[go: up one dir, main page]

WO2022071789A1 - Socket association for transfer of socket authentication status - Google Patents

Socket association for transfer of socket authentication status Download PDF

Info

Publication number
WO2022071789A1
WO2022071789A1 PCT/MY2020/050157 MY2020050157W WO2022071789A1 WO 2022071789 A1 WO2022071789 A1 WO 2022071789A1 MY 2020050157 W MY2020050157 W MY 2020050157W WO 2022071789 A1 WO2022071789 A1 WO 2022071789A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
action
challenge
user
response
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/MY2020/050157
Other languages
French (fr)
Inventor
Alwyn Goh
Kang Siong Ng
Kay Win LEE
Muhammad 'Azim MOHD HISHAM
Jessie Richard LEOW
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mimos Bhd
Original Assignee
Mimos Bhd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mimos Bhd filed Critical Mimos Bhd
Publication of WO2022071789A1 publication Critical patent/WO2022071789A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • the present invention relates to a system and method to provide socket association for transfer of socket authentication status.
  • the present invention relates to a system and method to provide association for transfer of socket authentication status via a client-to-server session with corresponding handler in high-assurance authentication session with pronounce authentication client with user credential.
  • United States Patent No. US 8256664 B1 (hereinafter referred to as the US 664 B1 Patent) entitled “Out-of band Authentication of Browser Sessions” having a filing date of 9 April 2010 (Applicant: Google LLC) relates to systems and methods for providing an authentication for secure access to websites without having to enter login information.
  • a first device may request an access to user information from a server system and thereafter the server system generates a session ID, associate it with the first device, and encode it into a bar code that is displayed at the first device.
  • a second client device may identify and decode the bar code to determine the session ID and transmit to the server system.
  • the server may identify the first client device based on the common session ID and transmit the requested user information to the first device.
  • United States Patent No. US 9003506 B2 (hereinafter referred to as the US 506 B2 Patent) entitled “Mobile Out-of-band Authentication Service” having a filing date of 16 December 2010 (Applicant: SAP PE) relates to an authentication of an application session at a client machine by using authentication values and user-identification values that are received from a mobile communication device. Further, the US 506 B2 Patent discloses that the mobile communication device provides an out-of-band channel for validating the session and enables secure authentication for a variety of applications.
  • US 404 B2 Patent entitled “Out of Band Authentication with User Device” having a filing date of 5 April 2016 (Applicant: Visa International Service Association) relates to systems and methods for conducting an out-of-band authentication process that utilizes minimal user input.
  • US 404 B2 provides that a server computer can receive an authentication request from a first user device associated with a user and subsequently the server computer send a first signal to a second user device associated with the user. Further, the US 404 B2 Patent discloses that the server computer can receive a second signal from the second user device, wherein the second signal is generated based on reading the first signal. Thereafter, the server computer can determine whether the first signal and the second signal match so that to authenticate the user.
  • United States Patent No. US 10432623 B2 (hereinafter referred to as the US 623 B2 Patent) entitled “Companion Out-of-band Authentication” having a filing date of 16 December 2016 (Applicant: Plantronics Inc.) relates to methods and apparatuses for authenticating a user by establishing a first wireless communication link between a headset and a first computing device and a second wireless communication link concurrent with the first wireless communication link between the headset and a second computing device. Further, the US 623 B2 discloses that a user authentication request is received at the first computing device from a secure system and is transmitted from the first computing device to the headset. Thereafter, an authentication response is transmitted to the secure system utilizing the second computing device and the second wireless communication link.
  • the present invention relates to a system and method to provide socket association for transfer of socket authentication status.
  • the present invention relates to a system and method to provide association for transfer of socket authentication status via a client-to-server session with corresponding handler in high-assurance authentication session with pronounce authentication client with user credential.
  • One aspect of the invention provides a method (200) for authentication of a first socket, S1 through an authentication status of a second socket, S2 as representative of particular user.
  • the method comprising steps of performing prior establishment through S1 which requires authentication of the particular user undertaken external to itself, such requirement presented as a service and a cryptographic challenge to any and all S2 instance (202); performing a subsequent establishment through S2 which provides for authentication of the particular user, with successful outcome of such provision presented as service and cryptographic response to corresponding S1 instance (204); and associating the authentication of S2 to authenticate S1 (206); and enabling an initial user registration process and subsequent user authentication process.
  • the step of performing prior establishment through S1 which requires authentication of the particular user undertaken external to itself such requirement presented as a service and a cryptographic challenge to any and all S2 instance (202) further comprises steps of undertaking client-server connection by S1 with service client, C1 instance as presumed either incapable of or not sufficiently trustworthy for execution of user authentication and corresponding server-side first handler, H1 instance (208); undertaking client-server connection by S2 with authentication client, C2 instance, as both capable of and trusted with execution of user authentication and corresponding server-side second handler, H2 instance (210); undertaking authentication request-response and cryptographic challenge-response interactions by H1 and H2 through a server-side handler-to-handler, H2H mechanism as enables handler read and write operations, as presumed secure and exclusive to handler instances (212); undertaking an authentication challenge-response interaction between first web-socket, WS1 and second web-socket, WS2 (214); and undertaking a registration interaction between WS1 and WS2
  • Another aspect of the invention provides that undertaking an authentication challengeresponse interaction between WS1 and WS2 (214).
  • the method comprising steps of first action of C1 request in response to an initiating action by the particular user to a server hosting user authentication service (302) resulting in creation of H1 instance to handle presently established S1 instance; second action of H1 computation and association with a unique first socket identifier, ID1 (304) as presumed secure and exclusive to handler instances and cryptographic challenge token as request for the authentication service; third action of H1 transmission on S1 to C1 of challenge token and consequent write to H2H of new record comprising particular ID1 and challenge valuations (306); fourth action of C1 representation of challenge token in form amenable to user action and such action resulting in transmission of a particular challenge valuation to C2 instance (308), as previously associated with particular user, on client-to-client, C2C connection, as presumed localised to particular client instances and out-of-band, OOB with respect to S1 ; fifth action of C2 request to the server hosting user authentication
  • a further aspect of the invention provides that undertaking mutual authentication based on consequent interaction of C2 and H2, with C2 undertaking action with a user-associted credential and H2 undertaking corresponding action with a server-associated credential (312) comprising steps of C2 and H2 execution of elliptic curve cryptographic, ECC authenticated key establishment AKE interaction; with C2 instance as associated with the particular user characterised by public-key, PK certificate comprising at least UID and PK valuation as signed and issued by particular trusted third party, TTP server; H2 instance as associated with particular service likewise characterised by PK certificate comprising at least server ID, SID and PK valuation as issued by corresponding TTP server; C2 capability for user-specific private-key, sk computation, as corresponds to public-key, PK in issued certificate; such that sk valuation exists only within temporal limitation of AKE interaction; sk computations are undertaken only within spatial limitation of C2 interior; AKE and other cryptographic outcomes are encrypted so as to be accessible only within spatial limitation of H2 interior as character
  • Still another aspect of the invention provides that undertaking mutual authentication based on consequent interaction of C2 and H2 (312) further comprising of C2 and H2 execution of ECC computations for identity, ID based AKE interaction; with C2 instance, as associated with particular user uniquely characterised by DID valuation as user credential; and correspondingly H2 instance, as associated with particular service likewise characterised by SID valuation as server credential.
  • Yet another aspect of the invention provides that C2 and H2 execution of ECC computations for ID based on AKE interaction comprising steps of first action of H2 transmission of request to C2 to initiate AKE interaction (402); second action of C2 computation and transmission of challenge to H2 (404); third action of H2 computation of response to C2 challenge and of reciprocal challenge to C2 (406) and then transmission of SID certificate, response and challenge to C2; fourth action of C2 verification of H2 response to previously issued challenge on such verification outcome computation of response to H2 challenge (408) and then transmission of UID certificate and response to H2; fifth action of H2 verification of C2 response to previously issued challenge (410); and sixth action of H2 on correct verification outcome, extraction of UID valuation from received certificate and addition of such valuation to corresponding H2H record (412).
  • Another aspect of the invention provides that undertaking authentication request-response and cryptographic challenge-response interactions by H1 and H2 (212) comprising steps of undertaking initiation by H1 (502) comprising ID1 computation as unique output of zero knowledge, ZK cryptographic integration of inputs, at least inclusive of the time of S1 establishment; and challenge token computation as ZK integration of inputs, at least inclusive of ID1 and time of challenge initiation; undertaking reciprocation by H2 (504); comprising ID2 computation as unique output of ZK integration of inputs, at least inclusive of the time of S2 establishment; and response token computation as ZK integration of inputs, at least inclusive of ID2 and challenge token valuation; and undertaking assessment of present H2 response to prior H1 challenge by H1 through equivalent ZK integration of inputs (506) and subsequent comparison of such computation outcome to H2H retrieval of such H2 response.
  • a further aspect of the invention provides that undertaking cryptographic challenge-response interaction by H1 and H2 (212) further comprising cryptographic key derivation function, KDF for ZK integration of inputs inclusive of without limitation such derivation as outcome of hash message authentication code, HMAC; and interaction-specific and pairwise-specific authentication key as KDF integration of inputs, at least inclusive of ID1 and ID2, and additionally master secret-key, msk such that msk valuation and computations are undertaken only within spatial limitation of H2H mechanism as exemplified by hardware security module, HSM as accessible only within H2H mechanism.
  • cryptographic key derivation function KDF for ZK integration of inputs further comprising steps of H2 computation for response token (602) comprising H2 call to HSM with ID1 and ID2 as inputs; HSM computation for interaction-specific authentication key as KDF integration of ID1 , ID2 and internalised msk; HSM return to H2 of authentication key as output (604) as enables H2 computation of response valuation as KDF integration of challenge valuation and authentication key; and H1 assessment of response token (606) comprising equivalent KDF integration of inputs and subsequent comparison of such computation outcome to H2H retrieval of H2 response.
  • Yet another aspect of the invention provides that undertaking a registration interaction by WS1 and WS2 (216) subject to physical and interaction security measures comprising steps of first action of C1 request in response to initiating action by particular user to server hosting user registration service (702) resulting in creation of H1 instance to handle presently established S1 instance and consequent registration actions on C1 comprising submission of machine-readable physical ID credential within spatial limitation of C1 ; verification of user ownership of ID credential through authentication of biometric test data measured against reference originating from ID credential, likewise within spatial limitation of C1 ; extraction of UID information through read of ID credential; and validation of UID information with TTP deemed sufficiently authoritative with C1 subject to security measures to protect against unauthorised registration; second action of H1 computation of ID1 and challenge token (704) as equivalent to authentication case; third action of H1 transmission on S1 to C1 of challenge token and consequent write to H2H of new record comprising particular ID1 , challenge and UID valuations (706); fourth action of C1 representation of challenge token and subsequent transmission to C2 instance (
  • Another aspect of the invention provides that undertaking a registration interaction by WS1 and WS2 (216) further comprises steps of submission of request to undertake authenticated transaction on third-party service with correct outcome therefor enabling H1 access to user- associated UID information inclusive of without limitation funds transfer from bank account of particular user to account of registration service provider with such third-party service provider deemed sufficiently trustworthy and authoritative; submission of additional UID information inclusive of without limitation national ID or passport information as generally excluded in such third-party transaction; verification of user ownership of third-party account via authentication service of third-party provider with correct outcome resulting in transaction to account of registration provider hosted on third-party server; extraction of UID information from particular transaction; validation of such UID information with external TTP deemed sufficiently authoritative; confirmation of additional UID information with such external TTP; and preparation of all UID information into form suitable for CSR computation.
