RussianPatents.com

Remote user authentication method and the system for realization of the method

IPC classes for Russian patent RU 2303811 (Remote user authentication method and the system for realization of the method):

G06F21/22 - ELECTRIC DIGITAL DATA PROCESSING (computers in which a part of the computation is effected hydraulically or pneumatically G06D, optically G06E; computer systems based on specific computational models G06N; impedance networks using digital techniques H03H)

FIELD: digital data processing, namely, remote user authentication.

SUBSTANCE: in accordance with the method, electronic user identification data is formed and stored in the authentication server database; this data is compared with the identification data of the user during the procedure of user access to the computer network of the protected system, and on the basis of this comparison a decision is made about the degree of the user's authority.

EFFECT: a passive user authentication mode is possible without the use of hardware.

2 cl, 2 dwg


The invention relates to digital data processing methods intended for commercial applications, in particular to a method for remote authentication of a user who is registered in the corresponding protected system. The method monitors and analyzes the user's authority when the user accesses the computer network of any protected system.

Closest to the claimed solution in technical essence and achieved technical result are:

- The remote user authentication method described in the remote authentication system of patent EP 0986209, IPC 7 H04L 9/32, published 15.03.2000. In this method, electronic user identification data is formed and stored in the database of the authentication server and compared with the identification data of the user when the user performs the procedure of access to the computer network of the protected system; on the basis of this comparison a decision is made about the presence or absence of authorization of the user. Biometric data of the user, in the form of fingerprints, palm prints and/or information on the retina, is used as the electronic identification data of the user, and this data is stored in the database of the authentication server. In addition, the authentication server typically also checks such electronic identification data as the user's login and password.

- The remote user authentication system according to patent EP 0986209, IPC 7 H04L 9/32, published 15.03.2000, contains an authentication server, an application server connected to it via a secure computer network, and a user access terminal; the authentication server contains an access controller, a database of access identifiers and an encryption processing node. The system also includes a device for obtaining biometric data of the user, comprising a fingerprint acquisition node, a palm print acquisition node and a retinal information node.

The main disadvantage of this remote user authentication method and of the system for its implementation is that authentication runs in an active mode: during user authentication a significant flow of data, in the form of information about fingerprints, palm and retina, is sent to the server. This increases the vulnerability of the authentication server, because an attacker may introduce false information into this data stream, including a computer virus.

Another disadvantage of this method and of the system for its implementation is the reduced speed of data transmission from the user access terminal to the authentication server and the application server, since there is an increased flow of information about the user's fingerprints, palm and retina.

A further disadvantage of this method and of the system for its implementation is the need to use, and the high cost of, special equipment in the form of hardware nodes for acquiring biometric information about the user, namely the retina, fingerprints, palm and the like.

The object of the invention is the creation of an efficient remote user authentication method and of a system for its implementation that provide a passive mode of user authentication, thereby reducing to a minimum the flow of data between the user terminal and the authentication server. This also reduces the vulnerability of protected systems to the introduction of a computer virus through the data network or to other malicious acts, and avoids expenditure on hardware nodes.

The problem is solved in that, in the remote user authentication method, electronic user identification data is formed and stored in the database of the authentication server and compared with the identification data of the user when the user performs the procedure of access to the computer network of the protected system, and on the basis of this comparison a decision is made about the presence or absence of authorization of the user. As the electronic identification data of the user that is formed and stored in the database of the authentication server, the history of the usual order of execution of actions by the user during previous procedures of user access to the computer network of the protected system is used. Before being compared with the identification data of the user, the history of the usual order of execution of user actions that is formed and stored in the database of the authentication server is analyzed for essential features; the most frequently repeated user actions, with an indication of possible deviations from some average value, or essential characteristics that coincide each time the user visits the corresponding WEB resource, are taken as these features. The identification data of the user in the database of the authentication server is updated constantly. In addition, the sequence and the duration of the user's actions during previous procedures of user access to the computer network of the protected system are used as the history of the usual order of execution of user actions that is formed and stored in the database of the authentication server.
As the user actions whose history of usual order of execution is formed and stored in the database of the authentication server during the previous procedure of user access to the computer network of the protected system, the time at which the user usually visits the WEB resource, the session duration, the order of opening of the http pages on the WEB resource and the IP address of the user's computer are used. An interactive survey of the user is additionally performed via the authentication server.

The problem is also solved in that the remote user authentication system contains an authentication server, an application server connected to it via a secure computer network, and a user access terminal; the authentication server contains a database of access identifiers, configured to store credentials, and an access controller configured to compare the user identification data stored in the database of access identifiers with the credentials of the user when the user performs the procedure of access to the computer network of the protected system. The authentication server further comprises a database of the history of the usual order of execution of user actions, in which the history data of the usual order of execution of user actions generated by the access controller is stored, and the access controller is provided with a node for analysis of the history of the usual order of execution of user actions.

Using, in accordance with the method and the system for its implementation, the history of the usual order of execution of user actions, whose data is stored in the database from previous procedures of access to the computer network of the protected system, as the electronic identification data of the user provides a passive mode of user authentication. This makes it possible to reduce to a minimum the flow of data passed from the user to the authentication server, that is, only the necessary data, for example the login and password and/or other required data. The user may not even know that his authority is being carefully checked. All this allows not only increasing the reliability of checking the user's authority, but also reducing the vulnerability of the authentication server to false information from malicious acts and reducing the possibility of introducing some kind of computer virus into the data network.

Performing, in accordance with the method and the system for its implementation, the analysis of the essential features of the history of the usual order of execution of user actions that is formed and stored in the database of the authentication server increases the reliability of authentication by selecting, from all the actions the user performs, only the important ones, i.e. those the user is most likely to perform.

Constantly updating the identification data of the user in the database of the authentication server before each procedure of user access to the computer network of the protected system makes it possible to dynamically update the history of the usual order of execution of user actions, which also increases the reliability of checking the user's authority.

Using different types of user actions (operations), as well as their sequence and/or the duration of performing these actions, and combinations of these, as the history of the usual order of execution of user actions that is formed and stored in the database of the authentication server makes it possible to increase the reliability of determining the validity of the user's credentials.

Using as user actions the time at which the user usually visits the WEB resource, the duration of the user's session, the order of opening of the http pages on this WEB resource, the IP address of the user's computer, and combinations of these, can also improve the reliability of validating the user's credentials.

Performing an additional interactive survey of the user about rarely used characteristics of his, when there is doubt about the validity of the user's credentials based on the usual order of execution of actions, makes it possible to take a better informed decision about the user's access to the computer network of the protected system.

The above confirms the presence of causal relations between the set of essential features of the claimed invention and the achievable technical result.

In comparison with the prototype remote user authentication method and system for its implementation, this set of essential features makes it possible to provide a passive mode of user authentication. This reduces the data flow from the user to the authentication server to the required minimum and increases the reliability of checking the user's authority. It also reduces the vulnerability of the authentication server to false information from malicious acts, reduces the possibility of introducing some kind of computer virus into the data network, and avoids spending on hardware nodes for biometric information about the user.

In the author's opinion, the claimed technical solution meets the patentability criteria of "novelty" and "inventive step", because the set of essential features characterizing the remote user authentication method and the system for its implementation is new and does not obviously follow from the prior art.

The invention is illustrated by drawings, where figure 1 shows the structural diagram of the system implementing the remote user authentication method, and figure 2 is a diagram of the sequence of actions of the authentication process.

The remote user authentication method is carried out as follows.

The user, using a user access terminal (personal computer, mobile telephone or other telecommunication device), connects through the corresponding computer network to some protected system in which he is registered as a user and has certain authority to conduct operations, for example an electronic commerce, banking or financial system, a database with restricted access, or an Internet or Intranet system. Each such protected system has its own authentication server, which forms and stores, in addition to the required data in the form of login, password and so on, electronic identification data of the user in the form of the history of the usual order of execution of user actions during previous procedures of access to this protected system. When the user, at his usual time, needs to access via the Internet the protected system in which he is registered, he first performs the standard but necessary actions (steps) using a WEB resource, visiting http pages on this WEB resource. The controller for access and analysis of the history of the usual order of execution of user actions in the authentication server tracks, in passive mode, all user actions (steps), i.e.: the start and end of the session in which the user visits the WEB resource of the protected system; the IP address of the host or user terminal from which the user logged into the protected system; a record of the user's visits to each http page of the corresponding WEB resource and the addresses of these http pages; the time of entry to and exit from each page; the duration of use and the order of opening of the http pages. All of these actions (steps) of the user are compared with the similar actions stored in the database of the authentication server as the history of the usual order of execution of user actions, and if their essential features coincide, the authentication server does not restrict the user's access to the application server.
In the case of a significant discrepancy between these essential features, a ban on admitting the user to the application server is issued; such a ban may be issued after the first, the second or the third significant mismatch. If necessary, in the event of a significant discrepancy, an online survey of the user may be conducted via the authentication server using rarely used characteristics of the user that are stored in the corresponding database of the authentication server.

The data on the history of the usual order of user actions stored in the database of the authentication server is constantly updated each time the user accesses the system.
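The items the method tracks in passive mode (session start and end, the client address, the order of http pages and the time spent on each) can be recovered from ordinary web server access logs. The following Python is an added example, not part of the patent text and not code of any product named here: it parses constructed log lines and groups each user's requests into sessions carrying exactly those fields. The log format, the 30-minute idle gap that closes a session and the rule that a change of client address opens a new session are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (ip, user, timestamp, request, status); not real traffic.
LOG_LINES = [
    '198.51.100.7 - alice [10/Mar/2024:09:02:10 +0000] "GET /login HTTP/1.1" 200',
    '198.51.100.7 - alice [10/Mar/2024:09:02:40 +0000] "GET /accounts HTTP/1.1" 200',
    '198.51.100.7 - alice [10/Mar/2024:09:05:10 +0000] "GET /payments HTTP/1.1" 200',
    '198.51.100.7 - alice [10/Mar/2024:09:12:10 +0000] "GET /logout HTTP/1.1" 200',
    # a visit the next night from a different address: a second session
    '203.0.113.9 - alice [11/Mar/2024:03:14:00 +0000] "GET /login HTTP/1.1" 200',
    '203.0.113.9 - alice [11/Mar/2024:03:14:20 +0000] "GET /transfer HTTP/1.1" 200',
    '203.0.113.9 - alice [11/Mar/2024:03:39:20 +0000] "GET /logout HTTP/1.1" 200',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SESSION_GAP = timedelta(minutes=30)   # assumed idle time that ends a session


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    return event


def sessionize(lines):
    """Group each user's requests into sessions.

    A new session starts when the user changes, the client address changes, or the
    gap since the previous request exceeds SESSION_GAP. Each session records the
    fields the patent's controller observes: start/end, IP, page order, dwell time.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: (e["user"], e["ts"]))
    sessions, cur = [], None
    for e in events:
        if (cur is None or e["user"] != cur["user"] or e["ip"] != cur["ip"]
                or e["ts"] - cur["end"] > SESSION_GAP):
            cur = {"user": e["user"], "ip": e["ip"], "start": e["ts"], "end": e["ts"],
                   "pages": [], "dwell_s": []}
            sessions.append(cur)
        else:
            # time between consecutive requests == time spent on the previous page
            cur["dwell_s"].append((e["ts"] - cur["end"]).total_seconds())
        cur["pages"].append(e["path"])
        cur["end"] = e["ts"]
    for s in sessions:
        s["dwell_s"].append(0.0)   # exit time of the last page is not observable in a log
        s["start_hour"] = s["start"].hour + s["start"].minute / 60
        s["duration_min"] = (s["end"] - s["start"]).total_seconds() / 60
    return sessions


if __name__ == "__main__":
    for s in sessionize(LOG_LINES):
        print(s["user"], s["ip"], round(s["start_hour"], 2), round(s["duration_min"], 2),
              s["pages"], s["dwell_s"])
```

Sorting by (user, timestamp) before grouping means the lines need not arrive in order, and unparseable lines are dropped rather than aborting the run; a production collector would also want to count those drops, since a log format change silently emptying the history would disable the check.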

The preferred embodiment of the system implementing the remote user authentication method, in accordance with Figure 1, contains a protected system 1 in which the user is registered. This protected system 1 has a user access terminal 2, which is connected through a computer network 3 and a WEB server 4 to an authentication server 5, which in turn is connected to an application server 6. The user access terminal 2 is a computer system in the form of a personal computer containing a data encryption processing node 2.1. The authentication server 5 is a computer system that includes a controller 5.1 for access and analysis of the history of the usual order of execution of user actions, a database 5.2 of history data of the usual order of execution of user actions, a database 5.3 of access identifiers (login and password, etc.) and a data encryption processing node 5.4. The application server 6 is a computer system hosting a number of applications, for example a certain number of WEB resources: WEB resource 1 (6.1) ... WEB resource N (6.N).

The remote user authentication system works as follows.

In accordance with Figure 2, the user enters into the user terminal 2, which may be any terminal of the protected system, the access identifiers, i.e. his login and password or PIN. The user access terminal 2, through the data encryption processing node 2.1, the computer network 3 and the WEB server 4, connects to the authentication server 5, sending his request via the authentication server to the application server 6. Next, the user performs the usual and necessary steps of visiting the chosen WEB resource of the application server 6, for example the Internet banking system "Privat-24" (www.privar24.ua), opening the needed http pages on this WEB resource. During this, the controller 5.1 for access and analysis of the history of the usual order of execution of user actions of the authentication server 5 tracks, in passive (one-way) mode, all user actions:

the start and end time of the session in which the user logs into the "Privat-24" system;

the IP address of the host from which the user entered this protected system;

the recorded sequence of the user's visits to each http page and the addresses of these pages; the time of entry to and exit from each page;

the duration of time spent on each page while the user performs the necessary transactions (currency exchange, payment for services, money transfers and the like).

All these actions of the user are compared with the essential features of similar previous actions, whose history of usual order of execution is stored in the database 5.2 of the authentication server 5. These essential features are selected and generated by the controller 5.1 for access and analysis of the history of the usual order of execution of user actions. They are updated in the database 5.2 of history data of the usual order of execution of user actions after each user access to the protected system. The most frequently repeated user actions, with an indication of possible deviations from some average value, or essential characteristics that coincide each time the user visits the corresponding WEB resource, are taken as these features. If the comparison of these user actions by the controller 5.1 for access and analysis of the history of the usual order of execution of user actions shows a match, the authentication server 5 does not restrict the user's access to the application server 6. In case of a significant discrepancy in the analyzed data, a warning signal is first generated at the authentication server 5, and then, after three or another certain number of warnings, a ban on the access of the user terminal to the application server 6 is issued.
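The behaviour of controller 5.1 and database 5.2 described above, together with the essential-feature selection of claim 2 (most frequently repeated values, with a tolerance around the average, or characteristics that coincide on every visit) and the warning count that ends in a ban after three mismatches, as an added Python example that is not part of the patent and not code of any system named here. The session fields, the tolerance floors (one hour, five minutes), the 25% share an address needs to count as usual, the choice to refresh the history only with accepted sessions, and the "survey" outcome standing in for the interactive survey are all assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Session:
    ip: str
    start_hour: float    # hour of day at session start (9.5 == 09:30)
    duration_min: float  # session length in minutes
    pages: tuple         # ordered http pages opened during the session


@dataclass
class Profile:
    """Stand-in for database 5.2: the user's history of the usual order of actions."""
    hours: list = field(default_factory=list)
    durations: list = field(default_factory=list)
    ips: Counter = field(default_factory=Counter)
    orders: Counter = field(default_factory=Counter)

    def update(self, s):
        self.hours.append(s.start_hour)
        self.durations.append(s.duration_min)
        self.ips[s.ip] += 1
        self.orders[s.pages] += 1

    def essential_features(self, k=2.0, min_share=0.25):
        """Select the essential features as claim 2 describes them: the most often
        repeated values, each numeric one with a tolerance band around its mean."""
        def band(xs, floor):
            tol = max(k * pstdev(xs), floor)   # never narrower than `floor` (assumed)
            return mean(xs) - tol, mean(xs) + tol
        n = len(self.hours)
        return {
            "hour": band(self.hours, 1.0),          # +/- at least one hour
            "duration": band(self.durations, 5.0),  # +/- at least five minutes
            "ips": {ip for ip, c in self.ips.items() if c / n >= min_share},
            "order": self.orders.most_common(1)[0][0],
            # pages present in every recorded session: 'coincide each visit'
            "always": set.intersection(*(set(p) for p in self.orders)),
        }

    def mismatches(self, s):
        """Names of the essential features the session does not match (empty == match)."""
        f = self.essential_features()
        found = []
        if not f["hour"][0] <= s.start_hour <= f["hour"][1]:
            found.append("hour")
        if not f["duration"][0] <= s.duration_min <= f["duration"][1]:
            found.append("duration")
        if s.ip not in f["ips"]:
            found.append("ip")
        # the always-visited pages must reappear in their usual relative order
        usual = [p for p in f["order"] if p in f["always"]]
        seen = [p for p in s.pages if p in f["always"]]
        if seen != usual:
            found.append("order")
        return found


class AccessController:
    """Stand-in for controller 5.1: passive check, warning count, ban after max_warnings."""
    def __init__(self, profile, max_warnings=3):
        self.profile, self.max_warnings = profile, max_warnings
        self.warnings, self.banned = 0, False

    def decide(self, s):
        if self.banned:
            return "deny", []
        bad = self.profile.mismatches(s)
        if not bad:
            self.profile.update(s)  # refresh history with accepted sessions only (assumed)
            return "allow", bad
        self.warnings += 1
        if self.warnings >= self.max_warnings:
            self.banned = True
            return "deny", bad
        return "survey", bad   # doubt remains: fall back to the interactive survey


# Constructed history: five ordinary visits from one address around 09:00.
USUAL = ("/login", "/accounts", "/payments", "/logout")
HISTORY = [Session("198.51.100.7", h, d, USUAL)
           for h, d in [(9.0, 10), (9.25, 12), (9.5, 11), (9.0, 9), (9.75, 13)]]
NORMAL = Session("198.51.100.7", 9.4, 12, USUAL)
ODD = Session("203.0.113.9", 3.0, 45, ("/login", "/transfer", "/logout"))


def build_profile():
    p = Profile()
    for s in HISTORY:
        p.update(s)
    return p


def run_demo():
    """Decisions for one usual visit, three anomalous ones, then a usual one again."""
    ctl = AccessController(build_profile())
    return [ctl.decide(s)[0] for s in [NORMAL, ODD, ODD, ODD, NORMAL]]


if __name__ == "__main__":
    print(build_profile().mismatches(ODD))  # ['hour', 'duration', 'ip', 'order']
    print(run_demo())                       # ['allow', 'survey', 'survey', 'deny', 'deny']
```

Refreshing the history only with sessions that passed the check is the one place this example departs from a literal reading of "updated each time the user accesses the system": updating on mismatching sessions as well would let a persistent anomaly gradually become the new "usual order", which is the main weakness a defender has to manage in any profile that learns online.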

The user access terminal 2 can also be implemented as a workstation, a mobile phone or another telecommunications device equipped with an encryption node.

Although the embodiments shown and described here are considered the best for implementing the present invention, it will be clear to specialists in this branch of engineering that various changes and modifications can be made, and elements can be replaced by equivalents, without going beyond the scope of the claims of the present invention.

The compliance of the proposed technical solution with the patentability criterion of "industrial applicability" is confirmed by these examples of carrying out the remote user authentication method and the system for its implementation.

1. A remote user authentication method, in which electronic user identification data is formed and stored in the database of the authentication server and compared with the identification data of the user when the user performs the procedure of access to the computer network of the protected system, and a decision about the presence or absence of authorization of the user is made on the basis of this comparison, characterized in that the history of the usual order of execution of actions by the user during the previous procedure of user access to the computer network of the protected system is used as the electronic identification data of the user that is formed and stored in the database of the authentication server.

2. The method according to claim 1, characterized in that the history of the usual order of execution of actions by the user, which is formed and stored in the database of the authentication server, is analyzed for essential features before being compared with the identification data of the user, and the most frequently repeated user actions, with an indication of possible deviations from some average value, or essential characteristics that coincide each time the user visits the corresponding WEB resource, are taken as these features.

3. The method according to any one of claims 1 and 2, characterized in that the identification data of the user in the database of the authentication server is updated constantly.

4. The method according to claim 1, characterized in that the sequence and the duration of the user's actions during the previous procedure of user access to the computer network of the protected system are used as the history of the usual order of execution of actions by the user, which is formed and stored in the database of the authentication server.

5. The method according to claim 4, characterized in that the time at which the user usually visits the WEB resource, the session duration, the order of opening of the http pages on the WEB resource and the IP address of the user's computer are used as the user actions whose history of the usual order of execution is formed and stored in the database of the authentication server during the previous procedure of user access to the computer network of the protected system.

6. The method according to claim 3, characterized in that an interactive survey of the user is additionally performed via the authentication server.

7. A remote user authentication system, containing an authentication server, an application server connected to it via a secure computer network, and a user access terminal, the authentication server containing a database of access identifiers configured to store credentials, and an access controller configured to compare the user identification data stored in the database of access identifiers with the credentials of the user when the user performs the procedure of access to the computer network of the protected system, characterized in that the authentication server further comprises a database of the history of the usual order of execution of actions by the user, for storing the history data of the usual order of execution of user actions generated by the access controller, and the access controller is provided with a node for analysis of the history of the usual order of execution of actions by the user.


© 2013-2014 Russian business network RussianPatents.com - Special Russian commercial information project for world wide. Foreign filing in English.