Title:
UNIVERSAL MOBILE VERIFIER
Document Type and Number:
WIPO Patent Application WO/2010/066304
Kind Code:
A1
Abstract:
The present invention relates to a method for digitally signing transaction data using a digital signature scheme based on cryptographic primitives, preferably asymmetric cryptography. The digitally signing comprises the steps: a) sending data (50, 51, 52) on the basis of the transaction data (50) from an e-commerce server (100) to a service provider (11); b) digitally signing the received data (50, 51, 52) on the service provider (11) by using a private signature generation key (20) of said service provider (11); c) generating visually observable digitally signed data (30) on the basis of the digitally signed data (150, 151, 152) and d) providing the visually observable digitally signed data (30) to a user. The present invention also relates to the subsequent verifying method for verifying whether the visually observable signed data (30) are signed by the service provider (11). The verifying method comprising the steps of: e) capturing the visually observable digitally signed data (30) with a camera of a mobile device (3) and temporarily storing the captured data in form of image data in a memory of the mobile device (3); f) transforming said image data into digitally signed data; g) verifying whether the digitally signed data are signed from the service provider (11) by using the public signature verification key (10) of service provider (11); and h) displaying the result of the verifying step g) on a display (4) of the mobile device (3).

Inventors:
LO IACONO LUIGI (DE)
Application Number:
PCT/EP2008/067414
Publication Date:
June 17, 2010
Filing Date:
December 12, 2008
Assignee:
NEC EUROPE LTD (DE)
LO IACONO LUIGI (DE)
International Classes:
G06F21/31; G06F21/44; G06F21/64; H04L29/06
Foreign References:
US7021534B1 (2006-04-04)
US20080307515A1 (2008-12-11)
Other References:
MCCUNE J M ET AL: "Seeing-Is-Believing: Using Camera Phones for Human-Verifiable Authentication", SECURITY AND PRIVACY, 2005 IEEE SYMPOSIUM ON OAKLAND, CA, USA 08-11 MAY 2005, PISCATAWAY, NJ, USA,IEEE, 8 May 2005 (2005-05-08), pages 110 - 124, XP010798367, ISBN: 978-0-7695-2339-2
Attorney, Agent or Firm:
VOSSIUS & PARTNER (München, DE)
Claims:

1. Method for digitally signing transaction data using a digital signature scheme based on cryptographic primitives, preferably asymmetric cryptography, with the steps: a) sending data (50, 51, 52) on the basis of the transaction data (50) from an e-commerce server (100) to a service provider (11); b) digitally signing the received data (50, 51, 52) on the service provider (11) by using a private signature generation key (20) of said service provider (11); c) generating visually observable digitally signed data (30) on the basis of the digitally signed data (150, 151, 152), and d) providing the visually observable digitally signed data (30) to a user (1).

2. The method according to claim 1, with a subsequent verifying method for verifying whether the visually observable signed data (30) are signed by the service provider (11), the verifying method comprising the steps of: e) capturing the visually observable digitally signed data (30) with a camera of a mobile device (3) and temporarily storing the captured data in form of image data in a memory of the mobile device (3); f) transforming said image data into digitally signed data; g) verifying whether the digitally signed data are signed from the service provider (11) by using the public signature verification key (10) of the service provider (11); and h) displaying the result of the verifying step g) on a display (4) of the mobile device (3).

3. The method according to claim 1 or 2, wherein the data (50) which are sent in step a) to the service provider (11) are at least a part of the transaction data (50).

4. The method according to claim 1 or 2, wherein, before step a) a hash code (51) is generated on the e-commerce server (100) on the basis of the transaction data (50), wherein said hash code (51) is sent in step a) to the service provider (11).

5. The method according to claim 1 or 2, wherein, before step a) a blinded transaction data (52) is generated on the e-commerce server (100) on the basis of the transaction data (50), wherein said blinded transaction data (52) is sent in step a) to the service provider (11) which computes a blind signature on the received blinded transaction data.

6. The method according to claims 1, 2 or 3, wherein between steps c) and d) the following step is executed: c') sending the visually observable digitally signed data (30) from the service provider (11) back to the e-commerce server (100), such that the generation of the visually observable digitally signed data (30) on the basis of the digitally signed data (150) is executed by the service provider (11).

7. The method according to claims 1, 2, 4 or 5, wherein between steps b) and c) the following step is executed: b') sending the digitally signed data (151, 152) from the service provider (11) back to the e-commerce server (100), such that the generation of the visually observable digitally signed data (30) on the basis of the digitally signed data is executed on the e-commerce server (100).

8. The method according to any of claims 1 to 7, wherein the visually observable digitally signed data (30) are provided in form of a 2D-matrix, 3D-matrix with or without additional colour-encoding and/or 4D code, which may be animated and/or coloured and/or in form of a text code.

9. The method according to any of claims 1 to 8, wherein the visually observable digitally signed data (30) are provided on a display or printed on a surface, e.g., displayed on a computer monitor or printed on a paper.

10. The method according to any of claims 1 to 9, wherein e-commerce server (100) is a banking server and the method is implemented in an iTAN-based Web banking method, wherein the transaction data (50) are displayed together with an iTAN input form on the computer monitor such that a user (1) may verify the visually observable signed data (30) with the mobile device (3).

11. The method according to any of claims 1 to 10, wherein software for the steps f) to h) is downloaded (A) from the trusted e-commerce server (100) or the service provider (11), preferably only once.

12. The method according to claim 11, wherein the software comprises the public signature verification key (10) of the service provider (11) for digital signature verification.

13. The method according to any of claims 1 to 12, wherein the mobile device (3) is a PDA or a mobile phone (3) with a camera.

14. System for signing transaction data (50, 51, 52) and verifying whether the signed data are signed by a trusted service provider (11), the system comprising: a service provider (11) for signing the data, and optionally for providing the signed data in form of a visually observable signed data (30) with the method steps according to claims 1 to 13; and a mobile verifying device to perform the verifying process according to any of claims 2 to 13.

15. A computer readable medium with software for carrying out the method steps according to any of claims 1 to 13, when executed on the mobile device (3).

Description:
UNIVERSAL MOBILE VERIFIER

The present invention generally relates to a universal mobile verifier and a method for verifying visually observable digitally signed data. The present invention also relates to a system and method to generate digital signatures and to verify said digital signatures by a universal mobile verifier. In particular, the present invention relates to a system and method for integrating digital signing and verification of data in an Internet architecture with service providers.

BACKGROUND OF THE INVENTION

Although cryptographic algorithms and related technologies to generate and verify digital signatures exist, it is still a big challenge how these signatures can be generated and verified in a trustworthy and reliable way in practice. The existence of malicious software (malware) and related active attacks driven by professional or even organized cyber crime are the main source for such problems.

Some of these problems are discussed for example in the articles of A. Jøsang et al.: "What You See is Not Always What You Sign", Proceedings of 2002 Annual Technical Conference of the Australian UNIX and Open Systems User Group, 2002 and in the presentation of J. Müller-Quade and S. Röhrich at the Heidelberger Innovationsforum 2007 with the title: "What you see is what you sign". The latter presentation discusses a signing process using a camera phone (see also WO 2008/017477). Moreover, Cronto Limited discusses in the published article "Beyond Phishing - De-mystifying the growth threat of internet banking fraud" two types of attack known as "Man in the Middle" and "Man in the Browser". These two types of attacks are highly sophisticated frauds in the field of internet banking. In order to defend against these attacks, it is suggested that every important instruction the customer sends to the bank be authenticated. In particular, the security effectively moves down from protecting the "front door" at login to protecting each individual instruction. Cronto Limited provides a solution for online banking based upon visual signing technology.

In particular, online banking transaction details are encoded in a visual cryptogram by the banking server, wherein the visual cryptogram is provided on a web page. The customer uses the camera in his/her mobile phone to capture this cryptogram by photographing the displayed web page. After photographing the cryptogram, the customer is presented with critical transaction information, like payment details, on the screen of this mobile phone. In case the information has not been manipulated, an authentication code is generated on the mobile phone and passed back to the bank's server to complete the transaction.

However, in case the customer has a plurality of bank accounts at different banks, the customer would have to install and manage different software with different keys on his/her mobile phone for the different banks. It is therefore an object of the present invention to provide an improved and simplified signing and verifying system. In particular, it is a further object to provide a verifying system and method on a universal mobile trusted verifier which can be used in connection with different banks but may be used in other online transaction involving monetary values such as e-commerce. These and other objects are achieved by the features of the independent claims.

Further preferred embodiments are characterized in the dependent claims.

SUMMARY OF THE INVENTION

The system and the method according to the present invention preferably use a mobile device with a camera, such as a mobile phone with a camera, as a trusted verifier. The term "trusted verifier" is used in the security community for IT systems which allow verifying - mostly digitally signed - documents such as contracts or monetary transactions in a trustworthy and dependable manner. Thus, a "trusted verifier" relates to a device which is capable of verifying whether a signature or signed data is/are signed by a trusted entity. In particular, the term "trusted" means that a user can trust the verifier, e.g., the user is the only person who has access to the trusted verifier, such as a mobile phone of a user.

The system and the method according to the present invention provide a general solution which can be deployed in many application domains that require the verification of digitally signed documents or transactions, such as eBilling, eGovernment, and on-line Banking.

According to a first embodiment, the method of the present invention is for verifying visually observable digitally signed data based on digital signature schemes relying on cryptographic primitives, preferably asymmetric cryptography with the steps: capturing the visually observable digitally signed data with a camera of a mobile device and temporarily storing (preferably in memory) the captured data in form of image data; transforming said image data into digitally signed data; verifying whether the digitally signed data is signed from a trusted entity by using the public signature verification key of said trusted entity; and displaying the result of the verifying step on a display (4) of the mobile device.

The present invention also relates to a method for digitally signing data using a digital signature scheme based on cryptographic primitives, preferably asymmetric cryptography, preferably sensitive data, and verifying whether the digitally signed data are signed by a trusted entity, with the steps: digitally signing said data by the trusted entity by using the private signature generation key of said trusted entity and providing the signed data in form of visually observable signed data; and verifying the visually observable signed data with the above method.

Further advantages of the present invention are obtained by using a service provider for the step of digitally signing transaction data. In particular, by using a service provider for the step of digitally signing transaction data, a plurality of different e-commerce services may use the same service provider such that the user (in the following the term user and customer are equivalently used) needs only one type of software on the mobile phone lowering the management costs and at the same time increasing usability. This provides the further advantage that any updates of the security mechanism needs only be updated once controlled centrally by the service provider. Finally, the costs required to integrate the present invention into existing e-commerce or online banking systems are reduced to a minimum, since the service provider implements digital signature and for some technical realisation also the visualisation functionalities.

In particular, the present invention relates to a method for digitally signing at least a part of transaction data, e.g., sensitive parts of the transaction data, using a digital signature scheme based on cryptographic primitives, preferably asymmetric cryptography. The method comprises the steps: a) sending data on the basis of the transaction data from an e-commerce server to a service provider, wherein the service provider is responsible for b) digitally signing the received data on the service provider by using a private signature generation key of said service provider. In other words, the step of digitally signing is preferably not executed on the e-commerce server, but on a specialized service provider. It is further preferred that different e-commerce servers use the service of the service provider for digitally signing sensitive data. This provides the advantage that the signing step of sensitive transaction data is centrally handled by a service provider which provides advantages for the provider of e-commerce server and the customer. The method according to the present invention further comprises the step c) of generating visually observable digitally signed data on the basis of the digitally signed data. In other words, digital data are digitally signed on the service provider by using a private key of the service provider. Said digitally signed data is transformed into visual code (in the following also called visually observable data). Said visual code is provided such that a user may observe or see said visual code. The method according to the present invention also relates to the verification of the visual code.
In particular, in a subsequent verifying method for verifying whether the visually observable signed data are signed by the service provider, the verifying method comprises the steps of: capturing the visually observable digitally signed data with a camera of a mobile device and temporarily storing the captured data in form of image data in a memory of the mobile device. In other words, the user simply takes a picture of the visual code with his/her mobile device (e.g. a mobile phone with camera). The digital image is then transformed into digitally (signed) data. In other words, a pattern transformation is executed on the mobile device to transform the image data into digital data which can be easily used for digitally verifying on the basis of cryptographic primitives such as asymmetric cryptography.

In a next step, it is verified whether the digitally signed data is signed from the service provider by using the public signature verification key of the service provider. If the data was indeed signed by the service provider, it is preferably displayed in an easy manner on the display of the mobile device, e.g. by using simple pictograms or simple text like: "manipulated" or "not manipulated".

The method of the present invention preferably sends in step a) at least a part or all of the transaction data to the service provider. According to another preferred embodiment of the present invention, a transmission of sensitive data to the service is avoided to preserve the customers' privacy. Instead, a part of or the entire transaction data is/are used to calculate a hash code on the e-commerce server. Said hash code is transmitted to the service provider. This provides the further advantage that the transaction data may not be manipulated on the service provider.

According to a further preferred embodiment, a blind signature is generated on the e-commerce server on the basis of the transaction data instead of a hash code. Said blind signature may be sent in step a) to the service provider. In particular, before step a) a blinded transaction data is generated on the e-commerce server on the basis of the transaction data, wherein said blinded transaction data is sent in step a) to the service provider which computes a blind signature on the received blinded transaction data. The blind signature can in turn be computed by the e-commerce server to a digital signature of the original transaction data. As mentioned above, the digitally signed data is transformed into visual code. The transformation into visual code may be executed on the service provider or on the e-commerce server.

The visual code preferably comprises not only the signature but also a part of the transaction data. Thus, the service provider may generate the visual code only if at least part of transaction data is available on the service provider. In case the transaction data (or part of the transaction data) are sent to the service provider it is possible to generate the visual code on the service provider. The visual code is subsequently sent to the E-Commerce server.

In case the data is transferred from the E-Commerce server to the service provider in form of a hash code or a blind code, it is preferred to generate the visual code with part of the transaction data on the service provider. Instead, only a signature is created on the service provider on the basis of the hash code or the blind code. The visual code is preferably generated in a subsequent step on the E-Commerce server on the basis of the signed data and (at least part of) the transaction data. The visually observable digitally signed data (or visual code) is preferably provided in form of a 2D-matrix or 3D-matrix. The barcode or matrix may comprise additional colour-encoding. Moreover, the visual code may also be provided as 4D code, which may be animated and/or coloured. According to a further embodiment the visual code is simply a text code, e.g., an ASCII text which may be transformed in the mobile device with an OCR (optical character recognition) software.

In particular, a barcode is an optical machine-readable representation of data. Originally, barcodes represented data in the widths (lines) and the spacing of parallel lines and may be referred to as linear or 1D-barcodes or symbologies. But barcodes also come in patterns of squares, dots, hexagons and other geometric patterns within images termed 2D (two dimensional) matrix codes or symbologies. Both parts of the pattern (lines, squares, dots, etc.) and spacing can constitute the data encodation schema. Barcodes can be read by optical scanners called barcode readers or scanned from an image by special software. Known 2D codes or symbologies are for instance: 3-DI, Array Tag, Aztec Code, Small Aztec Code, bCODE, Bullseye, Chromatic Alphabet, Chromocode, Codablock, Code 1, Code 49, ColorCode, CP Code, d-touch, DataGlyphs, Datamatrix, Datastrip, Dot Code, Ezcode, High Capacity Color Barcode, HueCode, INTACTA.CODE, InterCode, MaxiCode, mCode, MiniCode, PDF417, Micro PDF417, PDMark, PaperDisk, Optar, QR Code, Semacode, SmartCode, Snowflake Code, ShotCode, SuperCode, Trillcode, UltraCode, UnisCode, VeriCode, VSCode, WaterCode.

The visually observable digitally signed data (visual code) are preferably provided on a display or printed on a surface, e.g., displayed on computer monitor or printed on a paper.

The e-commerce server is preferably a banking server for internet banking. The method of the present invention may be implemented in an iTAN-based Web banking method. The visual code is preferably displayed together with an iTAN input form on the computer monitor such that a user may verify the visual code with the mobile device before inserting the iTAN.

The software for the mobile device is preferably downloaded from the trusted e-commerce server or the service provider. According to a preferred embodiment of the present invention, the public signature verification key of the service provider for digital signature verification is included in the downloaded software.

The mobile device is preferably a PDA with a camera or a mobile phone with a camera. The present invention also relates to a system for executing the above method steps. In particular, the present invention relates to a system for signing transaction data and verifying whether the signed data are signed by a trusted service provider. The system basically comprises two main components, namely (i) a service provider for signing the data and optionally for providing the signed data in form of a visual code and (ii) a mobile verifying device to perform the verifying process.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described in detail with respect to preferred embodiments with reference to accompanying drawings, wherein:

Fig. 1 shows a step of a process flow of a preferred embodiment according to the present invention, integrated into an existing iTAN-based Web banking system;

Fig. 2 shows a step of a process flow of an iTAN-based Web banking system;

Figs. 3 to 5 show further steps of a process flow of a preferred embodiment according to the present invention, integrated into an existing iTAN-based Web banking system;

Fig. 6 shows a step of a process flow of a preferred embodiment according to the present invention, integrated into an existing iTAN-based Web banking system with a man-in-the-middle attack;

Fig. 7 shows another system according to the present invention with a service provider between the user and the banking server;

Fig. 8 shows the system of Fig. 7 with a request from the user;

Fig. 9 shows the system of Fig. 7 with the signature generation on the service provider;

Fig. 10 shows the system of Fig. 9 according to a different embodiment of signature generation; and

Fig. 11 shows the system of Fig. 9 according to still a different embodiment of signature generation.

DETAILED DESCRIPTION OF THE INVENTION

In the following, the method and system of the present invention will be described with regard to on-line banking. However, as mentioned above, the system and the method according to the present invention provide a general solution which can be deployed in many other application domains.

The method and system of the present invention applied for on-line banking systems introduce an effective protection against widespread phishing attacks. The method and system of the present invention is easy to use for the bank customer (user) and easy as well as cost-efficient to implement and integrate for the financial institution itself. In brief, the customer's transaction data are preferably encoded and additionally signed by the bank by means of a 2D-barcode, which can then be verified by the bank customer by using his/her own and trustworthy mobile camera phone. Since the attacker will not be able to forge the digitally signed transaction data encoded into the 2D-barcode and the attacker will not be able to manipulate the customer's mobile camera phone, the verification operation performed on the trusted mobile camera phone provides a trustworthy and dependable result. Only when the mobile camera phone verifies the signed transaction data as authentic and not altered by unauthorized entities, the bank customer can be sure that the transaction has been communicated to the bank correctly. If so, the customer can finally authorize the transaction.

Figures 1 to 6 show the process flow of a preferred embodiment of the present invention integrated into an existing iTAN-based Web banking system.

In a first step as illustrated in Figure 1, the mobile camera phone 3 of a bank customer (user 1) will be prepared for the method according to the present invention. The user 1 downloads (see arrow "A") the required software for digital signature verification on the mobile camera phone 3 from the Internet or Web banking server 100. The Web banking server 100 stores a signature key-pair for the signature process, namely a private key 20 and a public key 10. The downloadable software comprises the bank's public key 10. The software is installed on the mobile camera phone 3 such that the mobile camera phone is able to capture a visually observable signature by means of the integrated camera and to verify, by using the bank's public key 10, whether the signature was signed by the trusted entity 100, namely the bank server 100. According to a preferred embodiment, the software is downloaded only once to setup the mobile camera phone 3 of the user 1.

Figure 2 illustrates the next step of the present invention, which is preferably unchanged with regard to a traditionally iTAN online-banking system. In particular, the user 1 fills the form of a typical online-banking transaction window 200 with all relevant data for the transaction, namely the name of the payee (e.g. Bob), the account number of the payee (e.g. 1234567890), the bank route number of payee's bank (e.g. 9876543210) and the amount of money (e.g. € 2.743,89) which should be transferred to the payee. By pressing the "Next button", the transaction data will be transferred to the Web banking server 100, preferably via a secure connection such as Secure Sockets Layer (SSL)/ Transport Layer Security (TLS).

After having received the transaction data the Web banking server 100 computes a digital signature (see S2) by using the received transaction data (see S1 in Fig. 3) and the private key 20 of the Web banking server 100. The digital signature is used for generating a 2D-barcode 30 (see step S3). The generation of the 2D-barcode may be based on the signature and optionally also the transaction data, e.g., the 2D-barcode may comprise the sole digital signature data or the digital signature data and at least a part of the transaction data. In a next step, the 2D-barcode will be embedded (see step S4) on a confirmation web page 201 (see step S5). The confirmation Web page 201 is subsequently transferred to the user's computer, preferably via a secure connection such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (see Fig. 4). In other words, the confirmation web page 201 shows again the data to be transferred to the Web banking server 100. Since the confirmation web page comprises a signature generated by the Web banking server 100 in form of visually observable signed data, namely in form of a 2D-barcode, the user 1 can verify by using the public key 10 of the Web banking server 100, whether the signature is indeed generated by the Web banking server 100.

In order to verify the visually observable signed data (the signature in form of a 2D-barcode), the user 1 captures the visually observable signed data 30 with a camera of his/her prepared mobile phone 3 and temporarily stores the captured data in form of image data on the phone. The software on his/her mobile phone is adapted to transform said image data into the digitally signed data (digital signature). Since the software on the user's mobile phone comprises the public key 10 of the Web banking server 100, the software is able to verify whether the digitally signed data (digital signature) is signed from the trusted entity, namely the Web banking server 100. The result of the verifying step is displayed on the display 4 of mobile device 3, preferably by a clear statement or clear symbols. Additionally or optionally, at least a part of the transaction data will be displayed on the user's mobile phone display 4, in case the 2D-barcode comprises at least a part of the transaction data.

After the user 1 has verified that the signature (2D-barcode) was generated by the Web banking server 100, the user confirms the transaction in the confirmation window 201 (see Fig. 5) by inputting the required iTAN number (see arrow "C" in Fig. 5) from the tan list 2. After pressing the "Confirm" button, the transaction data are transmitted to the Web banking server 100, preferably via a secure connection.

The method and system according to the present invention further improve the security of existing iTAN based online-banking systems. In particular, the method and system according to the present invention provide protection against phishing and pharming attacks. As illustrated for instance in Figure 6, a man-in-the-middle attacker 13 will not be able to forge the digitally signed transaction data as long as the attacker cannot compromise the bank's key pair or the user's mobile phone, which is both very unlikely. Thus, the method and system according to the present invention provides an easy to integrate and cost-efficient solution to protect users of online-banking systems against phishing and pharming. Moreover, the above discussed example allows a seamless integration which does not force the user to make use of it, i.e., the additional security feature can be optionally used. However, the users which make use of the additional security feature get a higher assurance that their bank transactions are not misused.

Figures 7 to 11 show the process flow of a further preferred embodiment of the present invention. In contrast to the embodiment depicted in Figures 1 to 7, the signature is generated on an additional service provider 11. The "outsourcing" of the signature generation to a service provider provides several advantages for the user as well as for the bank. In particular, in case a user has a plurality of banking accounts at different banks, it is inconvenient for the user to install the individual software packages together with the plurality of different keys on his/her mobile phone. A plurality of method steps are similar irrespective of whether the signature is created on the e-commerce server or on the service provider. Thus, the following detailed description will concentrate on the steps which are preferably different.

In a first step as illustrated in Figure 7, the mobile camera phone 3 of a bank customer (user 1) will be prepared for the method according to the present invention. The user 1 downloads (see arrow "A") the required software for digital signature verification on the mobile camera phone 3 from the service provider 11 which is an involved stakeholder. The service provider 11 stores a signature key-pair for the signature process, namely a private key 20 and a public key 10. The downloadable software comprises the service provider's public key 10. The software is installed on the mobile camera phone 3 such that the mobile camera phone is able to capture a visual code by means of the integrated camera. According to a preferred embodiment, the software is downloaded only once to setup the mobile camera phone 3 of the user 1. According to a further preferred embodiment, the Service Provider may install the software on the mobile camera phone 3.

Figure 8 illustrates the next step of "service request". In particular, user 1 sends a service request from the web page, preferably presented by a web browser on a personal computer, to the e-commerce server 100. Such a service request may be a banking transaction or any other kind of transaction with sensitive data. Figure 9 shows the next "confirmation code generation" step. In particular, the transaction data (or at least a part of the transaction data) 50 are transmitted from the e-commerce server 100 to the service provider 10. The service provider generates a digital signature by using said transaction data 50 and the private key 20 (see step S2). In the subsequent step S3 a visual code, namely 2D-Barcode 30 is generated on the basis of the signed data. Said visual code 30 is transmitted from the service provider 11 to the e-commerce server 100 and embedded in a "confirmation web page" which is eventually transmitted to the web browser of the user 1. On the basis of the visual code, the user can verify whether the data was manipulated or not, by photographing the visual code and performing the verifying steps as done in the embodiment of Figures 1 to 6.

Figure 10 shows an alternative to Figure 9. In particular, instead of transmitting (part of) the transaction data 50 to the service provider, a hash code 51 is generated on the e-commerce server 100 on the basis of the transaction data 50. Said hash code 51 is transmitted from the e-commerce server 100 to the service provider 11. The service provider generates a digital signature 151 by using said hash code 51 and the private key 20. The digital signature 151 is transmitted from the service provider 11 to the e-commerce server 100, wherein the e-commerce server 100 generates a visual code 30 on the basis of said digital signature 151 and the transaction data 50. Again, the visual code 30 is embedded in a web page which is transmitted to user 1.

Figure 11 shows an alternative to Figure 9 and is similar to the embodiment as depicted in Figure 10. In particular, instead of transmitting (part of) the transaction data 50 to the service provider, a blind signature 52 is generated on the e-commerce server 100 on the basis of the transaction data 50. In cryptography, a blind signature is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. Said blind signature 52 is transmitted from the e-commerce server 100 to the service provider 11. The service provider generates a digital signature 152 by using said blind signature 52 and the private key 20 of the service provider. The digital signature 152 is transmitted from the service provider 11 to the e-commerce server 100. The e-commerce server 100 generates a visual code 30 on the basis of said digital signature 151 and the transaction data 50. Again, the visual code 30 is embedded in a web page which is transmitted to user 1.

The above discussed blind signature schemes can be implemented using a number of common key signing schemes, for instance RSA and DSA. To perform such a signature, the message is first "blinded", typically by combining it in some way with a random "blinding factor". The blinded message is passed to the signer (service provider), who then signs it using a standard signing algorithm. The resulting message, along with the blinding factor, can be later verified against the signer's key. In some blind signature schemes, such as RSA, it is even possible to remove the blinding factor from the signature before it is verified.

Data transmitted from the user to the e-commerce server, from the e-commerce server to the service provider, from the service provider to the e-commerce server and/or from the e-commerce server to the user is preferably carried over secure connections such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS).
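The RSA case described above, following the Figure 11 flow, as an added example that is not part of the patent text. It uses unpadded textbook RSA and a constructed toy key for illustration only; all function names and the sample transaction string are assumptions.

```python
import hashlib
import math
import secrets

# Constructed toy key: two publicly known Mersenne primes, so this modulus is
# trivially factorable and must never be used outside this illustration.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key 10 (shipped in the phone software)
D = pow(E, -1, (P - 1) * (Q - 1))      # private key 20 (held only by service provider 11)

def digest(transaction: bytes) -> int:
    """Hash the transaction data 50 to an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(transaction).digest(), "big")

def blind(m: int) -> tuple:
    """E-commerce server 100: hide m behind a random blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:        # r must be invertible modulo N
            return (m * pow(r, E, N)) % N, r

def sign(value: int) -> int:
    """Service provider 11: RSA private-key operation on whatever it receives."""
    return pow(value, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """E-commerce server 100: strip r, leaving an ordinary signature on m."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(transaction: bytes, signature: int) -> bool:
    """Mobile device 3: check the signature using public key 10 only."""
    return pow(signature, E, N) == digest(transaction)

def demo() -> dict:
    tx = b"transfer 250.00 EUR to account DE00-CONSTRUCTED-0001"  # constructed sample
    m = digest(tx)
    blinded, r = blind(m)              # only `blinded` leaves the e-commerce server
    sig = unblind(sign(blinded), r)
    return {
        "provider_saw_digest": blinded == m,
        "matches_direct_signature": sig == sign(m),
        "valid": verify(tx, sig),
        "tampered_valid": verify(tx.replace(b"0001", b"6666"), sig),
    }

if __name__ == "__main__":
    print(demo())
```

Because the unblinded value equals an ordinary signature on the digest, the verifier on the phone needs no knowledge of the blinding factor; a changed account number in the displayed transaction fails verification.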

The invention has been illustrated and described in detail in the drawings and foregoing description. Such illustration and description are to be considered in an illustrative or exemplary and non-restrictive manner, i.e., the invention is not limited to the disclosed embodiments. Moreover, the word "comprising" does not exclude other elements or steps, and the indefinite article "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage. Any reference signs in the claims should not be considered as limiting the scope.