486A1 (en) * 2019-12-13 2023-02-09 Iothic Ltd Apparatus and Methods for Encrypted Communication

Also Published As

Publication number Publication date
AU2008207334A1 (en) 2008-07-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08700335

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2008207334

Country of ref document: AU

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2008207334

Country of ref document: AU

Date of ref document: 20080115

Kind code of ref document: A

122 Ep: pct application non-entry in european phase

Ref document number: 08700335

Country of ref document: EP

Kind code of ref document: A1