1. Field of the Invention
The present invention relates to methods and devices for secure transmission of information using a standard mobile device, such as a mobile phone.
2. Description of the Related Art
The number and variety of computer-based services that can be accessed remotely, either by means of public access channels such as the Internet or telephone networks, or through media such as interactive TV continues to grow exponentially. As many of these services are financial in nature or are otherwise sensitive as to who gets access to what information, there is a great demand for authenticating the identity of someone before granting that person access to potentially sensitive information. All authentication methods can be reduced to a combination of providing proof of something a user knows, has (e.g., owns), or is.
For example, a popular method to authenticate people is the “username-password” method. Users claim an identity and then prove it by providing a secret password, so this method is of the “proving something you know” type. While very simple to implement, it has serious security weaknesses. As most people are not very good at memorizing secret passwords, they tend either to choose easy-to-remember passwords or to write the passwords down. In both cases the security of the username-password method is considerably compromised.
An alternative to the ‘something you know’ method is the ‘something you have’ method. Instead of proving the user's identity by proving that they know some secret, the user must prove that they are in possession of some physical personalized object, e.g. a computer-based key device (also known as a token) or smart card. In essence this is the same concept as being able to enter a building because you possess the key to the door. Unfortunately, physical objects can be lost or stolen.
To attain a higher level of security, one can combine the “something you know” and “something you have” methods. In this scenario, in order to prove their identity the user must prove both that they know some secret and that they possess some specific object. An example is a smart card that can only be used after the user has presented a secret personal identification number (PIN). Another example is the so-called strong authentication token, which generates one-time passwords. In their most common form these strong authentication tokens are small handheld battery-powered devices with a display and a keyboard that look much like pocket calculators. Examples of such devices are the Digipass™ devices and related technologies from Vasco Data Security, Inc., which are described in further detail in the following applications and patents, each of which is incorporated herein by reference in its entirety: U.S. Provisional Patent Application 60/287,858, entitled “Use And Generation of a Session Key in a Secure Socket Layer Connection”, filed on May 1, 2001; U.S. patent application Ser. No. 09/500,533, entitled “Security Access and Authentication Token With a Private Key Transport Functionality”, filed on Feb. 9, 2000; U.S. patent application Ser. No. 09/789,197, entitled “Field Programmable Smart Card Terminal and Token Device”, filed on Feb. 20, 2001; U.S. Pat. No. 4,599,489, entitled “Solid state key for controlling access to computer software”; U.S. Pat. No. 4,609,777, entitled “Solid state key for controlling access to computer software”; and U.S. Pat. No. 4,819,267, entitled “Solid state key for controlling access to computer systems and to computer software and/or for secure communications”. When using such a device, after the user has entered their secret PIN, the strong authentication token calculates a dynamic value. The calculation of this value is based on a secret that is unique to each token instance and on an input value. This input value can, for example, be a challenge entered by the user, a time value provided by the token device's internal clock, or both. The dynamic value (or one-time password) can then be used to prove to a server that one is in possession of the token device and that one knows the PIN for that token device.
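The token scheme described above, as an added worked example that is not part of the patent text and is not the Digipass algorithm: a PIN-gated token holding a per-instance secret computes the dynamic value as an HMAC-SHA256 over the input (a server-issued challenge, a time counter, or both), truncated HOTP-style to six digits, and a server holding the same secret verifies it. The construction is modelled on RFC 4226/6238; all class and function names, the 30-second time step, the six-digit width, the three-attempt PIN lockout and the sample secret, PIN and serial are assumptions made for the example.

```python
"""Added example: PIN-gated strong authentication token and its verifying
server, modelled on HOTP/TOTP (RFC 4226 / RFC 6238).  Not the Digipass
algorithm; all names and constants here are assumed for illustration."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Set, Tuple

OTP_DIGITS = 6          # assumed display width of the token
TIME_STEP_SECONDS = 30  # assumed granularity of the token's clock
MAX_PIN_ATTEMPTS = 3    # assumed lockout threshold for wrong PINs


def input_value(challenge: Optional[str] = None, counter: Optional[int] = None) -> bytes:
    """Encode the token input: a challenge, a time counter, or both.
    Each part is tagged and length-prefixed so different combinations
    can never produce the same byte string."""
    if challenge is None and counter is None:
        raise ValueError("token needs a challenge, a time counter, or both")
    parts = []
    if challenge is not None:
        data = challenge.encode()
        parts.append(b"C" + struct.pack(">I", len(data)) + data)
    if counter is not None:
        parts.append(b"T" + struct.pack(">Q", counter))
    return b"".join(parts)


def dynamic_value(secret: bytes, data: bytes) -> str:
    """The one-time password: HMAC of the input under the per-token secret,
    dynamically truncated to OTP_DIGITS decimal digits (HOTP-style)."""
    mac = hmac.new(secret, data, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # 0..15, so offset+4 <= 19 < 32
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


class StrongAuthToken:
    """Models the handheld device: it holds the per-instance secret and only
    computes a value after the correct PIN was entered (know + have)."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        # Keep a keyed hash of the PIN rather than the PIN itself.
        self._pin_check = hmac.new(secret, pin.encode(), hashlib.sha256).digest()
        self._failed = 0
        self._unlocked = False

    def enter_pin(self, pin: str) -> bool:
        if self._failed >= MAX_PIN_ATTEMPTS:
            return False                          # locked; issuer must reset it
        guess = hmac.new(self._secret, pin.encode(), hashlib.sha256).digest()
        self._unlocked = hmac.compare_digest(guess, self._pin_check)
        self._failed = 0 if self._unlocked else self._failed + 1
        return self._unlocked

    def compute(self, challenge: Optional[str] = None, now: Optional[float] = None) -> str:
        if not self._unlocked:
            raise PermissionError("PIN not entered")
        counter = None if now is None else int(now) // TIME_STEP_SECONDS
        return dynamic_value(self._secret, input_value(challenge, counter))


class AuthServer:
    """Holds the same secret per token serial and verifies submitted values."""

    def __init__(self):
        self._secrets: Dict[str, bytes] = {}
        self._pending: Dict[str, str] = {}            # serial -> outstanding challenge
        self._used: Set[Tuple[str, int]] = set()       # (serial, counter) already accepted

    def enroll(self, serial: str, secret: bytes) -> None:
        self._secrets[serial] = secret

    def issue_challenge(self, serial: str) -> str:
        """Server-chosen random challenge; remembering it stops a client from
        answering a challenge it picked itself."""
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[serial] = challenge
        return challenge

    def verify_response(self, serial: str, otp: str) -> bool:
        challenge = self._pending.pop(serial, None)    # single use: no replay
        if challenge is None or serial not in self._secrets:
            return False
        expected = dynamic_value(self._secrets[serial], input_value(challenge=challenge))
        return hmac.compare_digest(expected, otp)

    def verify_time_otp(self, serial: str, otp: str, now: float, window: int = 1) -> bool:
        """Accept the current step and `window` steps either side (clock drift),
        but never accept the same step twice for one token (replay)."""
        secret = self._secrets.get(serial)
        if secret is None:
            return False
        centre = int(now) // TIME_STEP_SECONDS
        for counter in range(centre - window, centre + window + 1):
            if (serial, counter) in self._used:
                continue
            if hmac.compare_digest(dynamic_value(secret, input_value(counter=counter)), otp):
                self._used.add((serial, counter))
                return True
        return False


if __name__ == "__main__":
    secret = secrets.token_bytes(32)               # provisioned into token and server
    token, server = StrongAuthToken(secret, pin="4711"), AuthServer()
    server.enroll("DP-0001", secret)
    token.enter_pin("4711")
    chal = server.issue_challenge("DP-0001")
    print("challenge/response ok:", server.verify_response("DP-0001", token.compute(challenge=chal)))
    t = time.time()
    print("time-based ok:", server.verify_time_otp("DP-0001", token.compute(now=t), now=t + 20))
```

The server, not the user, chooses the challenge and consumes it on first use, and time-based values are accepted only within a small drift window and never twice; both details are what keep an intercepted one-time password from being replayed.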
Tokens and smart cards offer a robust solution for many security-conscious organizations. But the cost of purchasing and deploying tokens (as well as software tokens, digital certificates, or smart cards) can limit their accessibility, and does require additional expenditures. Accordingly, there is a need to provide for secure transmission of information without having to deploy security specific devices to end users.
Systems are now available that generate a one-time password and transmit it directly to a mobile phone or other mobile device, where it appears as a text message or e-mail. After viewing it on the display of the mobile device, the end user enters the one-time password into a PC or laptop to gain supposedly secure access to private information. This procedure authenticates the user on the ownership principle (something the user has). Because mobile telephones are so widespread, it may also be less expensive than procedures of comparable security that require additional hardware such as smart cards or tokens. However, the transmission of the one-time password is not encrypted, so the password can be intercepted by an untrusted third party. Further, if the mobile device is lost or stolen, an untrusted third party may be able to obtain one-time passwords and thereby gain access to the private information of the mobile phone's true owner.
Other systems use mobile phones to offer the functionality of authentication tokens either through the use of embedded software, or through a software application residing on a Subscriber Identity Module (SIM) card, thus taking advantage of the fact that a mobile phone is a personal device that people carry around all the time and that is already (typically) equipped with a display and a keyboard. Each SIM card is programmed with specific identification features for a unique user, allowing the mobile phone that contains a SIM to be used for such things as online banking and purchasing that require a secure means of identification. Each SIM card may also be programmed with a private key. A one-time password can then be sent to the mobile phone either as a clear text or encrypted (public key procedure) message. If the one-time password is encrypted, then the SIM card (or embedded software) includes the private key that can be used to decrypt the message. Accordingly, related keys must be stored in a database (public key) and on the SIM card (or embedded software) in the mobile phone (private key). A significant disadvantage of the above described system which relies on SIM cards is that it can only be used with mobile phones that can accept and read SIM cards. Even if the software were embedded in mobile phones (rather than residing on SIM cards), only mobile phones having the application specific software (including a private key) could be used with the system. Stated another way, already deployed mobile phones and new mobile phones not including the appropriate embedded software would not be usable with the above described system.
What is needed are methods and systems that overcome some, and preferably all, of the above described disadvantages. More specifically, there is a need for methods and systems that provide for secure transmission of information (e.g., a one-time password) by taking advantage of mobile devices (e.g., mobile phones) that people carry around all of the time. Preferably, such methods and systems should be usable with already deployed mobile devices; stated another way, it is preferable that they do not require any modification or customization of existing or future mobile devices. Preferably, the transmissions should be secure such that an untrusted third party cannot sniff or otherwise intercept the transmission. Further, if an untrusted third party finds or steals a mobile device, the methods and systems should be such that the untrusted third party cannot gain access to the private information of the mobile device's true owner.