Title:
A METHOD FOR AUTHENTICATING AND SYNCHRONIZING OFFLINE DATA
Document Type and Number:
WIPO Patent Application WO/2021/133152
Kind Code:
A1
Abstract:
The present invention relates to a method for authenticating and synchronising offline data. The method allows a user device (10) to perform online application task with an application server (40) even when the user device (10) is disconnected from the application server (40). The method generally includes the steps of registering a user with a web application, logging into the web application, performing authentication with a local server (20), and synchronising at least one offline data of the local server (20) with the data of the application server (40).

Inventors:
SEA CHONG SEAK (MY)
CHANG PEI SHAN (MY)
A/P MANIAM DHARMADHARSHNI (MY)
WONG HON LOON (MY)
DIANAT SEYEDVAHID (MY)
Application Number:
PCT/MY2020/050075
Publication Date:
July 01, 2021
Filing Date:
August 24, 2020
Assignee:
MIMOS BERHAD (MY)
International Classes:
H04L9/08; G06F21/60; H04L9/32
Domestic Patent References:
WO2011066597A1 2011-06-09
Foreign References:
JP2013250759A 2013-12-12
JP2015176215A 2015-10-05
JP2012247858A 2012-12-13
JP2006060643A 2006-03-02
JP2015023550A 2015-02-02
Attorney, Agent or Firm:
H A RASHID, Ahmad Fadzlee (MY)
Claims:
CLAIMS

1. A method for authenticating and synchronising offline data, comprising the steps of:
   a) registering user with a web application by using a web browser (12) of a user device (10);
   b) logging into the web application using the web browser (12); and
   c) synchronising at least one offline data of a local server (20) with at least one online data of an application server (40),
characterised in that a step of performing authentication with the local server (20) is provided prior to the step of synchronising the at least one offline data of the local server (20) with the at least one online data of the application server (40), wherein the step of performing authentication with the local server (20) includes:
   a) requesting cached webpage from a cache application (11) by the web browser (12);
   b) logging into the webpage by inputting user identification and password by the user;
   c) generating a public key and a private key from the user identification and password;
   d) generating a second digital signature using the private key by a login selector (13);
   e) retrieving a digital certificate from a web browser database (14) by the login selector (13);
   f) verifying the digital certificate and the second digital signature by the local server (20);
   g) entering offline data by the user through the web browser (12);
   h) encrypting the offline data using the public key by the login selector (13); and
   i) storing the encrypted offline data in the local server (20).

2. The method as claimed in Claim 1, wherein the step of registering a user with a web application by using the web browser (12) of the user device (10) includes:
   a) inputting user registration information by the user;
   b) storing user registration information in an authentication database (70);
   c) generating a nonce and a universally unique identifier, UUID from user registration information by an authentication server (60);
   d) sending an activation link to the user with the nonce attached;
   e) sending a create password page to the user;
   f) generating the public key and the private key based on user identification and password;
   g) creating a certificate signing request based on user information and the public key;
   h) generating the digital certificate based on the certificate signing request; and
   i) storing the digital certificate in the authentication database (70).

3. The method as claimed in Claim 1, wherein the step of logging into the web application using the web browser (12) includes:
   a) requesting for application webpage from the application server (40);
   b) caching the application webpage by the web browser (12);
   c) logging into the webpage by inputting user identification and password by the user;
   d) generating the public key and the private key from the user identification and password;
   e) generating a first digital signature using the private key;
   f) verifying the first digital signature by the authentication server (60);
   g) retrieving the digital certificate from the authentication database (70);
   h) encrypting the digital certificate with the public key by the authentication server (60);
   i) sending the encrypted digital certificate to the login selector (13);
   j) decrypting the digital certificate using the private key by the login selector (13); and
   k) storing the decrypted digital certificate and user identification to the web browser database (14) in the user device (10).