  • Still another aspect of the invention provides that enabling an initial user registration process and subsequent user authentication processes (207) comprises steps of C1 as exemplified without limitation by web-browser operating on kiosk computing platform comprising reader device for physical ID credential; biometric device for input of user biometric data; and physical and interaction security measures to protect against unauthorised registration;
  • C2 as exemplified equivalently to authentication case as undertakes initial CSR submission and consequent certificate receipt;
  • H1 and H2 as WS applications as respectively accessible to C1 request of registration service on first WS1 and to C2 response of registration outcome on second WS2 as both hosted on registration server at their respective application locations;
  • H2H as exemplified equivalently and as enables H1 and H2 to undertake creation, modification and deletion of a particular record as corresponds to particular registration request-response interaction;
  • C2C as subject to location of C1 instance with use case of interest being C1 and C2 on different computing devices; as exemplified without limitation by: CSC as optical channel with C1
  • Yet another aspect of the invention provides that performing action of client C2 undertaking user registration with server handler H2 (720) further comprising C2 instance as associated with particular user characterised by presently computed certificate signing request, CSR comprising at least UID and PK valuation as presently signed by user-specific sk corresponding to particular PK; with UID establishment form particular process for user ID verification and validation as deemed sufficiently trustworthy and authoritative; such that H2 assessment of interaction correctness enables conclusion that user characterised by CSR has correctly undertaken authentication; and C2 and H2 undertaking AKE interaction for user registration.
  • Still another aspect of the invention provides that C2 and H2 undertaking AKE interaction for user registration comprising steps of first action of H2 extraction of UID valuation from corresponding H2H record (802); second action of H2 request to TTP ID authority, IDA for validation of such UID valuation (804); third action of H2 on correct validation outcome and C2 to undertake AKE interaction; with H2 input of UID and correct C2 output of CSR comprising at least UID and corresponding PK (806); fourth action of H2 on correct AKE outcome, request to TTP certificate authority, CA for UID certificate corresponding to received CSR (808); and fifth action of H2 on correct certification outcome, and C2 to undertake interaction (810); with H2 input of issued certificate and correct C2 outcome of such certificate inserted into C2 storage for subsequent use in AKE mutual authentication interactions (812).
  • Yet another aspect of the invention provides that first action of C1 request in response to initiating action by particular user to server hosting user registration service (702) further comprising steps of C1 physical instance as tamper-resistent integration of at least reader device for ID credential and biometric device for user input so as to prevent submission without proof of user ownership of unauthorised UID information; and C1 instance as characterised by particular certificate as furthermore subject to check on certificate revocation status so as to prevent submission of UID information from unauthorised C1 instances.
  • Still another aspect of the invention provides that validation of UID information with TTP deemed sufficiently authoritative with C1 subject to security measures to protect against unauthorised registration (702) further comprises C1 instance characterised by PK certificate comprising at least client ID, CID and PK valuation as signed and issued by particular TTP server; and correspondingly H1 instance as associated with particular service likewise characterised by PK certificate comprising at least SID and PK valuation as issued by corresponding TTP server; furthermore comprising as enables C1 and H2 to undertake mutual authentication, correctness of which enables conclusion that present registration request originates from previously authorised C1 instance; and check on revocation status of C1 certificate, negative outcome of which enables conclusion that such C1 instance is presently still authorised.
  • Another aspect of the invention provides a system (100) authentication of first socket, S1 via transfer of authentication status of second socket, S2 enabling an initial user registration action and subsequent user authentication actions
  • the system comprising an authentication system having service client, C1 (102) as exemplified without limitation by Web-browser operating on kiosk computing platform; authentication client, C2 (104) as exemplified without limitation by an authentication application, subject to previous installation and registration actions by user on a generic mobile device; web-socket applications handler, H1 and H2 (106, 108) as respectively accessible to C1 request of authentication service on first WS1 , and to C2 response of authentication outcome on second WS2; handle-to-handler coordination mechanism, H2H (110) as exemplified without limitation by generic storage application or service; as enables H1 and H2 to undertake creation, modification and deletion of a particular record; and client-to-client, C2C communication as subject to location of C1 instance with use cases of interest being C1 and C2 on different computing devices, and C1
  • FIG. 1 .0 illustrates a general architecture of the system of the present invention.
  • FIG. 1 .0a illustrates socket association in an authentication interaction.
  • FIG. 1.0b illustrates socket association in a registration interaction.
  • FIG. 1 .0c illustrates H2 and C2 undertaking authenticated key establishment, AKE mutual authentication on WS2.
  • FIG. 1 0d H2 and C2 undertaking authenticated key establishment, AKE interactions for user registration enablement.
  • FIG. 2.0 is a flowchart illustrating a general methodology of the present invention.
  • FIG. 3.0 is a flowchart illustrating steps for undertaking an authentication challenge-response interaction between WS1 and WS2.
  • FIG. 4.0 is a flowchart illustrating steps for C2 and H2 execution of ECO computations for ID based on AKE interaction.
  • FIG. 5.0 is a flowchart illustrating steps for undertaking authentication request-response and cryptographic challenge-response interactions by H1 and H2.
  • FIG. 6.0 is a flowchart illustrating steps for cryptographic key derivation function, KDF for zero knowledge, ZK integration of inputs.
  • FIG. 7.0 is a flowchart illustrating steps for undertaking a registration interaction by WS1 and WS2.
  • FIG. 8.0 is a flowchart illustrating steps for C2 and H2 undertaking AKE interaction for user registration.
  • the present invention relates to a system and method to provide socket association for transfer of socket authentication status.
  • the present invention relates to a system and method to provide association for transfer of socket authentication status via a client-to-server session with corresponding handler in high-assurance authentication session with pronounce authentication client with user credential.
  • FIG. 1.0 illustrates a general architecture of the system of the present invention.
  • the system for authentication of first socket, S1 via transfer of authentication status of second socket, S2 enabling an initial user registration action and subsequent user authentication actions comprising an authentication system having service client, C1 (102) as exemplified without limitation by a generic web browser operating on kiosk computing platform; authentication client, C2 (104) as exemplified without limitation by an authentication application, subject to previous installation and registration actions by user on a generic mobile device; web socket application handler, H1 and H2 (106, 108) which host authentication server and respectively accessible to C1 request of authentication service on first web-socket WS1 , and to C2 response of authentication outcome on second web-socket WS2; handler-to-handler coordination mechanism, H2H (1 10) at server-side channel as exemplified without limitation by generic storage application, as to enable H1 and H2 to undertake creation, modification and deletion of a particular record; client-to-
  • the registration system having C1 as exemplified without limitation by Web-browser operating on kiosk computing platform comprising reader device for physical ID credential; biometric device for input of user biometric data; and physical and interaction security measures to protect against unauthorised registration;
  • C2 as exemplified equivalently to authentication case as undertakes initial CSR submission and consequent certificate receipt;
  • H1 and H2 as WS applications as respectively accessible to C1 request of registration service on first WS1 and to C2 response of registration outcome on second WS2 as both hosted on registration server at their respective application locations;
  • H2H as exemplified equivalently and as enables H1 and H2 to undertake creation, modification and deletion of a particular record as corresponds to particular registration request-response interaction;
  • C2C as subject to location of C1 instance with use case of interest being C1 and C2 on different computing devices; as exemplified without limitation by CSC as optical channel with C1 output of optical barcode containing challenge valuation via screen and C2 input of such barcode via camera;
  • C2 and H2 undertake an authenticated key establishment, AKE interaction, as previously issued public key, PK certificates associated with a particular user identification, UID and a server identification, SID credentials.
  • Web-socket authentication further requires client-to-client, C2C communications and handler-to-handler, H2H coordinating mechanisms with the latter of which enables embodiment of the web socket interaction as a record-keeping interaction between the respective H1 and H2 handlers.
  • FIG. 1 a illustrates socket association in an authentication interaction.
  • the web-sockets WS1 and WS2 undertake an authentication challengeresponse interaction, initiated by C1 to establish an authentication request, and thereafter H1 undertakes and authentication challenge as key derivation function, KDF output, for establishment of a particular WS1 and corresponding H2H record.
  • WS2 establishment requires user action to challenge transmission of client-to-client, C2C via authenticated key establishment, AKE interaction.
  • the authentication enablement requires 02 and H2 to correctly undertake proofs of possession, POP for their respective certificate of client and server identification valuations.
  • H2 consequently undertakes response as key derivation function, KDF integration of at least challenge and user identification, UID inputs.
  • FIG. 1 .Ob illustrates socket association in a registration interaction between WS1 and WS2. This interaction is similar to an authentication interaction in a broad structure, but with substantive differences whereby at present was issued with a certificate or an ID credential.
  • request of C1 for WS2 establishment occurs in the context of C1 undertaking DID capture, with user proof of possession, POP thereof as necessary for such registration process to be regarded as being high assurance.
  • H1 establishment of the H2H record at this juncture would therefore contain DID information.
  • the proposed arrangement requires a higher degree of operational security in comparison to the authentication case, particularly pertaining to C1 , hence the prescription of C1 certificates so as to enable transport layer security, TLS mutual authentication between C1 and H1.
  • This assumption of higher security on WS1 communications in conjunction with the localisation of the C2C challenge transfer, allows for early termination of WS1 , consequent to WS2 establishment and response correctness.
  • Authentication in the registration case is detached from user authentication from user authentication on WS2, which in any event cannot be presently undertaken. Enablement of such authentication requires 02 to undertake sequential authenticated key establishment, AKE interactions for certificate signing request, CSR computation and certificate receipt; as respective subject to H2 requesting DID validation with a designated identification authority, IDA, and then certificate issue with an equivalently designated certificate authority, CA, with both trusted third party, TTP deemed authoritative and trustworthy.
  • WS2 termination follows, with particular status consequent on correctness of authenticated key establishment, AKE and trusted third party, TTP interactions.
  • FIG. 1 Oc which illustrates H2 and C2 undertaking authenticated key establishment, AKE mutual authentication on WS2.
  • This authentication interaction enables strong protection of C2 which is assigned the opening challenge, and the closing response.
  • H2 must therefore compute response to C2 challenge, which subject to C2 correct assessment, prior to 02 having to compute its response to H2 challenge.
  • H2 correct assessment is then taken as proof of possession, POP for the particular user identification, UID valuation.
  • the response computation of WS2 is then was enabled, prior to WS1 challenge, and also append of the corresponding H2H record.
  • FIG. 1.0d illustrates H2 and 02 undertaking authenticated key establishment, AKE interactions for user registration enablement.
  • the specified arrangement requires H2 to submit a H2H query on the WS1 challenge valuation, and on outcome thereof, read of DID valuation from such H2H record.
  • This valuation of the DID is then subject to the identification authority, IDA validation.
  • first authenticated key establishment, AKE interaction is formed for C2 to submit the certificate signing request, CSR in accordance with the assessment of the UID.
  • the CSR as received in then subject to certificate authority, CA certification, and outcome thereof, second AKE interaction for C2 to receive such certificate corresponding to CSR as previously computed.
  • C2 is able; following this sequence of trusted third party, TTP and authenticated key establishment, AKE interactions, and successful outcomes thereof, to undertake authenticated key establishment, AKE interactions.
  • FIG. 2.0 is a flowchart illustrating a general methodology of the present invention.
  • the method comprising steps of performing prior establishment through S1 which requires authentication of the particular user undertaken external to itself, such requirement presented as a service and a cryptographic challenge to any and all S2 instance (202); performing a subsequent establishment through S2 which provides for authentication of the particular user, with successful outcome of such provision presented as service and cryptographic response to corresponding S1 instance (204); and associating the authentication of S2 to authenticate S1 (206); and enabling an initial user registration process and subsequent user authentication process.
  • the step for performing prior establishment through S1 which requires authentication of the particular user undertaken external to itself, such requirement presented as a service and a cryptographic challenge to any and all S2 instance (202) further comprises steps of undertaking client-server connection by S1 with service client, C1 instance as presumed either incapable of or not sufficiently trustworthy for execution of user authentication and corresponding server-side first handler, H1 instance (208); undertaking client-server connection by S2 with authentication client, C2 instance, as both capable of and trusted with execution of user authentication and corresponding server-side second handler, H2 instance (210); undertaking authentication request-response and cryptographic challenge-response interactions by H1 and H2 through a server-side handler-to-handler, H2H mechanism as enables handler read and write operations, as presumed secure and exclusive to handler instances (212); undertaking an authentication challenge-response interaction between first web-socket, WS1 and second web-socket, WS2 (214); and undertaking a registration interaction between WS1 and WS
  • FIG. 3.0 is a flowchart illustrating steps for undertaking an authentication challenge-response interaction between WS1 and WS2.
  • undertaking an authentication challenge-response interaction between WS1 and WS2 further comprising steps of (300) first action of C1 request in response to an initiating action by the particular user to a server hosting user authentication service (302) resulting in creation of H1 instance to handle presently established S1 instance; second action of H1 computation and association with a unique first socket identifier, ID1 (304) as presumed secure and exclusive to handler instances and cryptographic challenge token as request for the authentication service; third action of H1 transmission on S1 to C1 of challenge token and consequent write to H2H of new record comprising particular ID1 and challenge valuations (306); fourth action of C1 representation of challenge token in form amenable to user action and such action resulting in transmission of a particular challenge valuation to C2 instance (308), as previously associated with particular user, on client-to-client, 020 connection, as presume
  • the C2 and H2 undertaking mutual authentication (312) comprising steps of C2 and H2 execution of elliptic curve cryptographic, ECO authenticated key establishment AKE interaction; with C2 instance as associated with the particular user characterised by publickey, PK certificate comprising at least DID and PK valuation as signed and issued by particular trusted third party, TTP server; H2 instance as associated with particular service likewise characterised by PK certificate comprising at least server ID, SID and PK valuation as issued by corresponding TTP server; C2 capability for user-specific private-key, sk computation, as corresponds to public-key, PK in issued certificate; such that sk valuation exists only within temporal limitation of AKE interaction; sk computations are undertaken only within spatial limitation of C2 interior; AKE and other cryptographic outcomes are encrypted so as to be accessible only within spatial limitation of H2 interior as characterised by the server PK certificate, with PK therein subject to C2 initiation of client-to-server challenge, such that such outcomes regardless of correctness can only be obtained within H2 instances deemed
  • the C2 and H2 undertaking mutual authentication (312) further comprising of C2 and H2 execution of ECC computations for identity, ID based AKE interaction; with C2 instance, as associated with particular user uniquely characterised by DID valuation as user credential; and correspondingly H2 instance, as associated with particular service likewise characterised by SID valuation as server credential.
  • FIG. 4.0 is a flowchart illustrating steps for C2 and H2 execution of ECC computations for ID based on AKE interaction.
  • the steps comprises of first action of H2 transmission of request to C2 to initiate AKE interaction (402); second action of C2 computation and transmission of challenge to H2 (404); third action of H2 computation of response to C2 challenge and of reciprocal challenge to C2 (406) and then transmission of SID certificate, response and challenge to C2; fourth action of C2 verification of H2 response to previously issued challenge on such verification outcome computation of response to H2 challenge (408) and then transmission of DID certificate and response to H2; fifth action of H2 verification of C2 response to previously issued challenge (410); and sixth action of H2 on correct verification outcome, extraction of UID valuation from received certificate and addition of such valuation to corresponding H2H record (412).
  • FIG. 5.0 is a flowchart illustrating steps for H1 and H2 undertaking authentication request-response and cryptographic challenge-response interactions.
  • the steps comprises of undertaking initiation by H1 (502) comprising ID1 computation as unique output of zero knowledge, ZK cryptographic integration of inputs, at least inclusive of the time of S1 establishment; and challenge token computation as ZK integration of inputs, at least inclusive of ID1 and time of challenge initiation; undertaking reciprocation by H2 (504); comprising ID2 computation as unique output of ZK integration of inputs, at least inclusive of the time of S2 establishment; and response token computation as ZK integration of inputs, at least inclusive of ID2 and challenge token valuation; and undertaking assessment of present H2 response to prior H1 challenge by H1 through equivalent ZK integration of inputs (506) and subsequent comparison of such computation outcome to H2H retrieval of such H2 response.
  • the steps for undertaking cryptographic challenge-response interaction by H1 and H2 further comprising cryptographic key derivation function, KDF for ZK integration of inputs inclusive of without limitation such derivation as outcome of hash message authentication code, HMAC; and interaction-specific and pairwise-specific authentication key as KDF integration of inputs, at least inclusive of ID1 and ID2, and additionally master secret-key, msk such that msk valuation and computations are undertaken only within spatial limitation of H2H mechanism as exemplified by hardware security module, HSM as accessible only within H2H mechanism.
  • cryptographic key derivation function KDF for ZK integration of inputs inclusive of without limitation such derivation as outcome of hash message authentication code, HMAC
  • interaction-specific and pairwise-specific authentication key as KDF integration of inputs, at least inclusive of ID1 and ID2, and additionally master secret-key, msk such that msk valuation and computations are undertaken only within spatial limitation of H2H mechanism as exemplified by hardware security module, HSM as
  • FIG. 6.0 is a flowchart illustrating steps for cryptographic key derivation function, KDF for ZK integration of inputs.
  • KDF for ZK integration of inputs comprising steps of H2 computation for response token (602) comprising H2 call to HSM with ID1 and ID2 as inputs; HSM computation for interaction-specific authentication key as KDF integration of ID1 , ID2 and internalised msk; HSM return to H2 of authentication key as output (604) as enables H2 computation of response valuation as KDF integration of challenge valuation and authentication key; and H1 assessment of response token (606) comprising equivalent KDF integration of inputs and subsequent comparison of such computation outcome to H2H retrieval of H2 response.
  • FIG. 7.0 is a flowchart illustrating steps for undertaking a registration interaction by WS1 and WS2.
  • WS1 and WS2 undertaking a registration interaction subject to physical and interaction security measures (216) further comprising steps of first action of C1 request in response to initiating action by particular user to server hosting user registration service (702) resulting in creation of H1 instance to handle presently established S1 instance and consequent registration actions on C1 comprising submission of machine-readable physical ID credential within spatial limitation of C1 ; verification of user ownership of ID credential through authentication of biometric test data measured against reference originating from ID credential, likewise within spatial limitation of C1 ; extraction of DID information through read of ID credential; and validation of DID information with TTP deemed sufficiently authoritative with C1 subject to security measures to protect against unauthorised registration; second action of H1 computation of ID1 and challenge token (704) as equivalent to authentication case; third action of H1 transmission on S1 to C1 of challenge token and consequent write to H2H of new record comprising
  • the process for undertaking a registration interaction by WS1 and WS2 further comprises steps of submission of request to undertake authenticated transaction on third- party service with correct outcome therefor enabling H1 access to user-associated UID information inclusive of without limitation funds transfer from bank account of particular user to account of registration service provider with such third-party service provider deemed sufficiently trustworthy and authoritative; submission of additional DID information inclusive of without limitation national ID or passport information as generally excluded in such third- party transaction; verification of user ownership of third-party account via authentication service of third-party provider with correct outcome resulting in transaction to account of registration provider hosted on third-party server; extraction of DID information from particular transaction; validation of such DID information with external TTP deemed sufficiently authoritative; confirmation of additional DID information with such external TTP; and preparation of all UID information into form suitable for GSR computation.
  • C1 as exemplified without limitation by web-browser operating on kiosk computing platform comprising reader device for physical ID credential; biometric device for input of user biometric data; and physical and interaction security measures to protect against unauthorised registration
  • C2 as exemplified equivalently to authentication case as undertakes initial GSR submission and consequent certificate receipt
  • H1 and H2 as WS applications as respectively accessible to C1 request of registration service on first WS1 and to 02 response of registration outcome on second WS2 as both hosted on registration server at their respective application locations
  • H2H as exemplified equivalently and as enables H1 and H2 to undertake creation, modification and deletion of a particular record as corresponds to particular registration request-response interaction
  • C2C as subject to location of C1 instance with use case of interest being C1 and C2 on different computing devices; as exemplified without limitation by CSC as optical channel with C1 output of optical barcode containing challenge valuation via screen and C2 input of such
  • client C2 undertaking user registration with server handler H2 (720) further comprising C2 instance as associated with particular user characterised by presently computed certificate signing request, CSR comprising at least UID and PK valuation as presently signed by user-specific sk corresponding to particular PK; with UID establishment form particular process for user ID verification and validation as deemed sufficiently trustworthy and authoritative; such that H2 assessment of interaction correctness enables conclusion that user characterised by CSR has correctly undertaken authentication; and C2 and H2 undertaking AKE interaction for user registration.
  • FIG. 8.0 is a flowchart illustrating steps for C2 and H2 undertaking AKE interaction for user registration. As illustrated in FIG.
  • the first action of C1 request in response to initiating action by particular user to server hosting user registration service (702) further comprising steps of C1 physical instance as tamper-resistent integration of at least reader device for ID credential and biometric device for user input so as to prevent submission without proof of user ownership of unauthorised UID information; and C1 instance as characterised by particular certificate as furthermore subject to check on certificate revocation status so as to prevent submission of UID information from unauthorised C1 instances.
  • the process of validation of UID information with TTP deemed sufficiently authoritative with C1 subject to security measures to protect against unauthorised registration further comprises C1 instance characterised by PK certificate comprising at least client ID, CID and PK valuation as signed and issued by particular TTP server; and correspondingly H1 instance as associated with particular service likewise characterised by PK certificate comprising at least SID and PK valuation as issued by corresponding TTP server; furthermore comprising as enables C1 and H2 to undertake mutual authentication, correctness of which enables conclusion that present registration request originates from previously authorised C1 instance; and check on revocation status of C1 certificate, negative outcome of which enables conclusion that such C1 instance is presently still authorised.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a system (100) and method (200) to provide association for transfer of socket authentication status via a client-to-server session with corresponding handler in high-assurance authentication session with specialise authentication client with user credential. In particular, the present invention system for authentication of S1 via transfer of authentication status of S2 comprising of a service client, C1 (102) by a generic web browser operating on kiosk computing platform; authentication client, C2 (104) by an authentication application on a generic mobile device; web-socket application handler, H1 and H2 (106, 108) to host authentication server and respectively accessible to C1 request of authentication service on WS1, and to C2 response of authentication outcome on WS2; handler-to-handler coordination mechanism, H2H (110) at server-side channel by generic storage application, as to enable H1 and H2 to undertake creation, modification and deletion of a particular record which corresponds to a particular registration request-response interaction.

