US20150244695A1 - Network authentication method for secure user identity verification - Google Patents
- Publication number: US20150244695A1 (application US14/187,903)
- Authority: US (United States)
- Prior art keywords: identity verification, user terminal, servers, verification servers, user
- Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Classifications
- H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication)
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/06—for supporting key management in a packet data network
  - H04L63/08—for authentication of entities
    - H04L63/0823—for authentication of entities using certificates
  - H04L63/12—applying verification of the received information
    - H04L63/123—verification of received data contents, e.g. message integrity
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
  - H04L9/30—public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
  - H04L9/32—including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    - H04L9/3247—involving digital signatures
Definitions
- the invention relates to network identity authentication, and more particularly to a network authentication method for secure verification of identity of a user.
- an Internet content provider needs to provide to each user an identity verification device, e.g., a USB device loaded with a public key infrastructure (PKI) certificate, an integrated circuit (IC) electronic card or a dynamic token.
- PKI: public key infrastructure
- IC: integrated circuit
- an object of the present invention is to provide a network authentication method for secure verification of the identity of a user that can overcome the aforesaid drawbacks of the prior art.
- a network authentication method to be implemented using a user terminal, a downloading unit, a content-provider server and a plurality of identity verification servers for secure verification of the identity of a user of the user terminal.
- the network authentication method of this invention comprises the following steps of:
- step a) the user terminal downloading a scan program and an asymmetrical public key from the downloading unit;
- step b) each of the identity verification servers downloading from the downloading unit a respective set of encrypted information that is signed with an asymmetrical private key and that includes an encrypted web address of the identity verification server, and storing reference hardware scan data that is associated with the user terminal and that corresponds uniquely to a user identifier of the user;
- step c) in response to a user login request from the user terminal for accessing the content-provider server through a first communication link, the content-provider server transmitting to one of the identity verification servers a verification notification that the identity of the user needs to be verified, and redirecting the user terminal for connecting with said one of the identity verification servers through a second communication link;
- step d) said one of the identity verification servers transmitting to the user terminal the respective set of encrypted information downloaded in step b) through the second communication link;
- step e) the user terminal determining, based on the respective set of encrypted information transmitted in step d) and the asymmetrical public key downloaded in step a), whether said one of the identity verification servers is currently valid to perform identity verification;
- step f) upon determining that said one of the identity verification servers is currently valid to perform identity verification, the user terminal executing the scan program downloaded in step a) to obtain hardware scan data associated with the user terminal, and transmitting the hardware scan data thus obtained to said one of the identity verification servers through the second communication link;
- step g) said one of the identity verification servers verifying the identity of the user based on the relationship between the hardware scan data received from the user terminal in step f) and the reference hardware scan data stored in step b), and notifying the content-provider server of a verification result.
- FIG. 1 is a schematic block diagram illustrating a network authentication system that is configured for implementing a network authentication method according to the preferred embodiment of the present invention
- FIG. 2 is a flowchart illustrating a registration procedure of the network authentication method of the preferred embodiment
- FIG. 3 is a flow chart illustrating a login procedure of the network authentication method of the preferred embodiment
- FIG. 4 is a flowchart of a procedure illustrating how one of the identity verification servers is determined to perform identity verification in the preferred embodiment.
- FIG. 5 is a flowchart of a procedure illustrating how a user terminal determines whether said one of the identity verification servers is currently valid to perform identity verification in the preferred embodiment.
- a network authentication system is used to implement a network authentication method for secure verification of the identity of a user 5 according to the preferred embodiment of the present invention.
- the network authentication system includes a downloading unit 1, a user terminal 2 owned by the user 5, a content-provider server 3 (e.g., an internet content provider or ICP), and a plurality of identity verification servers 4.
- the user terminal 2 is owned by the user 5, and may be an electronic device capable of Internet browsing or data communication, such as a notebook computer, a smart phone, a personal digital assistant, etc.
- the user terminal 2 includes a plurality of hardware components (not shown), such as a central processing unit, a basic input/output system (BIOS) unit, a storage device, a network interface, a motherboard, etc., each of which has a unique identification code.
- the content-provider server 3 may be, but is not limited to, a web bank server, an online game server, or any other server that provides a network service requiring identity verification, such as a portal website.
- the identity verification servers 4 are ideally authorized by the downloading unit 1 to perform third-party identity verification, and may be, but are not limited to, social networking websites, such as Google, Yahoo, Facebook, etc.
- the downloading unit 1 includes a database unit (not shown) for storing at least one scan program, at least one pair of asymmetrical public and private keys, and a plurality of sets of encrypted information corresponding respectively to the identity verification servers 4.
- each set of encrypted information is signed with the asymmetrical private key, and includes an encrypted web address of a respective one of the identity verification servers 4.
- each set of encrypted information has been processed with the asymmetrical private key to create a digital signature, and the asymmetrical public key is used to verify the digital signature.
- the downloading unit 1, the user terminal 2, the content-provider server 3 and the identity verification servers 4 are connected to a communication network 100.
- the downloading unit 1 cooperates with the user terminal 2 and the content-provider server 3 to implement a registration procedure of the network authentication method of the preferred embodiment according to the present invention.
- the registration procedure of the network authentication method of the preferred embodiment includes the following steps. It is noted that, prior to the registration procedure, each of the identity verification servers 4 is connected to the downloading unit 1 through the communication network 100 for downloading a respective set of encrypted information from the downloading unit 1.
- step S21: the user 5 inputs a user identification (ID) serving as a user identifier, and a password using a user input interface (not shown) of the user terminal 2 at a website provided by the content-provider server 3.
- the user ID and the password are then transmitted from the user terminal 2 to the content-provider server 3 via the communication network 100.
- step S22: in response to receipt of the user ID and the password, the content-provider server 3 is operable to check whether the user ID and the password are correct. If the result is affirmative, the flow proceeds to step S23. Otherwise, the content-provider server 3 is operable to send an error message to the user terminal 2 for displaying on a display device (not shown) of the user terminal 2 (step S20).
- step S23: the content-provider server 3 is operable to redirect the user terminal 2 for connection with the downloading unit 1.
- step S24: the downloading unit 1 is operable to enable the user terminal 2 to download the scan program and the asymmetrical public key therefrom.
- step S25: after the user terminal 2 stores the scan program and the asymmetrical public key, the user terminal 2 is operable to execute the scan program for scanning the hardware components of the user terminal 2 to obtain the identification codes of the hardware components, and for establishing reference hardware scan data according to the identification codes of the hardware components thus obtained.
- the reference hardware scan data is associated with the user terminal 2, and corresponds uniquely to the user identifier of the user 5.
- step S26: the user terminal 2 is operable to transmit the reference hardware scan data to each of the identity verification servers 4 via the communication network 100, so that each of the identity verification servers 4 stores the reference hardware scan data received from the user terminal 2.
- the network authentication system implements a login procedure of the network authentication method of the preferred embodiment.
- the login procedure of the network authentication method of the preferred embodiment includes the following steps.
- step S31: the user 5 inputs the user ID and the password using the user input interface of the user terminal 2 at the service website provided by the content-provider server 3, and the user terminal 2 is operable to transmit the user ID and the password to the content-provider server 3 through a first communication link over the communication network 100.
- step S32: in response to receipt of the user ID and the password from the user terminal 2, the content-provider server 3 is operable to check whether the user ID and the password are correct. If the result is affirmative, the flow proceeds to step S33. Otherwise, the content-provider server 3 is operable to send an error message to the user terminal 2 for displaying on the display device of the user terminal 2 (step S30).
- step S33: the content-provider server 3 is operable to transmit to one of the identity verification servers 4 a verification notification that the identity of the user 5 needs to be verified.
- the content-provider server 3 is further operable to redirect the user terminal 2 for connecting with said one of the identity verification servers 4 through a second communication link that is separate from the first communication link.
- in one embodiment, said one of the identity verification servers 4 is determined by the content-provider server 3.
- in another embodiment, said one of the identity verification servers 4 may be determined by the user 5.
- FIG. 4: a procedure is shown to illustrate how one of the identity verification servers 4 for performing identity verification is determined by the user 5.
- sub-step S41: the content-provider server 3 is operable to send to the user terminal 2 a selection request that includes a list of option items, which represent respectively the identity verification servers 4.
- in response to the selection request from the content-provider server 3, the user terminal 2 is operable to send to the content-provider server 3 a selection reply that indicates a desired one of the option items representing a corresponding one of the identity verification servers 4 (sub-step S42). Therefore, the content-provider server 3 is operable to determine the corresponding one of the identity verification servers 4 for performing identity verification in accordance with the selection reply (sub-step S43).
- step S34: in response to receipt of the verification notification from the content-provider server 3, said one of the identity verification servers 4 is operable to transmit the respective set of encrypted information stored therein to the user terminal 2 through the second communication link.
- step S35: upon receipt of the respective set of encrypted information from said one of the identity verification servers 4, the user terminal 2 is operable to determine, based on the respective set of encrypted information and the asymmetrical public key stored in step S24 of the registration procedure, whether said one of the identity verification servers 4 is currently valid to perform identity verification.
- for this determination, the user terminal 2 is operable to decrypt the encrypted web address of the respective set of encrypted information using the asymmetrical public key (that is, to verify the digital signature created with the asymmetrical private key). Upon successful decryption of the encrypted web address, the user terminal 2 determines that said one of the identity verification servers 4 is currently valid to perform identity verification. Then, the flow proceeds to step S36. On the other hand, upon failed decryption of the encrypted web address of the encrypted information, it is determined by the user terminal 2 that said one of the identity verification servers 4 is currently invalid to perform identity verification. Then, the user terminal 2 is operable to send to the content-provider server 3 an invalid notification that said one of the identity verification servers 4 is invalid to perform identity verification (step S40).
- in one embodiment, each set of encrypted information which is stored in the database unit of the downloading unit 1 and corresponds to one of the identity verification servers 4 further includes an encrypted authorization period associated with that identity verification server 4.
- FIG. 5: a procedure is shown to illustrate how the user terminal 2 determines, in step S35, whether said one of the identity verification servers 4 is currently valid to perform identity verification.
- first, the user terminal 2 is operable to determine whether the encrypted web address and the encrypted authorization period (i.e., the set of encrypted information) of said one of the identity verification servers 4 are successfully decrypted using the asymmetrical public key. If the result is negative, the flow goes to step S40 of FIG. 3.
- sub-step S52: upon successful decryption of the encrypted web address and the encrypted authorization period associated with said one of the identity verification servers 4, the user terminal 2 is operable to determine whether the current date is within the decrypted authorization period associated with said one of the identity verification servers 4. If the result is affirmative, the user terminal 2 determines that said one of the identity verification servers 4 is currently valid to perform identity verification (sub-step S53). Then, the flow goes to step S36 of FIG. 3.
- sub-step S54: when the user terminal 2 determines that the current date is not within the decrypted authorization period associated with said one of the identity verification servers 4, the user terminal 2 is operable to send to the downloading unit 1 an expiration notification that the authorization period associated with said one of the identity verification servers 4 has expired. Then, the flow goes to step S40 of FIG. 3.
- step S36: the user terminal 2 is operable to execute the scan program for scanning the hardware components of the user terminal 2 to obtain the identification codes of the hardware components that serve as hardware scan data associated with the user terminal 2, and to transmit the hardware scan data thus obtained to said one of the identity verification servers 4.
- step S37: upon receipt of the hardware scan data from the user terminal 2, said one of the identity verification servers 4 is operable to compare the hardware scan data with the reference hardware scan data stored therein during the registration procedure of the user 5 for verifying the identity of the user 5 associated with the user terminal 2, and to send a verification result to the content-provider server 3.
- when the hardware scan data obtained in step S36 does not conform with the reference hardware scan data stored in said one of the identity verification servers 4, the verification result indicates that the verification of the identity of the user 5 has failed.
- when the hardware scan data obtained in step S36 conforms with the reference hardware scan data stored in said one of the identity verification servers 4, the verification result indicates that the verification of the identity of the user 5 is successful.
- step S38: the content-provider server 3 is operable to determine, based on the verification result from said one of the identity verification servers 4, whether the identity of the user 5 is authenticated.
- when the verification result indicates that the verification of the identity of the user 5 has failed, it is determined by the content-provider server 3 that the identity of the user 5 is not authenticated, and the flow goes to step S30. In this case, the user terminal 2 is denied access to the service website provided by the content-provider server 3.
- when the verification result indicates that the verification of the identity of the user 5 is successful, the content-provider server 3 is operable to redirect the user terminal 2 for connecting with the service website provided by the content-provider server 3 (step S39). Therefore, the user terminal 2 is authorized to access the service website.
- the network authentication method according to this invention has the following advantages:
- since the user terminal 2 is dynamically directed to one of the identity verification servers 4 for further identity verification (i.e., the user terminal 2 may be directed to a different identity verification server 4 every time), and since the respective set of encrypted information stored in each identity verification server 4 and the asymmetrical public key stored in the user terminal 2 may be randomly updated in response to notification from the downloading unit 1 as required, multi-authentication for user identity can be achieved using the downloading unit 1 that provides the respective set of encrypted information to each identity verification server 4, and the asymmetrical public key and the scan program to the user terminal 2.
- the user terminal 2 may execute the scan program for scanning the hardware components of the user terminal 2 to obtain the hardware scan data according to the identification codes of the hardware components, and the hardware scan data thus obtained for subsequent use in authenticating the identity of the user by said one of the identity verification servers 4 is dynamic data.
- a network content provider does not need to purchase additional equipment for identity authentication, and does not need to provide the user with a dynamic token, an IC electronic card, or a USB device with a PKI certificate.
- the user 5 does not need to have additional authentication devices for different service websites.
- since the user terminal 2 is connected to the content-provider server 3 through the first communication link and to said one of the identity verification servers 4 through the second communication link, it is relatively difficult to attack the first and second communication links simultaneously for stealing and/or tampering with the data sent by the user terminal 2.
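The registration steps S21 to S26 and the login steps S31 to S39 above, carried through as a runnable example. This is an added illustration written for this page, not code from the patent or from any product built on it. It assumes Ed25519 as the asymmetrical key pair of the downloading unit, JSON as the encoding of the set of encrypted information, and a SHA-256 digest over the component identification codes as the hardware scan data; the patent specifies none of these, and the component codes and user names in the code are constructed sample values. What the patent calls decrypting the web address with the public key is, as its own description of the signature says, verification of a signature made with the private key, and that is what the code does. The terminal's check also compares the signed web address with the host it was redirected to; this is an added assumption, not a step the patent states, and it is what gives the signed address a purpose, since a valid set of encrypted information presented by a different server is then rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// VerifierRecord is the "set of encrypted information" the downloading unit issues
// for one identity verification server: its web address and authorization period.
type VerifierRecord struct {
	WebAddress string    `json:"web_address"`
	NotBefore  time.Time `json:"not_before"`
	NotAfter   time.Time `json:"not_after"`
}

// SignedRecord carries the encoded record and the downloading unit's signature over it.
type SignedRecord struct {
	Payload   []byte
	Signature []byte
}

// IssueRecord runs on the downloading unit: it signs the record with the asymmetrical
// private key (what the patent calls processing the information with the private key).
func IssueRecord(priv ed25519.PrivateKey, rec VerifierRecord) (SignedRecord, error) {
	payload, err := json.Marshal(rec)
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// ValidateRecord runs on the user terminal (step S35 / FIG. 5): verify the signature with
// the public key stored at registration, check that now lies inside the authorization
// period, and (added assumption) that the signed web address is the host actually reached.
func ValidateRecord(pub ed25519.PublicKey, sr SignedRecord, connectedHost string, now time.Time) (VerifierRecord, error) {
	var rec VerifierRecord
	if !ed25519.Verify(pub, sr.Payload, sr.Signature) {
		return rec, errors.New("verifier invalid: signature does not verify (step S40)")
	}
	if err := json.Unmarshal(sr.Payload, &rec); err != nil {
		return rec, err
	}
	if now.Before(rec.NotBefore) || now.After(rec.NotAfter) {
		return rec, errors.New("verifier expired: outside authorization period (step S54)")
	}
	if !strings.EqualFold(rec.WebAddress, connectedHost) {
		return rec, errors.New("verifier invalid: signed web address is not the connected host")
	}
	return rec, nil
}

// HardwareScan stands in for the scan program: component identification codes are sorted
// by name and hashed with the user ID, so the server stores a per-user digest, not raw serials.
func HardwareScan(userID string, componentIDs map[string]string) string {
	names := make([]string, 0, len(componentIDs))
	for n := range componentIDs {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	h.Write([]byte(userID + "\x00"))
	for _, n := range names {
		h.Write([]byte(n + "=" + componentIDs[n] + "\x00"))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// VerificationServer keeps the reference hardware scan data per user ID (step S26)
// and compares a login-time scan against it in constant time (step S37).
type VerificationServer struct{ reference map[string]string }

func NewVerificationServer() *VerificationServer { return &VerificationServer{reference: map[string]string{}} }
func (s *VerificationServer) Register(userID, scan string) { s.reference[userID] = scan }
func (s *VerificationServer) Verify(userID, scan string) bool {
	ref, ok := s.reference[userID]
	return ok && subtle.ConstantTimeCompare([]byte(ref), []byte(scan)) == 1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the downloading unit's key pair
	now := time.Now()
	sr, _ := IssueRecord(priv, VerifierRecord{WebAddress: "verifier-a.example", NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)})
	_, err := ValidateRecord(pub, sr, "verifier-a.example", now)
	fmt.Println("verifier accepted by terminal:", err == nil)
	ids := map[string]string{"cpu": "BFEBFBFF000306A9", "bios": "A03", "nic": "00:1a:2b:3c:4d:5e"} // constructed sample codes
	srv := NewVerificationServer()
	srv.Register("alice", HardwareScan("alice", ids)) // registration, step S26
	fmt.Println("login verified:", srv.Verify("alice", HardwareScan("alice", ids)))
}
```

Two points the patent leaves to the implementer are visible in this shape. The authorization period and the signed web address are only as trustworthy as the terminal's clock and its knowledge of which host the second communication link actually reached, so both must come from the terminal itself, not from the server being checked. And the comparison in step S37 is exact: replacing any scanned component, such as the network interface, fails verification until the user registers again, which is the price of the "no additional device" advantage claimed above.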
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Information Transfer Between Computers (AREA)
Description
- 1. Field of the Invention
- The invention relates to network identity authentication, and more particularly to a network authentication method for secure verification of identity of a user.
- 2. Description of the Related Art
- Currently, a variety of web services, such as cloud services, have become increasingly popular. In order to secure the web services, user identity verification is absolutely necessary.
- However, with the increasing numbers of web users and web crimes, and the continuous progress of criminal techniques, an Internet content provider (ICP) may, for example, need to provide each user with an identity verification device, e.g., a USB device loaded with a public key infrastructure (PKI) certificate, an integrated circuit (IC) electronic card or a dynamic token. The cost of customer service for personalization, distribution and troubleshooting is then considerable. Further, it is quite inconvenient that the user needs to remember the user ID and the password for each of the different ICPs and to have different identity verification devices for the different ICPs. Moreover, across the different ICPs, investment in user identity authentication may be duplicated.
- Therefore, an object of the present invention is to provide a network authentication method for secure verification of the identity of a user that can overcome the aforesaid drawbacks of the prior art.
- According to the present invention, there is provided a network authentication method to be implemented using a user terminal, a downloading unit, a content-provider server and a plurality of identity verification servers for secure verification of the identity of a user of the user terminal. The network authentication method of this invention comprises the following steps of:
- a) the user terminal downloading a scan program and an asymmetrical public key from the downloading unit;
- b) each of the identity verification servers downloading from the downloading unit a respective set of encrypted information that is signed with an asymmetrical private key and that includes an encrypted web address of the identity verification server, and storing reference hardware scan data that is associated with the user terminal and that corresponds uniquely to a user identifier of the user;
- c) in response to a user login request from the user terminal for accessing the content-provider server through a first communication link, the content-provider server transmitting to one of the identity verification servers a verification notification that the identity of the user needs to be verified, and redirecting the user terminal for connecting with said one of the identity verification servers through a second communication link;
- d) said one of the identity verification servers transmitting to the user terminal the respective set of encrypted information downloaded in step b) through the second communication link;
- e) the user terminal determining, based on the respective set of encrypted information transmitted in step d) and the asymmetrical public key downloaded in step a), whether said one of the identity verification servers is currently valid to perform identity verification;
- f) upon determining that said one of the identity verification servers is currently valid to perform identity verification, the user terminal executing the scan program downloaded in step a) to obtain hardware scan data associated with the user terminal, and transmitting the hardware scan data thus obtained to said one of the identity verification servers through the second communication link; and
- g) said one of the identity verification servers verifying the identity of the user based on the relationship between the hardware scan data received from the user terminal in step f) and the reference hardware scan data stored in step b), and notifying the content-provider server of a verification result.
- Other features and advantages of the present invention will become apparent in the following detailed description of the preferred embodiment with reference to the accompanying drawings, of which:
- FIG. 1 is a schematic block diagram illustrating a network authentication system that is configured for implementing a network authentication method according to the preferred embodiment of the present invention;
- FIG. 2 is a flowchart illustrating a registration procedure of the network authentication method of the preferred embodiment;
- FIG. 3 is a flow chart illustrating a login procedure of the network authentication method of the preferred embodiment;
- FIG. 4 is a flowchart of a procedure illustrating how one of the identity verification servers is determined to perform identity verification in the preferred embodiment; and
- FIG. 5 is a flowchart of a procedure illustrating how a user terminal determines whether said one of the identity verification servers is currently valid to perform identity verification in the preferred embodiment.
- Referring to FIG. 1, a network authentication system is used to implement a network authentication method for secure verification of the identity of a user 5 according to the preferred embodiment of the present invention. The network authentication system includes a downloading unit 1, a user terminal 2 owned by the user 5, a content-provider server 3 (e.g., an internet content provider or ICP), and a plurality of identity verification servers 4. For exemplary purposes, the user terminal 2 is owned by the user 5, and may be an electronic device capable of Internet browsing or data communication, such as a notebook computer, a smart phone, a personal digital assistant, etc. The user terminal 2 includes a plurality of hardware components (not shown), such as a central processing unit, a basic input/output system (BIOS) unit, a storage device, a network interface, a motherboard, etc., each of which has a unique identification code. The content-provider server 3 may be, but is not limited to, a web bank server, an online game server, or any other server that provides a network service requiring identity verification, such as a portal website. The identity verification servers 4 are ideally authorized by the downloading unit 1 to perform third-party identity verification, and may be, but are not limited to, social networking websites, such as Google, Yahoo, Facebook, etc. The downloading unit 1 includes a database unit (not shown) for storing at least one scan program, at least one pair of asymmetrical public and private keys, and a plurality of sets of encrypted information corresponding respectively to the identity verification servers 4. Each set of encrypted information is signed with the asymmetrical private key, and includes an encrypted web address of a respective one of the identity verification servers 4.
- In particular, each set of encrypted information has been processed with the asymmetrical private key to create a digital signature, and the asymmetrical public key is used to verify the digital signature. The downloading unit 1, the user terminal 2, the content-provider server 3 and the identity verification servers 4 are connected to a communication network 100.
- Referring to FIGS. 1 and 2, the downloading unit 1 cooperates with the user terminal 2 and the content-provider server 3 to implement a registration procedure of the network authentication method of the preferred embodiment according to the present invention. The registration procedure of the network authentication method of the preferred embodiment includes the following steps. It is noted that, prior to the registration procedure, each of the identity verification servers 4 is connected to the downloading unit 1 through the communication network 100 for downloading a respective set of encrypted information from the downloading unit 1.
- In step S21, the user 5 inputs a user identification (ID) serving as a user identifier, and a password using a user input interface (not shown) of the user terminal 2 at a website provided by the content-provider server 3. The user ID and the password are then transmitted from the user terminal 2 to the content-provider server 3 via the communication network 100.
- In step S22, in response to receipt of the user ID and the password, the content-provider server 3 is operable to check whether the user ID and the password are correct. If the result is affirmative, the flow proceeds to step S23. Otherwise, the content-provider server 3 is operable to send an error message to the user terminal 2 for displaying on a display device (not shown) of the user terminal 2 (step S20).
- In step S23, the content-provider server 3 is operable to redirect the user terminal 2 for connection with the downloading unit 1.
- In step S24, the downloading unit 1 is operable to enable the user terminal 2 to download the scan program and the asymmetrical public key therefrom.
- In step S25, after the user terminal 2 stores the scan program and the asymmetrical public key, the user terminal 2 is operable to execute the scan program for scanning the hardware components of the user terminal 2 to obtain the identification codes of the hardware components, and for establishing reference hardware scan data according to the identification codes of the hardware components thus obtained. The reference hardware scan data is associated with the user terminal 2, and corresponds uniquely to the user identifier of the user 5.
- In step S26, the user terminal 2 is operable to transmit the reference hardware scan data to each of the identity verification servers 4 via the communication network 100, so that each of the identity verification servers 4 stores the reference hardware scan data received from the user terminal 2.
- Referring to FIGS. 1 and 3, the network authentication system implements a login procedure of the network authentication method of the preferred embodiment. The login procedure of the network authentication method of the preferred embodiment includes the following steps.
- In step S31, the user 5 inputs the user ID and the password using the user input interface of the user terminal 2 at the service website provided by the content-provider server 3, and the user terminal 2 is operable to transmit the user ID and the password to the content-provider server 3 through a first communication link over the communication network 100.
- In step S32, in response to receipt of the user ID and the password from the user terminal 2, the content-provider server 3 is operable to check whether the user ID and the password are correct. If the result is affirmative, the flow proceeds to step S33. Otherwise, the content-provider server 3 is operable to send an error message to the user terminal 2 for displaying on the display device of the user terminal 2 (step S30).
- In step S33, the content-provider server 3 is operable to transmit to one of the identity verification servers 4 a verification notification that the identity of the user 5 needs to be verified. The content-provider server 3 is further operable to redirect the user terminal 2 for connecting with said one of the identity verification servers 4 through a second communication link that is separate from the first communication link. It is noted that, in one embodiment, said one of the identity verification servers 4 is determined by the content-provider server 3. In another embodiment, said one of the identity verification servers 4 may be determined by the user 5. Referring further to FIG. 4, a procedure is shown to illustrate how one of the identity verification servers 4 for performing identity verification is determined by the user 5. In sub-step S41, the content-provider server 3 is operable to send to the user terminal 2 a selection request that includes a list of option items, which represent respectively the identity verification servers 4. In response to the selection request from the content-provider server 3, the user terminal 2 is operable to send to the content-provider server 3 a selection reply that indicates a desired one of the option items representing a corresponding one of the identity verification servers 4 (sub-step S42). Therefore, the content-provider server 3 is operable to determine the corresponding one of the identity verification servers 4 for performing identity verification in accordance with the selection reply (sub-step S43).
- In step S34, in response to receipt of the verification notification from the content-
provider server 3, said one of theidentity verification servers 4 is operable to transmit the respective set of encrypted information stored therein to theuser terminal 2 through the second communication link. - In step S35, upon receipt of the respective set of encrypted information from said one of the
identity verification servers 4, theuser terminal 2 is operable to determine, based on the respective set of encrypted information and the asymmetrical public key stored in step S24 of the registration procedure, whether said one of theidentity verification servers 4 is currently valid to perform identity verification. - In one embodiment, the
user terminal 2 is operable to decrypt the encrypted web address of the respective set of encrypted information using the asymmetrical public key. Upon successful decryption of the encrypted web address, theuser terminal 2 determines that said one of theidentity verification servers 4 is currently valid to perform identity verification. Then, the flow proceeds to step S36. On the other hand, upon failed decryption of the encrypted web address of the encrypted information, it is determined by theuser terminal 2 that said one of theidentity verification servers 4 is currently invalid to perform identity verification. Then, theuser terminal 2 is operable to send to the content-provider server 3 an invalid notification that said one of theidentity verification servers 4 is invalid to perform identity verification (step S40). - In another embodiment, each set of encrypted information, which is stored in the database unit of the
downloading unit 1 and corresponds to one of theidentity verification servers 4, further includes an encrypted authorization period associated with theidentity verification server 4. Referring further toFIG. 5 , a procedure is shown to illustrate how theuser terminal 2 determines, in step S35, whether said one of theidentity verification servers 4 is currently valid to perform identity verification. In sub-step S51, theuser terminal 2 is operable to determine whether the encrypted web address and the encrypted authorization period (i.e., the set of encrypted information) of said one of theidentity verification servers 4 are successfully decrypted using the asymmetrical public key. If the result is negative, the flow goes to step S40 ofFIG. 3 . On the other hand, upon successful decryption of the encrypted web address and the encrypted authorization period associated with said one of theidentity verification servers 4, theuser terminal 2 is operable to determine whether the current date is within the decrypted authorization period associated with said one of the identity verification servers 4 (sub-step S52). If the result is affirmative, theuser terminal 2 determines that said one of theidentity verification servers 4 is currently valid to perform identity verification (step S53). Then, the flow goes to step 36 ofFIG. 3 . On the other hand, when theuser terminal 2 determines that the current date is not within the decrypted authorization period associated with said one of theidentity verification servers 4, theuser terminal 2 is operable to send to thedownloading unit 1 an expiration notification that the authorization period associated with said one of theidentity verification servers 4 has expired (step S54). Then, the flow goes to step S40 ofFIG. 3 . - In step S36, the
user terminal 2 is operable to execute the scan program for scanning the hardware components of theuser terminal 2 to obtain the identification codes of the hardware components that serve as hardware scan data associated with theuser terminal 2, and to transmit the hardware scan data thus obtained to said one of theidentity verification servers 4. - In step S37, upon receipt of the hardware scan data from the
user terminal 2, said one of theidentity verification servers 4 is operable to compare the hardware scan data with the reference hardware scan data stored therein during the registration procedure of theuser 5 for verifying the identity of theuser 5 associated with theuser terminal 2, and to send a verification result to the content-provider server 3. When the hardware scan data obtained in step S36 does not conform with the reference hardware scan data stored in said one of theidentity verification servers 4, the verification result indicates that the verification of the identity of theuser 5 has failed. On the other hand, when the hardware scan data obtained in step S36 conforms with the reference hardware scan data stored in said one of theidentity verification servers 4, the verification result indicates that the verification of the identity of theuser 5 is successful. - In step S38, the content-
provider server 3 is operable to determine, based on the verification result from said one of theidentity verification servers 4, whether the identity of theuser 5 is authenticated. When the verification result indicates that the verification of the identity of theuser 5 has failed, it is determined by the content-provider server 3 that the identity of theuser 5 is not authenticated. Thus, the flow goes to step S30. In this case, theuser terminal 2 is denied access to the service website provided by the content-provider server 3. On the other hand, when the verification result indicates that the verification of the identity of theuser 5 is successful, it is determined by the content-provider server 3 that the identity of theuser 5 is authenticated. Then, the content-provider server 3 is operable to redirect theuser terminal 2 for connecting with the service website provided by the content-provider server 3 (step S39). Therefore, theuser terminal 2 is authorized to access the service website. - In sum, the network authentication method according to this invention has the following advantages:
- 1. Since the
user terminal 2 is dynamically directed to one of theidentify verification servers 4 for further identity verification (i.e., theuser terminal 2 may be directed to a differentidentify verification server 4 every time), and since the respective set of encrypted information stored in eachidentity verification server 4 and the asymmetrical public key stored in theuser terminal 2 may be randomly updated in response to notification from the downloadingunit 1 as required, multi-authentication for user identity can be achieved using thedownloading unit 1 that provides the respective set of encrypted information to eachidentity verification server 4, and the asymmetrical public key and the scan program to theuser terminal 2. - 2. Every time the
user terminal 2 implements step S36 of the login procedure of the network authentication method, theuser terminal 2 may execute the scan program for scanning the hardware components of theuser terminal 2 to obtain the hardware scan data according to the identification codes of the hardware components, and the hardware scan data thus obtained for subsequent use in authenticating the identity of the user by said one of theidentity verification servers 4 is dynamic data. Thus, a network content provider does not need to purchase additional equipment for identity authentication, and does not need to provide the user with a dynamic token, an IC electronic card, or a USB device with a PKI certificate. Also, theuser 5 does not need to have additional authentication devices for different service websites. - 3. Since the
user terminal 2 is connected to the content-provider server 3 through the first communication link and is connected to said one of theidentity verification servers 4 through the second communication link, it is relatively difficult to attack the first and second communication links simultaneously for stealing and/or tampering the data sent by theuser terminal 2. - While the present invention has been described in connection with what is considered the most practical and preferred embodiment, it is understood that this invention is not limited to the disclosed embodiment but is intended to cover various arrangements included within the spirit and scope of the broadest interpretation so as to encompass all such modifications and equivalent arrangements.
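The registration and login procedures above, as an added simulation that is not part of the patent or of any product implementing it. The patent's "decryption of the encrypted web address and authorization period with the asymmetrical public key" is modelled here as textbook RSA: the downloading unit applies its private exponent to a hash of the server's web address and period, and the user terminal reverses it with the public key; the Mersenne primes, server addresses, dates and hardware identification codes are constructed sample values, and the unpadded RSA is illustrative only.

```python
import hashlib
from datetime import date

# Fixed toy primes (the Mersenne primes M31 and M61), used only so the example
# runs offline; a real downloading unit would generate large random primes.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537                      # public key (E, N), downloaded in step S24
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent held by the downloading unit


def _digest(message: str) -> int:
    """Hash the plaintext and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big") % N


def encrypt_info(web_address: str, period_start: str, period_end: str) -> dict:
    """Downloading unit: build one server's set of encrypted information.

    The 'encrypted' field is the private-key operation over the web address
    and authorization period, so only the matching public key reverses it.
    """
    plain = f"{web_address}|{period_start}|{period_end}"
    return {"web_address": web_address, "period": (period_start, period_end),
            "encrypted": pow(_digest(plain), D, N)}


def check_server(info: dict, today: str, public_key=(E, N)) -> str:
    """User terminal, step S35 / FIG. 5: return the step the flow goes to next."""
    e, n = public_key
    start, end = info["period"]
    plain = f"{info['web_address']}|{start}|{end}"
    # Sub-step S51: "decrypt" with the public key. A mismatch means the data
    # was not issued by the downloading unit for this content -> step S40.
    if pow(info["encrypted"], e, n) != _digest(plain):
        return "S40_invalid"
    # Sub-step S52: the current date must lie inside the authorization period.
    if not (date.fromisoformat(start) <= date.fromisoformat(today)
            <= date.fromisoformat(end)):
        return "S54_expired"
    return "S36_proceed"


def scan_hardware(components: dict) -> dict:
    """Steps S25/S36: identification codes of the hardware components, in a
    fixed order so the same machine always yields the same scan data."""
    return dict(sorted(components.items()))


def verify_identity(reference: dict, current: dict) -> str:
    """Identity verification server, step S37: compare with the stored reference."""
    return "success" if current == reference else "failed"


if __name__ == "__main__":
    # Constructed sample data, not values from the patent.
    info = encrypt_info("https://iv1.example.test", "2014-01-01", "2014-12-31")
    print(check_server(info, "2014-06-01"))                       # S36_proceed
    print(check_server(info, "2015-06-01"))                       # S54_expired
    altered = dict(info, web_address="https://iv2.example.test")  # address no longer matches
    print(check_server(altered, "2014-06-01"))                    # S40_invalid
    reference = scan_hardware({"cpu": "CPU-0001", "disk": "SN-ABCD"})
    print(verify_identity(reference, scan_hardware({"disk": "SN-ABCD", "cpu": "CPU-0001"})))  # success
    print(verify_identity(reference, scan_hardware({"cpu": "CPU-0001", "disk": "SN-XYZ0"})))  # failed
```

The three return values of `check_server` correspond to the flow leaving FIG. 5 at step S36, S54 or S40; `pow(E, -1, phi)` needs Python 3.8 or later.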
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/187,903 US9124571B1 (en) | 2014-02-24 | 2014-02-24 | Network authentication method for secure user identity verification |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/187,903 US9124571B1 (en) | 2014-02-24 | 2014-02-24 | Network authentication method for secure user identity verification |
Publications (2)
Publication Number | Publication Date |
---|---|
US20150244695A1 true US20150244695A1 (en) | 2015-08-27 |
US9124571B1 US9124571B1 (en) | 2015-09-01 |
Family
ID=53883381
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/187,903 Active US9124571B1 (en) | 2014-02-24 | 2014-02-24 | Network authentication method for secure user identity verification |
Country Status (1)
Country | Link |
---|---|
US (1) | US9124571B1 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106656993A (en) * | 2016-11-04 | 2017-05-10 | ***股份有限公司 | Dynamic verification code verifying method and apparatus |
CN109214159A (en) * | 2018-08-31 | 2019-01-15 | 武汉文楚智信科技有限公司 | A kind of user information protection system and method for terminal recognition of face cloud service |
CN110119626A (en) * | 2019-05-14 | 2019-08-13 | 长讯通信服务有限公司 | The communication engineering project life cycle credible management method based on Intelligent mobile equipment cloud service |
CN110611913A (en) * | 2019-09-24 | 2019-12-24 | 中广核工程有限公司 | Wireless network access method, system management platform and access system for nuclear power plant |
CN111132155A (en) * | 2019-12-30 | 2020-05-08 | 江苏全链通信息科技有限公司 | 5G secure communication method, equipment and storage medium |
CN111726324A (en) * | 2019-03-20 | 2020-09-29 | 上海御行信息技术有限公司 | Block chain technology-based alliance multi-node network identity authentication system |
CN111836085A (en) * | 2020-07-15 | 2020-10-27 | 北京奇艺世纪科技有限公司 | Television screen projection method and device, cloud server and terminal equipment |
CN113726503A (en) * | 2021-07-12 | 2021-11-30 | 国网山东省电力公司信息通信公司 | Method and system for protecting web interaction information |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9294475B2 (en) * | 2013-05-13 | 2016-03-22 | Hoyos Labs Ip, Ltd. | System and method for generating a biometric identifier |
CN117475533A (en) * | 2022-07-21 | 2024-01-30 | 广州汽车集团股份有限公司 | Data transmission method and device, equipment and computer readable storage medium |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130159704A1 (en) * | 2010-01-11 | 2013-06-20 | Scentrics Information Security Technologies Ltd | System and method of enforcing a computer policy |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030105966A1 (en) | 2001-05-02 | 2003-06-05 | Eric Pu | Authentication server using multiple metrics for identity verification |
KR100464755B1 (en) | 2002-05-25 | 2005-01-06 | 주식회사 파수닷컴 | User authentication method using user's e-mail address and hardware information |
US7861077B1 (en) | 2005-10-07 | 2010-12-28 | Multiple Shift Key, Inc. | Secure authentication and transaction system and method |
JP4470069B2 (en) | 2007-11-29 | 2010-06-02 | Necビッグローブ株式会社 | Input assist device, input assist system, input assist method, and input assist program |
TW201121280A (en) | 2009-12-10 | 2011-06-16 | Mao-Cong Lin | Network security verification method and device and handheld electronic device verification method. |
TW201225697A (en) | 2010-09-20 | 2012-06-16 | Interdigital Patent Holdings | Identity management on a wireless device |
Also Published As
Publication number | Publication date |
---|---|
US9124571B1 (en) | 2015-09-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9124571B1 (en) | Network authentication method for secure user identity verification | |
US9838205B2 (en) | Network authentication method for secure electronic transactions | |
US9741033B2 (en) | System and method for point of sale payment data credentials management using out-of-band authentication | |
US9231925B1 (en) | Network authentication method for secure electronic transactions | |
EP3138265B1 (en) | Enhanced security for registration of authentication devices | |
EP2885904B1 (en) | User-convenient authentication method and apparatus using a mobile authentication application | |
US8171531B2 (en) | Universal authentication token | |
US10523441B2 (en) | Authentication of access request of a device and protecting confidential information | |
US9780950B1 (en) | Authentication of PKI credential by use of a one time password and pin | |
US20110185181A1 (en) | Network authentication method and device for implementing the same | |
US20150222435A1 (en) | Identity generation mechanism | |
US10045210B2 (en) | Method, server and system for authentication of a person | |
US10050791B2 (en) | Method for verifying the identity of a user of a communicating terminal and associated system | |
US9667626B2 (en) | Network authentication method and device for implementing the same | |
TW201903637A (en) | Query system, method and non-transitory machine-readable medium to determine authentication capabilities | |
US20200196143A1 (en) | Public key-based service authentication method and system | |
US8397281B2 (en) | Service assisted secret provisioning | |
US20110289316A1 (en) | User authentication | |
EP2916509B1 (en) | Network authentication method for secure user identity verification | |
CN101924634A (en) | Verification portal | |
KR102313868B1 (en) | Cross authentication method and system using one time password | |
JP5793593B2 (en) | Network authentication method for securely verifying user identification information | |
KR101936941B1 (en) | Electronic approval system, method, and program using biometric authentication | |
KR101879842B1 (en) | User authentication method and system using one time password | |
KR102123405B1 (en) | System and method for providing security membership and login hosting service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: KEYPASCO AB, SWEDEN. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LIN, MAW-TSONG;SKYGEBJERG, PER;REEL/FRAME:032502/0225. Effective date: 20140310 |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY. Year of fee payment: 4 |
| AS | Assignment | Owner name: LYDSEC DIGITAL TECHNOLOGY CO., LTD., TAIWAN. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KEYPASCO AB;REEL/FRAME:049305/0157. Effective date: 20190416 |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY. Year of fee payment: 8 |