WO2014141263A1 - Asymmetric otp authentication system - Google Patents

Asymmetric otp authentication system

Info

Publication number
WO2014141263A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
otp
keys
clients
otps
Prior art date
Application number
PCT/IL2014/050263
Other languages
French (fr)
Inventor
Evgeny GREKOV
Leonid Voldman
Original Assignee
Biothent Security Ltd.
Application filed by Biothent Security Ltd.
Publication of WO2014141263A1


Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/31 User authentication
                • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
                • G06F21/33 User authentication using certificates
                • G06F21/36 User authentication by graphic or iconic representation
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
                • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
            • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
            • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
                • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
                • H04L9/3231 Biological data, e.g. fingerprint, voice or retina

Definitions

  • the invention relates generally to authentication systems and more particularly the invention relates to access authentication, biometric authentication and remote directive strong authorization systems.
  • Authentication is a foundation service designed to provide information security. It is crucial to authorization and auditing services.
  • OTPs (one-time passwords) are passwords that are valid for a single authentication session or transaction, in contrast to static passwords.
  • OTPs avoid a number of shortcomings that are associated with static passwords.
  • the most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks.
  • a potential intruder, who manages to record an OTP that was already used to log into a service or to conduct a transaction, will not be able to abuse it, since it will be no longer valid.
  • HMAC: keyed-hash message authentication code; TOTP/HOTP: time-based and HMAC-based one-time passwords
  • 2STEP-OTP: two-step authentication
  • PKI: public-key cryptography
  • OOB: out-of-band authentication (using alternative channels for OTP delivery, e.g. SMS, e-mail, mobile push, etc.).
  • the OOB method depends on permanent availability of secured delivery channels.
  • TOTP/HOTP, 2STEP-OTP and PKI-OTP are communication independent and therefore are more universal methods.
  • PKI refers to a cryptographic algorithm which requires generation of two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked.
  • the public key is used to encrypt plaindata and the private key is used to decrypt the cipherdata.
  • the term "asymmetric" stems from the use of different keys to perform these opposite functions, each the inverse of the other.
  • TOTP/HOTP, 2STEP-OTP and PKI-OTP systems use shared secret keys and other synchronized data (e.g. synchronized time, PIN, serial numbers, etc.) as seed input for an OTP algorithm that allows servers to authenticate passwords generated by clients.
  • TOTP/HOTP, 2STEP-OTP and PKI-OTP systems are vulnerable to shared secret discovery due to key theft, key leaks, insecure key exchange and the like.
  • Biometric authentication systems match captured biometric identifiers with specific templates stored in a biometric database repository in order to verify that an individual is the person he or she claims to be.
  • Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals. Examples include, but are not limited to, fingerprint, face recognition, DNA, palm print, hand geometry, iris recognition, retina and odor/scent.
  • a biometric database repository raises privacy concerns about the safety and authorized use of biometric information, concerns that limit a wider use of biometric authentication systems in financial and commercial systems, such as web based businesses and e-commerce.
  • Phishing is the act of attempting to acquire information such as usernames, passwords, credit card details and the like by masquerading as a trustworthy entity in an electronic communication.
  • Phishing emails may contain links to websites that are infected with malware. Phishing may be carried out by email spoofing or instant messaging, and it may direct users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
  • the asymmetric OTP authentication system may include a plurality of authentication clients and at least one authentication server.
  • the plurality of authentication clients may be configured to generate asymmetric encryption and decryption key pairs and OTP keys, and may register in the at least one authentication server the decryption keys and OTP keys.
  • the plurality of authentication clients may be configured to generate OTPs using the OTP keys, to encrypt the generated OTPs using the encryption keys and to provide to the authentication server the encrypted OTPs.
  • the at least one authentication server may be configured to decrypt the clients' OTPs using the decryption keys, to generate servers' OTPs using the OTP keys and to authenticate requests by matching the decrypted authentication clients' OTPs with the server's generated OTPs.
  • authentication requests by the authentication clients may be single step processes.
  • the authentication clients may be configured to initiate registration processes on a plurality of authentication servers.
  • the authentication clients may be configured to store in the authentication clients the generated encryption keys.
  • the OTPs may be generated using an algorithm such as: RFC 1760 (S/KEY), RFC 2289 (OTP), RFC 4226 (HOTP), RFC 6238 (TOTP) and the like.
  • the authentication clients may be: tokens, mobile devices, computing systems and the like.
  • the plurality of authentication clients may be further configured to receive biometric inputs, by biometric capable input devices, and to generate and store biometric templates in the authentication clients.
  • the OTP keys and/or the asymmetric encryption and decryption key pairs may be built upon the stored biometric templates.
  • the plurality of authentication clients configured to receive biometric inputs may be further configured to match the biometric inputs with the stored biometric templates and to generate the OTPs if the biometric inputs and the biometric templates match.
  • the biometric inputs may be: fingerprints, face images, voice recordings, DNA sequences, palm prints, hand geometries, iris images, retina images, odor and scent recordings and the like.
  • the OTP authentication system may be configured to authorize remote directives, wherein approval passwords may be the encrypted OTPs, wherein prior to generating the approval passwords, the plurality of authentication clients may be configured to receive encoded data blocks that may include the remote directives' content, and wherein the generated approval passwords may be generated using the OTP keys, the encryption and decryption keys and the remote directives' content.
  • the plurality of authentication clients may include means for receiving the data blocks from terminals and extracting the remote directives' content from the data blocks.
  • the plurality of authentication clients may include means for displaying the extracted remote directives' content accompanied with the clients' generated approval passwords.
  • the encoded data blocks may be: QR codes, Bluetooth, NFC, Wi-Fi transmission, and combinations thereof.
  • an OTP authentication method includes generating, by a plurality of authentication clients, asymmetric encryption and decryption key pairs and OTP keys and registering on at least one authentication server the decryption keys and OTP keys.
  • the method includes generating authentication credentials, by the plurality of authentication clients, using encrypted OTPs, wherein the OTPs may be generated using the OTP keys and encrypted using the encryption keys, and authenticating the authentication requests, by the authentication servers, by decrypting the authentication clients' OTPs using the decryption keys, generating servers' OTPs using the OTP keys, and matching the decrypted authentication clients' OTPs with the servers' generated OTPs.
  • requesting authentication permits may include transmitting the encrypted OTPs in a single step.
  • a biometric asymmetric encrypting OTP authentication method may include receiving biometric inputs, by a plurality of authentication clients, by biometric capable input devices, generating and storing biometric templates in the clients' devices, generating, using the biometric templates, biometric asymmetric encryption and decryption key pairs and OTP keys, and registering in at least one authentication server the decryption keys and OTP keys.
  • the method may include matching, by the plurality of authentication clients, biometric inputs with biometric templates.
  • the method may include generating authentication credentials, by the plurality of authentication clients, using the encrypted OTPs, wherein the OTPs may be generated using the OTP keys and encrypted using the encryption keys.
  • the method may include authenticating the authentication requests, by the authentication servers, by decrypting the clients' OTPs using the decryption keys, generating servers' OTPs using OTP keys, and by matching the decrypted authentication clients' OTPs with the servers' generated OTPs.
  • requesting biometric authentication may include transmitting the encrypted OTPs in a single step.
  • a remote-directive strong authorization method may include generating, by a plurality of authentication clients, asymmetric encryption and decryption key pairs and OTP keys and registering on authorization servers, the decryption keys and OTP keys.
  • the method may include transmitting, by the authorization servers, encoded data blocks that include the encoded content of remote directives to the authentication clients.
  • the method may include communicating, by the plurality of authentication clients, encrypted approval passwords generated using the remote directives' content and OTP keys and encrypted by the encryption key.
  • the method may include authorizing the remote directives, by the authorization servers, by decrypting the clients' approval password using the decryption keys, generating servers' approval passwords using the remote directives' content and OTP keys, and by matching the decrypted authentication clients' approval passwords with servers' generated approval passwords.
  • the method may include a plurality of terminals used for communicating messages to the authorization servers and for presenting data blocks received from the authorization servers to users.
  • the encoded data blocks may be QR codes, Bluetooth, NFC, Wi-Fi transmission, and the like.
  • FIG. 1 illustrates an asymmetric OTP authentication system architecture, according to certain embodiments
  • FIG. 2 illustrates OTP authentication system asymmetric key pairs' generation and registration, according to certain embodiments
  • FIG. 3 illustrates an overview of an OTP authentication process, according to certain embodiments
  • FIG. 4 illustrates authentication clients' registration on an OTP server, according to certain embodiments
  • FIG. 5 illustrates a single step OTP authentication process, according to certain embodiments
  • FIG. 6 illustrates a flow chart of the OTP authentication process, according to certain embodiments.
  • FIG. 7 illustrates authentication client's registration on a plurality of OTP servers, according to certain embodiments.
  • FIG. 8 illustrates authentication clients' biometric registration on an OTP server, according to certain embodiments.
  • FIG. 9 illustrates a biometric OTP authentication process, according to certain embodiments.
  • FIG. 10 illustrates a flow chart of the biometric OTP authentication process, according to certain embodiments.
  • FIG. 11 illustrates a remote directive authorization system's submission form, according to certain embodiments.
  • FIG. 12 illustrates a remote directive authorization system's confirmation request, according to certain embodiments
  • FIG. 13 illustrates presenting remote directive's content and the generated approval password on client's display, according to certain embodiments
  • FIG. 14 illustrates submission of the approval password to the application server, according to certain embodiments
  • FIG. 15 illustrates a remote directive strong authorization process, according to certain embodiments
  • FIG. 16 illustrates a flow chart of the remote directive strong authorization process, according to certain embodiments.
  • FIG. 17 illustrates a flowchart of an OTP authentication method, according to certain embodiments.
  • FIG. 18 illustrates a flowchart of a biometric OTP authentication method, according to certain embodiments.
  • FIG. 19 illustrates a flowchart of a remote directive strong authorization method, according to certain embodiments.
  • an asymmetric OTP authentication system uses different keys for OTP generation and authentication. Together with a shared OTP key, the asymmetric OTP authentication system utilizes an asymmetric key pair, also known as an encrypting/decrypting or public/private key pair, where the encrypting key is used for encrypted OTP generation (i.e. authentication credentials) and the decrypting key is used for OTP authentication.
  • the asymmetric OTP authentication system includes at least one authentication client and at least one authentication server. The one or more authentication clients are configured to generate asymmetric encryption and decryption key pairs and OTP keys and register on the at least one authentication server the decryption and OTP keys.
  • the one or more authentication clients are configured to generate OTPs using the OTP keys, to encrypt the generated OTPs using the encryption keys and allow authentication using encrypted OTPs in a single authentication step.
  • the authentication servers are configured to decrypt the clients' OTPs using the registered decryption keys, to generate servers' OTPs using the registered OTP keys and to authenticate requests by matching authentication clients' OTPs with server's generated OTPs.
  • authentication clients are configured to provide the decryption keys, and not the encryption keys, to the counter-party authentication server. Since encryption keys are generated and stored at the authentication clients, only authentication clients are able to issue authentication credentials (e.g. encrypted OTPs) and hence encryption key theft, encryption key leaks, insecure encryption key exchange and the like from authentication servers are impossible.
  • authentication clients are configured to generate OTPs and encrypt the generated OTPs using encryption keys generated and stored at the authentication clients only.
  • issued authentication credentials and/or secure codes mean encrypted OTPs that are provided by authentication clients and the terms encrypted OTPs, secure codes and issued credentials are used interchangeably.
  • user name and user ID mean a unique sequence of characters used to identify a user and allow access to a computing system. The terms user name and user ID are used interchangeably herein.
  • secure keys means authentication keys, OTP keys, encryption/decryption keys needed to generate and/or validate authentication credentials.
  • the use of asymmetric encrypted OTPs allows authentication servers to validate that the authentication client that provided credentials for authentication requests is the same authentication client that provided the decryption key on registration, since only the encrypting authentication client preserves the encryption key.
  • the encryption keys are created by the authentication clients and are not disclosed at any time to external computing environments.
  • embodiments of the present invention facilitate a single step authentication process similar to the static password authentication process.
  • Another advantage of the asymmetric OTP authentication system is that the use of OTPs prevents man-in-the-middle attacks since OTPs change in each authentication request. Since OTPs are encrypted by the authentication clients and only the authentication client that provided the decryption key on registration preserves the paired encryption key and can generate a valid encrypted OTP, mathematical means cannot be used to crack the authentication keys used to generate the authentication credentials.
  • Another advantage of the asymmetric OTP authentication system is that a user name is not required to be stored with the security keys at the authentication client. Hence, even if security keys are stolen they will not be accompanied by the user names in contrast to authentication servers where user names must be linked to security keys and may be both stolen by hackers.
  • authentication clients' registration processes may be initiated by authentication clients on a plurality of authentication servers and may be re-initiated by the authentication clients.
  • a biometric asymmetric OTP authentication system is disclosed.
  • a plurality of authentication clients are configured to receive biometric inputs using biometric capable input devices, to convert biometric inputs into biometric templates and store the biometric templates in the authentication clients' repository, to match biometric inputs with stored biometric templates, to generate encryption and decryption key pairs and OTP keys built upon biometric template derivatives (e.g. the biometric template's digital representation or the biometric template's digital signature), to generate OTPs using the generated OTP keys and to encrypt the OTPs using the encryption keys.
  • the plurality of authentication clients are configured to issue authentication credentials allowing a single step authentication process.
  • Authentication servers are configured to decrypt authentication credentials using the decryption keys and to generate OTPs using OTP keys. Authentication servers are configured to authenticate received requests by validating the decrypted clients' OTPs with the server's generated OTPs.
  • the plurality of biometric authentication clients may be configured to generate asymmetric encryption and decryption key pairs and/or OTP keys using biometric inputs and/or biometric templates derivatives.
  • Biometric inputs may be fingerprints, face images, voice recordings, DNA sequences, palm prints, hand geometries, iris images, retina images, odor and scent recordings, veins topography and the like.
  • a remote directives strong authorization system is disclosed.
  • a plurality of authentication clients are configured to generate asymmetric encryption and decryption key pairs and OTP keys and to provide the decryption keys and OTP keys to authorization servers.
  • the plurality of authentication clients are configured to receive encoded data blocks that include the content of remote directives from the authorization servers and to issue encrypted approval passwords based on the remote directives' content and the OTP keys.
  • the authorization servers are configured to decrypt the authentication clients' approval passwords using the decryption keys, to generate servers' approval passwords using the remote directives' content and the OTP keys and to authenticate the remote directives by matching decrypted clients' approval passwords with server's generated approval passwords.
  • a plurality of terminals are configured to provide data blocks received from authorization servers (by displaying Quick Response (QR) codes, for example).
  • QR codes are given as an example only; Bluetooth and/or NFC and/or Wi-Fi communication and the like may be used by terminals to provide the data blocks to the authentication clients.
  • a plurality of authentication clients may be configured to receive the provided data blocks from authorization servers and to present the data blocks' content (i.e. remote directive) to users.
  • OTP authentication system may include a plurality of authentication clients 101a and 101b configured to connect to one or more computing systems 103 using their input means, further connected through a network 105 to one or more application servers 107.
  • Application servers 107 may be connected to OTP server 113.
  • Computing system 103 may be a personal computer (PC), a mobile device, an iPad and the like.
  • Authentication clients 101a and 101b are configured to issue credentials for web server 107 to be further authenticated by OTP authentication server 113.
  • FIG. 2 illustrates OTP authentication system asymmetric key pairs' generation and registration, according to certain embodiments.
  • Authentication client 101, which may be a mobile device and/or a token for example, may be configured to generate secure key 201 and complementary key 211.
  • Secure key 201 may include OTP key 203 and encryption key 205 that may be stored at client 101.
  • Complementary key 211 may include OTP key 213, a copy of OTP key 203, and decryption key 215 that may be registered on OTP server 113.
  • Encryption key 205 and decryption key 215 are an asymmetric key pair.
  • FIG. 3 illustrates an overview of an OTP authentication process, according to certain embodiments.
  • Authentication Client 101 may be configured to generate OTPs 310 using OTP key 203, to encrypt OTPs using encryption key 205 and provide encrypted OTPs to OTP server 113.
  • OTP server 113 may be configured to generate OTPs 320 using OTP key 213, which is identical to OTP key 203.
  • OTP server 113 may be configured to decrypt OTPs provided by client 101 using registered decryption key 215 and match 330 decrypted clients' OTPs 310 with servers' OTPs 320.
  • OTP authentication system may include at least one authentication server 113 and a plurality of authentication clients 101a, 101b and 101c.
  • Plurality of authentication clients 101a, 101b and 101c may be configured to generate 402, 404 and 406 asymmetric encryption and decryption key pairs and OTP keys and to register the keys 401, 403 and 405 on the at least one authentication server 113.
  • Clients 101a, 101b and 101c may be computers, tokens, mobile devices and the like.
  • clients 101a, 101b and 101c may be configured to register decryption key 215 and OTP key 203 on authentication server 113 and to store the generated encryption key 205 and OTP key 203 in the clients.
  • generating and storing the encrypting key at the clients facilitates an efficient authentication process having a single authentication step similar to static password systems and furthermore, guarantees that only authentication clients are able to generate valid credentials using their keys.
  • Single step OTP authentication system 500 includes at least one authentication server 113 and at least one authentication client 101.
  • Authentication client 101 may be configured to issue credentials for authentication request (a) using an OTP generated with OTP key 203 and encrypted with encryption key 205.
  • Authentication server 113 may be configured to authenticate request (b) by decrypting the credential with decryption key 215 and matching the decrypted authentication request's OTP with an OTP generated using OTP key 203.
  • Authentication server 113 may be configured to generate OTPs using OTP key 203 stored in authentication server 113.
  • the information required for authenticating by server 113 e.g. encrypted OTP and optionally a user ID, may be provided in a single authentication step (a) similar to static password authentication systems.
  • FIG. 6 illustrates a flow chart of the OTP authentication process, according to certain embodiments.
  • In OTP authentication process 600, authentication client 101 may be configured to generate an OTP using OTP key 203 and encrypt the generated OTP using encryption key 205 (FIG. 3).
  • OTP server 113 may be configured to draw the user's registered decryption key 215 and OTP key 213 from a repository stored in the OTP server using user name 605.
  • OTP server 113 may be configured to receive the client's encrypted OTP 603 to decrypt the client's OTP 609 using decryption key 215.
  • OTP server 113 may be configured to generate OTP 611 using the registered OTP key 213.
  • OTP Server 113 and authentication client 101 may be configured to generate OTPs using the synchronized clock and other synchronized data (not shown).
  • OTP server 113 may be configured to match 613 the client's decrypted OTP 609 with the authentication server's generated OTP 611.
  • OTP authentication server 113 may be configured to authenticate the request 615 if the two OTPs match 614.
  • OTPs may be generated, by authentication clients and servers, using algorithms such as RFC 1760 (S/KEY), RFC 2289 (OTP), RFC 4226 (HOTP), RFC 6238 (TOTP), combinations thereof and the like.
  • authentication client 101 is configured to generate valid encrypted OTPs using OTP key 203 and encryption key 205. Since encryption key 205 is generated and stored at authentication client 101, encryption key 205 cannot be stolen or leak out from authentication server 113.
  • FIG. 7, illustrates client's registration on a plurality of authentication servers 700, according to certain embodiments.
  • Authentication client 101 may be configured to register on a plurality of authentication servers 113, 115 and 117.
  • Authentication client 101 may be configured to generate identical or diverse sets of decryption/encryption keys and OTP keys 701 for each one of the OTP authentication servers and to register them on each of OTP servers 113, 115 and 117.
  • Authentication client 101 may be configured to store for each server
  • biometric identifiers are stored in authentication clients and not in centralized database repositories.
  • Authentication clients are configured to store and match biometric inputs and to generate OTPs that may be authenticated by authentication servers that are not required to store any biometric identifiers.
  • Biometric templates are stored at the authentication clients only. Furthermore, storing the encryption keys only at the authentication clients prevents stealing the encryption keys from authentication servers. Finally, storing the encryption keys at the authentication clients allows a single step authentication process similar to static password authentication systems.
  • FIG. 8 illustrates clients' registration 800 on an OTP server, according to certain embodiments.
  • Plurality of authentication clients 101a, 101b and 101c may be configured to receive biometric inputs 802, 812 and 822 by biometric capable devices 852, 862 and 872 that may be included in authentication clients 101a, 101b and 101c or may be external devices.
  • the plurality of clients 101a, 101b and 101c may be configured to generate 803, 813 and 823 biometric templates from the biometric inputs and to store the generated biometric templates in the clients on enrolment.
  • Biometric inputs may be fingerprints, face images, voice recordings,
  • Plurality of authentication clients 101a, 101b and 101c may be configured to generate asymmetric encryption and decryption key pairs (806 and 808, 816 and 818, 826 and 828) and OTP keys (804, 814 and 824) that may be built upon the generated biometric templates.
  • Plurality of authentication clients 101a, 101b and 101c may be configured to provide 805, 815 and 825 decryption keys (808, 818 and 828), OTP keys (804, 814 and 824) to OTP server 113 and to store the generated encryption keys (806, 816 and 826) and OTP keys in the authentication clients.
  • The plurality of authentication clients may be configured to generate asymmetric encryption and decryption key pairs and/or OTP keys using the biometric inputs and/or the biometric templates.
  • Biometric OTP authentication system 900 may include at least one authentication server 113 and at least one authentication client 101.
  • Authentication client 101 may be configured to issue credentials for biometric authentication request (a) using encrypted OTP 901.
  • OTP server 113 may be configured to authenticate the biometric authentication request (b) by matching the decrypted clients' authentication request's OTP with OTP server's 113 generated OTP.
  • OTP server 113 may be configured to generate OTPs using OTP keys stored in the authentication server on registration.
  • The OTP authentication process may be a single step authentication process where the information required for biometric authentication may be provided in a single step (a).
  • Authentication client 101a may be configured to receive biometric input 802 from biometric capable devices 852 and may be configured to match biometric input 802 with a stored biometric template 1001 generated on registration. If matching 1002, client 101a may be configured to generate an OTP and to encrypt it 1004 using encryption key 806 generated on registration. OTP 1004 may be generated using OTP key 804.
  • OTP server 113 may be configured to draw user's decryption key 808 and OTP key 804 from the server repository using user ID 1006.
  • OTP server 113 may be configured to receive the client's encrypted OTP 1005 and to decrypt the client's OTP 1009 using decryption key 808.
  • OTP server 113 may be configured to generate OTP 1011 using OTP key 804.
  • OTP server 113 and client 101a may be configured to generate OTP 1011 and 1004 using in addition to OTP key 804 and also synchronized clock and other synchronized data (not shown).
  • OTP server 113 may be configured to match 1013 the client's decrypted OTP 1009 with the server's generated OTP 1011.
  • OTP server 113 may be configured to authenticate the requested biometric authentication 1014 if the two OTPs match 1013.
  • Phishing techniques attempt to substitute content of users remote directives transmitted over a network by masquerading as a trustworthy entity in the remote directive transmission chain. Phishing techniques may attempt to change remote directives' amounts and receiver's identity in bank transfers or payment orders, change items type and buyer details in purchase orders and the like.
  • Approval passwords generated in both authentication clients and authorization servers, among other security keys, are based on the remote directives' content. Phishing attempts may be prevented since the approval passwords that are based on the remote directives' content will not match if the remote directive content is changed by a man-in-the-middle attack or other means.
  • Authentication clients may be configured to receive data blocks, by means of QR codes, Bluetooth, Wi-Fi, NFC and the like, that are generated by authorization servers and include the remote directive contents, and to present the contents to users.
  • a remote directive's submission form 1101 may include payment order information, such as Name: Mr. John Smith for example, Account: 123-456789/ A and Amount: $15.45 for example.
  • Submission form 1101 may appear on the terminal's screen, where the terminal may be configured to transmit the submission form (a) to web server 107.
  • submission form 1101 may appear on any kind of computing system's display.
  • Application server 107 may be configured to transmit a confirmation request with a data block, in plain form or encrypted (b), to client 101a that contains the remote directive's content in a QR code 1201 representation that may be displayed on a computing system screen, FIG. 1, 103 for example.
  • FIG. 13 illustrates presenting remote directive's content and the generated approval password on client's display, according to certain embodiments.
  • Authentication client 101a (shown in FIG. 12) may be configured to scan the QR code 1301, extract the directive content from the scanned QR code and present 1509 the content on authentication client's 101a display to a user.
  • the remote directive content that may include for example Name: Mr. John Smith, Account: 123-456789/A, Amount: $15.45 may be presented to the user accompanied by an approval password 1303.
  • the approval password, 753847 for example, is the remote directive's content dependent OTP.
  • The remote directive's content dependent approval password is generated by authentication client 101a using the client's OTP key (FIG. 2, 203) and is further encrypted by an encryption key (FIG. 3, 205).
  • FIG. 14 illustrates submission of an approval password to application server 107, according to certain embodiments.
  • Authentication client 101 a may be configured to provide the remote directive's content dependent approval password (c) to application server 107 through terminal 1203.
  • authorization server (not shown) may be configured to decrypt the received remote directive's content dependent OTP (c) using decryption key FIG. 3, 215, to generate a remote directive's content dependent approval password using a registered OTP key (FIG.3, 213) and to match decrypted client's OTPs and Server's generated OTP as illustrated in FIG. 15 below.
  • FIG. 15 illustrates a remote directive strong authorization process, according to certain embodiments.
  • Remote directive strong authorization system 1500 may include at least one authorization server 1501 and at least one authentication client 101.
  • Authentication client 101 may be configured to generate encryption and decryption keys and OTP keys and register the OTP and decryption keys on at least one authorization server 1501.
  • Authentication client 101 may be configured to store the decryption key and OTP key in authorization server 1501 and to store the generated encryption key and OTP key in authentication client 101.
  • Authorization server 1501 may be configured to provide to authentication client 101 encoded data blocks 1503 that include remote directives' contents 1502.
  • the provided encoded data blocks 1510 may be for example in form of QR codes 1503 (e.g. 2D barcodes).
  • Authentication client 101 may be configured to decode encoded blocks 1504 and to present the encoded blocks' content 1506 to users accompanied with encrypted OTP 1505, which is encrypted by encryption key 205, generating approval password 1509.
  • Authentication client 101 may be configured to provide 1520 the encrypted approval password 1509 to authorization sever 1501.
  • Authorization server 1501 may be configured to authorize remote directives 1530 by matching 1508 decrypted authentication clients' communicated approval passwords with the server's generated approval passwords 1507.
  • FIG. 16 illustrates a flow chart of the remote directive authorization process 1600, according to certain embodiments.
  • Authorization server 1501 is configured to receive 1603 a remote directive 1601.
  • Authorization server 1501 may be configured to encode the remote directive's content in data block in form of QR code 1605 and to provide the QR code 1510 to authentication client 101 (e.g. by displaying it on directive terminal's screen).
  • Authentication client 101 may be configured to scan the QR code 1607 and to display the content of the remote directive encoded in the QR code to the user 1609 for validation.
  • Authentication client 101 may be configured to generate approval passwords using OTP key 203 and the remote directives' content 1611.
  • Authentication client 101 may be configured to encrypt approval passwords using encryption key FIG. 3, 205 and may be configured to provide 1520 the encrypted approval passwords 1611 for authorization on authorization server 1501.
  • Authorization Server 1501 may be configured to draw the user's decryption key 215 and OTP key 213 from the authorization server 1501 repository using user name 1604.
  • Authorization server 1501 may be configured to decrypt approval passwords 1613 using decryption key 215. Authorization server 1501 may be configured to generate the server's approval passwords 1615 using OTP key 213 and the remote directive content 1606.
  • authorization server 1501 and client 101 may be configured to generate the server's and client's approval passwords 1615 and 1611 using the synchronized data e.g. clock and the like (not shown).
  • Authorization server 1501 may be configured to match 1617 the decrypted client's approval passwords 1613 with the server's generated approval passwords 1615.
  • Authorization server 1501 may be configured to authorize 1530 the client's remote directive 1601 if the two approval passwords match 1617.
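The content-bound approval password of FIG. 11 through FIG. 16, as an added example that is not the patent's code. The page states that the approval password is an OTP derived from the OTP key and the remote directive's content but gives no construction, so this example assumes one: HMAC-SHA256 over the RFC 6238 time step and a canonical JSON encoding of the directive, truncated to six digits. The QR code is stood in for by a base64 data block (the barcode rendering is out of scope), and the asymmetric encryption of the approval password described on the page is omitted so that the content binding itself is what the code shows. All names are this example's own, and the payment order is constructed from the figures' sample values.

```python
"""Remote directive authorization: the approval password binds the OTP key to the
directive's content, so a directive altered in transit no longer matches. Added
example, not the patent's code; the HMAC construction is an assumption."""
import base64
import hashlib
import hmac
import json
import struct

STEP = 30  # RFC 6238 time step in seconds


def canonical(directive: dict) -> bytes:
    """Deterministic encoding so client and server hash identical bytes."""
    return json.dumps(directive, sort_keys=True, separators=(",", ":")).encode()


def encode_data_block(directive: dict) -> str:
    """Data block the authorization server would put in the QR code (base64 here)."""
    return base64.b64encode(canonical(directive)).decode()


def decode_data_block(block: str) -> dict:
    return json.loads(base64.b64decode(block))


def approval_password(otp_key: bytes, directive: dict, now: int, digits: int = 6) -> str:
    """Content-dependent OTP: HMAC-SHA256(otp_key, time_step || canonical(directive))."""
    msg = struct.pack(">Q", now // STEP) + canonical(directive)
    mac = hmac.new(otp_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class AuthorizationServer:
    def __init__(self):
        self.registry = {}   # user -> OTP key registered on enrolment
        self.pending = {}    # user -> directive as the server received it

    def register(self, user: str, otp_key: bytes):
        self.registry[user] = otp_key

    def confirmation_request(self, user: str, directive: dict) -> str:
        """Stages 1603/1605: record the received directive, hand out the data block."""
        self.pending[user] = directive
        return encode_data_block(directive)

    def authorize(self, user: str, password: str, now: int, window: int = 1) -> bool:
        """Stages 1613-1617: regenerate over the server's copy of the directive,
        tolerating +/- `window` time steps of clock skew; one attempt per directive."""
        if user not in self.registry or user not in self.pending:
            return False
        key, directive = self.registry[user], self.pending.pop(user)
        return any(
            hmac.compare_digest(approval_password(key, directive, now + k * STEP), password)
            for k in range(-window, window + 1)
        )


class AuthenticationClient:
    def __init__(self, user: str, otp_key: bytes):
        self.user, self.otp_key = user, otp_key

    def scan(self, block: str) -> dict:
        """Stages 1607/1609: decode the data block; the result is shown to the user."""
        return decode_data_block(block)

    def approve(self, shown: dict, now: int) -> str:
        """Stage 1611: the password covers exactly what the user saw and approved."""
        return approval_password(self.otp_key, shown, now)


def demo(now: int = 1_700_000_000):
    """Returns (honest directive accepted, replay rejected, tampered directive rejected)."""
    otp_key = b"constructed example key!"[:20]  # constructed, not a real secret
    server, client = AuthorizationServer(), AuthenticationClient("john", otp_key)
    server.register("john", otp_key)
    order = {"name": "Mr. John Smith", "account": "123-456789/A", "amount": "15.45"}

    block = server.confirmation_request("john", order)
    password = client.approve(client.scan(block), now)
    honest = server.authorize("john", password, now)
    replay = server.authorize("john", password, now)  # directive already consumed

    # Man in the middle changed the order before it reached the server, and shows
    # the user a data block for the original order so nothing looks wrong.
    tampered = dict(order, account="999-000001/B", amount="1500.00")
    server.confirmation_request("john", tampered)
    password = client.approve(client.scan(encode_data_block(order)), now)
    tamper = server.authorize("john", password, now)
    return honest, not replay, not tamper
```

If the attacker instead lets the client display the tampered block, the user sees the changed account and amount on the client's own screen and declines; either way the server never obtains an approval password computed over a directive the user did not see.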
  • FIG. 17 illustrates a flowchart of an OTP authentication method, according to certain embodiments.
  • OTP authentication method 1700 includes: in stage 1710, generating, by a plurality of authentication clients, asymmetric encryption and decryption key pairs and OTP keys and registering on authentication servers the decryption keys and OTP keys; in stage 1720, requesting authentication permits, by using credentials generated by the plurality of authentication clients, using encrypted OTPs wherein the OTPs are generated using the OTP keys and encrypted by the encryption keys; in stage 1730, approving the authentication requests, by the authentication servers, by matching the decrypted clients' OTPs with the servers' generated OTPs.
  • OTP authentication method 1700 stage 1720 includes a single step authentication that may include further communicating users IDs to the authentication server.
  • OTP authentication method 1700 stage 1730 may include decrypting the authentication request credentials using the decryption keys and generating OTPs using the OTP keys.
  • FIG. 18 illustrates a flowchart of biometric OTP authentication method, according to certain embodiments.
  • Biometric OTP authentication method 1800 includes: in stage 1810, receiving biometric inputs, by a plurality of authentication clients, using biometric capable input devices, generating and storing biometric templates in the authentication clients' devices, generating asymmetric encryption and decryption key pairs and OTP keys and registering on authentication servers the decryption keys and OTP keys; in stage 1820, matching, by the plurality of authentication clients, biometric inputs with biometric templates; in stage 1830, requesting authentication permits using authentication credentials, e.g. encrypted biometric OTPs, wherein the authentication credentials are generated using the OTP keys and encrypted by the encryption keys; in stage 1840, authenticating the authentication requests by matching the decrypted clients' OTPs with the servers' generated OTPs.
  • Biometric OTP authentication method 1800 stage 1810 generating asymmetric encryption and decryption key pairs and OTP keys may include generating the keys using the biometric templates.
  • Biometric OTP authentication method 1800 stage 1830 includes a single step authentication that may include further communicating users IDs to the authentication server.
  • Biometric OTP authentication method 1800 stage 1840 may include, by the authentication server, decrypting the authentication credentials using the decryption keys and generating OTPs using the OTP keys.
  • FIG. 19 illustrates a flowchart of a remote directive strong authorization method, according to certain embodiments.
  • Remote directive OTP strong authorization method 1900 includes: in stage 1910, generating, by a plurality of clients, asymmetric encryption and decryption key pairs and OTP keys and registering on authorization servers the decryption keys and OTP keys; in stage 1920, transmitting, by the authorization servers, encoded data blocks that include remote directives' content to authentication clients; in stage 1930, communicating, by the plurality of authentication clients, encrypted approval password based on the remote directives' content and the OTP keys; in stage 1940, authorizing the remote directives by matching decrypted clients' approval passwords with servers' generated approval passwords.
  • Remote directive strong authorization method 1900 stage 1940 may include decrypting clients' approval passwords using decryption keys and generating approval passwords using remote directives' content and OTP keys.
  • In remote directive strong authorization method 1900, the plurality of authentication clients may include a plurality of terminals configured to communicate messages to authorization servers and to present data blocks (e.g. QR codes) received from the authorization servers to users.
  • The above described OTP authentication system may be used to authenticate in a single step similar to static password authentication systems.
  • Authentication clients are configured to encrypt credentials using encryption keys generated and stored only in the authentication clients; thus the encryption keys are not provided to authentication servers and hence cannot be stolen or leak from authentication servers.
  • biometric OTP authentication system may be used for biometric authentication without storing biometric identifiers in biometric database repositories.
  • biometric authentication may be a single step authentication similar to static password authentication systems.
  • the above described remote directive strong authorization system may be used to authorize remote directives and prevent phishing attacks by the usage of encrypted approval passwords that is based on the remote directive content and OTP keys.
  • Another advantage of the above described remote directive authorization system is that it is a strong authentication system that uses asymmetric encryption and decryption key pairs to encrypt and decrypt OTPs, e.g. the approval passwords, and furthermore uses the content of the remote directives as an additional security factor when generating the approval passwords.

Abstract

Asymmetric one-time-password (OTP) authentication, biometric authentication and remote directive strong authorization systems are disclosed. The asymmetric OTP authentication system includes a plurality of authentication clients and at least one authentication server. The plurality of authentication clients are configured to generate asymmetric encryption and decryption key pairs and OTP keys and register in the at least one authentication server decryption keys and OTP keys. The plurality of authentication clients are configured to generate OTPs using the OTP keys, to encrypt the generated OTPs using the encryption keys and to generate authentication credentials using encrypted OTPs. The authentication server is configured to decrypt the clients' OTPs using the decryption keys, to generate servers' OTPs using the OTP keys and to authenticate requests by matching decrypted clients' OTPs with server's generated OTPs.

Description

ASYMMETRIC OTP AUTHENTICATION SYSTEM
FIELD OF THE INVENTION
[0001] The invention relates generally to authentication systems and more particularly the invention relates to access authentication, biometric authentication and remote directive strong authorization systems.
BACKGROUND
[0002] Authentication is a foundation service designed to provide information security. It is crucial to authorization and auditing services.
[0003] One time passwords (OTPs) are passwords that are valid for a single authentication session or transaction, in contrast to static passwords. OTPs avoid a number of shortcomings that are associated with static passwords. The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. A potential intruder, who manages to record an OTP that was already used to log into a service or to conduct a transaction, will not be able to abuse it, since it will no longer be valid.
[0004] Several OTP system implementations are known: Time-based and keyed-hash message authentication code (HMAC/Time)-based OTP (TOTP/HOTP), two-step authentication (2STEP-OTP), Public-key cryptography (PKI)-based two-step authentication (PKI-OTP), Out-of-band authentication - OOB (using alternative channels for OTP delivery, e.g. SMS, e-mail, mobile push, etc.). The OOB method depends on permanent availability of secured delivery channels. TOTP/HOTP, 2STEP-OTP and PKI-OTP are communication independent and therefore are more universal methods.
[0005] PKI refers to a cryptographic algorithm which requires generation of two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked. The public key is used to encrypt plaintext and the private key is used to decrypt the ciphertext. The term "asymmetric" stems from the use of different keys to perform these opposite functions, each the inverse of the other.
[0006] TOTP/HOTP, 2STEP-OTP and PKI-OTP systems use shared secret keys and other synchronized data (e.g. synchronized time, PIN, serial numbers, etc.) as seed input for an OTP algorithm that allows servers to authenticate passwords generated by clients. Thus, TOTP/HOTP, 2STEP-OTP and PKI-OTP systems are vulnerable to shared secrets discovery due to key thefts, key leaks, unsecure key exchange and the like.
[0007] Biometric authentication systems match captured biometric identifiers with specific templates stored in a biometric database repository in order to verify that an individual is the person he or she claims to be. Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals. Examples include, but are not limited to, fingerprint, face recognition, DNA, palm print, hand geometry, iris recognition, retina, odor/scent.
[0008] However, the collection of biometric identifiers stored in a biometric database repository raises privacy concerns about the safety and authorized use of biometric information, concerns that limit a wider use of biometric authentication systems in financial and commercial systems, such as web based businesses and e-commerce.
[0009] Phishing is the act of attempting to acquire information such as usernames, passwords, credit card details and the like by masquerading as a trustworthy entity in an electronic communication. Phishing emails may contain links to websites that are infected with malware. Phishing may be carried out by email spoofing or instant messaging, and it may direct users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
[0010] In view of the above, there is a need for highly secure OTP authentication and biometric authentication systems. There is further a need for remote directive strong authentication systems designed to prevent phishing attacks.
SUMMARY
[0011] This summary is provided to introduce a selection of concepts in a simplified form that are further described in the detailed description of the invention. According to an aspect of some embodiments of the present invention there is provided an asymmetric OTP authentication system. The asymmetric OTP authentication system may include a plurality of authentication clients and at least one authentication server. The plurality of authentication clients may be configured to generate asymmetric encryption and decryption key pairs and OTP keys, and may register in the at least one authentication server the decryption keys and OTP keys. The plurality of authentication clients may be configured to generate OTPs using the OTP keys, to encrypt the generated OTPs using the encryption keys and to provide to the authentication server the encrypted OTPs. The at least one authentication server may be configured to decrypt the clients' OTPs using the decryption keys, to generate servers' OTPs using the OTP keys and to authenticate requests by matching the decrypted authentication clients' OTPs with the server's generated OTPs.
[0012] According to a further feature of an embodiment of the present invention, authentication requests, by the authentication clients, may be single step processes.
[0013] According to a further feature of an embodiment of the present invention, the authentication clients may be configured to initiate registration processes on a plurality of authentication servers.
[0014] According to a further feature of an embodiment of the present invention, the authentication clients may be configured to store in the authentication clients the generated encryption keys.
[0015] According to a further feature of an embodiment of the present invention, the OTPs may be generated using an algorithm such as: RFC 1760 (S/KEY), RFC 2289 (OTP), RFC 4226 (HOTP), RFC 6238 (TOTP) and the like.
[0016] According to a further feature of an embodiment of the present invention, the authentication clients may be: tokens, mobile devices, computing systems and the like.
[0017] According to a further feature of an embodiment of the present invention, the plurality of authentication clients may be further configured to receive biometric inputs, by biometric capable input devices, to generate and store biometric templates in the authentication clients.
[0018] According to a further feature of an embodiment of the present invention, the OTP keys and/or the asymmetric encryption and decryption key pairs may be built upon the stored biometric templates.
[0019] According to a further feature of an embodiment of the present invention, the plurality of authentication clients configured to receive biometric inputs may be further configured to match the biometric inputs with the stored biometric templates and to generate the OTPs if the biometnc inputs and the biometric templates match.
[0020] According to a further feature of an embodiment of the present invention, the biometric inputs may be: fingerprints, face images, voice recordings, DNA sequences, palm prints, hand geometries, iris images, retina images and odor, scent recordings and the like.
[0021] According to a further feature of an embodiment of the present invention, the OTP authentication system may be configured to authorize remote directives, wherein approval passwords may be the encrypted OTPs, wherein prior to generating the approval passwords, the plurality of authentication clients may be configured to receive encoded data blocks that may include the remote directives' content, and wherein the generated approval passwords may be generated using the OTP keys, the encryption and decryption keys and the remote directives' content.
[0022] According to a further feature of an embodiment of the present invention, the plurality of authentication clients may include means for receiving the data blocks from terminals and extracting the remote directives' content from the data blocks.
[0023] According to a further feature of an embodiment of the present invention, the plurality of authentication clients may include means for displaying the extracted remote directives' content accompanied with the clients' generated approval passwords.
[0024] According to a further feature of an embodiment of the present invention, the encoded data blocks may be: QR codes, Bluetooth, NFC, Wi-Fi transmission, and combinations thereof.
[0025] According to a further feature of an embodiment of the present invention, an OTP authentication method is disclosed. The OTP authentication method includes generating, by a plurality of authentication clients, asymmetric encryption and decryption key pairs and OTP keys and registering on at least one authentication server the decryption keys and OTP keys. The method includes generating authentication credentials, by the plurality of authentication clients, using encrypted OTPs wherein the OTPs may be generated using the OTP keys and encrypted using the encryption keys, and authenticating the authentication requests, by the authentication servers, by decrypting the authentication clients' OTPs using the decryption keys, generating servers' OTPs using the OTP keys, and matching the decrypted authentication clients' OTPs with the servers' generated OTPs.
[0026] According to a further feature of an embodiment of the present invention, requesting authentication permits may include transmitting the encrypted OTPs in a single step.
[0027] According to a further feature of an embodiment of the present invention, a biometric asymmetric encrypting OTP authentication method is disclosed. The biometric asymmetric encrypting OTP authentication method may include receiving biometric inputs, by a plurality of authentication clients, by biometric capable input devices, generating and storing biometric templates in the client's devices, generating using the biometric templates, biometric asymmetric encryption and decryption key pairs and OTP keys and registering in at least one authentication server the decryption keys and OTP keys. The method may include matching, by the plurality of authentication clients, biometric inputs with biometric templates. The method may include generating authentication credentials, by plurality of authentication clients, using the encrypted OTPs wherein the OTPs may be generated using the OTP keys and encrypted using the encryption keys. The method may include authenticating the authentication requests, by the authentication servers, by decrypting the clients' OTPs using the decryption keys, generating servers' OTPs using OTP keys, and by matching the decrypted authentication clients' OTPs with the servers' generated OTPs.
[0028] According to a further feature of an embodiment of the present invention, requesting biometric authentication may include transmitting the encrypted OTPs in a single step.
[0029] According to a further feature of an embodiment of the present invention, a remote-directive strong authorization method is disclosed. The remote- directive strong authorization method may include generating, by a plurality of authentication clients, asymmetric encryption and decryption key pairs and OTP keys and registering on authorization servers, the decryption keys and OTP keys. The method may include transmitting, by the authorization servers, encoded data blocks that include the encoded content of remote directives to the authentication clients. The method may include communicating, by the plurality of authentication clients, encrypted approval passwords generated using the remote directives' content and OTP keys and encrypted by the encryption key. The method may include authorizing the remote directives, by the authorization servers, by decrypting the clients' approval password using the decryption keys, generating servers' approval passwords using the remote directives' content and OTP keys, and by matching the decrypted authentication clients' approval passwords with servers' generated approval passwords.
[0030] According to a further feature of an embodiment of the present invention, the method may include a plurality of terminals used for communicating messages to the authorization servers and for presenting data blocks received from the authorization servers to users.
[0031] According to a further feature of an embodiment of the present invention, the encoded data blocks may be QR codes, Bluetooth, NFC, Wi-Fi transmission, and the like.
[0032] Additional features and advantages of the invention will become apparent from the following drawings and description.
BRIEF DESCRIPTION OF THE DRAWINGS
[0033] For a better understanding of the invention and to show how the same may be carried into effect, reference will now be made, purely by way of example, to the accompanying drawings in which like numerals designate corresponding elements or sections throughout.
[0034] With specific reference now to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of the preferred embodiments of the present invention only, and are presented in the cause of providing what is believed to be the most useful and readily understood description of the principles and conceptual aspects of the invention. In this regard, no attempt is made to show structural details of the invention in more detail than is necessary for a fundamental understanding of the invention, the description taken with the drawings making apparent to those skilled in the art how the several forms of the invention may be embodied in practice. In the accompanying drawings:
[0035] FIG. 1 illustrates an asymmetric OTP authentication system architecture, according to certain embodiments;
[0036] FIG. 2 illustrates OTP authentication system asymmetric key pairs' generation and registration, according to certain embodiments;
[0037] FIG. 3 illustrates an overview of an OTP authentication process, according to certain embodiments;
[0038] FIG. 4 illustrates authentication clients' registration on an OTP server, according to certain embodiments;
[0039] FIG. 5 illustrates a single step OTP authentication process, according to certain embodiments;
[0040] FIG. 6 illustrates a flow chart of the OTP authentication process, according to certain embodiments;
[0041] FIG. 7 illustrates authentication client's registration on a plurality of OTP servers, according to certain embodiments;
[0042] FIG. 8 illustrates authentication clients' biometric registration on an OTP server, according to certain embodiments;
[0043] FIG. 9 illustrates a biometric OTP authentication process, according to certain embodiments;
[0044] FIG. 10 illustrates a flow chart of the biometric OTP authentication process, according to certain embodiments;
[0045] FIG. 11 illustrates a remote directive authorization system's submission form, according to certain embodiments;
[0046] FIG. 12 illustrates a remote directive authorization system's confirmation request, according to certain embodiments;
[0047] FIG. 13 illustrates presenting remote directive's content and the generated approval password on client's display, according to certain embodiments;
[0048] FIG. 14 illustrates submission of the approval password to the application server, according to certain embodiments;
[0049] FIG. 15 illustrates a remote directive strong authorization process, according to certain embodiments;
[0050] FIG. 16 illustrates a flow chart of the remote directive strong authorization process, according to certain embodiments;
[0051] FIG. 17 illustrates a flowchart of an OTP authentication method, according to certain embodiments;
[0052] FIG. 18 illustrates a flowchart of a biometric OTP authentication method, according to certain embodiments; and
[0053] FIG. 19 illustrates a flowchart of a remote directive strong authorization method, according to certain embodiments.
DETAILED DESCRIPTION
[0054] While a number of exemplary aspects and embodiments have been discussed above, those of skill in the art will recognize certain modifications, permutations, additions and subcombinations thereof. It is therefore intended that the following appended claims and claims hereafter introduced be interpreted to include all such modifications, permutations, additions and sub-combinations as are within their true spirit and scope.
[0055] In the description and claims of the application, each of the words "comprise", "include" and "have", and forms thereof, are not necessarily limited to members in a list with which the words may be associated.
[0056] According to certain embodiments of the present invention, an asymmetric OTP authentication system is disclosed. The asymmetric OTP authentication system uses different keys for OTP generation and authentication. Together with a shared OTP key, the asymmetric OTP authentication system utilizes an asymmetric key pair, also known as an encrypting/decrypting or public/private key pair, where the encrypting key is used for encrypted OTP generation (i.e. authentication credentials) and the decrypting key is used for OTP authentication. The asymmetric OTP authentication system includes at least one authentication client and at least one authentication server. The one or more authentication clients are configured to generate asymmetric encryption and decryption key pairs and OTP keys and to register the decryption and OTP keys on the at least one authentication server. The one or more authentication clients are configured to generate OTPs using the OTP keys, to encrypt the generated OTPs using the encryption keys and to allow authentication using encrypted OTPs in a single authentication step. The authentication servers are configured to decrypt the clients' OTPs using the registered decryption keys, to generate servers' OTPs using the registered OTP keys and to authenticate requests by matching the authentication clients' OTPs with the server's generated OTPs.
[0057] According to certain embodiments of the present invention, on registration, authentication clients are configured to provide the decryption keys, and not the encryption keys, to the counter-party authentication server. Since encryption keys are generated and stored at the authentication clients, only authentication clients are able to issue authentication credentials (e.g. encrypted OTPs); hence encryption key theft, encryption key leaks, insecure encryption key exchange and the like from authentication servers are impossible.
[0058] According to certain embodiments of the present invention, authentication clients are configured to generate OTPs and encrypt the generated OTPs using encryption keys generated and stored at the authentication clients only.
[0059] As used herein, the terms issued authentication credentials and/or secure codes mean encrypted OTPs that are provided by authentication clients, and the terms encrypted OTPs, secure codes and issued credentials are used interchangeably. As used herein, the terms user name and user ID mean a unique sequence of characters used to identify a user and allow access to a computing system. The terms user name and user ID are used interchangeably herein. As used herein, the term secure keys means authentication keys, OTP keys and encryption/decryption keys needed to generate and/or validate authentication credentials.
[0060] According to certain embodiments of the present invention, the use of asymmetric encrypted OTPs allows authentication servers to validate that the authentication client that provided credentials for an authentication request is the same authentication client that provided the decryption key on registration, since only the encrypting authentication client preserves the encryption key. The encryption keys are created by the authentication clients and are not disclosed at any time to external computing environments.
[0061] Advantageously, embodiments of the present invention facilitate a single step authentication process similar to a static password authentication process.
[0062] Another advantage of the asymmetric OTP authentication system is that the use of OTPs prevents man-in-the-middle attacks since OTPs change in each authentication request. Since OTPs are encrypted by the authentication clients and only the authentication client that provided the decryption key on registration preserves the paired encryption key and can generate a valid encrypted OTP, mathematical means cannot be used to crack the authentication keys used to generate the authentication credentials.
[0063] Another advantage of the asymmetric OTP authentication system is that a user name is not required to be stored with the security keys at the authentication client. Hence, even if security keys are stolen they will not be accompanied by the user names in contrast to authentication servers where user names must be linked to security keys and may be both stolen by hackers.
[0064] Optionally, authentication clients' registration processes may be initiated by authentication clients on a plurality of authentication servers and may be re-initiated by the authentication clients.
[0065] According to certain embodiments of the present invention, a biometric asymmetric OTP authentication system is disclosed. A plurality of authentication clients are configured to receive biometric inputs using biometric capable input devices, to convert biometric inputs into biometric templates and store the biometric templates in the authentication clients' repository, to match biometric inputs with stored biometric templates, to generate encryption and decryption key pairs and OTP keys built upon biometric template derivatives (e.g. a biometric template's digital representation or a biometric template's digital signature), to generate OTPs using the generated OTP keys and to encrypt OTPs using the encryption key. The plurality of authentication clients are configured to issue authentication credentials allowing a single step authentication process. Authentication servers are configured to decrypt authentication credentials using the decryption keys and to generate OTPs using the OTP keys. Authentication servers are configured to authenticate received requests by validating the decrypted clients' OTPs against the server's generated OTPs.
[0066] Optionally, the plurality of biometric authentication clients may be configured to generate asymmetric encryption and decryption key pairs and/or OTP keys using biometric inputs and/or biometric templates derivatives.
[0067] Biometric inputs may be fingerprints, face images, voice recordings, DNA sequences, palm prints, hand geometries, iris images, retina images, odor and scent recordings, vein topography and the like.
[0068] According to certain embodiments of the present invention, a remote directives strong authorization system is disclosed. A plurality of authentication clients are configured to generate asymmetric encryption and decryption key pairs and OTP keys and to provide the decryption keys and OTP keys to authorization servers. The plurality of authentication clients are configured to receive encoded data blocks that include the content of remote directives from the authorization servers, to issue encrypted approval passwords based on the remote directives' content and the OTP keys. The authorization servers are configured to decrypt the authentication clients' approval passwords using the decryption keys, to generate servers' approval passwords using the remote directives' content and the OTP keys and to authenticate the remote directives by matching decrypted clients' approval passwords with server's generated approval passwords.
[0069] According to certain embodiments of the present invention, a plurality of terminals are configured to provide data blocks received from authorization servers (by displaying Quick Response (QR) codes, for example). QR codes are given as an example only; Bluetooth and/or NFC and/or WiFi communication and the like may be used by terminals to provide the data blocks to the authentication clients.
[0070] According to certain embodiments of the present invention, a plurality of authentication clients may be configured to receive the provided data blocks from authorization servers and to present the data blocks' content (i.e. remote directive) to users.
[0071] Reference is now made to FIG. 1, which illustrates an OTP authentication system, according to certain embodiments. The OTP authentication system may include a plurality of authentication clients 101a and 101b configured to connect to one or more computing systems 103 using their input means, further connected through a network 105 to one or more application servers 107. Application servers 107 may be connected to OTP server 113.
[0072] Computing system 103 may be a personal computer (PC), a mobile device, an iPad and the like.
[0073] Authentication clients 101a and 101b are configured to issue credentials for web server 107 to be further authenticated by OTP authentication server 113.
[0074] Reference is now made to FIG. 2, which illustrates OTP authentication system asymmetric key pairs' generation and registration, according to certain embodiments. Authentication client 101, which may be a mobile device and/or a token for example, may be configured to generate secure key 201 and complementary key 211. Secure key 201 may include OTP key 203 and encryption key 205, which may be stored at client 101. Complementary key 211 may include OTP key 213, a copy of OTP key 203, and decryption key 215, which may be registered on OTP server 113. Encryption key 205 and decryption key 215 are an asymmetric key pair.
[0075] Reference is now made to FIG. 3, which illustrates an overview of an OTP authentication process, according to certain embodiments. Authentication client 101 may be configured to generate OTPs 310 using OTP key 203, to encrypt the OTPs using encryption key 205 and to provide the encrypted OTPs to OTP server 113. OTP server 113 may be configured to generate OTPs 320 using OTP key 213, which is identical to OTP key 203. OTP server 113 may be configured to decrypt OTPs provided by client 101 using registered decryption key 215 and to match 330 the decrypted clients' OTPs 310 with the server's OTPs 320.
[0076] Reference is now made to FIG. 4, which illustrates clients' registration on an authentication server, according to certain embodiments. The OTP authentication system may include at least one authentication server 113 and a plurality of authentication clients 101a, 101b and 101c. The plurality of authentication clients 101a, 101b and 101c may be configured to generate 402, 404 and 406 asymmetric encryption and decryption key pairs and OTP keys and to register the keys 401, 403 and 405 on the at least one authentication server 113. Clients 101a, 101b and 101c may be computers, tokens, mobile devices and the like. According to embodiments of the present invention, clients 101a, 101b and 101c may be configured to register decryption key 215 and OTP key 203 on authentication server 113 and to store the generated encryption key 205 and OTP key 203 in the clients.
[0077] According to embodiments of the present invention, generating and storing the encrypting key at the clients facilitates an efficient authentication process having a single authentication step similar to static password systems and, furthermore, guarantees that only authentication clients are able to generate valid credentials using their keys.
[0078] Reference is now made to FIG. 5, which illustrates a single step OTP authentication process, according to certain embodiments. Single step OTP authentication system 500 includes at least one authentication server 113 and at least one authentication client 101. Authentication client 101 may be configured to issue credentials for authentication request (a) using an OTP generated with OTP key 203 and encrypted with encryption key 205. Authentication server 113 may be configured to authenticate request (b) by decrypting with decryption key 215 and matching the decrypted authentication request's OTP with an OTP generated using OTP key 203. Authentication server 113 may be configured to generate OTPs using OTP key 203 stored in authentication server 113. According to embodiments of the present invention, the information required for authentication by server 113, e.g. the encrypted OTP and optionally a user ID, may be provided in a single authentication step (a) similar to static password authentication systems.
[0079] Reference is now made to FIG. 6, which illustrates a flow chart of the OTP authentication process 600, according to certain embodiments. Authentication client 101 may be configured to generate an OTP using OTP key 203 and to encrypt the generated OTP using encryption key 205 (FIG. 3). OTP server 113 may be configured to draw the user's registered decryption key 215 and OTP key 213 from a repository stored in the OTP server using user name 605. OTP server 113 may be configured to receive the client's encrypted OTP 603 and to decrypt the client's OTP 609 using decryption key 215. OTP server 113 may be configured to generate OTP 611 using the registered OTP key 213.
[0080] Optionally, OTP server 113 and authentication client 101 may be configured to generate OTPs using a synchronized clock and other synchronized data (not shown).
[0081] OTP server 113 may be configured to match 613 the client's decrypted OTP 609 with the authentication server's generated OTP 611. OTP authentication server 113 may be configured to authenticate the request 615 if the two OTPs match 614.
[0082] Optionally, OTPs may be generated, by authentication clients and servers, using algorithms such as RFC 1760 (S/KEY), RFC 2289 (OTP), RFC 4226 (HOTP), RFC 6238 (TOTP), combinations thereof and the like.
[0083] According to embodiments of the present invention, authentication client 101 is configured to generate valid encrypted OTPs using OTP key 203 and encryption key 205. Since encryption key 205 is generated and stored at authentication client 101, encryption key 205 cannot be stolen or leak out from authentication server 113.
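The registration and single step authentication flow of FIGs. 2 to 6 can be followed end to end in the following added example. It is an illustration written for this page, not code from the patent or from Biothent Security Ltd. It assumes HOTP (RFC 4226, one of the algorithms named in [0082]) as the OTP algorithm, a small counter look-ahead window as the "synchronized data" of [0080], and textbook RSA over two fixed, constructed toy primes so that the whole thing runs on the Python standard library; the exponent kept on the client plays the role of encryption key 205 and the exponent registered on the server plays the role of decryption key 215. A production system would use a vetted library and a padded signature scheme rather than raw modular exponentiation.

```python
"""Asymmetric OTP authentication modelled on FIGs. 2-6 (added illustration)."""
import hashlib
import hmac
import secrets
import struct

# Constructed toy RSA parameters: fixed primes, far too small for real use.
_P, _Q = 104729, 1299709
_N = _P * _Q
_PHI = (_P - 1) * (_Q - 1)
_E = 65537  # coprime to _PHI for these primes

DIGITS = 6


def generate_key_pair():
    """Return (encryption_key, decryption_key) as (exponent, modulus) tuples.

    The encryption key (205) never leaves the client; the decryption key (215)
    is the one registered on the server, as in [0057].
    """
    d = pow(_E, -1, _PHI)  # modular inverse, Python 3.8+
    return (d, _N), (_E, _N)


def hotp(otp_key: bytes, counter: int, digits: int = DIGITS) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(otp_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


class AuthenticationClient:
    """Client 101: holds OTP key 203 and encryption key 205, no user name ([0063])."""

    def __init__(self):
        self.otp_key = secrets.token_bytes(20)  # OTP key 203
        self.encryption_key, self.decryption_key = generate_key_pair()
        self.counter = 0

    def complementary_key(self):
        """Key 211 handed over on registration: OTP key copy 213 + decryption key 215."""
        return self.otp_key, self.decryption_key

    def issue_credential(self) -> int:
        """Step (a) of FIG. 5: one encrypted OTP, sent in a single step."""
        otp = hotp(self.otp_key, self.counter)
        self.counter += 1
        d, n = self.encryption_key
        return pow(otp, d, n)  # encrypted OTP; only the holder of d can produce it


class OTPServer:
    """Server 113: repository of user ID -> (OTP key 213, decryption key 215, counter)."""

    LOOK_AHEAD = 5  # tolerate a few client-side increments the server never saw

    def __init__(self):
        self.repository = {}

    def register(self, user_id: str, complementary_key):
        otp_key, decryption_key = complementary_key
        self.repository[user_id] = {"otp_key": otp_key, "dec": decryption_key, "counter": 0}

    def authenticate(self, user_id: str, encrypted_otp: int) -> bool:
        """Step (b) of FIG. 5 / boxes 605-615 of FIG. 6."""
        entry = self.repository.get(user_id)  # 605: look up keys by user name
        if entry is None:
            return False
        e, n = entry["dec"]
        client_otp = pow(encrypted_otp, e, n)  # 609: decrypt with key 215
        for i in range(self.LOOK_AHEAD):
            candidate = entry["counter"] + i
            server_otp = hotp(entry["otp_key"], candidate)  # 611: server-side OTP
            if client_otp == server_otp:  # 613: match
                entry["counter"] = candidate + 1  # advance so the credential cannot be replayed
                return True
        return False
```

Two details matter for a practitioner reading the patent's claims. First, the decryption key the server stores is public-key material in all but name: its disclosure lets anyone recover the 6-digit OTP from a captured credential, but not mint a new one, which is exactly the property [0057] and [0083] rely on. Second, the server must advance its counter once a credential is accepted; without that bookkeeping an intercepted credential would remain valid, and the replay protection the OTP provides would be lost.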
[0084] Reference is now made to FIG. 7, which illustrates a client's registration on a plurality of authentication servers 700, according to certain embodiments. Authentication client 101 may be configured to register on a plurality of authentication servers 113, 115 and 117. Authentication client 101 may be configured to generate identical or diverse sets of decryption/encryption keys and OTP keys 701 for each one of the OTP authentication servers and to register them on each of OTP servers 113, 115 and 117.
[0085] Authentication client 101 may be configured to store, for each server 113, 115 and 117, encryption keys (715, 725 and 735) and OTP keys (713, 723 and 733) during the authentication client's registrations 703, 705 and 707 on OTP servers 113, 115 and 117.
[0086] Previously proposed biometric authentication systems use a biometric identifier repository to store biometric images/templates of users recorded during the registration/enrollment procedure. In contrast to traditional biometric database repository systems, according to certain embodiments of the present invention, biometric identifiers are stored in authentication clients and not in centralized database repositories. Authentication clients are configured to store and match biometric inputs and to generate OTPs that may be authenticated by authentication servers, which are not required to store any biometric identifiers.
[0087] According to embodiments of the present invention, biometric templates are stored at the authentication clients only. Furthermore, storing the encrypting keys only at the authentication clients prevents stealing the encrypting keys from authentication servers. Finally, storing the encryption keys at the authentication clients allows a single step authentication process similar to static password authentication systems.
[0088] Reference is now made to FIG. 8, which illustrates clients' registration 800 on an OTP server, according to certain embodiments. Plurality of authentication clients 101a, 101b and 101c may be configured to receive biometric inputs 802, 812 and 822 by biometric capable devices 852, 862 and 872 that may be included in authentication clients 101a, 101b and 101c or may be external devices. The plurality of clients 101a, 101b and 101c may be configured to generate 803, 813 and 823 biometric templates from the biometric inputs and to store the generated biometric templates in the clients on enrolment.
[0089] Biometric inputs may be fingerprints, face images, voice recordings, DNA sequences, palm prints, hand geometries, iris images, retina images, odor and scent recordings. However, any biometric input known in the art may be used and such biometric inputs are within the scope of the present invention.
[0090] The plurality of authentication clients 101a, 101b and 101c may be configured to generate asymmetric encryption and decryption key pairs (806 and 808, 816 and 818, 826 and 828) and OTP keys (804, 814 and 824) that may be built upon the generated biometric templates. The plurality of authentication clients 101a, 101b and 101c may be configured to provide 805, 815 and 825 the decryption keys (808, 818 and 828) and OTP keys (804, 814 and 824) to OTP server 113 and to store the generated encryption keys (806, 816 and 826) and OTP keys in the authentication clients.
[0091] Optionally, the plurality of authentication clients may be configured to generate asymmetric encryption and decryption key pairs and/or OTP keys using the biometric inputs and/or the biometric templates.
[0092] Reference is now made to FIG. 9, which illustrates a biometric OTP authentication process, according to certain embodiments. Biometric OTP authentication system 900 may include at least one authentication server 113 and at least one authentication client 101. Authentication client 101 may be configured to issue credentials for biometric authentication request (a) using encrypted OTP 901. OTP server 113 may be configured to authenticate the biometric authentication request (b) by matching the decrypted client's authentication request OTP with OTP server 113's generated OTP. OTP server 113 may be configured to generate OTPs using the OTP keys stored in the authentication server on registration. According to embodiments of the present invention, the OTP authentication process may be a single step authentication process where the information required for biometric authentication is provided in a single step (a).
[0093] Reference is now made to FIG. 10, which illustrates a flow chart of biometric authentication process 1000, according to certain embodiments. Authentication client 101a, may be configured to receive biometric input 802 from biometric capable devices 852 and may be configured to match biometric input 802 with a stored biometric template 1001 generated on registration. If matching 1002, client 101a may be configured to generate an OTP and to encrypt it 1004 using encryption key 806 generated on registration. OTP 1004 may be generated using OTP key 804.
[0094] OTP server 113 may be configured to draw the user's decryption key 808 and OTP key 804 from the server repository using user ID 1006. OTP server 113 may be configured to receive the client's encrypted OTP 1005 and to decrypt the client's OTP 1009 using decryption key 808. OTP server 113 may be configured to generate OTP 1011 using OTP key 804.
[0095] Optionally, OTP server 113 and client 101a may be configured to generate OTPs 1011 and 1004 using, in addition to OTP key 804, a synchronized clock and other synchronized data (not shown).
[0096] OTP server 113 may be configured to match 1013 the client's decrypted OTP 1009 with the server's generated OTP 1011. OTP server 113 may be configured to authenticate the requested biometric authentication 1014 if the two OTPs match 1013.
[0097] Phishing techniques attempt to substitute the content of users' remote directives transmitted over a network by masquerading as a trustworthy entity in the remote directive transmission chain. Phishing techniques may attempt to change remote directives' amounts and receiver's identity in bank transfers or payment orders, change item types and buyer details in purchase orders, and the like.
[0098] According to embodiments of the present invention, approval passwords, generated in both authentication clients and authorization servers, are based on the remote directives' content, among other security keys. Phishing attempts may be prevented since approval passwords that are based on the remote directives' content will not match if the remote directive content is changed by a man-in-the-middle attack or other means. Furthermore, according to embodiments of the present invention, authentication clients may be configured to receive data blocks by means of QR codes (or Bluetooth, Wi-Fi communication, NFC and the like) that are generated by authorization servers, that include the remote directive contents, and to present the contents to users. Thus, users may validate that the content of their remote directives has not been changed using phishing or other malware techniques, which makes the present invention's authorization system a strong authorization system.
[0099] Reference is now made to FIG. 11, which illustrates a remote directive authorization system's submission form, according to certain embodiments. A remote directive's submission form 1101 may include payment order information, such as Name: Mr. John Smith, Account: 123-456789/A and Amount: $15.45, for example.
[00100] Submission form 1101 may appear on a terminal's screen, where the terminal may be configured to transmit the submission form (a) to web server 107. Optionally, submission form 1101 may appear on any kind of computing system's display.
[00101] Reference is now made to FIG. 12, which illustrates a remote directive authorization system's confirmation request, according to certain embodiments. Application server 107 may be configured to transmit a confirmation request with a data block, in plain or encrypted form, (b) to client 101a, the data block containing the remote directive's content in a QR code 1201 representation that may be displayed on a computing system screen (FIG. 1, 103) for example.
[00102] Reference is now made to FIG. 13, which illustrates presenting the remote directive's content and the generated approval password on the client's display, according to certain embodiments. Authentication client 101a (shown in FIG. 12) may be configured to scan the QR code 1301, extract the directive content from the scanned QR code and present 1509 the content on authentication client 101a's display to a user. The remote directive content, which may include for example Name: Mr. John Smith, Account: 123-456789/A, Amount: $15.45, may be presented to the user accompanied by an approval password 1303.
[00103] The approval password, 753847 for example, is the remote directive's content dependent OTP. According to embodiments of the present invention, the remote directive's content dependent approval password is generated by authentication client 101a using the client's OTP key (FIG. 2, 203) and is further encrypted by an encryption key (FIG. 3, 205).
[00104] Reference is now made to FIG. 14, which illustrates submission of an approval password to application server 107, according to certain embodiments. Authentication client 101a may be configured to provide the remote directive's content dependent approval password (c) to application server 107 through terminal 1203. To complete the remote directive authorization process, the authorization server (not shown) may be configured to decrypt the received remote directive's content dependent OTP (c) using decryption key FIG. 3, 215, to generate a remote directive's content dependent approval password using a registered OTP key (FIG. 3, 213) and to match the decrypted client's OTP with the server's generated OTP as illustrated in FIG. 15 below.
[00105] Reference is now made to FIG. 15, which illustrates a remote directive strong authorization process, according to certain embodiments. Remote directive strong authorization system 1500 may include at least one authorization server 1501 and at least one authentication client 101. Authentication client 101 may be configured to generate encryption and decryption keys and OTP keys and to register the OTP and decryption keys on at least one authorization server 1501. Authentication client 101 may be configured to store the decryption key and OTP key in authorization server 1501 and to store the generated encryption key and OTP key in authentication client 101.
[00106] Authorization server 1501 may be configured to provide to authentication client 101 encoded data blocks 1503 that include remote directives' contents 1502. The provided encoded data blocks 1510 may be, for example, in the form of QR codes 1503 (e.g. 2D barcodes). Authentication client 101 may be configured to decode the encoded blocks 1504 and to present the encoded blocks' content 1506 to users, accompanied by encrypted OTP 1505, which is encrypted by encryption key 205, generating approval password 1509. Authentication client 101 may be configured to provide 1520 the encrypted approval password 1509 to authorization server 1501. Authorization server 1501 may be configured to authorize remote directives 1530 by matching 1508 the decrypted authentication clients' communicated approval passwords with the server's generated approval passwords 1507.
[00107] Reference is now made to FIG. 16, which illustrates a flow chart of the remote directive authorization process 1600, according to certain embodiments. Authorization server 1501 is configured to receive 1603 a remote directive 1601. Authorization server 1501 may be configured to encode the remote directive's content in a data block in the form of QR code 1605 and to provide the QR code 1510 to authentication client 101 (e.g. by displaying it on the directive terminal's screen).
[00108] Authentication client 101 may be configured to scan the QR code 1607 and to display the content of the remote directive encoded in the QR code to the user 1609 for validation. Authentication client 101 may be configured to generate approval passwords using OTP key 203 and the remote directives' content 1611. Authentication client 101 may be configured to encrypt the approval passwords using encryption key FIG. 3, 203 and may be configured to provide 1520 the encrypted approval passwords 1611 for authorization on authorization server 1501.
[00109] Authorization Server 1501 may be configured to draw the user's decryption key 215 and OTP key 213 from the authorization server 1501 repository using user name 1604.
[00110] Authorization server 1501 may be configured to decrypt approval passwords 1613 using decryption key 215. Authorization server 1501 may be configured to generate the server's approval passwords 1615 using OTP key 213 and the remote directive content 1606.
[00111] Optionally, authorization server 1501 and client 101 may be configured to generate the server's and client's approval passwords 1615 and 1611 using the synchronized data e.g. clock and the like (not shown). Authorization server 1501 may be configured to match 1617 the decrypted client's approval passwords 1613 with the server's generated approval passwords 1615. Authorization server 1501 may be configured to authorize 1530 the client's remote directive 1601 if the two approval passwords match 1617.
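The content binding that [0098] and FIGs. 15 and 16 describe is the part of the scheme that defeats a substituted directive, and the following added example shows why. It is an illustration written for this page, not code from the patent or its assignee. It assumes that the data block of FIG. 12 carries the directive as a JSON object (the patent uses a QR code; the transport is not material here), that the approval password is a 6-digit truncation of an HMAC under the shared OTP key over a digest of the canonical directive plus a counter (the patent names only "OTP keys and the remote directives' content"), and the same constructed toy RSA parameters as the earlier example, with the client-only exponent standing in for encryption key 205 and the registered exponent for decryption key 215.

```python
"""Remote-directive strong authorization modelled on FIGs. 11-16 (added illustration)."""
import hashlib
import hmac
import json
import secrets
import struct

# Constructed toy RSA parameters: fixed primes, far too small for real use.
_P, _Q = 104729, 1299709
_N, _PHI, _E = _P * _Q, (_P - 1) * (_Q - 1), 65537


def canonical_directive(directive: dict) -> bytes:
    """Stable byte encoding of the directive fields (assumed JSON data block 1503)."""
    return json.dumps(directive, sort_keys=True, separators=(",", ":")).encode()


def approval_password(otp_key: bytes, directive: dict, counter: int, digits: int = 6) -> int:
    """Content-dependent OTP: box 1611 on the client, box 1615 on the server."""
    msg = hashlib.sha256(canonical_directive(directive)).digest() + struct.pack(">Q", counter)
    mac = hmac.new(otp_key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % (10 ** digits)


class AuthenticationClient:
    """Client 101: keeps OTP key 203 and encryption key 205."""

    def __init__(self):
        self.otp_key = secrets.token_bytes(32)
        self._d = pow(_E, -1, _PHI)  # encryption key 205, never registered anywhere
        self.counter = 0

    def registration_keys(self):
        """OTP key 213 and decryption key 215: all the server ever receives."""
        return self.otp_key, (_E, _N)

    def approve(self, data_block: bytes):
        """1607/1609: decode and show the directive; 1611: issue the encrypted approval password."""
        directive = json.loads(data_block)  # what the user sees on the display (FIG. 13)
        pw = approval_password(self.otp_key, directive, self.counter)
        self.counter += 1
        return directive, pow(pw, self._d, _N)  # 1505: encrypted approval password 1509


class AuthorizationServer:
    """Server 1501: repository of user name -> (OTP key 213, decryption key 215, counter)."""

    LOOK_AHEAD = 5  # tolerated counter drift, the "synchronized data" of [00111]

    def __init__(self):
        self.repository = {}

    def register(self, user_id: str, keys):
        otp_key, decryption_key = keys
        self.repository[user_id] = {"otp_key": otp_key, "dec": decryption_key, "counter": 0}

    def data_block(self, directive: dict) -> bytes:
        """1605: encode the directive for transport (the QR payload in the patent)."""
        return canonical_directive(directive)

    def authorize(self, user_id: str, directive: dict, encrypted_pw: int) -> bool:
        """1604/1613-1617: look up keys, decrypt, regenerate from server-side content 1606, match."""
        entry = self.repository.get(user_id)
        if entry is None:
            return False
        e, n = entry["dec"]
        client_pw = pow(encrypted_pw, e, n)  # 1613: decrypt with key 215
        for i in range(self.LOOK_AHEAD):
            candidate = entry["counter"] + i
            if approval_password(entry["otp_key"], directive, candidate) == client_pw:  # 1617
                entry["counter"] = candidate + 1
                return True
        return False
```

The server regenerates the approval password from the directive it holds (1606), never from anything the client sends back, so a directive altered between form submission and the client's display produces a password the server will not accept; and because the client renders the decoded block before the user approves it, the substitution is also visible to the user, which is the two-sided check [0098] relies on. Canonical encoding is what makes the content binding robust: if client and server serialised the same fields differently, honest approvals would fail to match.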
[00112] FIG. 17 illustrates a flowchart of an OTP authentication method, according to certain embodiments. OTP authentication method 1700 includes: in stage 1710, generating, by a plurality of authentication clients, asymmetric encryption and decryption key pairs and OTP keys and registering on authentication servers the decryption keys and OTP keys; in stage 1720, requesting authentication permits by using credentials generated by the plurality of authentication clients, using encrypted OTPs, wherein the OTPs are generated using the OTP keys and encrypted by the encryption keys; in stage 1730, approving the authentication requests, by the authentication servers, by matching the decrypted clients' OTPs with the servers' generated OTPs.
[00113] OTP authentication method 1700 stage 1720 includes a single step authentication that may further include communicating users' IDs to the authentication server.
[00114] OTP authentication method 1700 stage 1730 may include decrypting the authentication request credentials using the decryption keys and generating OTPs using the OTP keys.
[00115] FIG. 18 illustrates a flowchart of a biometric OTP authentication method, according to certain embodiments. Biometric OTP authentication method 1800 includes: in stage 1810, receiving biometric inputs, by a plurality of authentication clients, using biometric capable input devices, generating and storing biometric templates in the authentication clients' devices, generating asymmetric encryption and decryption key pairs and OTP keys and registering on authentication servers the decryption keys and OTP keys; in stage 1820, matching, by the plurality of authentication clients, biometric inputs with biometric templates; in stage 1830, requesting authentication permits using authentication credentials, e.g. encrypted biometric OTPs, wherein the authentication credentials are generated using the OTP keys and encrypted by the encryption keys; in stage 1840, authenticating the authentication requests by matching the decrypted clients' OTPs with the servers' generated OTPs.
[00116] Biometric OTP authentication method 1800 stage 1810 generating asymmetric encryption and decryption key pairs and OTP keys may include generating the keys using the biometric templates.
[00117] Biometric OTP authentication method 1800 stage 1830 includes a single step authentication that may further include communicating users' IDs to the authentication server.
[00118] Biometric OTP authentication method 1800 stage 1840 may include, by the authentication server, decrypting the authentication credentials using the decryption keys and generating OTPs using the OTP keys.
[00119] FIG. 19 illustrates a flowchart of a remote directive strong authorization method, according to certain embodiments. Remote directive OTP strong authorization method 1900 includes: in stage 1910, generating, by a plurality of clients, asymmetric encryption and decryption key pairs and OTP keys and registering on authorization servers the decryption keys and OTP keys; in stage 1920, transmitting, by the authorization servers, encoded data blocks that include remote directives' content to authentication clients; in stage 1930, communicating, by the plurality of authentication clients, encrypted approval passwords based on the remote directives' content and the OTP keys; in stage 1940, authorizing the remote directives by matching decrypted clients' approval passwords with servers' generated approval passwords.
[00120] Remote directive strong authorization method 1900 stage 1940 may include decrypting clients' approval passwords using decryption keys and generating approval passwords using remote directives' content and OTP keys.
[00121] The plurality of authentication clients of remote directive strong authorization method 1900 may include a plurality of terminals configured to communicate messages to authorization servers and to present data blocks (e.g. QR codes) received from the authorization servers to users.
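The registration, single-step login and remote-directive approval flows described above (methods 1700 to 1900), as an added Go example that is not the patent's or Biothent's code: the OTP is RFC 4226 HOTP, one of the algorithms claim 5 lists, and the patent's "encrypt with the encryption key / decrypt with the decryption key" step is realised as an Ed25519 signature over the OTP that the server verifies against its own OTP, a substitution of mine. The approval-password construction (HOTP truncation over the directive content), the three-value counter window and all type and function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// otp is RFC 4226 HMAC-SHA1 dynamic truncation over msg: an 8-byte counter gives plain
// HOTP; the remote directive content gives method 1900's approval password (assumed form).
func otp(key, msg []byte) string {
	mac := hmac.New(sha1.New, key)
	mac.Write(msg)
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// Client keeps the encryption key (an Ed25519 private key here); it never leaves the device.
type Client struct {
	id      string
	encKey  ed25519.PrivateKey
	otpKey  []byte
	counter uint64
}
// Registration is all the server holds; a breach of it yields OTP values, not the encryption key.
type Registration struct {
	decKey  ed25519.PublicKey
	otpKey  []byte
	counter uint64
}
type Server struct{ users map[string]*Registration }
// NewClient generates the key pair and the OTP key on the device (stage 1910).
func NewClient(id string) (*Client, error) {
	_, enc, err := ed25519.GenerateKey(rand.Reader)
	otpKey := make([]byte, 20)
	if err == nil {
		_, err = rand.Read(otpKey)
	}
	return &Client{id: id, encKey: enc, otpKey: otpKey}, err
}
// Register sends only the decryption key and the OTP key to the server (stage 1910).
func (s *Server) Register(c *Client) {
	s.users[c.id] = &Registration{decKey: c.encKey.Public().(ed25519.PublicKey), otpKey: c.otpKey}
}
// Credential is the OTP over msg (login counter or directive content) "encrypted" by signing it.
func (c *Client) Credential(msg []byte) []byte {
	return ed25519.Sign(c.encKey, []byte(otp(c.otpKey, msg)))
}
// Check regenerates the OTP over msg from the registered OTP key and "decrypts" by verifying it (stage 1940).
func (s *Server) Check(id string, msg, enc []byte) bool {
	reg, ok := s.users[id]
	return ok && ed25519.Verify(reg.decKey, []byte(otp(reg.otpKey, msg)), enc)
}
// Login is the single-step request: user ID plus encrypted HOTP; the client counter advances.
func (c *Client) Login() (string, []byte) {
	enc := c.Credential(binary.BigEndian.AppendUint64(nil, c.counter))
	c.counter++
	return c.id, enc
}
// VerifyLogin accepts a small counter window and moves past the match, so a captured credential cannot replay.
func (s *Server) VerifyLogin(id string, enc []byte) bool {
	reg, ok := s.users[id]
	for i := uint64(0); ok && i < 3; i++ {
		if s.Check(id, binary.BigEndian.AppendUint64(nil, reg.counter+i), enc) {
			reg.counter += i + 1
			return true
		}
	}
	return false
}
```

The Registration struct is the whole of what a server compromise exposes: the OTP key, and so OTP values, but not the encryption key, which is the property paragraph [00123] relies on.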
[00122] Advantageously, the above described OTP authentication system may be used to authenticate in a single step, similarly to static password authentication systems.
[00123] Another advantage of the above described OTP authentication system is that authentication clients are configured to encrypt credentials using encryption keys generated and stored only in the authentication clients; thus the encryption keys are not provided to authentication servers and hence cannot be stolen from or leaked by authentication servers.
[00124] Advantageously, the above described biometric OTP authentication system may be used for biometric authentication without storing biometric identifiers in biometric database repositories.
[00125] Another advantage of the above described biometric OTP authentication system is that biometric authentication may be a single step authentication similar to static password authentication systems.
[00126] Advantageously, the above described remote directive strong authorization system may be used to authorize remote directives and prevent phishing attacks by the usage of encrypted approval passwords that are based on the remote directive content and OTP keys.
[00127] Another advantage of the above described remote directive authorization system is that it is a strong authentication system that uses asymmetric encryption and decryption key pairs to encrypt and decrypt OTPs, e.g. the approval passwords, and furthermore uses the content of the remote directives as an additional security factor when generating the approval passwords.
[00128] Although the invention has been described in conjunction with specific embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, it is intended to embrace all such alternatives, modifications and variations that fall within the spirit and broad scope of the appended claims.
[00129] It is appreciated that certain features of the invention, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable sub-combination.
[00130] Unless otherwise defined, all technical and scientific terms used herein have the same meanings as are commonly understood by one of ordinary skill in the art to which this invention belongs. Although methods similar or equivalent to those described herein can be used in the practice or testing of the present invention, suitable methods are described herein. In addition, the methods and examples are illustrative only and not intended to be limiting.
[00131] It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather the scope of the present invention is defined by the appended claims and includes both combinations and sub-combinations of the various features described hereinabove as well as variations and modifications thereof, which would occur to persons skilled in the art upon reading the foregoing description. While preferred embodiments of the present invention have been shown and described, it should be understood that various alternatives, substitutions, and equivalents can be used, and the present invention should only be limited by the claims and equivalents thereof.

Claims

What is claimed is:
1. An asymmetric OTP authentication system, the system comprising:
a plurality of authentication clients and at least one authentication server,
wherein said plurality of authentication clients are configured to generate asymmetric encryption and decryption key pairs and OTP keys, register in said at least one authentication server said decryption keys and OTP keys,
wherein said plurality of authentication clients are configured to generate OTPs using said OTP keys, to encrypt said generated OTPs using said encryption keys and to provide to said authentication server said encrypted OTPs, wherein said at least one authentication server is configured to decrypt said clients' OTPs using said decryption keys, to generate servers' OTPs using said OTP keys and to authenticate requests by matching said decrypted authentication clients' OTPs with said server's generated OTPs.
2. The system according to claim 1, wherein authentication requests, by said authentication clients, are single step processes.
3. The system according to claim 1, wherein said authentication clients are configured to initiate registration processes on a plurality of authentication servers.
4. The system according to claim 1, wherein said authentication clients are configured to store in said authentication clients said generated encryption keys.
5. The system according to claim 1, wherein said OTPs are generated using an algorithm selected from the group consisting of: RFC 1760 (S/KEY), RFC 2289 (OTP), RFC 4226 (HOTP), RFC 6238 (TOTP), and combinations thereof.
6. The system according to claim 1, wherein said authentication clients are selected from the group consisting of: tokens, mobile devices, computing systems and combinations thereof.
7. The system according to claim 1, wherein said plurality of authentication clients are further configured to receive biometric inputs, by biometric capable input devices, to generate and store biometric templates in said authentication clients.
8. The system according to claim 7, wherein said OTP keys and/or said asymmetric encryption and decryption key pairs are built upon said stored biometric templates.
9. The system according to claim 8, wherein said plurality of authentication clients configured to receive biometric inputs are further configured to match said biometric inputs with said stored biometric templates and to generate said OTPs if said biometric inputs and said biometric templates match.
10. The system according to claim 9, wherein said biometric inputs are selected from the group consisting of: fingerprints, face images, voice recordings, DNA sequences, palm prints, hand geometries, iris images, retina images and odor and scent recordings.
11. The system according to claim 1, wherein said OTP authentication system is configured to authorize remote directives, wherein approval passwords are said encrypted OTPs, wherein prior to generating said approval passwords, said plurality of authentication clients are configured to receive encoded data blocks that include the remote directives' content, and wherein said generated approval passwords are generated using said OTP keys, said encryption and decryption keys and said remote directives' content.
12. The system according to claim 11, wherein said plurality of authentication clients further comprise means for receiving said data blocks from terminals and extracting said remote directives' content from said data blocks.
13. The system according to claim 12, wherein said plurality of authentication clients further comprise means for displaying said extracted remote directives' content accompanied with said clients' generated approval passwords.
14. The system according to claim 11, wherein said encoded data blocks are selected from the group consisting of: QR codes, Bluetooth, NFC, Wi-Fi transmission and combinations thereof.
15. An asymmetric one-time-password (OTP) authentication method, the method comprising:
generating, by a plurality of authentication clients, asymmetric encryption and decryption key pairs and OTP keys and registering on at least one authentication server said decryption keys and OTP keys;
generating authentication credentials, by said plurality of authentication clients, using encrypted OTPs wherein said OTPs are generated using said OTP keys and encrypted using said encryption keys; and
authenticating said authentication requests, by said authentication servers, by decrypting said authentication clients' OTPs using said decryption keys, generating servers' OTPs using said OTP keys, and matching said decrypted authentication clients' OTPs with said servers' generated OTPs.
16. The method according to claim 15, wherein said requesting authentication permits comprises transmitting said encrypted OTPs in a single step.
17. A biometric asymmetric encrypting one-time-password (OTP) authentication method, the method comprising:
receiving biometric inputs, by a plurality of authentication clients, by biometric capable input devices, generating and storing biometric templates in said clients' devices, generating, using said biometric templates, biometric asymmetric encryption and decryption key pairs and OTP keys, and registering in at least one authentication server said decryption keys and OTP keys;
matching, by said plurality of authentication clients, biometric inputs with biometric templates;
generating authentication credentials, by said plurality of authentication clients, using said encrypted OTPs wherein said OTPs are generated using said OTP keys and encrypted using said encryption keys; and
authenticating said authentication requests, by said authentication servers, by decrypting said clients' OTPs using said decryption keys, generating servers' OTPs using OTP keys, and by matching said decrypted authentication clients' OTPs with said servers' generated OTPs.
18. The method according to claim 17, wherein said requesting biometric authentication comprises transmitting said encrypted OTPs in a single step.
19. A remote-directive strong authorization method, the method comprising:
generating, by a plurality of authentication clients, asymmetric encryption and decryption key pairs and OTP keys and registering on authorization servers, said decryption keys and OTP keys;
transmitting, by said authorization servers, encoded data blocks that include the encoded content of remote directives to said authentication clients;
communicating, by said plurality of authentication clients, encrypted approval passwords generated using said remote directives' content and OTP keys and encrypted by said encryption key;
authorizing said remote directives, by said authorization servers, by decrypting said clients' approval password using said decryption keys, generating servers' approval passwords using said remote directives' content and OTP keys, and by matching said decrypted authentication clients' approval passwords with servers' generated approval passwords.
20. The method according to claim 19, further comprising a plurality of terminals used for communicating messages to said authorization servers and for presenting data blocks received from said authorization servers to users.
21. The method according to claim 19, wherein said encoded data blocks are QR codes, Bluetooth, NFC, Wi-Fi transmission and combinations thereof.

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US201361779707P 2013-03-13 2013-03-13
US201361779580P 2013-03-13 2013-03-13
US61/779,707 2013-03-13
US61/779,580 2013-03-13
US201361846172P 2013-07-15 2013-07-15
US61/846,172 2013-07-15

Publications (1)

Publication Number Publication Date
WO2014141263A1 true WO2014141263A1 (en) 2014-09-18

Family

ID=51536009

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2014/050263 WO2014141263A1 (en) 2013-03-13 2014-03-13 Asymmetric otp authentication system

Country Status (1)

Country Link
WO (1) WO2014141263A1 (en)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14765417; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
WPC Withdrawal of priority claims after completion of the technical preparations for international publication
Ref document number: 61/846,172; Country of ref document: US; Date of ref document: 20150907; Free format text: WITHDRAWN AFTER TECHNICAL PREPARATION FINISHED
Ref document number: 61/779,580; Country of ref document: US; Date of ref document: 20150907; Free format text: WITHDRAWN AFTER TECHNICAL PREPARATION FINISHED
Ref document number: 61/779,707; Country of ref document: US; Date of ref document: 20150907; Free format text: WITHDRAWN AFTER TECHNICAL PREPARATION FINISHED
122 Ep: pct application non-entry in european phase (Ref document number: 14765417; Country of ref document: EP; Kind code of ref document: A1)