Description

SOCKET ASSOCIATION FOR TRANSFER OF SOCKET AUTHENTICATION STATUS
FIELD OF INVENTION
The present invention relates to a system and method to provide socket association for transfer of socket authentication status. In particular, the present invention relates to a system and method to provide association for transfer of socket authentication status via a client-to-server session with corresponding handler in high-assurance authentication session with specialise authentication client with user credential.
BACKGROUND OF INVENTION
Current challenges lie in providing a high assurance authentication session between a generic service client, C1 as exemplified without limitation by web-browser operating on kiosk to a web-socket application handler, H1 on the first socket, S1 . Further, authentication client, C2 as exemplified without limitation by an authentication application on a generic mobile device having a mutual public key authenticated key establishment but does not have a clear association with the service client C1. Apart from that, there are problems with respect to the means of communication with which to pass the authentication challenge from S1 to S2, to translate the authenticated key establishment outcome into an authentication response and then to pass authentication response from S2 back to S1. Resolving these problems is necessary to support the use cases, of user registration, REG(user) within the basic framework of user authentication, AUTH(user) and furthermore the translation of REG(user) identity credential interactions into basic framework of AKE(user).
United States Patent No. US 8256664 B1 (hereinafter referred to as the US 664 B1 Patent) entitled “Out-of band Authentication of Browser Sessions” having a filing date of 9 April 2010 (Applicant: Google LLC) relates to systems and methods for providing an authentication for secure access to websites without having to enter login information. In the US 664 B1 Patent, a first device may request an access to user information from a server system and thereafter the server system generates a session ID, associate it with the first device, and encode it into a bar code that is displayed at the first device. A second client device may identify and decode the bar code to determine the session ID and transmit to the server system. The server may identify the first client device based on the common session ID and transmit the requested user information to the first device. United States Patent No. US 9003506 B2 (hereinafter referred to as the US 506 B2 Patent) entitled “Mobile Out-of-band Authentication Service” having a filing date of 16 December 2010 (Applicant: SAP PE) relates to an authentication of an application session at a client machine by using authentication values and user-identification values that are received from a mobile communication device. Further, the US 506 B2 Patent discloses that the mobile communication device provides an out-of-band channel for validating the session and enables secure authentication for a variety of applications.
United States Patent No. US 9706404 B2 (hereinafter referred to as the US 404 B2 Patent) entitled “Out of Band Authentication with User Device” having a filing date of 5 April 2016 (Applicant: Visa International Service Association) relates to systems and methods for conducting an out-of-band authentication process that utilizes minimal user input. US 404 B2 provides that a server computer can receive an authentication request from a first user device associated with a user and subsequently the server computer send a first signal to a second user device associated with the user. Further, the US 404 B2 Patent discloses that the server computer can receive a second signal from the second user device, wherein the second signal is generated based on reading the first signal. Thereafter, the server computer can determine whether the first signal and the second signal match so that to authenticate the user.
United States Patent No. US 10432623 B2 (hereinafter referred to as the US 623 B2 Patent) entitled “Companion Out-of-band Authentication” having a filing date of 16 December 2016 (Applicant: Plantronics Inc.) relates to methods and apparatuses for authenticating a user by establishing a first wireless communication link between a headset and a first computing device and a second wireless communication link concurrent with the first wireless communication link between the headset and a second computing device. Further, the US 623 B2 discloses that a user authentication request is received at the first computing device from a secure system and is transmitted from the first computing device to the headset. Thereafter, an authentication response is transmitted to the secure system utilizing the second computing device and the second wireless communication link.
Due to the drawbacks and limitation of the conventional system and method, there is a need to provide a socket association for transfer of socket authentication status via a client-to- server session with corresponding handler in high-assurance authentication session with specialise authentication client with user credential. SUMMARY OF INVENTION
The present invention relates to a system and method to provide socket association for transfer of socket authentication status. In particular, the present invention relates to a system and method to provide association for transfer of socket authentication status via a client-to-server session with corresponding handler in high-assurance authentication session with specialise authentication client with user credential.
One aspect of the invention provides a method (200) for authentication of a first socket, S1 through an authentication status of a second socket, S2 as representative of particular user. The method comprising steps of performing prior establishment through S1 which requires authentication of the particular user undertaken external to itself, such requirement presented as a service and a cryptographic challenge to any and all S2 instance (202); performing a subsequent establishment through S2 which provides for authentication of the particular user, with successful outcome of such provision presented as service and cryptographic response to corresponding S1 instance (204); and associating the authentication of S2 to authenticate S1 (206); and enabling an initial user registration process and subsequent user authentication process. The step of performing prior establishment through S1 which requires authentication of the particular user undertaken external to itself such requirement presented as a service and a cryptographic challenge to any and all S2 instance (202) further comprises steps of undertaking client-server connection by S1 with service client, C1 instance as presumed either incapable of or not sufficiently trustworthy for execution of user authentication and corresponding server-side first handler, H1 instance (208); undertaking client-server connection by S2 with authentication client, C2 instance, as both capable of and trusted with execution of user authentication and corresponding server-side second handler, H2 instance (210); undertaking authentication request-response and cryptographic challenge-response interactions by H1 and H2 through a server-side handler-to-handler, H2H mechanism as enables handler read and write operations, as presumed secure and exclusive to handler instances (212); undertaking an authentication challenge-response interaction between first web-socket, WS1 and second web-socket, WS2 (214); and undertaking a registration interaction between WS1 and WS2 subject to physical and interaction security measures (216).
Another aspect of the invention provides that undertaking an authentication challengeresponse interaction between WS1 and WS2 (214). The method comprising steps of first action of C1 request in response to an initiating action by the particular user to a server hosting user authentication service (302) resulting in creation of H1 instance to handle presently established S1 instance; second action of H1 computation and association with a unique first socket identifier, ID1 (304) as presumed secure and exclusive to handler instances and cryptographic challenge token as request for the authentication service; third action of H1 transmission on S1 to C1 of challenge token and consequent write to H2H of new record comprising particular ID1 and challenge valuations (306); fourth action of C1 representation of challenge token in form amenable to user action and such action resulting in transmission of a particular challenge valuation to C2 instance (308), as previously associated with particular user, on client-to-client, C2C connection, as presumed localised to particular client instances and out-of-band, OOB with respect to S1 ; fifth action of C2 request to the server hosting user authentication service (310) resulting in creation of H2 instance to handle presently established S2 instance with such client-server connection likewise presumed insecure; sixth action of H2 computation and association with a unique second socket identifier, ID2 (312) as likewise presumed secure and exclusive to handler instances, and undertaking mutual authentication based on consequent interaction of C2 and H2, with C2 undertaking action with a user-associated credential and H2 undertaking corresponding action with a server-associated credential; seventh action, on correct outcome of mutual authentication interaction, of H2 computation of cryptographic response token (314), as enables consequent association with particular H1 instance and corresponding challenge valuation; eight action of H2 undertaking query of H2H based on challenge valuation, to access H2H record as previously written by particular H1 instance (316) consequently append to a particular record comprising a particular ID2, response valuation and unique user identifier, UID as extracted from credential correctly authenticated and subsequent notification to C2 for S2 termination; ninth action of H2H transmission to particular H1 instance (318) of notification to undertake assessment of corresponding H2 action; and tenth action of H1 undertaking H2H read of corresponding record, assessment of H2 response to H1 challenge, deletion of such record, a notification to C1 for S1 termination (320), and on correct outcome thereof consequent use of UID in post-authentication service provision.
A further aspect of the invention provides that undertaking mutual authentication based on consequent interaction of C2 and H2, with C2 undertaking action with a user-associted credential and H2 undertaking corresponding action with a server-associated credential (312) comprising steps of C2 and H2 execution of elliptic curve cryptographic, ECC authenticated key establishment AKE interaction; with C2 instance as associated with the particular user characterised by public-key, PK certificate comprising at least UID and PK valuation as signed and issued by particular trusted third party, TTP server; H2 instance as associated with particular service likewise characterised by PK certificate comprising at least server ID, SID and PK valuation as issued by corresponding TTP server; C2 capability for user-specific private-key, sk computation, as corresponds to public-key, PK in issued certificate; such that sk valuation exists only within temporal limitation of AKE interaction; sk computations are undertaken only within spatial limitation of C2 interior; AKE and other cryptographic outcomes are encrypted so as to be accessible only within spatial limitation of H2 interior as characterised by the server PK certificate, with PK therein subject to C2 initiation of client-to-server challenge, such that such outcomes regardless of correctness can only be obtained within H2 instances deemed sufficiently trustworthy to be issued an associated PK certificate; sk computations in C2 are only undertaken upon correct assessment of the H2 server-response to the C2 client-challenge with the outcome of such computation instances being C2 client-response to H2 reciprocation of server-to-client challenge; and H2 assessment of C2 response, correctness of which enables conclusion that user characterised by PK certificate has correctly undertaken authentication.
Still another aspect of the invention provides that undertaking mutual authentication based on consequent interaction of C2 and H2 (312) further comprising of C2 and H2 execution of ECC computations for identity, ID based AKE interaction; with C2 instance, as associated with particular user uniquely characterised by DID valuation as user credential; and correspondingly H2 instance, as associated with particular service likewise characterised by SID valuation as server credential.
Yet another aspect of the invention provides that C2 and H2 execution of ECC computations for ID based on AKE interaction comprising steps of first action of H2 transmission of request to C2 to initiate AKE interaction (402); second action of C2 computation and transmission of challenge to H2 (404); third action of H2 computation of response to C2 challenge and of reciprocal challenge to C2 (406) and then transmission of SID certificate, response and challenge to C2; fourth action of C2 verification of H2 response to previously issued challenge on such verification outcome computation of response to H2 challenge (408) and then transmission of UID certificate and response to H2; fifth action of H2 verification of C2 response to previously issued challenge (410); and sixth action of H2 on correct verification outcome, extraction of UID valuation from received certificate and addition of such valuation to corresponding H2H record (412). Another aspect of the invention provides that undertaking authentication request-response and cryptographic challenge-response interactions by H1 and H2 (212) comprising steps of undertaking initiation by H1 (502) comprising ID1 computation as unique output of zero knowledge, ZK cryptographic integration of inputs, at least inclusive of the time of S1 establishment; and challenge token computation as ZK integration of inputs, at least inclusive of ID1 and time of challenge initiation; undertaking reciprocation by H2 (504); comprising ID2 computation as unique output of ZK integration of inputs, at least inclusive of the time of S2 establishment; and response token computation as ZK integration of inputs, at least inclusive of ID2 and challenge token valuation; and undertaking assessment of present H2 response to prior H1 challenge by H1 through equivalent ZK integration of inputs (506) and subsequent comparison of such computation outcome to H2H retrieval of such H2 response.
A further aspect of the invention provides that undertaking cryptographic challenge-response interaction by H1 and H2 (212) further comprising cryptographic key derivation function, KDF for ZK integration of inputs inclusive of without limitation such derivation as outcome of hash message authentication code, HMAC; and interaction-specific and pairwise-specific authentication key as KDF integration of inputs, at least inclusive of ID1 and ID2, and additionally master secret-key, msk such that msk valuation and computations are undertaken only within spatial limitation of H2H mechanism as exemplified by hardware security module, HSM as accessible only within H2H mechanism.
Yet another aspect of the invention provides that cryptographic key derivation function KDF for ZK integration of inputs further comprising steps of H2 computation for response token (602) comprising H2 call to HSM with ID1 and ID2 as inputs; HSM computation for interaction-specific authentication key as KDF integration of ID1 , ID2 and internalised msk; HSM return to H2 of authentication key as output (604) as enables H2 computation of response valuation as KDF integration of challenge valuation and authentication key; and H1 assessment of response token (606) comprising equivalent KDF integration of inputs and subsequent comparison of such computation outcome to H2H retrieval of H2 response.
Yet another aspect of the invention provides that undertaking a registration interaction by WS1 and WS2 (216) subject to physical and interaction security measures comprising steps of first action of C1 request in response to initiating action by particular user to server hosting user registration service (702) resulting in creation of H1 instance to handle presently established S1 instance and consequent registration actions on C1 comprising submission of machine-readable physical ID credential within spatial limitation of C1 ; verification of user ownership of ID credential through authentication of biometric test data measured against reference originating from ID credential, likewise within spatial limitation of C1 ; extraction of UID information through read of ID credential; and validation of UID information with TTP deemed sufficiently authoritative with C1 subject to security measures to protect against unauthorised registration; second action of H1 computation of ID1 and challenge token (704) as equivalent to authentication case; third action of H1 transmission on S1 to C1 of challenge token and consequent write to H2H of new record comprising particular ID1 , challenge and UID valuations (706); fourth action of C1 representation of challenge token and subsequent transmission to C2 instance (708) as equivalent; fifth action of C2 request to server hosting user registration service (710) resulting in creation of H2 instance to handle presently established S2 instance as equivalent; sixth action of H2 computation of ID2 and response token (712); seventh action of H2 undertaking query of H2H based on challenge valuation to access H2H record (714) as previously written by particular H1 instance; consequent read from particular record of UID information and then append to such record comprising particular ID2 and response valuation; eighth action of H2H transmission to particular H1 instance of notification to undertake assessment of corresponding H2 action (716); ninth action of H1 undertaking H2H read of corresponding record, assessment of H2 response to H1 challenge, deletion of such record and notification to C1 for S1 termination (718); and tenth action of C2 undertaking user registration interaction with server handler H2 (720) comprising transmission to C2 of UID information; interaction of C2 and H2 in first mutual authentication with C2 undertaking action with CSR comprising at least previously received UID information and presently computed PK; transmission on correct outcome of such interaction to TTP certificate issuer of CSR; receipt on correct outcome of TTP validation action of PK certificate comprising at least UID and PK corresponding to CSR; interaction of C2 and H2 in second mutual authentication with C2 undertaking action with certificate as previously issued with correct outcome resulting in write to C2 of certificate; and notification to C2 for S2 termination.
Another aspect of the invention provides that undertaking a registration interaction by WS1 and WS2 (216) further comprises steps of submission of request to undertake authenticated transaction on third-party service with correct outcome therefor enabling H1 access to user- associated UID information inclusive of without limitation funds transfer from bank account of particular user to account of registration service provider with such third-party service provider deemed sufficiently trustworthy and authoritative; submission of additional UID information inclusive of without limitation national ID or passport information as generally excluded in such third-party transaction; verification of user ownership of third-party account via authentication service of third-party provider with correct outcome resulting in transaction to account of registration provider hosted on third-party server; extraction of UID information from particular transaction; validation of such UID information with external TTP deemed sufficiently authoritative; confirmation of additional UID information with such external TTP; and preparation of all UID information into form suitable for CSR computation.
