WO2004084486A1 - Method to increase security of secure systems - Google Patents

Method to increase security of secure systems Download PDF

Info

Publication number
WO2004084486A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
algorithm
result
code
access
Prior art date
Application number
PCT/DK2003/000789
Other languages
French (fr)
Inventor
Tauno Suikkanen
Original Assignee
Eta-Max
Application filed by Eta-Max
Priority to AU2003281970A1
Publication of WO2004084486A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/31 User authentication
                • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
          • G06Q20/00 Payment architectures, schemes or protocols
            • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
              • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
                • G06Q20/341 Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
          • G06Q20/00 Payment architectures, schemes or protocols
            • G06Q20/38 Payment protocols; Details thereof
              • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
                • G06Q20/409 Device specific authentication in transaction processing
                  • G06Q20/4097 Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
                    • G06Q20/40975 Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • G PHYSICS
      • G07 CHECKING-DEVICES
        • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
          • G07C9/00 Individual registration on entry or exit
            • G07C9/20 Individual registration on entry or exit involving the use of a pass
              • G07C9/22 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
                • G07C9/23 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder by means of a password
    • G PHYSICS
      • G07 CHECKING-DEVICES
        • G07F COIN-FREED OR LIKE APPARATUS
          • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
            • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
              • G07F7/10 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
                • G07F7/1008 Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • G PHYSICS
      • G07 CHECKING-DEVICES
        • G07F COIN-FREED OR LIKE APPARATUS
          • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
            • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
              • G07F7/10 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
                • G07F7/1025 Identification of user by a PIN code
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
              • G06F2221/2103 Challenge-response
    • G PHYSICS
      • G07 CHECKING-DEVICES
        • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
          • G07C9/00 Individual registration on entry or exit
            • G07C9/00174 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
              • G07C9/00309 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
                • G07C2009/00388 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks code verification carried out according to the challenge/response method

Definitions

  • the present invention relates to a method and an apparatus used to verify the identity of a user requesting access to a secure system.
  • a very common example is an ATM machine or Debit Card terminal.
  • In order to withdraw funds or make a payment, a user must first prove his or her identity to the system in order to prevent unauthorized persons from accessing his or her bank account.
  • the user inputs the ID card to the system and then enters his or her PIN which is known only to the user and the system.
  • the system compares the PIN input by the user and the PIN stored by the system. If the two numbers are equal, the user is granted access to the system.
  • One problem with the current method is that it is relatively simple for an unauthorized person to observe an authorized user entering his or her PIN code. This could occur via direct observation, or with the help of, for example, a hidden camera. If the unauthorized person then gains access to, or makes a copy of, the user's ID card, the unauthorized person can gain access to the system.
  • Another problem with this idea is that the user needs to keep track of which corrupted versions have been entered previously and then develop newly corrupted versions. This will usually result in a few guesses to find a new version. An unauthorized user could observe the attempts made by the user and deduce the underlying PIN code.
  • a first aspect of the current invention is to provide a method to verify the identity of a user requesting access to a secure system, as mentioned in the opening paragraph, where an unauthorized person cannot gain access to the system by observing how an authorized user interacts with the system.
  • Another aspect of the current invention is to provide a method of the kind mentioned in the preamble where an unauthorized person cannot gain access to the system by stealing a piece of hardware from an authorized user of a system.
  • a third aspect of the current invention is to provide a method of the kind mentioned in the preamble where an unauthorized person is highly unlikely to gain access to the system even after repeated observations of an authorized user inputting his or her access code.
  • a fourth aspect of the current invention is to provide a method of the kind mentioned in the preamble where the user is not forced to remember any previous interactions with the system.
  • a fifth aspect of the current invention is to provide a method of the kind mentioned in the preamble where currently used systems can be used without any modifications to their hardware.
  • a sixth aspect of the current invention is to make it easier for a user to remember his or her access code while simultaneously maintaining a high security level.
  • the current invention presents a new method to verify a person's identity comprising the steps of the user providing a user identity code to the system, the system providing a response code to the user, the system applying a first algorithm to the response code to get a first result, the user applying a second algorithm to the response code to get a second result, the user inputting the second result to the system, the system comparing the first result and the second result, and the system granting the user access to the secure system if the comparison of the first and second results meets a certain set of criteria.
  • the personal identification code can take many different forms, for example, an alphanumeric code, a multi-digit number, a voice characteristic, a fingerprint, plus many others.
  • the response code can also take many different forms, for example a random number, a random alphanumeric string, a sentence, plus many others.
  • the algorithms are chosen so that they are of sufficient complexity to prevent an unauthorized user from determining the algorithm by observing the user entering his or her code, even if the observation occurs a number of times.
  • the algorithms can simultaneously be chosen to be simple to remember. The user can therefore memorize his or her algorithm to ensure high security.
  • Algorithms can be easier to remember than PIN codes since people's minds are better at remembering procedures than at remembering abstract codes.
  • an algorithm can be so complicated that it would be too time consuming to attempt to determine the algorithm, given both the response code provided by the system and the result input by the user.
  • the algorithm stored by the system and the algorithm memorized by the user can be identical, which makes the comparison of the two results a simple equality comparison.
  • the response number provided by the system can be a random number.
  • a simple random number generator can be used to provide the response number.
  • a component of the algorithm can be a Personal Identification Number (PIN) known to the system and memorized by the user.
  • the result of the algorithm can then be a specific combination of the user's PIN code and the response number provided by the system.
  • the method is not limited to single terminal systems, but can also be applied to systems which are composed of a number of remote terminals connected to a secure central server.
  • a good example of such a system is an Automated Teller Machine (ATM) system or a debit card terminal system.
  • the user accesses the central server via the remote terminals.
  • a system such as this can be organized in many different ways. Some systems can be organized where the processing elements and database elements are located at a central location and the remote terminals act as "dumb" terminals, accepting user input and displaying output to the user, but where all the processing occurs at a central location. Other systems are organized into a more distributed system where the remote terminals have their own processing means, allowing the remote terminals to do part of the processing, minimizing the amount of communication between the terminal and the central computer .
  • the user identifying number can be stored on a magnetic stripe card or the like, input to the system by the user at the start of the procedure. This is identical to currently available Debit Cards .
  • the algorithm and/or PIN code can also be stored in an encrypted form on a magnetic stripe card or the like, input to the system by the user at the start of the procedure.
  • the system works as previously described, the difference being that the remote terminal can read the data on the card and compare this to the data entered by the user.
  • This can be used in distributed systems with a number of "smart" remote terminals. In this case, the remote terminal can verify the identity of the user without any communication being necessary between the terminal and the central system.
  • the response number output to the user can be stored in a table by the system. Subsequent response numbers generated by the system are looked up in the table and if the response number is already present in the table, a new response number is chosen before being displayed to the user.
  • authorized users can be given a second algorithm, which also gives access to the system, but simultaneously activates an alarm. This will dissuade unauthorized persons from attempting to coerce an authorized user .
  • Fig. 1 is a flowchart of the authorization process on a single secure system
  • Fig. 2 is a flowchart of the authorization process on a centralized computer system
  • the flowchart of Fig. 1 shows the authorization procedure when the current invention is applied to a single-location secure system.
  • In this example, the single-location secure system is a door to a secure area.
  • the user identifies himself or herself to the system via a magnetic key card which has the user's ID number encoded on it.
  • the system has a built in card reader to read the ID number from the card.
  • the user interacts with the system via a small numeric keypad and the system interacts with the user via a small alphanumeric display.
  • the system has a database containing the IDs of all the authorized users and a specific algorithm for each user.
  • In step 1 the system is in an idle loop waiting for the user to enter his or her identity card.
  • In step 2 the user enters a magnetic stripe card which has his or her identity number (ID) encoded on it.
  • the system reads the ID number from the card in step 3 and finds the ID number in the database in step 4. If, in step 5, the ID number is not found in the database or the ID number is from an unauthorized person, the system ejects the card in step 6 and goes back to its idle state in step 1, waiting for a new ID card. If the user ID is found in the database the system generates a random number, N, in step 7. In step 8 the system displays the random number, N, on the screen. In step 9 the system retrieves, from the database, an algorithm, A1, which is associated with the user ID number.
  • In step 11 the system waits for the user to enter a number.
  • In step 12 the system checks if the two results are equal.
  • If the two results, R1 and R2, are equal, the door opens in step 13 and permits the user access to the system, and the user's ID card is ejected in step 14. If the two results are not equal, then step 13 is skipped and the user's card is ejected in step 14 without the door opening.
  • FIG. 2 shows an embodiment of the current invention applied to an Automated Teller Machine (ATM) system.
  • It is a centralized processing system comprising a number of "dumb" remote terminals and a central processing system.
  • the user identifies himself or herself to one of the remote terminals via a magnetic key card which has his or her ID number on it.
  • the terminals have a built in card reader to read the ID number from the user's identity card.
  • the user interacts with the remote terminal via a small numeric keypad and the remote terminal interacts with the user via a small alphanumeric display.
  • the remote terminals interact with the central computer via secure telephone lines.
  • the central computer has a database containing all the authorized users and a specific algorithm for each user.
  • the procedure starts in an idle loop 15, with the remote terminal waiting for the user to enter his or her identity card.
  • When the user enters his or her ID card in step 16, the terminal reads the ID from the card and sends it to the central computer in step 17.
  • In step 18, the central computer looks up the ID number in the database. If the ID number is not found in the database in step 19, then the central computer commands the remote terminal to eject the user's ID card in step 20. In step 21, the terminal ejects the user's card. If the user ID is found in the database in step 19, then the central computer generates a random number, N, in step 22. The central computer sends the random number, N, to the terminal in step 23. In step 24 the terminal displays the random number, N, on its screen.
  • In step 25 the central controller retrieves, from the database, an algorithm, A1, associated with the user ID.
  • In step 28 the number entered by the user, R2, is sent to the central computer.
  • In step 29 the central computer compares the result generated by the computer and the result input by the user. If the results are equal, then the central computer allows the user to perform a financial transaction starting at step 30 and ending at step 32.
  • In step 33 the central computer commands the terminal to eject the card, which is ejected in step 34. If, in step 29, the two numbers, R1 and R2, are not equal, then the central computer skips steps 30 to 32 and commands the terminal to eject the card in step 33.
  • the hardware used is identical to hardware already used in many ATM machines. Therefore the only change necessary to implement this idea is a change in software.
  • the algorithm applied to the response code can be one of many different types. However, when choosing an algorithm it is important to choose one which doesn't have any specific frequency components. Algorithms having specific frequency components have a "rhythm" and are therefore easier to determine using statistical programs.
  • An example of an algorithm is as follows. One component of the algorithm could be a Personal Identification Number (PIN).
  • An example of an algorithm with the use of a PIN code is as follows. In the example, the PIN code is assumed to be 6735.
  • the initial response code generated by the system is a four-digit random number.
  • the user performs an algorithm on the four-digit number, the result of which is a single digit.
  • the user then inputs the single digit to the system.
  • the number system used in this example is a base 4 number system, that is to say the number system counts as follows, 0, 1, 2, 3, 10, 11, 12, 13, 20, 21, etc...
  • the final result entered by the user can be one of four different values. This means that there is a 25% chance that an unauthorized user will be able to gain access to the system with a random guess. Therefore it is unlikely that this specific example would actually be implemented. However, since the result is only one digit, there will be a very large number of different algorithms which give the same result.
  • the "random" number generated by the system could be limited to "random" numbers which work well with the algorithm. For example, if a part of the algorithm were "choose the number after the digit 7", then the "random" numbers could be limited to those random numbers where there is a 7 and where the 7 is not the last digit.
  • the way in which the "random" number is limited is stored together with the user's identification code and algorithm. Some examples of how the limitation could be stored are: on a magnetic user identification card, on the local terminal, in the central computer's database, and so on.
  • users of the system can have the possibility to choose and modify their algorithms themselves.
  • the user can establish an encrypted connection to the secure system's central computer from a personal computer via the internet and change his or her algorithm via a form.
  • a user is required to use specially designated terminals located at secure locations in order to create and/or change the algorithm.
  • the security of the system can also be improved by forcing the user to change his or her algorithm on a regular basis.
  • a more advanced system could keep track of the users activity and when a user has used his or her algorithm a certain number of times from a certain location, then the user is required to change his or her algorithm.
  • the system can assign different security risks to different locations. For example using a debit card at a pizza shop could be assigned a higher security risk than using the same card at a bank terminal. In this way, the algorithm could be made to expire more quickly if the algorithm were used often in an insecure place. If the algorithm were used in a very secure place, the algorithm could be made to expire more slowly.
  • the algorithm security level can be set appropriately. If the algorithm is to be used for, for example, small cash sums, the algorithm could be made very user friendly but not very secure. If the algorithm is to be used for, for example, unlimited cash sums, then the algorithm could be made more secure but consequently also less user friendly.
  • the algorithm security level can also be set depending on what other security measures are in place. If extra security measures are in place, the algorithm could be made less secure, if the algorithm is the only security measure, then the algorithm should be made more complex.
  • One example of an extra security measure would be to provide screens which prevent unauthorized users from seeing the random number generated by the system. In this case, only the authorized user can see the random number. Therefore the security is much improved over a situation where unauthorized users could see the random number. In this case, the algorithm could be made simpler, for example, enter the first two digits of the random number and the last two digits.
  • Another example of an external security measure would be for the authorized user to have an identity card. An unauthorized user would have to steal the card plus know the algorithm.
  • Another possible embodiment of the current invention can be applied to voice recognition systems.
  • the user issues a command to a system.
  • the voice of the user is analysed and compared to a database of authorized users. If a match is found, the user's command is executed.
  • It is possible for an unauthorized person to make a copy of an authorized user's voice command via, for example, a tape recorder.
  • the user is prompted with a random number and asked to provide a result based on an algorithm known only to the authorized user and the system. This means that the entire procedure can take place audibly.
  • each authorized user can be given a second algorithm.
  • Use of the second algorithm gives full access to the system, but simultaneously activates an alarm. This feature will be well known and unauthorized persons will therefore be dissuaded from attempting to coerce authorized users to give away their algorithms, since they will be unsure as to which algorithm they are receiving. The security could be further improved by giving the authorized users a random number of second algorithms. In this way, the unauthorized person will not know how many alarm algorithms there are.
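The following is an added example, not code from the patent or from Eta-Max. It puts the verification procedure of Fig. 1 and Fig. 2 (generate N, retrieve A1, compute R1, compare with the entered R2, eject or grant) together with the base-4 PIN example given above (PIN 6735, four-digit response number, one-digit base-4 result), the "7 not in the last position" limitation on the response number, the table of already-shown response numbers, and the second (alarm) algorithm. The page does not spell out the steps of its example algorithm, so the rule inside user_algorithm, the alarm rule, the user ID "1001" and the 4-digit width are constructed for the demonstration.

```python
"""Challenge-response verifier in the style of Fig. 1 / Fig. 2 (added example, not the
patent's code). The per-user algorithm, alarm algorithm and user ID are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

Algorithm = Callable[[int], int]   # maps the displayed response number N to a result


def is_allowed_response(n: int) -> bool:
    """Limitation taken from the page: N must contain a 7 that is not the last digit."""
    return "7" in f"{n:04d}"[:-1]


def user_algorithm(n: int, pin: str = "6735") -> int:
    """Constructed rule (the page fixes only the PIN 6735 and the one-digit base-4 output):
    take the digit after the first 7 in N, add the PIN digit in the same position, and
    reduce modulo 4 so the result is a single base-4 digit (0..3)."""
    if not is_allowed_response(n):
        raise ValueError("response number does not fit the algorithm")
    s = f"{n:04d}"
    i = s.index("7") + 1          # position of the digit after the first 7 (always <= 3)
    return (int(s[i]) + int(pin[i])) % 4


def duress_algorithm(n: int) -> int:
    """Constructed second algorithm: also grants access but raises an alarm (see above).
    Normal result plus 2 modulo 4, so it never coincides with the normal result."""
    return (user_algorithm(n) + 2) % 4


@dataclass
class UserRecord:
    algorithm: Algorithm                          # A1 stored for this user
    duress_algorithm: Optional[Algorithm] = None  # optional alarm algorithm


@dataclass
class Verifier:
    """Central computer of Fig. 2 (or the door controller of Fig. 1)."""
    users: dict[str, UserRecord]
    used_numbers: set[int] = field(default_factory=set)  # table of N already displayed
    alarms: list[str] = field(default_factory=list)      # user IDs that used the alarm algorithm

    def response_number(self) -> int:
        """Steps 7 / 22: draw a 4-digit N that fits the algorithm and was never shown before."""
        while True:
            n = secrets.randbelow(10_000)
            if is_allowed_response(n) and n not in self.used_numbers:
                self.used_numbers.add(n)
                return n

    def verify(self, user_id: str, n: int, r2: int) -> tuple[bool, bool]:
        """Steps 9-12 / 25-29: compute R1 = A1(N), compare with the entered R2.
        Returns (access_granted, alarm_raised). Constant-time compare on the digit strings."""
        rec = self.users[user_id]
        if hmac.compare_digest(str(rec.algorithm(n)), str(r2)):
            return True, False
        if rec.duress_algorithm is not None and hmac.compare_digest(str(rec.duress_algorithm(n)), str(r2)):
            self.alarms.append(user_id)
            return True, True
        return False, False


def session(verifier: Verifier, card_id: str, keypad: Callable[[int], int]) -> str:
    """One pass through the flowchart. `keypad` stands in for the user reading N off the
    display and keying in the result of his or her memorised algorithm."""
    if card_id not in verifier.users:            # steps 4-6 / 18-21: unknown ID, card ejected
        return "ejected_unknown_id"
    n = verifier.response_number()               # steps 7-8 / 22-24: generate and display N
    r2 = keypad(n)                               # step 11 / 28: user enters R2
    granted, alarm = verifier.verify(card_id, n, r2)
    if not granted:
        return "ejected_denied"                  # step 13 / steps 30-32 skipped, card ejected
    return "granted_alarm" if alarm else "granted"


def random_guess_success_rate() -> float:
    """Page: a one-digit base-4 result leaves an unauthorized guesser a 25% chance."""
    results = {user_algorithm(n) for n in range(10_000) if is_allowed_response(n)}
    return 1 / len(results)


def demo_verifier() -> Verifier:
    """Constructed user database with a single user ID."""
    return Verifier(users={"1001": UserRecord(user_algorithm, duress_algorithm)})


if __name__ == "__main__":
    v = demo_verifier()
    print(session(v, "1001", user_algorithm))    # granted
    print(session(v, "1001", duress_algorithm))  # granted_alarm
    print(random_guess_success_rate())           # 0.25
```

Of the 10,000 four-digit response numbers only 2,710 satisfy the "7 not last" limitation, and the verifier never shows the same one twice, so the table in `used_numbers` bounds the lifetime of such a one-digit algorithm at 2,710 uses before the number supply is exhausted; a deployment would combine it with the forced algorithm change described further down.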
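A second added example (again not the patent's own code) for the usage-tracking and location-risk policy described above: each use of the algorithm at a location is charged against a per-user budget, with a higher charge at a high-risk location (the page's pizza shop) than at a bank terminal, so the algorithm expires sooner where it is used in an insecure place. The budget of 12, the weights 1.0 and 4.0, the location names and the treatment of an unknown location as high risk are all constructed assumptions.

```python
"""Location-weighted expiry of a user's algorithm (added example; weights are constructed)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AlgorithmExpiryPolicy:
    # constructed: "risk points" a user may spend before being forced to change the algorithm
    budget: float = 12.0
    # constructed weights: a use at a bank terminal costs 1 point, at a pizza shop 4 points
    location_risk: dict[str, float] = field(
        default_factory=lambda: {"bank_terminal": 1.0, "pizza_shop": 4.0})
    # constructed: an unknown location is charged like the riskiest known one
    default_risk: float = 4.0
    spent: dict[str, float] = field(default_factory=lambda: defaultdict(float))

    def record_use(self, user_id: str, location: str) -> bool:
        """Charge one use at `location` to the user. Returns True when the user must now
        change his or her algorithm."""
        weight = self.location_risk.get(location, self.default_risk)
        if weight <= 0:
            raise ValueError("risk weights must be positive")
        self.spent[user_id] += weight
        return self.spent[user_id] >= self.budget

    def algorithm_changed(self, user_id: str) -> None:
        """Reset the budget after the user has set a new algorithm."""
        self.spent[user_id] = 0.0


def uses_before_change(policy: AlgorithmExpiryPolicy, location: str) -> int:
    """Count how many uses a fresh user gets at one location before a change is forced."""
    probe = "_probe"                       # constructed user ID used only for the simulation
    policy.algorithm_changed(probe)
    count = 0
    while True:
        count += 1
        if policy.record_use(probe, location):
            policy.algorithm_changed(probe)
            return count


if __name__ == "__main__":
    p = AlgorithmExpiryPolicy()
    print(uses_before_change(p, "bank_terminal"))  # 12
    print(uses_before_change(p, "pizza_shop"))     # 3
```

Because the charge depends on where the card was used, the same user is forced to re-enrol after 12 bank-terminal uses but after only 3 pizza-shop uses; a mixed history is charged in the order it happens, so eight bank uses followed by one pizza-shop use also reaches the budget.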

Abstract

The current invention presents a method and an apparatus to verify the identity of a user requesting access to a secure system. The method differentiates itself from the known systems by preventing unauthorized users from being able to gain access to the system either by observing what the authorized user inputs to the system or by stealing a piece of hardware from the authorized user. This is achieved by the system comparing the result of the user applying a memorized algorithm to a random number presented by the system, and the result of the system applying an algorithm to the same random number.

Description

Method to Increase Security of Secure Systems
Field of the Invention
The present invention relates to a method and an apparatus used to verify the identity of a user requesting access to a secure system.
Background of the Invention
There are many examples of systems which require some sort of user authentication before a user is permitted access to the system. A very common example is an ATM machine or Debit Card terminal. In order to withdraw funds or make a payment, a user must first prove his or her identity to the system in order to prevent unauthorized persons from accessing his or her bank account.
Other examples where a user authorization is required are when a user needs to login to his or her computer, security systems on doors in office buildings, encrypted communication systems, and so on.
In most currently available secure systems a user verifies his or her identity with the help of an ID card and a Personal Identification Number (PIN). The user inputs the ID card to the system and then enters his or her PIN which is known only to the user and the system. The system compares the PIN input by the user and the PIN stored by the system. If the two numbers are equal, the user is granted access to the system. One problem with the current method is that it is relatively simple for an unauthorized person to observe an authorized user entering his or her PIN code. This could occur via direct observation, or with the help of, for example, a hidden camera. If the unauthorized person then gains access to, or makes a copy of, the user's ID card, the unauthorized person can gain access to the system.
Another problem with the current systems is that many people find it difficult to memorize their PIN codes. In this case, people usually choose a PIN code which is easy to remember, such as their birthday or their address, etc. This makes it easy for an unauthorized person to guess their PIN code. Other people write down their PIN code so that they won't forget it. Usually they store the PIN code in their wallet or purse so that they can find it when they use their card. This means that an unauthorized person who steals the user's wallet or purse can find both the ID card and the PIN code and thereby gain access to the system.
Description of the Prior Art
The problems listed above are well known to the banking community and other vendors of secure systems. Therefore there have been a number of attempts to solve this problem.
From US 5,655,020 a method is known where the user has an ID card and a PIN code. However, the user never enters his or her PIN code directly, rather the user inputs a deliberately corrupted version of his or her PIN code. Each time the system is accessed, the PIN code needs to be corrupted in a different way. A code corrupted in a manner similar to a previous attempt is not accepted in successive accesses. A main problem with this system is that there are a limited number of corrupted versions of a PIN code. This means that at some point a previously used PIN code will be valid again. An unauthorized user could therefore observe a code entered by a user and then wait a month or so before using the same code. Another problem with this idea is that the user needs to keep track of which corrupted versions have been entered previously and then develop newly corrupted versions. This will usually result in a few guesses to find a new version. An unauthorized user could observe the attempts made by the user and deduce the underlying PIN code.
From US 5,940,511 a method is known where the system gives the user instructions in how to modify his or her PIN code while the user is entering the code. For example, the system might tell the user to add a random number to the PIN code before he or she enters the PIN code. The problem with this system is that an unauthorized person observing the system will be able to see or hear the instructions and therefore deduce the actual PIN code.
From US 4,679,236 a system is known where the user has a special portable calculation device, such as a calculator, which is programmed to perform a complex algorithm on a random number generated by the system. When the user starts the interaction with the system, the system presents a response number to the user. The user then inputs a part of the response number to the calculation device and then inputs a part of the result of the calculation performed by the calculation device to the system. The computer compares the result input by the user with the result of an identical algorithm stored in the computer applied to the response number. The problem with this system is that by observing which parts of the numbers an authorized user enters into the system and stealing the calculation device an unauthorized user can gain access to the system.
Summary of the Present Invention
A first aspect of the current invention is to provide a method to verify the identity of a user requesting access to a secure system, as mentioned in the opening paragraph, where an unauthorized person cannot gain access to the system by observing how an authorized user interacts with the system.
Another aspect of the current invention is to provide a method of the kind mentioned in the preamble where an unauthorized person cannot gain access to the system by stealing a piece of hardware from an authorized user of a system.
A third aspect of the current invention is to provide a method of the kind mentioned in the preamble where an unauthorized person is highly unlikely to gain access to the system even after repeated observations of an authorized user inputting his or her access code.
A fourth aspect of the current invention is to provide a method of the kind mentioned in the preamble where the user is not forced to remember any previous interactions with the system.
A fifth aspect of the current invention is to provide a method of the kind mentioned in the preamble where currently used systems can be used without any modifications to their hardware.
A sixth aspect of the current invention is to make it easier for a user to remember his or her access code while simultaneously maintaining a high security level.
The current invention presents a new method to verify a person's identity comprising the steps of the user providing a user identity code to the system, the system providing a response code to the user, the system applying a first algorithm to the response code to get a first result, the user applying a second algorithm to the response code to get a second result, the user inputting the second result to the system, the system comparing the first result and the second result, and the system granting the user access to the secure system if the comparison of the first and second results meets a certain set of criteria.
The personal identification code can take many different forms, for example, an alphanumeric code, a multi-digit number, a voice characteristic, a fingerprint, plus many others. The response code can also take many different forms, for example a random number, a random alphanumeric string, a sentence, plus many others.
The algorithms are chosen so that they are of sufficient complexity to prevent an unauthorized user from determining the algorithm by observing the user entering his or her code, even if the observation occurs a number of times. However, the algorithms can simultaneously be chosen to be simple to remember. The user can therefore memorize his or her algorithm to ensure high security.
Algorithms can be easier to remember than PIN codes since people's minds are better at remembering procedures than at remembering abstract codes. In addition, an algorithm can be so complicated that it would be too time consuming to attempt to determine the algorithm, given both the response code provided by the system and the result input by the user.
The algorithm stored by the system and the algorithm memorized by the user can be identical, which makes the comparison of the two results a simple equality comparison. Both for simplicity and security, the response number provided by the system can be a random number. A simple random number generator can be used to provide the response number.
In order to increase the security of the method, a component of the algorithm can be a Personal Identification Number (PIN) known to the system and memorized by the user. The result of the algorithm can then be a specific combination of the user's PIN code and the response number provided by the system.
The method is not limited to single terminal systems, but can also be applied to systems which are composed of a number of remote terminals connected to a secure central server. A good example of such a system is an Automated Teller Machine (ATM) system or a debit card terminal system. In these types of systems the user accesses the central server via the remote terminals. A system such as this can be organized in many different ways. Some systems can be organized where the processing elements and database elements are located at a central location and the remote terminals act as "dumb" terminals, accepting user input and displaying output to the user, but where all the processing occurs at a central location. Other systems are organized into a more distributed system where the remote terminals have their own processing means, allowing the remote terminals to do part of the processing, minimizing the amount of communication between the terminal and the central computer.
In order to make the system more user friendly the user identifying number can be stored on a magnetic stripe card or the like, input to the system by the user at the start of the procedure. This is identical to currently available Debit Cards.
The algorithm and/or PIN code can also be stored in an encrypted form on a magnetic stripe card or the like, input to the system by the user at the start of the procedure. The system works as previously described, the difference being that the remote terminal can read the data on the card and compare this to the data entered by the user. This can be used in distributed systems with a number of "smart" remote terminals. In this case, the remote terminal can verify the identity of the user without any communication being necessary between the terminal and the central system.
In order to make sure that the response numbers output by the system are not repeated, after each use of the system, the response number output to the user can be stored in a table by the system. Subsequent response numbers generated by the system are looked up in the table and if the response number is already present in the table, a new response number is chosen before being displayed to the user.
To prevent the case of an authorized user being forced to reveal his algorithm, authorized users can be given a second algorithm, which also gives access to the system, but simultaneously activates an alarm. This will dissuade unauthorized persons from attempting to coerce an authorized user.
Brief Description of the Figures
The invention will be explained in greater detail below where further advantageous properties and example embodiments are described with reference to the drawings, in which
Fig. 1 is a flowchart of the authorization process on a single secure system,
Fig. 2 is a flowchart of the authorization process on a centralized computer system.
Description of a Preferred Embodiment of the Invention
The flowchart of Fig. 1 shows the authorization procedure when the current invention is applied to a single-location secure system. In this example, it is a door to a secure area. The user identifies himself or herself to the system via a magnetic key card which has the user's ID number encoded on it. The system has a built-in card reader to read the ID number from the card. The user interacts with the system via a small numeric keypad and the system interacts with the user via a small alphanumeric display. The system has a database containing the IDs of all the authorized users and a specific algorithm for each user.
In step 1 the system is in an idle loop waiting for the user to enter his or her identity card. In step 2 the user enters a magnetic stripe card which has his or her identity number (ID) encoded on it. The system reads the ID number from the card in step 3 and finds the ID number in the database in step 4. If, in step 5, the ID number is not found in the database or the ID number is from an unauthorized person, the system ejects the card in step 6 and goes back to its idle state, step 1, waiting for a new ID card. If the user ID is found in the database, the system generates a random number, N, in step 7. In step 8 the system displays the random number, N, on the screen. In step 9 the system retrieves, from the database, an algorithm, A1, which is associated with the user ID number. In step 10 the system generates a result, R1, which is the result of applying the algorithm, A1, to the random number, N. That is to say, R1=A1(N). In step 11 the system waits for the user to enter a number. The number, R2, entered by the user is the result of the user applying an algorithm, A2, which is memorized by the user, to the random number N. That is to say, R2=A2(N). If the user is the authorized user, then the two algorithms, A1 and A2, are the same and therefore the two results, R1 and R2, will be equal. In step 12, the system checks whether the two results are equal. If the results, R1 and R2, are equal, the door opens in step 13 and permits the user access to the system. In step 14 the user's ID card is ejected. If the two results, R1 and R2, are not equal, then step 13 is skipped and the user's card is ejected in step 14 without the door opening.
The flowchart of Fig. 2 shows an embodiment of the current invention applied to an Automated Teller Machine (ATM) system. In this example, a centralized processing system is assumed, comprising a number of "dumb" remote terminals and a central processing system. The user identifies himself or herself to one of the remote terminals via a magnetic key card which has his or her ID number on it. The terminals have a built-in card reader to read the ID number from the user's identity card. The user interacts with the remote terminal via a small numeric keypad and the remote terminal interacts with the user via a small alphanumeric display. The remote terminals interact with the central computer via secure telephone lines. The central computer has a database containing all the authorized users and a specific algorithm for each user.
The procedure starts in an idle loop 15, with the remote terminal waiting for the user to enter his or her identity (ID) card. When the user enters his ID card in step 16, the terminal reads the ID from the card and sends it to a central computer in step 17. In step 18, the central computer looks up the ID number in the database. If the ID number is not found in the database in step 19, then the central computer commands the remote terminal to eject the user's ID card in step 20. In step 21, the terminal ejects the user's card. If the user ID is found in the database in step 19, then the central computer generates a random number, N, in step 22. The central computer sends the random number, N, to the terminal in step 23. In step 24 the terminal displays the random number, N, on its screen. In step 25 the central controller retrieves, from the database, an algorithm, A1, associated with the user ID. In step 26, the central controller applies the algorithm, A1, to the random number, N, to get a first result, R1, where R1=A1(N). The terminal then, in step 27, waits for the user to enter a number, R2, which is the result of the user applying a memorized algorithm, A2, to the random number, N, that is, R2=A2(N). In step 28 the number entered by the user, R2, is sent to the central computer. In step 29 the central computer compares the result generated by the computer and the result input by the user. If the results are equal, then the central computer allows the user to perform a financial transaction starting at step 30 and ending at step 32. In step 33 the central computer commands the terminal to eject the card, which is ejected in step 34. If, in step 29, the two numbers, R1 and R2, are not equal, then the central computer skips steps 30 to 32 and commands the terminal to eject the card in step 33.
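The Fig. 2 exchange as an added, runnable illustration (not the patent's own code): a central computer that keeps the table of already-issued response numbers described earlier, holds a per-user access algorithm and an optional second alarm algorithm, and a "dumb" terminal that only relays the card ID and the user's result. The user IDs, PINs and the head-computable algorithms are constructed for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

Algorithm = Callable[[int, int], int]   # (response number N, PIN) -> result R


def alg_add_pin(n: int, pin: int) -> int:
    """Constructed user algorithm: R = last four digits of N + PIN."""
    return (n + pin) % 10000


def alg_swap_halves_minus_pin(n: int, pin: int) -> int:
    """Constructed user algorithm: swap the two halves of N, subtract the PIN, keep four digits."""
    swapped = (n % 100) * 100 + n // 100
    return (swapped - pin) % 10000


def alg_alarm(n: int, pin: int) -> int:
    """Constructed second ('alarm') algorithm: the digits of N reversed; the PIN is unused."""
    return int(f"{n:04d}"[::-1])


@dataclass
class UserRecord:
    pin: int
    access_alg: Algorithm
    alarm_alg: Optional[Algorithm] = None


class CentralComputer:
    """The central processing system of Fig. 2 (steps 17 to 33)."""

    def __init__(self, users: Dict[str, UserRecord],
                 rng: Callable[[int], int] = secrets.randbelow) -> None:
        self.users = users
        self.rng = rng                     # rng(10000) -> 0..9999; injectable for tests
        self.issued: Set[int] = set()      # table of response numbers already shown to users
        self.pending: Dict[str, int] = {}  # user ID -> N that is waiting for an answer
        self.alarms: List[str] = []        # IDs whose alarm algorithm was used

    def begin(self, user_id: str) -> Optional[int]:
        """Steps 18 to 23: look up the ID; on success issue a never-before-used N."""
        if user_id not in self.users:
            return None                    # steps 19/20: unknown ID, eject the card
        n = self.rng(10000)
        while n in self.issued:            # re-draw if this N was ever issued before
            n = self.rng(10000)
        self.issued.add(n)
        self.pending[user_id] = n
        return n

    def verify(self, user_id: str, r2: int) -> str:
        """Steps 25 to 29: R1 = A1(N); grant only if R1 == R2 (or the alarm algorithm matches)."""
        n = self.pending.pop(user_id, None)  # each N answers exactly one challenge
        if n is None:
            return "reject"                # no outstanding challenge for this card
        rec = self.users[user_id]
        if rec.access_alg(n, rec.pin) == r2:
            return "grant"
        if rec.alarm_alg is not None and rec.alarm_alg(n, rec.pin) == r2:
            self.alarms.append(user_id)    # silent alarm, but access is still given
            return "grant"
        return "reject"


class Terminal:
    """A 'dumb' remote terminal: reads the card, shows N, relays the user's R2."""

    def __init__(self, central: CentralComputer) -> None:
        self.central = central

    def session(self, card_id: str, answer: Callable[[int], int]) -> str:
        n = self.central.begin(card_id)    # step 17: send the ID; step 23: receive N
        if n is None:
            return "reject"                # step 21: card ejected, nothing else happens
        r2 = answer(n)                     # steps 24/27: display N, user keys in R2 = A2(N)
        return self.central.verify(card_id, r2)  # steps 28/29


USERS = {                                  # constructed database; all values made up
    "4000-0001": UserRecord(pin=6735, access_alg=alg_add_pin, alarm_alg=alg_alarm),
    "4000-0002": UserRecord(pin=1122, access_alg=alg_swap_halves_minus_pin),
}

if __name__ == "__main__":
    terminal = Terminal(CentralComputer(USERS))
    # An honest user computes R2 = A2(N) in his or her head; here A2 is the same as A1.
    print(terminal.session("4000-0001", lambda n: alg_add_pin(n, 6735)))   # grant
    print(terminal.session("4000-0001", lambda n: alg_alarm(n, 6735)))     # grant, alarm raised
```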
In this example, the hardware used is identical to hardware already used in many ATM machines. Therefore the only change necessary to implement this idea is a change in software.
The algorithm applied to the response code can be one of many different types. However, when choosing an algorithm it is important to choose one which doesn't have any specific frequency components. Algorithms having specific frequency components have a "rhythm" and are therefore easier to determine using statistical programs. An example of an algorithm is as follows,
Figure imgf000014_0001
In addition, one component of the algorithm could be a Personal Identification Number (PIN). An example of an algorithm with the use of a PIN code is as follows. In the example, the PIN code is assumed to be 6735.
Figure imgf000014_0002
Another example is shown below. In this example, the initial response code generated by the system is a four-digit random number. The user performs an algorithm on the four-digit number, the result of which is a single digit. The user then inputs the single digit to the system. The number system used in this example is a base 4 number system, that is to say the number system counts as follows, 0, 1, 2, 3, 10, 11, 12, 13, 20, 21, etc... As a general rule in this example, if an operation results in a 2 digit number, only the last digit is used, for example 2x2=10 -> 0 is used.
Figure imgf000015_0001
In the above example, the final result entered by the user can be one of four different values. This means that there is a 25% chance that an unauthorized user will be able to gain access to the system with a random guess. Therefore it is unlikely that this specific example would actually be implemented. However, since the result is only one digit, there will be a very large number of different algorithms which give the same result.
Increasing the number of algorithms which give the same result is of significance to security. Since an authorized person needs to perform all the algorithm's operations in his or her head, both the number of operations and the number of operator types used in the algorithm are limited. This means that with a computer it is not difficult to find all the algorithms which give a certain result based on a certain input. If the system code and the result code are observed a number of times, a computer could determine the correct algorithm. However, the more algorithms there are which give the same result, the more times the codes need to be observed before the algorithm can be found.
Therefore there is a trade-off between protecting against unauthorized users gaining access to the system via random guessing and protecting against the algorithm being determined via frequent observation of the entered code. The fewer digits the user enters into the system, the easier it is for an unauthorized user to guess the correct number. Simultaneously, the fewer digits the user is required to enter into the system, the more difficult it is for a computer to determine the algorithm used, even after frequent observations of an authorized user entering his or her code. In a real system, a compromise is found between these two factors. In the above examples, the codes used were numerical codes. However this is not a requirement of the current invention. Many different types of codes can be used, a few examples being words, sentences, sounds, pictures, and so on.
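The trade-off above, measured on the page's base-4 example as an added analysis (not from the patent): for a fixed family of head-computable algorithms, entering fewer result digits raises the chance that a random guess is accepted but leaves more of the family consistent with each observed (N, result) pair. The family itself is constructed: every digit d[k] of the four-digit response N becomes (a*d[k] + b*d[(k+s)%4] + c) mod 4, and the user enters only the last `out_digits` digits of that intermediate result.

```python
from itertools import product
from typing import Iterable, List, Tuple

BASE = 4        # the page's base-4 system: 0, 1, 2, 3, 10, 11, ...
N_DIGITS = 4    # the response code is a four-digit number

Params = Tuple[int, int, int, int]          # (a, b, s, c), constructed algorithm family
FAMILY: List[Params] = list(product(range(BASE), range(BASE), range(N_DIGITS), range(BASE)))
Observation = Tuple[int, Tuple[int, ...]]   # (N, the digits the user entered)


def to_digits(n: int) -> List[int]:
    """Base-4 digits of n, most significant first, padded to four digits."""
    digits = []
    for _ in range(N_DIGITS):
        digits.append(n % BASE)
        n //= BASE
    return digits[::-1]


def run_algorithm(p: Params, n: int, out_digits: int) -> Tuple[int, ...]:
    """Apply algorithm p to N and keep only the last out_digits digits.
    Every step is taken mod 4, so a two-digit intermediate keeps its last digit (2x2=10 -> 0)."""
    a, b, s, c = p
    d = to_digits(n)
    inter = [(a * d[k] + b * d[(k + s) % N_DIGITS] + c) % BASE for k in range(N_DIGITS)]
    return tuple(inter[N_DIGITS - out_digits:])


def guess_probability(out_digits: int) -> float:
    """Chance that a single random guess of an out_digits-long base-4 result is accepted."""
    return BASE ** -out_digits


def consistent(observations: Iterable[Observation]) -> List[Params]:
    """Members of the family that reproduce every observed (N, entered digits) pair."""
    obs = list(observations)
    return [p for p in FAMILY if all(run_algorithm(p, n, len(r)) == r for n, r in obs)]


def observe(true: Params, responses: Iterable[int], out_digits: int) -> List[Tuple[int, int]]:
    """(observations seen, algorithms still consistent) as successive logins are watched."""
    rows = [(0, len(FAMILY))]
    seen: List[Observation] = []
    for k, n in enumerate(responses, start=1):
        seen.append((n, run_algorithm(true, n, out_digits)))
        rows.append((k, len(consistent(seen))))
    return rows


if __name__ == "__main__":
    true = (1, 2, 1, 0)                       # the user's memorized algorithm (constructed)
    responses = [27, 201, 90, 255, 140]       # constructed 'random' four-digit base-4 numbers
    for out_digits in (1, 2, 4):
        print(f"{out_digits} digit(s) entered: guess accepted with p={guess_probability(out_digits)}")
        print("   observations -> consistent algorithms:", observe(true, responses, out_digits))
```

With one digit entered, exactly one constant c per (a, b, s) fits any single observation, so 64 of the 256 family members survive the first observation; with all four digits entered the survivor count collapses much faster while the guessing chance drops from 1/4 to 1/256.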
In order to increase the user friendliness of the algorithm, the "random" number generated by the system could be limited to "random" numbers which work well with the algorithm. For example, if a part of the algorithm were "choose the number after the digit 7", then the "random" numbers could be limited to those random numbers where there is a 7 and where 7 is not the last digit. The way in which the "random" number is limited is stored together with the user's identification code and algorithm. Some examples of where the limitation could be stored are: on a magnetic user identification card, on the local terminal, in the central computer's database, and so on.
In order to increase the security of the system, users of the system can have the possibility to choose and modify their algorithms themselves. In one example, the user can establish an encrypted connection to the secure system's central computer from a personal computer via the internet and change his or her algorithm via a form. In a more secure system, a user is required to use specially designated terminals located at secure locations in order to create and/or change the algorithm.
The security of the system can also be improved by forcing the user to change his or her algorithm on a regular basis. A more advanced system could keep track of the user's activity and, when a user has used his or her algorithm a certain number of times from a certain location, require the user to change his or her algorithm. Furthermore, the system can assign different security risks to different locations. For example, using a debit card at a pizza shop could be assigned a higher security risk than using the same card at a bank terminal. In this way, the algorithm could be made to expire more quickly if the algorithm were used often in an insecure place. If the algorithm were used in a very secure place, the algorithm could be made to expire more slowly.
Depending on the use of the code, the algorithm security level can be set appropriately. If the algorithm is to be used for, for example, small cash sums, the algorithm could be made very user friendly but not very secure. If the algorithm is to be used for, for example, unlimited cash sums, then the algorithm could be made more secure but consequently also less user friendly.
The algorithm security level can also be set depending on what other security measures are in place. If extra security measures are in place, the algorithm could be made less secure; if the algorithm is the only security measure, then the algorithm should be made more complex. One example of an extra security measure would be to provide screens which prevent unauthorized users from seeing the random number generated by the system. In this case, only the authorized user can see the random number. Therefore the security is much improved over a situation where unauthorized users could see the random number. In this case, the algorithm could be made simpler, for example, enter the first two digits of the random number and the last two digits. Another example of an external security measure would be for the authorized user to have an identity card. An unauthorized user would have to steal the card plus know the algorithm.
Another possible embodiment of the current invention can be applied to voice recognition systems. In typical voice recognition systems, the user issues a command to a system. The voice of the user is analysed and compared to a database of authorized users. If a match is found, the user's command is executed. However, in this type of system it is possible for an unauthorized person to make a copy of an authorized user's voice command via, for example, a tape recorder. By applying a system as proposed by the current invention, after a user's voice has been recognized, the user is prompted with a random number and asked to provide a result based on an algorithm known only to the authorized user and the system. This means that the entire procedure can take place audibly. Even if unauthorized users overhear the transaction, they will be unable to gain access to the system since the transaction will be different each time. This procedure also forms a sort of double security. Even if the unauthorized person were to both record the person's voice and get access to the algorithm, it would be relatively difficult to manipulate the authorized user's voice recording to give the correct answer.
In order to prevent unauthorized persons from forcing authorized users into giving their algorithms away, each authorized user can be given a second algorithm. Use of the second algorithm gives full access to the system, but simultaneously activates an alarm. This feature will be well known and unauthorized persons will therefore be dissuaded from attempting to coerce authorized users to give away their algorithms, since they will be unsure as to which algorithm they are receiving. The security could be further improved by giving the authorized users a random number of second algorithms. In this way, the unauthorized person will not know how many alarm algorithms there are.
Claims
1. A method of verifying the identity of a user requesting access to a secure system comprising the steps of:
- the user providing a user identity code to the system,
- the system providing a response code to the user,
- the system applying a first algorithm to the response code to get a first result,
- the user applying a second algorithm to the response code to get a second result,
- the user inputting the second result to the system,
- the system comparing the first result and the second result, and
- the system granting the user access to the secure system if the comparison of the first and second results meets a set of criteria.
2. A method according to claim 1, characterized by, the system retrieving said first algorithm, based on the identity code input by the user, from a database containing a multitude of algorithms, each algorithm being associated with a unique user identity code.
3. A method according to claim 1 or claim 2, characterized by,
- using identical algorithms for the first algorithm which is retrieved by the system and the second algorithm which is known to the user,
- the system and the user generating the first result and the second result respectively, according to said two algorithms,
- comparing the first result and second results, and
- giving access to the system if the first and second results are equal.
4. A method according to any of the preceding claims, characterized by, generating a random number as the response code.
5. A method according to any of the preceding claims, characterized by, using a Personal Identification Number (PIN) known to the system and memorized by the user as a part of the algorithm.
6. A method according to any of the preceding claims, characterized by, the user interacting with the system via remote terminals, said remote terminals being connected to a secure central server, an example of such a system being Automated Teller Machines (ATM) or debit card terminals.
7. A method according to any of the preceding claims, characterized by, the user inserting a magnetic stripe card, on which the user identifying code is stored, to the system at the start of the interaction, in order to identify the user to the system.
8. A method according to any of the preceding claims, characterized by, the system storing the response codes output to the user in a table, and, the system checking future generated response codes against the table entries so that response codes are not repeated.
9. A method according to any of the preceding claims, characterized by, the user, if the user feels threatened, using a second access algorithm which also permits access to the system, but simultaneously activates an alarm.
10. An apparatus used to verify the identity of a user requesting access to a secure system comprising:
- an input device allowing a user to input a user identity code to the apparatus,
- a code generating device which generates a response code,
- an output device allowing the apparatus to transfer the response code to the user,
- means to apply a first algorithm to the response code to get a first result,
- an input device for accepting a second result input by the user, said second result being the result of an algorithm known by the user being applied to the response code,
- means to compare the first and second results, and
- means to give the user access to the system if the comparison of the first result and the second result meets a certain set of criteria.
PCT/DK2003/000789 2003-03-18 2003-11-19 Method to increase security of secure systems WO2004084486A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003281970A AU2003281970A1 (en) 2003-03-18 2003-11-19 Method to increase security of secure systems

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
DKPA200300411 2003-03-18
DKPA200300647 2003-04-30

Publications (1)

Publication Number Publication Date
WO2004084486A1 true WO2004084486A1 (en) 2004-09-30

Family

ID=33031169

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DK2003/000789 WO2004084486A1 (en) 2003-03-18 2003-11-19 Method to increase security of secure systems

Country Status (2)

Country Link
AU (1) AU2003281970A1 (en)
WO (1) WO2004084486A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5163097A (en) * 1991-08-07 1992-11-10 Dynamicserve, Ltd. Method and apparatus for providing secure access to a limited access system
US5544154A (en) * 1995-03-09 1996-08-06 Telefonaktiebolaget Lm Ericsson Method for determining the load induced by a routing verification test on a network
GB2319150A (en) * 1996-10-31 1998-05-13 Solaic Sa A security method for making secure an authentication method that uses a secret key algorithm
WO2001035685A1 (en) * 1999-11-09 2001-05-17 Orange A/S System for electronic delivery of a personal identification code

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102004049878A1 (en) * 2004-10-13 2006-04-27 Deutscher Sparkassen Verlag Gmbh System and method for checking access authorization
DE102004049878B4 (en) * 2004-10-13 2006-09-21 Deutscher Sparkassen Verlag Gmbh System and method for checking access authorization

Also Published As

Publication number Publication date
AU2003281970A1 (en) 2004-10-11

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP