A secured data channel is used when users or systems remotely access protected assets in the information systems of a service provider. Protected assets may be of varying character: they may be confidential information, or information intended for publication that only authorised persons are allowed to change; they may relate to carrying out various actions or transactions using information and communication technologies; or they may concern setting instructions for various devices, or obtaining measured or otherwise acquired information or data.
Data channel security is the limiting factor for the level of protection of protected assets during remote access. The overall security level of the protected assets cannot be higher than the security of the data channel. This follows from the general rule of security that the overall security level is set by the security level of the weakest element.
The data channel security is limited by authentication, i.e. the verified establishment of the identity of the systems or users, or of the operators or owners of the systems, on both ends of the data channel.
Authentication—the verification of electronic identity, typically performed remotely before the target electronic service is used—is performed before the creation of a secured data channel or as a part of the data channel creation, before the start of data transfer through the data channel.
The data channel is used to protect data transfer during remote access to the target electronic service, protecting the authorised user against access to the service by unauthorised users, e.g. an attacker.
A secured data channel is protected by an authenticated shared secret, which is known only to the systems on both ends of the data channel. The creation of the authenticated shared secret includes the identity check, i.e. authentication of the users or systems on both ends of the data channel.
Another known variant is that the data channel is created without authentication or with partial authentication and is subsequently used for authentication of the user for the target application. In such a case, the data channel uses a non-authenticated shared secret and cannot act as a secure one. Because no full-value authentication of the data channel was performed, an attacker may abuse the channel, may abuse or otherwise attack the authentication of the user for the target application, and may consequently successfully attack the target application itself.
To ensure the security of both the data channel and the target application, it was necessary to perform double authentication, for the data channel and for the target application, or to connect the data channel and the target application in some other way.
Some methods of connecting the target application with the data channel (Channel Bindings) are known. They serve to improve the security of application communication by using, in the authentication performed by the application, the result of the data channel authentication performed before or at the moment of the creation of the data channel.
External authentication is not used for data channel authentication at the present time. The user or the system to be authenticated has the authentication secrets (credentials) available and either uses them directly for authentication, for example in the case of authentication by password, or uses the secret to perform the cryptographic operation needed for authentication, as in the case of authentication by a Public Key Infrastructure.
The aim of the invention is to eliminate the current weak point of electronic communication security, i.e. insufficient, non-functional, weak or hard-to-use authentication of the secure channel, and in this way to increase the resistance of electronic communication, mainly remote, against various attacks, including highly qualified ones, and to significantly decrease the risks of electronic communication.
Furthermore, the aim of the presented invention is to simplify the use of external authentication by reducing the data transfer between the external authentication system and the data channel, or the target application, to a one-way transfer at one moment. This allows the use of other data transfer technologies that are commonly available but could not be used for more complicated methods of data transfer.
Base of the Invention
The subject of the invention is a method of secured data channel authentication, characterised by the fact that first a non-authenticated encrypted data channel is created between two parties using a non-authenticated shared secret obtained by ordinary cryptographic methods, e.g. using key-agreement, guaranteeing existence of only two ends of the data channel or a temporarily generated pair of cryptographic keys.
Then, using the non-authenticated data channel, the information needed for authentication of the user and the data channel may be (confidentially) transferred, e.g. the external authentication service URL, a challenge, or an authentication/data session identifier.
Subsequently, the data channel endings on both sides each create a cryptographic derivate of the non-authenticated shared secret of the data channel, e.g. using a pseudo-random cryptographic function using the signature by the shared secret. The method of derivate creation guarantees that the derivates of the shared secret calculated on both endings of the data channel have an identical value if the shared secrets are identical. The calculation may be performed e.g. using ordinary asymmetrical pseudo-random algorithms of the type HASH or HMAC.
Then, using the external communication means on both ends of the data channel, but outside the data channel, the data derived from the non-authenticated shared secret (at least a derivate of the non-authenticated shared secret of the data channel, or information derived from it) are transferred to the appropriate inputs of the external authentication (external authentication system or service).
The data derived from the non-authenticated shared secret can be the derivate of the non-authenticated shared secret or a modified derivate of the non-authenticated shared secret, e.g. obtained by modification with additional data or a derivate calculated from the non-authenticated shared secret and additional data or a derivate calculated from non-authenticated shared secret and additional data and further modified, e.g. by additional data. The modification by additional data may be performed by the data channel endings or by target applications on each side of the data channel and/or by the side of the authentication system. The modification may be performed on both sides of the data channel by the same component or by a different component on each side of the data channel. The additional and/or supplemental data may be created by the data channel ending and/or by the target application and/or by the side of the external authentication system. The additional and/or supplemental data may be created on both sides of the data channel by the same component or by a different component on each side of the data channel.
After the external authentication receives the data derived from the non-authenticated shared secret on both ends of the data channel, it performs authentication of the passed data derived from the non-authenticated shared secret of the data channel, usually by using the user's or provider's authentication secret accessible to the external authentication. This is done in such a way that the authentication of the data derived from the non-authenticated shared secret and the authentication of the user or the system are connected in a cryptographically reliable way, e.g. using a signature or encryption by the secret or by an otherwise authenticated secret.
The external authentication is a special system, a set of programmes and devices, or an electronic service able to independently perform authentication of users or systems and other authenticated secure operations, including authentication of data derived from the non-authenticated shared secret of a data channel. It is separated from the data channel and does not use the data channel for the transfer of information.
External communication means may e.g. use technologies of local communication, such as easily and intuitively performable optical communication using scanning and displaying of QR codes, technologies of wireless communication over short distances, optical communication, a local network, or built-in internal communication in the device, or other ordinary appropriate means such as the internal network of the service provider, the internal protected network of “cloud” service providers, or secure remote communication.
Authentication of data derived from non-authenticated shared secret may be performed using the External authentication system e.g. based on comparison of derivates developed from data derived from non-authenticated shared secret and authenticated secret of the user and/or system or it may be performed using the External authentication system via a cryptographic signature using the temporary signature key authenticated during authentication of the user and/or system using the External authentication; or it may be performed using the External authentication system by encrypting using a temporary encryption key authenticated during authentication of the user and/or system using the External authentication system; or it may be performed using the External authentication system by comparison of derivates developed from data derived from non-authenticated shared secret and temporary secret authenticated during authentication of the user and/or system using the External authentication system; or it may be performed using the External authentication system in such a way that handed over data derived from the non-authenticated shared secret of the data channel will be used by the External authentication system for authentication of the user in such a way that these will replace the challenge while using the authentication protocols of the challenge-response type.
In this way the data channel, or its shared secret, is also authenticated, i.e. both the user or the system on both ends of the external authentication system and the data channel are authenticated.
The external authentication (authentication system/service) may subsequently pass the result of authentication to the target application, including relevant information on the authenticated user or system as well as on the user or system on the other side of the data channel.
From the moment of successful authentication of the data derived from the non-authenticated shared secret of the data channel, the data channel is authenticated and becomes a secure authenticated data channel that may be used by an authenticated target application for secure communication with the authenticated user of the target application.
The term "user" means a real person using the relevant electronic device as well as the electronic system or electronic device itself.
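The procedure described above, as an added example that is not part of the original text: a Python sketch of the derivate-comparison variant, run once over a direct channel and once over a channel that a third party terminates separately towards each end. The toy Diffie-Hellman group, the function names and the sample session identifier are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, chosen for brevity (assumption; not for production).
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    # Non-authenticated shared secret: nothing proves who owns peer_pub.
    return pow(peer_pub, priv, P).to_bytes(32, "big")

def derivate(secret, additional=b""):
    # Derivate of the shared secret plus additional data (e.g. a session id).
    return hmac.new(secret, b"channel-derivate|" + additional, hashlib.sha256).digest()

def ext_auth_tag(user_secret, channel_derivate):
    # External authentication ties the derivate to the user's authentication secret.
    return hmac.new(user_secret, channel_derivate, hashlib.sha256).digest()

def authenticate_channel(intermediary=False, session_id=b"session-0001"):
    # Constructed secret, known only to the external authentication on both ends.
    user_secret = secrets.token_bytes(32)
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    if intermediary:
        # A third party terminates the channel towards each end separately,
        # so the two endings hold different non-authenticated secrets.
        _, m_pub = keypair()
        c_secret = shared_secret(c_priv, m_pub)
        s_secret = shared_secret(s_priv, m_pub)
    else:
        c_secret = shared_secret(c_priv, s_pub)
        s_secret = shared_secret(s_priv, c_pub)
    # Each ending hands its derivate to the external authentication out of band.
    client_tag = ext_auth_tag(user_secret, derivate(c_secret, session_id))
    server_tag = ext_auth_tag(user_secret, derivate(s_secret, session_id))
    # The channel is authenticated only if both tags match.
    return hmac.compare_digest(client_tag, server_tag)

if __name__ == "__main__":
    print("direct channel authenticated:", authenticate_channel())
    print("channel with intermediary authenticated:", authenticate_channel(True))
```

The comparison fails in the second run because the derivates are computed from different shared secrets, even though the user's authentication secret is the same on both ends.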