Still another aspect of the invention provides that enabling an initial user registration process and subsequent user authentication processes (207) comprises steps of C1 as exemplified without limitation by web-browser operating on kiosk computing platform comprising reader device for physical ID credential; biometric device for input of user biometric data; and physical and interaction security measures to protect against unauthorised registration; C2 as exemplified equivalently to authentication case as undertakes initial CSR submission and consequent certificate receipt; H1 and H2 as WS applications as respectively accessible to C1 request of registration service on first WS1 and to C2 response of registration outcome on second WS2 as both hosted on registration server at their respective application locations; H2H as exemplified equivalently and as enables H1 and H2 to undertake creation, modification and deletion of a particular record as corresponds to particular registration request-response interaction; and C2C as subject to location of C1 instance with use case of interest being C1 and C2 on different computing devices; as exemplified without limitation by: CSC as optical channel with C1 output of optical barcode containing challenge valuation via screen and C2 input of such barcode via camera; and C2C as localised radio frequency, RF channel with C1 transmission of challenge valuation and C2 receipt of such transmission.
Yet another aspect of the invention provides that performing action of client C2 undertaking user registration with server handler H2 (720) further comprising C2 instance as associated with particular user characterised by presently computed certificate signing request, CSR comprising at least UID and PK valuation as presently signed by user-specific sk corresponding to particular PK; with UID establishment form particular process for user ID verification and validation as deemed sufficiently trustworthy and authoritative; such that H2 assessment of interaction correctness enables conclusion that user characterised by CSR has correctly undertaken authentication; and C2 and H2 undertaking AKE interaction for user registration. Still another aspect of the invention provides that C2 and H2 undertaking AKE interaction for user registration comprising steps of first action of H2 extraction of UID valuation from corresponding H2H record (802); second action of H2 request to TTP ID authority, IDA for validation of such UID valuation (804); third action of H2 on correct validation outcome and C2 to undertake AKE interaction; with H2 input of UID and correct C2 output of CSR comprising at least UID and corresponding PK (806); fourth action of H2 on correct AKE outcome, request to TTP certificate authority, CA for UID certificate corresponding to received CSR (808); and fifth action of H2 on correct certification outcome, and C2 to undertake interaction (810); with H2 input of issued certificate and correct C2 outcome of such certificate inserted into C2 storage for subsequent use in AKE mutual authentication interactions (812).
Yet another aspect of the invention provides that first action of C1 request in response to initiating action by particular user to server hosting user registration service (702) further comprising steps of C1 physical instance as tamper-resistent integration of at least reader device for ID credential and biometric device for user input so as to prevent submission without proof of user ownership of unauthorised UID information; and C1 instance as characterised by particular certificate as furthermore subject to check on certificate revocation status so as to prevent submission of UID information from unauthorised C1 instances.
Still another aspect of the invention provides that validation of UID information with TTP deemed sufficiently authoritative with C1 subject to security measures to protect against unauthorised registration (702) further comprises C1 instance characterised by PK certificate comprising at least client ID, CID and PK valuation as signed and issued by particular TTP server; and correspondingly H1 instance as associated with particular service likewise characterised by PK certificate comprising at least SID and PK valuation as issued by corresponding TTP server; furthermore comprising as enables C1 and H2 to undertake mutual authentication, correctness of which enables conclusion that present registration request originates from previously authorised C1 instance; and check on revocation status of C1 certificate, negative outcome of which enables conclusion that such C1 instance is presently still authorised.
Another aspect of the invention provides a system (100) authentication of first socket, S1 via transfer of authentication status of second socket, S2 enabling an initial user registration action and subsequent user authentication actions The system comprising an authentication system having service client, C1 (102) as exemplified without limitation by Web-browser operating on kiosk computing platform; authentication client, C2 (104) as exemplified without limitation by an authentication application, subject to previous installation and registration actions by user on a generic mobile device; web-socket applications handler, H1 and H2 (106, 108) as respectively accessible to C1 request of authentication service on first WS1 , and to C2 response of authentication outcome on second WS2; handle-to-handler coordination mechanism, H2H (110) as exemplified without limitation by generic storage application or service; as enables H1 and H2 to undertake creation, modification and deletion of a particular record; and client-to-client, C2C communication as subject to location of C1 instance with use cases of interest being C1 and C2 on different computing devices, and C1 and C2 on the same mobile device; as respectively exemplified without limitation by CSC as optical channel with C1 output of optical barcode containing challenge valuation via screen, and C2 input of such barcode via camera; and C2C as mobile device system call with C1 output of such call to C2 containing challenge valuation, and C2 input via receipt of such call from C1 ; and a registration system having C1 as exemplified without limitation by Web-browser operating on kiosk computing platform comprising reader device for physical ID credential; biometric device for input of user biometric data; and physical and interaction security measures to protect against unauthorised registration; C2 as exemplified equivalently to authentication case as undertakes initial CSR submission and consequent certificate receipt; H1 and H2 as WS applications as respectively accessible to C1 request of registration service on first WS1 and to C2 response of registration outcome on second WS2 as both hosted on registration server at their respective application locations; H2H as exemplified equivalently and as enables H1 and H2 to undertake creation, modification and deletion of a particular record as corresponds to particular registration request-response interaction; and C2C as subject to location of C1 instance with use case of interest being C1 and C2 on different computing devices; as exemplified without limitation by: CSC as optical channel with C1 output of optical barcode containing challenge valuation via screen and C2 input of such barcode via camera; and C2C as localised radio frequency, RF channel with C1 transmission of challenge valuation and C2 receipt of such transmission.
The present invention consists of features and a combination of parts hereinafter fully described and illustrated in the accompanying drawings, it being understood that various changes in the details may be made without departing from the scope of the invention or sacrificing an of the advantages of the present invention. BRIEF DESCRIPTION OF ACCOMPANYING DRAWINGS
To further clarify various aspects of some embodiments of the present invention, a more particular description of the invention will be rendered by references to specific embodiments thereof, which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail through the accompanying drawings.
FIG. 1 .0 illustrates a general architecture of the system of the present invention.
FIG. 1 .0a illustrates socket association in an authentication interaction.
FIG. 1.0b illustrates socket association in a registration interaction.
FIG. 1 .0c illustrates H2 and C2 undertaking authenticated key establishment, AKE mutual authentication on WS2.
FIG. 1 .0d H2 and C2 undertaking authenticated key establishment, AKE interactions for user registration enablement.
FIG. 2.0 is a flowchart illustrating a general methodology of the present invention.
FIG. 3.0 is a flowchart illustrating steps for undertaking an authentication challenge-response interaction between WS1 and WS2.
FIG. 4.0 is a flowchart illustrating steps for C2 and H2 execution of ECO computations for ID based on AKE interaction.
FIG. 5.0 is a flowchart illustrating steps for undertaking authentication request-response and cryptographic challenge-response interactions by H1 and H2.
FIG. 6.0 is a flowchart illustrating steps for cryptographic key derivation function, KDF for zero knowledge, ZK integration of inputs.
FIG. 7.0 is a flowchart illustrating steps for undertaking a registration interaction by WS1 and WS2. FIG. 8.0 is a flowchart illustrating steps for C2 and H2 undertaking AKE interaction for user registration.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention relates to a system and method to provide socket association for transfer of socket authentication status. In particular, the present invention relates to a system and method to provide association for transfer of socket authentication status via a client-to-server session with corresponding handler in high-assurance authentication session with specialise authentication client with user credential. Thereinafter, it is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned without departing from the scope of the appended claims.
Reference is first made to FIG. 1.0 which illustrates a general architecture of the system of the present invention. As illustrated in Figure 1 , the system for authentication of first socket, S1 via transfer of authentication status of second socket, S2 enabling an initial user registration action and subsequent user authentication actions comprising an authentication system having service client, C1 (102) as exemplified without limitation by a generic web browser operating on kiosk computing platform; authentication client, C2 (104) as exemplified without limitation by an authentication application, subject to previous installation and registration actions by user on a generic mobile device; web socket application handler, H1 and H2 (106, 108) which host authentication server and respectively accessible to C1 request of authentication service on first web-socket WS1 , and to C2 response of authentication outcome on second web-socket WS2; handler-to-handler coordination mechanism, H2H (1 10) at server-side channel as exemplified without limitation by generic storage application, as to enable H1 and H2 to undertake creation, modification and deletion of a particular record; client-to-client, C2C communication as subject to location of C1 instance with use cases of interest being C1 and C2 on different computing devices, and C1 and C2 on the same mobile device; as respectively exemplified without limitation by CSC as optical channel with C1 output of optical barcode containing challenge valuation via screen, and C2 input of such barcode via camera; and C2C as mobile device system call with C1 output of such call to C2 containing challenge valuation, and C2 input via receipt of such call from C1 ; and a registration system. The registration system having C1 as exemplified without limitation by Web-browser operating on kiosk computing platform comprising reader device for physical ID credential; biometric device for input of user biometric data; and physical and interaction security measures to protect against unauthorised registration; C2 as exemplified equivalently to authentication case as undertakes initial CSR submission and consequent certificate receipt; H1 and H2 as WS applications as respectively accessible to C1 request of registration service on first WS1 and to C2 response of registration outcome on second WS2 as both hosted on registration server at their respective application locations; H2H as exemplified equivalently and as enables H1 and H2 to undertake creation, modification and deletion of a particular record as corresponds to particular registration request-response interaction; and C2C as subject to location of C1 instance with use case of interest being C1 and C2 on different computing devices; as exemplified without limitation by CSC as optical channel with C1 output of optical barcode containing challenge valuation via screen and C2 input of such barcode via camera; and C2C as localised radio frequency, RF channel with C1 transmission of challenge valuation and C2 receipt of such transmission.
The web-socket WS1 as an authentication requestor, and the web-socket WS2 as an authentication provider, undertaking challenge-response interaction, as the system initiates and depends on authentication client, C2 and server-side handler H2. C2 and H2 undertake an authenticated key establishment, AKE interaction, as previously issued public key, PK certificates associated with a particular user identification, UID and a server identification, SID credentials. Web-socket authentication further requires client-to-client, C2C communications and handler-to-handler, H2H coordinating mechanisms with the latter of which enables embodiment of the web socket interaction as a record-keeping interaction between the respective H1 and H2 handlers.
Reference is now made to FIG. 1 a which illustrates socket association in an authentication interaction. The web-sockets WS1 and WS2 undertake an authentication challengeresponse interaction, initiated by C1 to establish an authentication request, and thereafter H1 undertakes and authentication challenge as key derivation function, KDF output, for establishment of a particular WS1 and corresponding H2H record. WS2 establishment requires user action to challenge transmission of client-to-client, C2C via authenticated key establishment, AKE interaction. The authentication enablement requires 02 and H2 to correctly undertake proofs of possession, POP for their respective certificate of client and server identification valuations. H2 consequently undertakes response as key derivation function, KDF integration of at least challenge and user identification, UID inputs. Thereafter, H2 query on challenge and append of response into particular handler-to-handler, H2H record, as subject to previous H1 establishment and present notification. WS2 is then terminated with a particular authenticated key establishment, AKE status. H1 subsequently undertakes assessment of response, and finally WS1 undergo termination with a particular authentication status. Reference is now made to FIG. 1 .Ob which illustrates socket association in a registration interaction between WS1 and WS2. This interaction is similar to an authentication interaction in a broad structure, but with substantive differences whereby at present was issued with a certificate or an ID credential. To this end, request of C1 for WS2 establishment occurs in the context of C1 undertaking DID capture, with user proof of possession, POP thereof as necessary for such registration process to be regarded as being high assurance. H1 establishment of the H2H record at this juncture would therefore contain DID information. The proposed arrangement requires a higher degree of operational security in comparison to the authentication case, particularly pertaining to C1 , hence the prescription of C1 certificates so as to enable transport layer security, TLS mutual authentication between C1 and H1. This assumption of higher security on WS1 communications, in conjunction with the localisation of the C2C challenge transfer, allows for early termination of WS1 , consequent to WS2 establishment and response correctness.
Authentication in the registration case is detached from user authentication from user authentication on WS2, which in any event cannot be presently undertaken. Enablement of such authentication requires 02 to undertake sequential authenticated key establishment, AKE interactions for certificate signing request, CSR computation and certificate receipt; as respective subject to H2 requesting DID validation with a designated identification authority, IDA, and then certificate issue with an equivalently designated certificate authority, CA, with both trusted third party, TTP deemed authoritative and trustworthy. WS2 termination follows, with particular status consequent on correctness of authenticated key establishment, AKE and trusted third party, TTP interactions.
Reference is now made to FIG. 1 .Oc which illustrates H2 and C2 undertaking authenticated key establishment, AKE mutual authentication on WS2. This authentication interaction enables strong protection of C2 which is assigned the opening challenge, and the closing response. H2 must therefore compute response to C2 challenge, which subject to C2 correct assessment, prior to 02 having to compute its response to H2 challenge. H2 correct assessment is then taken as proof of possession, POP for the particular user identification, UID valuation. The response computation of WS2 is then was enabled, prior to WS1 challenge, and also append of the corresponding H2H record.
Reference is now made to FIG. 1.0d which illustrates H2 and 02 undertaking authenticated key establishment, AKE interactions for user registration enablement. The specified arrangement requires H2 to submit a H2H query on the WS1 challenge valuation, and on outcome thereof, read of DID valuation from such H2H record. This valuation of the DID is then subject to the identification authority, IDA validation. As an outcome thereof, first authenticated key establishment, AKE interaction is formed for C2 to submit the certificate signing request, CSR in accordance with the assessment of the UID. The CSR as received in then subject to certificate authority, CA certification, and outcome thereof, second AKE interaction for C2 to receive such certificate corresponding to CSR as previously computed. C2 is able; following this sequence of trusted third party, TTP and authenticated key establishment, AKE interactions, and successful outcomes thereof, to undertake authenticated key establishment, AKE interactions.
