Title:
SECURE DATA AUTHENTICATION SYSTEM AND METHOD
Document Type and Number:
WIPO Patent Application WO/2013/014482
Kind Code:
A1
Abstract:
The invention relates to a secure system and method for authenticating data over a call using a variable credential. More particularly, the invention provides secure means for authentication of data in a call between a connecting device and a receiving device, wherein the method comprises pre-configuration of credentials in the receiving device prior to the initiation of call, supply of the pre-configured credentials by the connecting device to the receiving device upon initiation of the call and authentication by the receiving device of the supplied credentials; with at least one of the pre-configured credentials being a variable identification passkey.

Inventors:
LUIRO VESA PEKKA (DE)
CHATRATH VISHAL (DE)
Application Number:
PCT/IB2011/001732
Publication Date:
January 31, 2013
Filing Date:
July 27, 2011
Assignee:
CHLEON AUTOMOTIVE LTD (FI)
LUIRO VESA PEKKA (DE)
CHATRATH VISHAL (DE)
International Classes:
H04L29/06; G06F21/00; H04M3/38
Domestic Patent References:
WO2010052332A1 2010-05-14
Foreign References:
US20090328182A1 2009-12-31
US20110143715A1 2011-06-16
Other References:
None
Attorney, Agent or Firm:
SAHNEY, Garima (B-140 Sector 51,Noida - 1, NCR, IN)
Claims:
CLAIM,

1. A method for authentication of data in a call between a connecting device and a receiving device, wherein the method of authentication comprises:

- pre-configuration of authentication credentials in the receiving device;

- supply of the pre-configured authentication credentials by the connecting device to the receiving device upon initiation of the call;

- staggered authentication by the receiving device of the pre-configured authentication credentials supplied by the connecting device based on number and type of credentials supplied;

with at least one of the pre-configured authentication credentials being a variable identification passkey;

said variable identification passkey being created either by the connecting device or the receiving device or an offline means;

said variable identification passkey being shared with the user of the connecting device prior to the initiation of the call through the offline means, and pre-configured in the receiving device along with other credentials.

2. The method as claimed in claim 1, where constituents for the creation of the variable identification passkey comprising instantaneous input pertaining to the status of the receiving device.

3. The method as claimed in claim 1, where constituents for the creation of the variable identification passkey further comprising at least one spoof-proof detail which is unique, binding and immutable either to the connecting device or the receiving device.

4. The method in Claim 1, wherein the pre-configured authentication credentials include a personal access code.

5. The method in Claim 1, wherein the pre-configured authentication credentials include the subscription identity of the connecting device.

6. The method in Claim 1, wherein the instantaneous data includes the geo-location of the receiving device.

7. The method in Claim 1, wherein the instantaneous input includes the physical location of the receiving device.

8. The method in Claim 1, wherein the offline means includes a secure server which is linked to the connecting device and the receiving device.

9. A method for authentication of data in a call between a connecting device and a receiving device, wherein the method of authentication comprises:

- pre-configuration of authentication credentials in the receiving device;

- supply of the pre-configured authentication credentials by the connecting device to the receiving device upon initiation of the call;

- staggered authentication by the receiving device of the pre-configured authentication credentials supplied by the connecting device based on number and type of credentials supplied;

with at least one of the pre-configured authentication credentials being a variable identification passkey; with the constituents for the creation of the variable identification passkey comprising instantaneous input pertaining to the status of the receiving device;

said variable identification passkey being created either by the connecting device or the receiving device or an offline means;

said variable identification passkey being shared with the user of the connecting device prior to the initiation of the call through the offline means, and pre-configured in the receiving device along with other credentials.

10. A method for authentication of data in a call between a connecting device and a receiving device, wherein the method of authentication comprising:

- pre-configuration of authentication credentials in the receiving device;

- supply of the pre-configured authentication credentials by the connecting device to the receiving device upon initiation of the call;

- staggered authentication by the receiving device of the pre-configured authentication credentials supplied by the connecting device based on number and type of credentials supplied;

with at least one of the pre-configured authentication credentials being a variable identification passkey; with the constituents for the creation of the variable identification passkey comprising instantaneous input pertaining to the status of the receiving device at least one spoof-proof detail which is unique, binding and immutable either to the connecting device or the receiving device; said variable identification passkey being created either by the connecting device or the receiving device or an offline means;

said variable identification passkey being shared with the user of the connecting device prior to the initiation of the call through the offline means, and pre-configured in the receiving device along with other credentials.

11. A method for authentication of data in a call between a connecting device and a receiving device, wherein the method of authentication comprising:

- pre-configuration of authentication credentials in the receiving device;

- supply of the pre-configured credentials by the connecting device to the receiving device upon initiation of the call;

- staggered authentication by the receiving device of the pre-configured authentication credentials supplied by the connecting device based on number and type of credentials supplied;

with at least one of the pre-configured authentication credentials being a variable identification passkey; with the constituents for the creation of the identification passkey comprising at least one spoof-proof detail which is unique, binding and immutable either to the connecting device or the receiving device;

said identification passkey being created either by the connecting device or the receiving device or an offline means;

said identification passkey being shared with the user of the connecting device prior to the initiation of the call through the offline means, and pre-configured in the receiving device along with other credentials.

12. A system for authentication of data comprising of a connecting device, a receiving device, and an offline means:

wherein a variable identification passkey is created either by the connecting device or the receiving device or the offline means using instantaneous input pertaining to the status of the receiving device and at least one spoof-proof detail which is unique, binding and immutable either to the connecting device or the receiving device;

the said variable identification passkey is pre-configured in the receiving device along with other credentials, and is shared with the connecting device through the offline means prior to the initiation of the call; and upon initiation of the call by the connecting device, the receiving device authenticates the pre-configured credentials in a staggered manner based on number and type of credentials supplied by the connecting device.

13. A system for authentication of data comprising of a connecting device, a receiving device, and an offline means:

wherein a variable identification passkey is created either by the connecting device or the receiving device or the offline means using at least one spoof-proof detail which is unique, binding and immutable either to the connecting device or the receiving device;

the said variable identification passkey is pre-configured in the receiving device along with other credentials, and is shared with the connecting device through the offline means prior to the initiation of the call;

and upon initiation of the call by the connecting device, the receiving device authenticates the pre-configured credentials in a staggered manner based on number and type of credentials supplied by the connecting device.

14. A system for authentication of data comprising of a connecting device, a receiving device, and an offline means:

wherein a variable identification passkey is created either by the connecting device or the receiving device or the offline means using instantaneous input pertaining to the status of the receiving device;

the said variable identification passkey is pre-configured in the receiving device along with other credentials, and is shared with the connecting device through the offline means prior to the initiation of the call;

and upon initiation of the call by the connecting device, the receiving device authenticates the pre-configured credentials in a staggered manner based on number and type of credentials supplied by the connecting device.

15. A system for authentication of data comprising of a connecting device, a receiving device, and an offline means:

wherein a variable identification passkey is created either by the connecting device or the receiving device or the offline means;

the said variable identification passkey is pre-configured in the receiving device along with other credentials, and is shared with the connecting device through the offline means prior to the initiation of the call; and upon initiation of the call by the connecting device, the receiving device authenticates the pre-configured credentials in a staggered manner based on number and type of credentials supplied by the connecting device.

Description:
TITLE

Secure data authentication system and method.

FIELD OF INVENTION

The present invention relates to a method for authentication of data in channels/lines of communication/transmission used for transfer of data of any kind, and a system which uses the method.

BACKGROUND OF THE INVENTION

In an information-driven world, data has come to acquire critical and strategic importance. Data includes personal data, product data or voice data or details of identity or any other piece of information or content in any form. Considering this, it is imperative that lines of communication which act as conduits for transfer of the data are adequately protected to maintain the integrity of the data and to ensure that the data is transmitted only between those individuals/terminals for whose consumption it is intended. The prior art discloses several methods which have been evolved to achieve the said objectives.

In some of the methods used in the prior art, the process of voice authentication occurs over a connection which is parallel to the primary channel of communication where data/voice is transferred/communicated. This requires a user to switch channels solely for the purpose of authentication. This invariably affects the quality of user experience. Further, given the fact that the number of users in most channels of communication has gone up by leaps and bounds, it is also necessary to ensure that the time spent in authentication is minimal so as to avoid clogging of user traffic.

More importantly, there are several known authentication methods which employ the use of Mobile Station ISDN number, which is commonly known as the mobile phone number, or alternatively use a 4-digit personal access code, which is also referred to as Personal Identification Number (PIN). For instance, the prior art discloses a system where the user dials in from a phone, and access to server related information is provided upon identification of a PIN.

Although these methods appear simple and reliable, they do not incorporate an essential quality expected of authentication methods, namely spoof-proofing. For instance, it is possible to fake MSISDN or to illegally lay hands on the PIN.

The other ubiquitous phenomenon which is common to the use of pass codes or PIN is that users routinely forget them, which means one needs to put in place additional back-up systems to either retrieve the old code/PIN or provide users with new pass codes or PIN. This, in practical terms, translates to additional cost of infrastructure, not to mention the time lost in either retrieving or providing new passkeys/PINs.

There also exist authentication systems in the prior art that use locational and/or temporal data pertaining to any mobile device for authentication. While this provides a secure authenticating system, it is weak in that it provides just one layer of security.

Therefore, the rule of thumb to be borne in mind in evolving authentication methods and designing systems which employ these methods is that the system must not burden the user with a lot of detail, must be protected against spoofing and must provide as optimal a number of layers of security as possible.

SUMMARY OF THE INVENTION

Accordingly, a prime object of the invention is to provide for a spoof-proof method and system for authentication of data with optimal layers of security.

Another object of the invention is to provide for an authentication method and system which enables authentication and transmission of data over a single line, i.e. the line of communication itself.

Yet another object of the invention is to provide an authentication method and system which reduces human intervention as much as possible so as to minimize the dependence on the memory of the user.

The corollarial object of the system is to improve user experience in calls by providing a method and system for authentication which is robust, easy to use and effective against spoofing.

The present invention achieves these objectives by using a method of authentication of a call that employs a variable credential generated by the system, namely a variable identification passkey which, along with other standard credentials, is configured in the device which receives the call, i.e. the receiving device, prior to the call. The very same variable identification passkey is then supplied to the user of the device which makes the call/connects to the receiving device. Upon initiation of the call, the variable identification passkey and other standard credentials are supplied by the user of the connecting device to the receiving device. The receiving device identifies the variable identification passkey and other standard credentials, since they have been pre-configured in it, and authenticates the call. Since the authentication of all the credentials happens on the same channel as that of the call, tedium is reduced. Further, the layer of security is optimal and since the credential used to authenticate is variable/of limited validity and has been generated by the system for the purposes of the call, the method is spoof-proof.

According to a first broad aspect of an embodiment of the present invention, there is disclosed a method of authentication of a call between a connecting device and a receiving device, wherein the method comprises creation of a variable identification passkey by either the connecting device or the receiving device or an offline means, pre-configuration of the variable identification passkey along with other credentials in the receiving device prior to the initiation of the call, sharing of the variable identification passkey with the connecting device through an offline means prior to the call, supply of the variable identification passkey and other credentials by the connecting device to the receiving device upon initiation of the call, and staggered authentication by the receiving device depending upon the number and type of credentials received.

According to a preferred embodiment of the invention, the constituents for the creation of the variable identification passkey comprise instantaneous input pertaining to the status of the receiving device.

According to another preferred embodiment of the invention, the constituents for the creation of the variable identification passkey comprise at least one spoof-proof detail which is unique, binding and immutable either to the connecting device or the receiving device.

According to another preferred embodiment of the invention, the constituents for the creation of the variable identification passkey comprise a combination of instantaneous input pertaining to the status of the receiving device and at least one spoof-proof detail which is unique, binding and immutable either to the connecting device or the receiving device.

In accordance with the present invention, the pre-configured credentials further include a personal access code and / or a subscription identity of the connecting device.

According to yet another preferred embodiment of the invention, there is disclosed a system for authentication of identity, the system comprising a connecting device, a receiving device, and an offline means, wherein all three are capable of generating a variable identification passkey using the instantaneous input and/or at least one spoof-proof detail which is unique, binding and immutable either to the connecting device or the receiving device.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1: Block diagram depicting the architecture for secure authentication system

Figure 2: Flowchart illustrating authentication of variable and standard credentials supplied by connecting device to receiving device.

DETAILED DESCRIPTION OF THE INVENTION

In the present invention, instead of using a method of authentication which uses a channel parallel to that of the primary communication channel, the invention envisages a method which uses the primary channel of communication itself for authentication of data to permit secure transfer of the data. This ensures that there is no compromise on the quality of user experience and saves costs. Further, the invention uses a variable credential which forms the core of the authentication method.

The invention is illustrated by the following embodiments and examples describing the authentication method and system in detail. The embodiments are exemplary in nature, and are not to be construed as limiting the scope of the invention in any way.

The present invention relates to a secure system and method for authenticating data in a call between a receiving device and a connecting device, using a variable credential along with other standard credentials.

In accordance with the invention, a receiving device refers to any device, including a device in transit which is capable of storing its physical and/or geo-location. A typical example of a receiving device could be any vehicle, stationary or moving, that is capable of establishing internet connection and initiating, participating or terminating a voice call via its mobile subscription number.

A connecting device refers to any device capable of initiating, participating or terminating a voice call via its subscription number. A typical example of a connecting device can be a mobile phone, a laptop, a computer, etc. In accordance with the invention, the connecting device is capable of supplying data using a DTMF signal or any other audio-coding means to any other device capable of receiving the same.

A typical example of an offline means that can be used in the present invention is an internet-based server or a dedicated intranet server capable of establishing a secure connection with the connecting and/or receiving device, in order to facilitate any sharing of information between the devices or between itself and the devices.

The receiving device is linked to the offline means, and the offline means is connected to the connecting device. The connecting device and the receiving device are connected via prevalent means of connectivity such as WLAN or any other means which serves as a connecting medium. This completes the systemic loop.

One of the audio-coding methods which the connecting and receiving devices could employ for the supply of credentials is the Dual Tone Multi Frequency (DTMF) method of signalling. That said, the invention is equally suited to other methods of audio-coding such as digital watermarking.

Referring to Figure 1, a high-level architecture for a secure authentication system 10 is depicted, where the authentication system 10 involves a connecting device 12 connected to a receiving device 14 and an offline means 16 via a secure connection 18. The connecting device 12 also establishes direct contact with the receiving device 14 via prevalent means of connectivity 20, for example WLAN, Bluetooth, etc. The connecting device 12 is capable of initiating a call 22 to the receiving device 14 and supplies the variable and standard credentials for authentication via DTMF 24 mode.

In the authentication method described herein, a combination of variable and standard credentials is pre-configured in the receiving device 14 and is supplied by the connecting device 12 to the receiving device 14 upon initiation of the call 22. The receiving device 14 then authenticates the supplied credentials and permits access.

In the method, at least one of the pre-configured credentials is a variable identification passkey (also referred to as variable passkey) which is created either by the connecting device 12 or the receiving device 14 or by the offline means 16. The variable passkey is pre-configured in the receiving device 14 along with other credentials and is shared with the user of the connecting device prior to the initiation of the call through the offline means 16.

In one preferred embodiment, the constituents for the creation of the variable passkey comprise instantaneous input pertaining to the status of the receiving device 14. The instantaneous input varies with the location of the receiving device 14, for example its physical and/or geo-location. In accordance with this embodiment, the instantaneous input is expressed using the latitude and / or longitude defining the geo-location of the receiving device 14.

In another preferred embodiment, the instantaneous input is created and expressed using a reference-based location like WLAN ID or cell ID of the receiving device 14. In yet another embodiment, the instantaneous input is identified based on its nomenclature in prevalent Global Positioning Systems. In a related preferred embodiment, the instantaneous input varies with time, since all geo and physical locations are related to the instantaneous location of the receiving device 14 which will bear time stamps. In other words, if the receiving device 14 is in transit, its location at a particular instant will be used and each such location will bear a time-stamp.

In another preferred embodiment, the constituents for the creation of the variable identification passkey comprise at least one spoof-proof detail which is unique, binding and immutable either to the connecting device 12 or the receiving device 14. Examples of such spoof-proof detail include IMEI number of a mobile phone, VIN number for a car, MAC address for a device with WLAN, etc.

In a most preferred embodiment, the constituents for the creation of the variable identification passkey comprise a combination of the instantaneous input pertaining to the status of the receiving device 14 and at least one spoof-proof detail as described above. In one preferred embodiment, the variable identification passkey is valid only for a limited period or it may be used only for a specified number of times. Upon lapsation of the limited period or the specified number, the variable identification passkey expires. The passkey can be created and recreated either automatically by the offline means 16 or upon request made by any of the two devices. In a preferred embodiment, the passkey is created in an alpha-numeric code or a hash code or a combination of both.

In accordance with the invention, the pre-configured credentials further include standard credentials such as personal access code and subscription identity of the connecting device 12. While the subscription identity may be any number or code that is unique to the connecting device 12, for example MSISDN number, etc., the personal access code can be generated by the user of the connecting device 12 at any time prior to the initiation of the call 22.

The credentials described above are stored and configured in the receiving device 14 using appropriate memory functions. Once the call is initiated, one or more credentials are supplied by the connecting device 12 to the receiving device 14 for authentication. Depending on the supply of one or all the credentials by the connecting device 12/its user, the amount of access given by the receiving device 14 may be calibrated. Accordingly, this provides for a layered security. Illustratively, supply and authentication of only the subscription identity could lead to denial of access. In the same illustration, supply and authentication of subscription number and the personal identification number could lead to grant of access rights to some of the basic information pertaining to or stored in the receiving device 14. In the same illustration, supply and authentication of subscription number, personal identification number and the variable passkey could lead to grant of full access rights to the information stored in the receiving device 14 or even control rights over certain functions of the connecting device 14. Other combinations of the credentials are possible by way of more embodiments. This form of calibrated security is configured in the system.

The calibration of the amount of access depending upon the supply of one or all credentials has been illustrated in Figure 2. The flowchart depicts that the call is terminated when any of the supplied credentials is not authenticated. On the other hand, the call leads to either the next level of authentication or the start of communication when the credential(s) are authenticated. By start of communication it is meant that the connecting device gets access rights over any information stored in the receiving device 14 or control rights over certain functions of the connecting device 14.
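The staggered check and the limited-validity passkey described above can be modelled as follows. This is an added example, not code from the patent: the names `derive_passkey` and `ReceivingDevice`, the access-level labels, the 8-digit passkey format and all sample values are assumptions, and because a VIN and a location are observable by third parties the derivation mixes in a random server-held key via HMAC-SHA256, which the text does not specify.

```python
import hashlib
import hmac
from dataclasses import dataclass

PASSKEY_DIGITS = 8  # assumption: digits only, so the passkey can be keyed in as DTMF tones


def derive_passkey(server_key: bytes, vin: str, lat: float, lon: float, issued_at: int) -> str:
    """Variable passkey built from a spoof-proof detail (VIN) and instantaneous
    input (time-stamped geo-location), keyed with a secret held by the offline
    means (assumption: HMAC-SHA256 truncated to decimal digits)."""
    msg = f"{vin}|{lat:.5f}|{lon:.5f}|{issued_at}".encode()
    digest = hmac.new(server_key, msg, hashlib.sha256).digest()
    number = int.from_bytes(digest[:8], "big") % 10**PASSKEY_DIGITS
    return str(number).zfill(PASSKEY_DIGITS)


def _same(supplied: str, stored: str) -> bool:
    # Constant-time comparison, so timing does not reveal how many digits matched.
    return hmac.compare_digest(supplied.encode(), stored.encode())


@dataclass
class ReceivingDevice:
    """Credentials pre-configured in the receiving device before the call."""
    subscription_id: str      # subscription identity of the connecting device, e.g. MSISDN
    pin: str                  # personal access code
    passkey: str              # variable identification passkey
    passkey_expires_at: int   # end of the limited validity period (Unix time)
    passkey_uses_left: int    # remaining number of permitted uses

    def authenticate(self, now, subscription_id, pin=None, passkey=None) -> str:
        """Staggered check: 'terminated' as soon as a supplied credential fails,
        otherwise the access level earned by the credentials supplied."""
        if not _same(subscription_id, self.subscription_id):
            return "terminated"
        if pin is None:
            return "denied"      # subscription identity alone grants no access
        if not _same(pin, self.pin):
            return "terminated"
        if passkey is None:
            return "basic"       # basic information only
        expired = now >= self.passkey_expires_at or self.passkey_uses_left <= 0
        if expired or not _same(passkey, self.passkey):
            return "terminated"
        self.passkey_uses_left -= 1
        return "full"            # full information and control rights


def demo():
    # Constructed sample values: key, VIN, coordinates, numbers and times are made up.
    key = bytes(range(32))
    t0 = 1_700_000_000
    caller = "+10000000000"
    pk = derive_passkey(key, "TESTVIN0000000001", 48.13743, 11.57549, t0)
    car = ReceivingDevice(caller, "4821", pk, t0 + 600, 1)
    return [
        car.authenticate(t0 + 10, caller),
        car.authenticate(t0 + 20, caller, "4821"),
        car.authenticate(t0 + 30, caller, "4821", pk),
        car.authenticate(t0 + 40, caller, "4821", pk),  # single permitted use already spent
    ]


if __name__ == "__main__":
    print(demo())
```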

To further assist in the understanding of the present invention and not by way of limitation, the following examples are presented:

EXAMPLE 1:

In a typical example, a user owns a connecting device 12, i.e. a cell phone, and a receiving device 14 which is a car. The user parks his car at a desired location and stores/configures in it the credentials like his cell phone subscription identity and a personal identification number. In an instance when the user is away from his car, he wants to check if the parking lights were left switched on. In order to retrieve this information, (i) the user, through the cell phone, requests the offline means 16, i.e. the server, to create a variable identification passkey for his car, to be used as another authentication credential. Once the passkey is created, it is stored in the car along with the pre-configured credentials. Simultaneously, the passkey is shared with the cell phone via a secure connection 18, i.e. internet; (ii) the user then initiates a call 22 to the car; (iii) the car authenticates the subscription identity of the cell phone using the corresponding pre-configured credential and allows him to hear basic information including that of parking lights.

EXAMPLE 2:

With reference to Example 1, the user also intends to switch off the parking lights of the car, upon learning that the parking lights were left in 'switched on' mode. Accordingly, upon initiation of the call, the user supplies all the three credentials via DTMF 24, i.e. subscription identity, personal identification number and the variable identification passkey. The car authenticates the supplied credentials and allows the user to access any information and even control over the car. Upon receiving the control rights, the user commands to switch off the parking lights.

Thus a highly sophisticated security system and method is put in place that performs multi-tiered authentication using a unique combination of variable and invariable data.

Although the present invention has been described in considerable detail with reference to certain embodiments and examples thereof, other embodiments and equivalents are also possible. Even though numerous characteristics and advantages of the present invention have been set forth in this description, together with functional and procedural details, the disclosure is only illustrative, and any changes may be made, to the full extent indicated by the broad general meaning of the terms in which appended claims are expressed.