The internet network gave rise to a spectacular development of digital exchanges in the whole world through online applications on web sites. A digital identity (including an identifier known as “login” and a password) allows the access of a user to an application on said web site. As it is known, the pirates and frauds developed tools and techniques to usurp such digital identities, particularly the “horses of Troy”, the “spy” softwares, “keyloggers” and network sniffers such as the “Man in the Middle”. Thanks to such techniques, the identifier and the password of any user being regularly registered by a web site might be captured and used for a abusive logging without the knowledge of the user. The detection of such a fraud is proved to be difficult because of the fact that the digital data can be modified almost without leaving traces. Moreover, the attack can be carried instantaneously from a computer being in a distance of thousands of kilometers, rendering any protection particularly difficult, in particular on the legal level.
The multiplication of the usurpations of digital identities shows nowadays to be a major threat for the digital economy in general and the online trade in particular.
This results to a source of significant insecurity.
Techniques for improving the security of control access of digital applications are already known. Indicated under the name “strong authentication”, they add to the control what the authorized user knows (his password), what he owns (a hardware element) or what he is (its biometric data such as for example its digital fingerprints).
A first technique designated as “One Time Password” consists in providing each legitimate user with an electronic device able to generate a random number being used as a password at the time of his connection to the online application. Thus, the interception or the capture of the password will not allow the access to the application in question, because this password will not be valid any more since it will have been already used and thus will have been valid only once, from which it comes the denomination One Time Password.
Another known technique under the name of “outside band” consists in the transmission of a message through another communication channel, for example an SMS on the mobile phone of the user when the latter wishes to be connected to its information system or to the web site in question. The authentication procedure succeeds only when the web server receives communication of the code dispatched to the user through the other transportation route. This results in that a hacker who might have successfully intercepted and controlled what the legitimate user made on his work station, will not be able to recover the missing element transmitted by the mobile phone and outside of his range.
Another technique based on the infrastructures with public keys (PKI) consists in arranging within each user's system an electronic certificate. When the user connects to the application, the control access mechanism checks the presence of said certificate on its interface and validates an authentication sequence.
Another technique consists in comparing the biometric file of the authorized user, for example his digital fingerprint, with a biometric characteristic of reference and stored, either in a smart card or in the server of the control access at the time of the enrolment of this user.
All those techniques generate a token of access, conventionally designated by “token” in the Anglo-Saxon literature, which theorically allows the authentication of the legitimate user only. As this can be understood, it is critical in all these techniques that a second presentation of this token (i.e. a new “set” of token) by any person cannot lead to an illegitimate authentication and, consequently, to a fraud on the network.
Although these techniques show a well established and undeniable effectiveness, one should notice that they were designed and carried out well earlier than the development and wide spreading of the Internet which is known today. In this respect, these techniques show significant drawbacks as the society moves towards a fully dematerialized economy and the public tends to generalize the use of Internet network for all kinds of possible transactions. Thus, techniques which could appear effective and adapted to a restricted circle of users—i.e. users having a wide know-how regarding the installation of sophisticated systems and software on their machine—these same techniques nowadays show prohibitive disadvantages as there is a need for everybody to take advantage of all the possibilities offered by the Internet network.
The European patent application 04368072.7 filed on Dec. 1, 2004 by the Assignee of the present application describes a very effective process of authentication based on the collection of a wide number of elements of information available from the operating system, in particular those involved in the checking of the availability of the drivers allowing interface with the OS. Such information, when being collected, allows the generation of a unique information, characterizing the system, and allowing to distinguish it from any other systems. This information—designated as ‘digital DNA” or DDNA by the Assignee of the present application allows to significantly increase the security of the authentication procedure.
Thus, the process which is described in the above mentioned patent application considerably improves the security of the identity of the users and, in no way, requires the disclosure of the elements of the personal identity of the user (name, residence, etc. . . . ). However, this process presents the disadvantage of exposing in a non appropriate way this particularly sensitive digital information which is the “digital DNA” rendering the user's machine unique.
Thus, any third party might be capable of intercepting such “digital DNA” information, and diverting it from its authorized use and proceeding to a usurpation of identity, which one absolutely wishes to avoid.
To avoid such situation, it is advisable to have a specific technique, perfectly adapted to the protection of DDNA information particularly during its transmission through the internet network.
Such is the problem to be solved by the object of the present patent application.