Reference is now made to FIG. 2.0 which is a flowchart illustrating a general methodology of the present invention. As illustrated in FIG. 2.0, the method (200) for authentication of first socket, S1 through an authentication status of a second socket, S2 as representative of particular user. The method comprising steps of performing prior establishment through S1 which requires authentication of the particular user undertaken external to itself, such requirement presented as a service and a cryptographic challenge to any and all S2 instance (202); performing a subsequent establishment through S2 which provides for authentication of the particular user, with successful outcome of such provision presented as service and cryptographic response to corresponding S1 instance (204); and associating the authentication of S2 to authenticate S1 (206); and enabling an initial user registration process and subsequent user authentication process. The step for performing prior establishment through S1 which requires authentication of the particular user undertaken external to itself, such requirement presented as a service and a cryptographic challenge to any and all S2 instance (202) further comprises steps of undertaking client-server connection by S1 with service client, C1 instance as presumed either incapable of or not sufficiently trustworthy for execution of user authentication and corresponding server-side first handler, H1 instance (208); undertaking client-server connection by S2 with authentication client, C2 instance, as both capable of and trusted with execution of user authentication and corresponding server-side second handler, H2 instance (210); undertaking authentication request-response and cryptographic challenge-response interactions by H1 and H2 through a server-side handler-to-handler, H2H mechanism as enables handler read and write operations, as presumed secure and exclusive to handler instances (212); undertaking an authentication challenge-response interaction between first web-socket, WS1 and second web-socket, WS2 (214); and undertaking a registration interaction between WS1 and WS2 subject to physical and interaction measures (216). Reference is made to FIG. 3.0 which is a flowchart illustrating steps for undertaking an authentication challenge-response interaction between WS1 and WS2. As illustrated in FIG. 3.0, undertaking an authentication challenge-response interaction between WS1 and WS2 further comprising steps of (300) first action of C1 request in response to an initiating action by the particular user to a server hosting user authentication service (302) resulting in creation of H1 instance to handle presently established S1 instance; second action of H1 computation and association with a unique first socket identifier, ID1 (304) as presumed secure and exclusive to handler instances and cryptographic challenge token as request for the authentication service; third action of H1 transmission on S1 to C1 of challenge token and consequent write to H2H of new record comprising particular ID1 and challenge valuations (306); fourth action of C1 representation of challenge token in form amenable to user action and such action resulting in transmission of a particular challenge valuation to C2 instance (308), as previously associated with particular user, on client-to-client, 020 connection, as presumed localised to particular client instances and out-of-band, OOB with respect to S1 ; fifth action of 02 request to the server hosting user authentication service (310) resulting in creation of H2 instance to handle presently established S2 instance with such client-server connection likewise presumed insecure; sixth action of H2 computation and association with a unique second socket identifier, ID2 (312) as likewise presumed secure and exclusive to handler instances, and undertaking mutual authentication based on consequent interaction of C2 and H2, with C2 undertaking action with a user-associated credential and H2 undertaking corresponding action with a server-associated credential; seventh action, on correct outcome of mutual authentication interaction, of H2 computation of cryptographic response token (314), as enables consequent association with particular H1 instance and corresponding challenge valuation; eight action of H2 undertaking query of H2H based on challenge valuation, to access H2H record as previously written by particular H1 instance (316) consequently append to a particular record comprising a particular ID2, response valuation and unique user identifier, UID as extracted from credential correctly authenticated and subsequent notification to C2 for S2 termination; ninth action of H2H transmission to particular H1 instance (318) of notification to undertake assessment of corresponding H2 action; and tenth action of H1 undertaking H2H read of corresponding record, assessment of H2 response to H1 challenge, deletion of such record, a notification to C1 for S1 termination (320), and on correct outcome thereof consequent use of UID in postauthentication service provision.
The C2 and H2 undertaking mutual authentication (312) comprising steps of C2 and H2 execution of elliptic curve cryptographic, ECO authenticated key establishment AKE interaction; with C2 instance as associated with the particular user characterised by publickey, PK certificate comprising at least DID and PK valuation as signed and issued by particular trusted third party, TTP server; H2 instance as associated with particular service likewise characterised by PK certificate comprising at least server ID, SID and PK valuation as issued by corresponding TTP server; C2 capability for user-specific private-key, sk computation, as corresponds to public-key, PK in issued certificate; such that sk valuation exists only within temporal limitation of AKE interaction; sk computations are undertaken only within spatial limitation of C2 interior; AKE and other cryptographic outcomes are encrypted so as to be accessible only within spatial limitation of H2 interior as characterised by the server PK certificate, with PK therein subject to C2 initiation of client-to-server challenge, such that such outcomes regardless of correctness can only be obtained within H2 instances deemed sufficiently trustworthy to be issued an associated PK certificate; sk computations in C2 are only undertaken upon correct assessment of the H2 server-response to the C2 client-challenge with the outcome of such computation instances being C2 clientresponse to H2 reciprocation of server-to-client challenge; and H2 assessment of C2 response, correctness of which enables conclusion that user characterised by PK certificate has correctly undertaken authentication.
The C2 and H2 undertaking mutual authentication (312) further comprising of C2 and H2 execution of ECC computations for identity, ID based AKE interaction; with C2 instance, as associated with particular user uniquely characterised by DID valuation as user credential; and correspondingly H2 instance, as associated with particular service likewise characterised by SID valuation as server credential.
Reference is now made to FIG. 4.0 which is a flowchart illustrating steps for C2 and H2 execution of ECC computations for ID based on AKE interaction. As illustrated in FIG. 4.0, the steps comprises of first action of H2 transmission of request to C2 to initiate AKE interaction (402); second action of C2 computation and transmission of challenge to H2 (404); third action of H2 computation of response to C2 challenge and of reciprocal challenge to C2 (406) and then transmission of SID certificate, response and challenge to C2; fourth action of C2 verification of H2 response to previously issued challenge on such verification outcome computation of response to H2 challenge (408) and then transmission of DID certificate and response to H2; fifth action of H2 verification of C2 response to previously issued challenge (410); and sixth action of H2 on correct verification outcome, extraction of UID valuation from received certificate and addition of such valuation to corresponding H2H record (412). Reference is made to FIG. 5.0 which is a flowchart illustrating steps for H1 and H2 undertaking authentication request-response and cryptographic challenge-response interactions. As illustrated in FIG. 5.0, the steps comprises of undertaking initiation by H1 (502) comprising ID1 computation as unique output of zero knowledge, ZK cryptographic integration of inputs, at least inclusive of the time of S1 establishment; and challenge token computation as ZK integration of inputs, at least inclusive of ID1 and time of challenge initiation; undertaking reciprocation by H2 (504); comprising ID2 computation as unique output of ZK integration of inputs, at least inclusive of the time of S2 establishment; and response token computation as ZK integration of inputs, at least inclusive of ID2 and challenge token valuation; and undertaking assessment of present H2 response to prior H1 challenge by H1 through equivalent ZK integration of inputs (506) and subsequent comparison of such computation outcome to H2H retrieval of such H2 response.
The steps for undertaking cryptographic challenge-response interaction by H1 and H2 (212) further comprising cryptographic key derivation function, KDF for ZK integration of inputs inclusive of without limitation such derivation as outcome of hash message authentication code, HMAC; and interaction-specific and pairwise-specific authentication key as KDF integration of inputs, at least inclusive of ID1 and ID2, and additionally master secret-key, msk such that msk valuation and computations are undertaken only within spatial limitation of H2H mechanism as exemplified by hardware security module, HSM as accessible only within H2H mechanism.
Reference is now made to FIG. 6.0 which is a flowchart illustrating steps for cryptographic key derivation function, KDF for ZK integration of inputs. As illustrated in FIG. 6.0 cryptographic key derivation function, KDF for ZK integration of inputs comprising steps of H2 computation for response token (602) comprising H2 call to HSM with ID1 and ID2 as inputs; HSM computation for interaction-specific authentication key as KDF integration of ID1 , ID2 and internalised msk; HSM return to H2 of authentication key as output (604) as enables H2 computation of response valuation as KDF integration of challenge valuation and authentication key; and H1 assessment of response token (606) comprising equivalent KDF integration of inputs and subsequent comparison of such computation outcome to H2H retrieval of H2 response.
Reference is made to FIG. 7.0 which is a flowchart illustrating steps for undertaking a registration interaction by WS1 and WS2. As illustrated in FIG. 7.0, WS1 and WS2 undertaking a registration interaction subject to physical and interaction security measures (216) further comprising steps of first action of C1 request in response to initiating action by particular user to server hosting user registration service (702) resulting in creation of H1 instance to handle presently established S1 instance and consequent registration actions on C1 comprising submission of machine-readable physical ID credential within spatial limitation of C1 ; verification of user ownership of ID credential through authentication of biometric test data measured against reference originating from ID credential, likewise within spatial limitation of C1 ; extraction of DID information through read of ID credential; and validation of DID information with TTP deemed sufficiently authoritative with C1 subject to security measures to protect against unauthorised registration; second action of H1 computation of ID1 and challenge token (704) as equivalent to authentication case; third action of H1 transmission on S1 to C1 of challenge token and consequent write to H2H of new record comprising particular ID1 , challenge and UID valuations (706); fourth action of C1 representation of challenge token and subsequent transmission to C2 instance (708) as equivalent; fifth action of C2 request to server hosting user registration service (710) resulting in creation of H2 instance to handle presently established S2 instance as equivalent; sixth action of H2 computation of ID2 and response token (712); seventh action of H2 undertaking query of H2H based on challenge valuation to access H2H record (714) as previously written by particular H1 instance; consequent read from particular record of UID information and then append to such record comprising particular ID2 and response valuation; eighth action of H2H transmission to particular H1 instance of notification to undertake assessment of corresponding H2 action (716); ninth action of H1 undertaking H2H read of corresponding record, assessment of H2 response to H1 challenge, deletion of such record and notification to C1 for S1 termination (718); and tenth action of C2 undertaking user registration interaction with server handler H2 (720) comprising transmission to C2 of UID information; interaction of C2 and H2 in first mutual authentication with C2 undertaking action with CSR comprising at least previously received UID information and presently computed PK; transmission on correct outcome of such interaction to TTP certificate issuer of CSR; receipt on correct outcome of TTP validation action of PK certificate comprising at least UID and PK corresponding to CSR; interaction of C2 and H2 in second mutual authentication with C2 undertaking action with certificate as previously issued with correct outcome resulting in write to C2 of certificate; and notification to C2 for S2 termination.
The process for undertaking a registration interaction by WS1 and WS2 (216) further comprises steps of submission of request to undertake authenticated transaction on third- party service with correct outcome therefor enabling H1 access to user-associated UID information inclusive of without limitation funds transfer from bank account of particular user to account of registration service provider with such third-party service provider deemed sufficiently trustworthy and authoritative; submission of additional DID information inclusive of without limitation national ID or passport information as generally excluded in such third- party transaction; verification of user ownership of third-party account via authentication service of third-party provider with correct outcome resulting in transaction to account of registration provider hosted on third-party server; extraction of DID information from particular transaction; validation of such DID information with external TTP deemed sufficiently authoritative; confirmation of additional DID information with such external TTP; and preparation of all UID information into form suitable for GSR computation.
In enabling an initial user registration process and subsequent user authentication processes (207) comprises steps of C1 as exemplified without limitation by web-browser operating on kiosk computing platform comprising reader device for physical ID credential; biometric device for input of user biometric data; and physical and interaction security measures to protect against unauthorised registration; C2 as exemplified equivalently to authentication case as undertakes initial GSR submission and consequent certificate receipt; H1 and H2 as WS applications as respectively accessible to C1 request of registration service on first WS1 and to 02 response of registration outcome on second WS2 as both hosted on registration server at their respective application locations; H2H as exemplified equivalently and as enables H1 and H2 to undertake creation, modification and deletion of a particular record as corresponds to particular registration request-response interaction; and C2C as subject to location of C1 instance with use case of interest being C1 and C2 on different computing devices; as exemplified without limitation by CSC as optical channel with C1 output of optical barcode containing challenge valuation via screen and C2 input of such barcode via camera; and C2C as localised radio frequency, RF channel with C1 transmission of challenge valuation and C2 receipt of such transmission.
The action of client C2 undertaking user registration with server handler H2 (720) further comprising C2 instance as associated with particular user characterised by presently computed certificate signing request, CSR comprising at least UID and PK valuation as presently signed by user-specific sk corresponding to particular PK; with UID establishment form particular process for user ID verification and validation as deemed sufficiently trustworthy and authoritative; such that H2 assessment of interaction correctness enables conclusion that user characterised by CSR has correctly undertaken authentication; and C2 and H2 undertaking AKE interaction for user registration. Reference is made to FIG. 8.0 which is a flowchart illustrating steps for C2 and H2 undertaking AKE interaction for user registration. As illustrated in FIG. 8.0, C2 and H2 undertaking AKE interaction for user registration comprising steps of first action of H2 extraction of UID valuation from corresponding H2H record (802); second action of H2 request to TTP ID authority, IDA for validation of such UID valuation (804); third action of H2 on correct validation outcome and C2 to undertake AKE interaction; with H2 input of UID and correct C2 output of CSR comprising at least UID and corresponding PK (806); fourth action of H2 on correct AKE outcome, request to TTP certificate authority, CA for UID certificate corresponding to received CSR (808); and fifth action of H2 on correct certification outcome, and C2 to undertake interaction (810); with H2 input of issued certificate and correct C2 outcome of such certificate inserted into C2 storage for subsequent use in AKE mutual authentication interactions (812).
The first action of C1 request in response to initiating action by particular user to server hosting user registration service (702) further comprising steps of C1 physical instance as tamper-resistent integration of at least reader device for ID credential and biometric device for user input so as to prevent submission without proof of user ownership of unauthorised UID information; and C1 instance as characterised by particular certificate as furthermore subject to check on certificate revocation status so as to prevent submission of UID information from unauthorised C1 instances.
The process of validation of UID information with TTP deemed sufficiently authoritative with C1 subject to security measures to protect against unauthorised registration (702) further comprises C1 instance characterised by PK certificate comprising at least client ID, CID and PK valuation as signed and issued by particular TTP server; and correspondingly H1 instance as associated with particular service likewise characterised by PK certificate comprising at least SID and PK valuation as issued by corresponding TTP server; furthermore comprising as enables C1 and H2 to undertake mutual authentication, correctness of which enables conclusion that present registration request originates from previously authorised C1 instance; and check on revocation status of C1 certificate, negative outcome of which enables conclusion that such C1 instance is presently still authorised.
Unless the context requires otherwise or specifically stated to the contrary, integers, steps or elements of the invention recited herein as singular integers, steps or elements clearly encompass both singular and plural forms of the recited integers, steps or elements. Throughout this specification, unless the context requires otherwise, the word “comprise”, or variations such as “comprises” or “comprising”, will be understood to imply the inclusion of a stated step or element or integer or group of steps or elements or integers, but not the exclusion of any other step or element or integer or group of steps, elements or integers. Thus, in the context of this specification, the term “comprising” is used in an inclusive sense and thus should be understood as meaning “including principally, but not necessarily solely”.

Claims

24
1. A method (200) for authentication of a first socket, S1 through an authentication status of a second socket, S2 as representative of a particular user comprising steps of: performing prior establishment through S1 which requires authentication of the particular user undertaken external to itself such requirement presented as a service and a cryptographic challenge to any and all S2 instance (202); performing a subsequent establishment through S2 which provides for authentication of the particular user with successful outcome of such provision presented as service and cryptographic responses to corresponding S1 instance (204); associating the authentication status of S2 to authenticate S1 (206); enabling an initial user registration process and subsequent user authentication processes (207); characterized in that performing prior establishment through S1 which requires authentication of the particular user undertaken external to itself such requirement presented as a service and a cryptographic challenge to any and all S2 instance (202) further comprises steps of: undertaking client-server connection by S1 with service client, C1 instance as presumed either incapable of or not sufficiently trustworthy for execution of user authentication and corresponding server-side first handler, H1 instance (208); undertaking client-server connection by S2 with authentication client, C2 instance, as both capable of and trusted with execution of user authentication and corresponding server-side second handler, H2 instance (210); undertaking authentication request-response and cryptographic challenge-response interactions by H1 and H2 through a server-side handler-to-handler, H2H mechanism as enables handler read and write operations, as presumed secure and exclusive to handler instances (212); undertaking an authentication challenge-response interaction between first web-socket, WS1 and second web-socket, WS2 (214); and undertaking a registration interaction between WS1 and WS2 subject to physical and interaction security measures (216). The method (200) according to claim 1 , wherein undertaking an authentication challenge-response interaction between WS1 and WS2 (214) further comprising steps of (300): first action of C1 request in response to an initiating action by the particular user to a server hosting user authentication service (302) resulting in creation of H1 instance to handle presently established S1 instance; second action of H1 computation and association with a unique first socket identifier, ID1 (304) as presumed secure and exclusive to handler instances and a cryptographic challenge token as request for the authentication service; third action of H1 transmission on S1 to C1 of the challenge token and consequent write to H2H of a new record comprising particular ID1 and challenge valuations (306); fourth action of C1 representation of the challenge token in form of amenable to user action and such action resulting in transmission of a particular challenge valuation to C2 instance (308) as previously associated with the particular user on client-to-client, C2C connection as presumed localised to the particular client instances and out-of-band, OOB with respect to S1 ; fifth action of C2 request to the server hosting user authentication service (310) resulting in creation of H2 instance to handle presently established S2 instance with such client-server connection likewise presumed insecure; sixth action of H2 computation and association with a unique second socket identifier, ID2 (312) as likewise presumed secure and exclusive to handler instances and undertaking mutual authentication based on consequent interaction of C2 and H2, with C2 undertaking action with a user-associated credential and H2 undertaking corresponding action with a server-associated credential; seventh action on correct outcome of mutual authentication interaction of H2 computation of cryptographic response token (314) as enables consequent association with particular H1 instance and corresponding challenge valuation; eight action of H2 undertaking query of H2H based on challenge valuation to access H2H record as previously written by particular H1 instance (316) consequently append to a particular record comprising a particular ID2, response valuation and unique user identifier, DID as extracted from credential correctly authenticated and subsequent notification to C2 for S2 termination; ninth action of H2H transmission to particular H1 instance (318) of notification to undertake assessment of corresponding H2 action; and tenth action of H1 undertaking H2H read of corresponding record, assessment of H2 response to H1 challenge, deletion of such record, a notification to C1 for S1 termination (320), and on correct outcome thereof consequent use of UID in post-authentication service provision. The method (200) according to claim 2, wherein undertaking mutual authentication based on consequent interaction of C2 and H2, with C2 undertaking action with a user-associted credential and H2 undertaking corresponding action with a server- associated credential (312) comprising steps of:
02 and H2 execution of elliptic curve cryptographic, ECO authenticated key establishment AKE interaction; with
02 instance as associated with the particular user characterised by publickey, PK certificate comprising at least UID and PK valuation as signed and issued by particular trusted third party, TTP server;
H2 instance as associated with particular service likewise characterised by PK certificate comprising at least server ID, SID and PK valuation as issued by corresponding TTP server;
C2 capability for user-specific private-key, sk computation as corresponds to public-key, PK in issued certificate; such that sk valuation exists only within temporal limitation of AKE interaction; sk computations are undertaken only within spatial limitation of C2 interior;
AKE and other cryptographic outcomes are encrypted so as to be accessible only within spatial limitation of H2 interior as characterised by the server PK certificate with PK therein subject to C2 initiation of client-to-server challenge, such that such outcomes regardless of correctness can only be obtained within H2 instances deemed sufficiently trustworthy to be issued an associated PK certificate; sk computations in 02 are only undertaken upon correct assessment of the H2 server-response to the C2 client-challenge with the outcome 27 of such computation instances being C2 client-response to H2 reciprocation of server-to-client challenge; and
H2 assessment of C2 response, correctness of which enables conclusion that user characterised by PK certificate has correctly undertaken authentication. The method (200) according to claim 2, wherein undertaking mutual authentication based on consequent interaction of C2 and H2 (312) further comprising:
C2 and H2 execution of ECC computations for identity, ID based AKE interaction; with
C2 instance as associated with particular user uniquely characterised by UID valuation as user credential; and correspondingly H2 instance as associated with particular service likewise characterised by SID valuation as server credential. The method according to claim 3, wherein C2 and H2 execution of ECC computations for ID based on AKE interaction comprising steps of (400): first action of H2 transmission of request to C2 to initiate AKE interaction (402); second action of C2 computation and transmission of challenge to H2 (404); third action of H2 computation of response to C2 challenge and of reciprocal challenge to C2 (406) and then transmission of SID certificate, response and challenge to C2; fourth action of C2 verification of H2 response to previously issued challenge on such verification outcome computation of response to H2 challenge (408) and then transmission of UID certificate and response to H2; fifth action of H2 verification of C2 response to previously issued challenge (410); and sixth action of H2 on correct verification outcome, extraction of UID valuation from received certificate and addition of such valuation to corresponding H2H record (412). The method (200) according to claim 1 , wherein undertaking authentication requestresponse and cryptographic challenge-response interactions by H1 and H2 (212) comprising steps of (500): undertaking initiation by H1 (502) comprising: 28
ID1 computation as unique output of zero knowledge, ZK cryptographic integration of inputs, at least inclusive of the time of S1 establishment; and challenge token computation as ZK integration of inputs, at least inclusive of ID1 and time of challenge initiation; undertaking reciprocation by H2 (504) comprising:
ID2 computation as unique output of ZK integration of inputs, at least inclusive of the time of S2 establishment; and response token computation as ZK integration of inputs, at least inclusive of ID2 and challenge token valuation; and undertaking assessment of present H2 response to prior H1 challenge by H1 through equivalent ZK integration of inputs (506) and subsequent comparison of such computation outcome to H2H retrieval of such H2 response.
7. The method (200) according to claim 1 , wherein undertaking cryptographic challenge-response interaction by H1 and H2 (212) further comprising: cryptographic key derivation function, KDF for ZK integration of inputs inclusive of without limitation such derivation as outcome of hash message authentication code, HMAC; and interaction-specific and pairwise-specific authentication key as KDF integration of inputs, at least inclusive of ID1 and ID2, and additionally master secret-key, msk such that msk valuation and computations are undertaken only within spatial limitation of H2H mechanism as exemplified by hardware security module, HSM as accessible only within H2H mechanism.
8. The method (200) according to claim 7, wherein cryptographic key derivation function, KDF for ZK integration of inputs further comprising steps of (600):
H2 computation for response token (602) comprising:
H2 call to HSM with ID1 and ID2 as inputs;
HSM computation for interaction-specific authentication key as KDF integration of ID1 , ID2 and internalised msk;
HSM return to H2 of authentication key as output (604) as enables H2 computation of response valuation as KDF integration of challenge valuation and authentication key; and 29
H1 assessment of response token (606) comprising equivalent KDF integration of inputs and subsequent comparison of such computation outcome to H2H retrieval of H2 response.
9. The method (200) according to claim 1 , wherein undertaking a registration interaction by WS1 and WS2 (216) subject to physical and interaction security measures, comprising steps of (700): first action of C1 request in response to initiating action by particular user to server hosting user registration service (702) resulting in creation of H1 instance to handle presently established S1 instance and consequent registration actions on C1 comprising: submission of machine-readable physical ID credential within spatial limitation of C1 ; verification of user ownership of ID credential through authentication of biometric test data measured against reference originating from ID credential likewise within spatial limitation of C1 ; extraction of UID information through read of ID credential; and validation of UID information with TTP deemed sufficiently authoritative with C1 subject to security measures to protect against unauthorised registration; second action of H1 computation of ID1 and challenge token (704) as equivalent to authentication case; third action of H1 transmission on S1 to C1 of challenge token and consequent write to H2H of new record comprising particular ID1 , challenge and UID valuations (706); fourth action of C1 representation of challenge token and subsequent transmission to C2 instance (708) as equivalent; fifth action of C2 request to server hosting user registration service (710) resulting in creation of H2 instance to handle presently established S2 instance as equivalent; sixth action of H2 computation of ID2 and response token (712); seventh action of H2 undertaking query of H2H based on challenge valuation to access H2H record (714) as previously written by particular H1 instance; consequent read from particular record of UID information and then append to such record comprising particular ID2 and response valuation; 30 eighth action of H2H transmission to particular H1 instance of notification to undertake assessment of corresponding H2 action (716); ninth action of H1 undertaking H2H read of corresponding record, assessment of H2 response to H1 challenge, deletion of such record and notification to C1 for S1 termination (718); and tenth action of C2 undertaking user registration interaction with server handler H2 (720) comprising: transmission to C2 of DID information; interaction of C2 and H2 in first mutual authentication with C2 undertaking action with CSR comprising at least previously received UID information and presently computed PK; transmission on correct outcome of such interaction to TTP certificate issuer of CSR; receipt on correct outcome of TTP validation action of PK certificate comprising at least UID and PK corresponding to CSR; interaction of C2 and H2 in second mutual authentication with C2 undertaking action with certificate as previously issued with correct outcome resulting in write to C2 of certificate; and notification to C2 for S2 termination. The method (200) according to claim 9, wherein undertaking a registration interaction by WS1 and WS2 (216) further comprises steps of: submission of request to undertake authenticated transaction on third-party service with correct outcome therefor enabling H1 access to user-associated UID information inclusive of without limitation funds transfer from bank account of particular user to account of registration service provider with such third-party service provider deemed sufficiently trustworthy and authoritative; submission of additional UID information inclusive of without limitation national ID or passport information as generally excluded in such third-party transaction; verification of user ownership of third-party account via authentication service of third-party provider with correct outcome resulting in transaction to account of registration provider hosted on third-party server; extraction of UID information from particular transaction; validation of such UID information with external TTP deemed sufficiently authoritative; 31 confirmation of additional DID information with such external TTP; and preparation of all UID information into form suitable for CSR computation. The method (200) according to claim 1 , wherein enabling an initial user registration process and subsequent user authentication processes (207), comprises steps of :
C1 as exemplified without limitation by Web-browser operating on kiosk computing platform comprising: reader device for physical ID credential; biometric device for input of user biometric data; and physical and interaction security measures to protect against unauthorised registration;
C2 as exemplified equivalently to authentication case as undertakes initial CSR submission and consequent certificate receipt;
H1 and H2 as WS applications as respectively accessible to C1 request of registration service on first WS1 and to C2 response of registration outcome on second WS2 as both hosted on registration server at their respective application locations;
H2H as exemplified equivalently and as enables H1 and H2 to undertake creation, modification and deletion of a particular record as corresponds to particular registration request-response interaction; and
C2C as subject to location of C1 instance with use case of interest being C1 and C2 on different computing devices; as exemplified without limitation by: CSC as optical channel with C1 output of optical barcode containing challenge valuation via screen and C2 input of such barcode via camera; and
C2C as localised radio frequency, RF channel with C1 transmission of challenge valuation and C2 receipt of such transmission. The method (200) according to claim 11 , wherein performing action of client C2 undertaking user registration with server handler H2 (720) further comprising:
C2 instance as associated with particular user characterised by presently computed certificate signing request, CSR comprising at least UID and PK valuation as presently signed by user-specific sk corresponding to particular PK; with
UID establishment form particular process for user ID verification and validation as deemed sufficiently trustworthy and authoritative; such that 32
H2 assessment of interaction correctness enables conclusion that user characterised by CSR has correctly undertaken authentication; and C2 and H2 undertaking AKE interaction for user registration.
13. The method (200) according to claim 12, wherein C2 and H2 undertaking AKE interaction for user registration comprising steps of (800): first action of H2 extraction of UID valuation from corresponding H2H record (802); second action of H2 request to TTP ID authority, IDA for validation of such UID valuation (804); third action of H2 on correct validation outcome and C2 to undertake AKE interaction with H2 input of UID and correct C2 output of CSR comprising at least UID and corresponding PK (806); fourth action of H2 on correct AKE outcome, request to TTP certificate authority, CA for UID certificate corresponding to received CSR (808); and fifth action of H2 on correct certification outcome and C2 to undertake interaction (810); with
H2 input of issued certificate and correct C2 outcome of such certificate inserted into C2 storage for subsequent use in AKE mutual authentication interactions (812).
14. The method (200) according to claim 9, wherein first action of C1 request in response to initiating action by particular user to server hosting user registration service (702) further comprising steps of:
C1 physical instance as tamper-resistent integration of at least reader device for ID credential and biometric device for user input so as to prevent submission without proof of user ownership of unauthorised UID information; and
C1 instance as characterised by particular certificate as furthermore subject to check on certificate revocation status so as to prevent submission of UID information from unauthorised C1 instances.
15. The method (200) according to claim 9, wherein validation of UID information with TTP deemed sufficiently authoritative with C1 subject to security measures to protect against unauthorised registration (702) further comprises: 33
C1 instance characterised by PK certificate comprising at least client ID, CID and PK valuation as signed and issued by particular TTP server; and correspondingly
H1 instance as associated with particular service likewise characterised by PK certificate comprising at least SID and PK valuation as issued by corresponding TTP server; furthermore comprising as enables C1 and H2 to undertake mutual authentication, correctness of which enables conclusion that present registration request originates from previously authorised C1 instance; and check on revocation status of C1 certificate, negative outcome of which enables conclusion that such C1 instance is presently still authorised. A system (100) for authentication of first socket, S1 via transfer of authentication status of second socket, S2 enabling an initial user registration action and subsequent user authentication actions comprising: an authentication system having: service client, C1 (102) as exemplified without limitation by Web-browser operating on kiosk computing platform; authentication client, C2 (104) as exemplified without limitation by an authentication application, subject to previous installation and registration actions by user on a generic mobile device; web-socket applications handlers, H1 and H2 (106, 108) as respectively accessible to C1 request of authentication service on first WS1 , and to C2 response of authentication outcome on second WS2; handle-to-handler coordination mechanism, H2H (110) as exemplified without limitation by generic storage application or service; as enables H1 and H2 to undertake creation, modification and deletion of a particular record; and client-to-client, C2C communication as subject to location of C1 instance with use cases of interest being C1 and C2 on different computing devices, and C1 and C2 on the same mobile device; as respectively exemplified without limitation by:
CSC as optical channel with C1 output of optical barcode containing challenge valuation via screen, and C2 input of such barcode via camera; and 34
C2C as mobile device system call with C1 output of such call to C2 containing challenge valuation, and C2 input via receipt of such call from C1 ; and a registration system having:
C1 as exemplified without limitation by Web-browser operating on kiosk computing platform comprising: reader device for physical ID credential; biometric device for input of user biometric data; and physical and interaction security measures to protect against unauthorised registration;
C2 as exemplified equivalently to authentication case as undertakes initial CSR submission and consequent certificate receipt;
H1 and H2 as WS applications as respectively accessible to C1 request of registration service on first WS1 and to C2 response of registration outcome on second WS2 as both hosted on registration server at their respective application locations;
H2H as exemplified equivalently and as enables H1 and H2 to undertake creation, modification and deletion of a particular record as corresponds to particular registration request-response interaction; and
C2C as subject to location of C1 instance with use case of interest being C1 and C2 on different computing devices; as exemplified without limitation by:
CSC as optical channel with C1 output of optical barcode containing challenge valuation via screen and C2 input of such barcode via camera; and
C2C as localised radio frequency, RF channel with C1 transmission of challenge valuation and C2 receipt of such transmission.
PCT/MY2020/050157 2020-09-30 2020-11-17 Socket association for transfer of socket authentication status Ceased WO2022071789A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2020005133A MY206283A (en) 2020-09-30 2020-09-30 Socket association for transfer of socket authentication status
MYPI2020005133 2020-09-30

Publications (1)

Publication Number Publication Date
WO2022071789A1 true WO2022071789A1 (en) 2022-04-07

Family

ID=80951557

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2020/050157 Ceased WO2022071789A1 (en) 2020-09-30 2020-11-17 Socket association for transfer of socket authentication status

Country Status (2)

Country Link
MY (1) MY206283A (en)
WO (1) WO2022071789A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7975139B2 (en) * 2001-05-01 2011-07-05 Vasco Data Security, Inc. Use and generation of a session key in a secure socket layer connection
EP2672667A2 (en) * 2011-03-11 2013-12-11 ZTE Corporation Method and system for implementing ip-based vvm
US9363578B2 (en) * 2009-09-09 2016-06-07 Sony Corporation Communication system, communication device, communication method, and computer program
US9438699B1 (en) * 2012-09-30 2016-09-06 Juniper Networks, Inc. TCP proxying of network sessions mid-flow
US20200014694A1 (en) * 2017-03-08 2020-01-09 Bank Of America Corporation Certificate system for verifying authorized and unauthorized secure sessions

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7975139B2 (en) * 2001-05-01 2011-07-05 Vasco Data Security, Inc. Use and generation of a session key in a secure socket layer connection
US9363578B2 (en) * 2009-09-09 2016-06-07 Sony Corporation Communication system, communication device, communication method, and computer program
EP2672667A2 (en) * 2011-03-11 2013-12-11 ZTE Corporation Method and system for implementing ip-based vvm
US9438699B1 (en) * 2012-09-30 2016-09-06 Juniper Networks, Inc. TCP proxying of network sessions mid-flow
US20200014694A1 (en) * 2017-03-08 2020-01-09 Bank Of America Corporation Certificate system for verifying authorized and unauthorized secure sessions

Also Published As

Publication number Publication date
MY206283A (en) 2024-12-06

Similar Documents

Publication Publication Date Title
US11178128B2 (en) Integrating sensitive data from a data provider into instances of third-party applications executed on user devices
US11258777B2 (en) Method for carrying out a two-factor authentication
US10797879B2 (en) Methods and systems to facilitate authentication of a user
AU2018206414B2 (en) Confirming authenticity of a user to a third-party system
JP6586446B2 (en) Method for confirming identification information of user of communication terminal and related system
EP3175578B1 (en) System and method for establishing trust using secure transmission protocols
US8112787B2 (en) System and method for securing a credential via user and server verification
CN108834144B (en) Method and system for managing association of operator number and account
US20170244676A1 (en) Method and system for authentication
US11595215B1 (en) Transparently using macaroons with caveats to delegate authorization for access
US11997207B2 (en) Identifying group membership through discharge macaroon access tokens
US10812467B2 (en) Method for managing a secure channel between a server and a secure element
US20100250949A1 (en) Generation, requesting, and/or reception, at least in part, of token
US11595389B1 (en) Secure deployment confirmation of IOT devices via bearer tokens with caveats
TW202207667A (en) Authentication and validation procedure for improved security in communications systems
CN103560887A (en) Intelligent terminal remote attestation method and system
CN115150098A (en) Identity authentication method based on challenge response mechanism and related equipment
CN104753879A (en) Method and system for authenticating cloud service provider through terminal and method and system for authenticating terminal through cloud service provider
CN114329426B (en) A client authentication method, apparatus, device, and storage medium
WO2022071789A1 (en) Socket association for transfer of socket authentication status
US20250220002A1 (en) Mobile device management including features of passwordless authentication
US20240007272A1 (en) Secure device pairing
WO2025237851A1 (en) System and method to mitigate storage overload during web authentication
WO2025231423A1 (en) Device binding using cryptographic keys
CN119696823A (en) Login verification method, device, related equipment, storage medium and program product

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20956399

Country of ref document: EP

Kind code of ref document: A1