4. The method as claimed in Claim 1, wherein the step of synchronising the at least one offline data of the local server (20) with the at least one online data of the application server (40) includes:
   a) requesting cached webpage from the cache application (11) by the web browser (12);
   b) logging into the webpage by inputting user identification and password by the user;
   c) generating the public key and the private key from the user identification and password;
   d) generating a third digital signature using the private key by the login selector (13);
   e) retrieving the digital certificate from the authentication database (70);
   f) verifying the digital certificate and the third digital signature by the authentication server (60);
   g) requesting for data synchronisation by retrieving the digital certificate from the web browser database (14);
   h) verifying the digital certificate by the local server (20);
   i) retrieving the encrypted offline data from the local server (20) using a hashed UUID;
   j) decrypting the encrypted offline data by the login selector (13) using the private key; and
   k) syncing the decrypted offline data with the application database (50).

Description:
A METHOD FOR AUTHENTICATING AND SYNCHRONIZING OFFLINE DATA

FIELD OF INVENTION

The present invention relates to a method for authenticating and synchronizing data. More particularly, the present invention relates to a method for authenticating and synchronising offline data so as to allow a user device to perform online application task with an application server even when the user device is disconnected from the application server.

BACKGROUND OF THE INVENTION

In accessing a web application for web service, a user device requires network connectivity to an application server. Such network connectivity may not be interrupted especially when the user device is performing a task in the web application. A loss or interruption of the network connectivity may cause the application server to terminate the user device’s login session and thus, the user may need to redo the task again if the data is not saved.

In view of the network disconnection, there are various systems and methods developed for offline authentication and data synchronization. In one example, US Patent No. 9,602,284 B1 discloses an offline authentication system and method. The offline authentication involves a user workstation to store a vendor identifier and encrypted data comprising a first string of randomized data, a second string of randomized data, and encrypted text. The encrypted text further comprising a first security answer. The user workstation receives credentials information and a second security answer. The user workstation then generates an encryption key. Further, the user workstation uses the encryption key to decrypt the encrypted text and extract the first security answer. Then, the user workstation compares the second security answer with the first security answer and authenticates a second username if the second security answer is the same as the first security answer.

In another example, US Patent Publication No. 2016/0314303 discloses methods, systems, and computer-readable storage mediums for providing data security in web applications operating offline. The methods include receiving a request from a user of a web application during offline use, wherein the request implicates a data item; receiving an offline password from the user; decrypting an encrypted offline key to provide an offline key and selectively using the offline key to process the data item. The data item is processed based on a data protection policy stored in a storage of the web browser and a protection level assigned to the data item.

In yet another example, US Patent Publication No. 2015/0261800 A1 discloses a system, method and computer-readable medium for managing the storage, access and synchronization of offline data. A set of online data, which is available for online access, is persisted as a set of offline data in a local storage associated with a user device and a key-value pair is used to cross-reference the first set of online data and the first set of offline data. An access request for a set of data, corresponding to the first set of online data, is received from a user device application. The access request is then processed to determine whether the first set of online data is available for online access. If it is, then the first set of online data is provided to the user device application for processing. Otherwise, the first set of online data is provided to the user device application for processing.

However, the developed systems and methods mostly require the storing or caching of user credentials or any sensitive data in the user device when offline. This poses a security risk, as the user credentials can be accessed by an unauthorised user once the security layer of the user device has been bypassed. This may even threaten the data security of web applications in terms of the data being synchronized once online or accessing the data in the web application. Additionally, such systems and methods would also consume the resources of the user device, either to store the user credentials or to perform the authentication process.

Therefore, there is a need to provide a method for authenticating and synchronizing offline data that addresses the above-mentioned drawbacks.

SUMMARY OF INVENTION

The present invention provides a method of authenticating and synchronizing offline data. The method is characterized by the steps of registering user with a web application by using a web browser (12) of a user device (10), logging into the web application using the web browser (12), performing local server authentication, and synchronizing at least one offline data of a local server with at least one online data of an application server (40).

Preferably, the step of registering user with a web application by using the web browser (12) of the user device (10) includes inputting user registration information by the user, storing user registration information in an authentication database (70), generating a nonce and universally unique identifier, UUID from user registration information by an authentication server (60), sending an activation link to the user with the nonce attached, sending a create password page to the user, generating a public key and a private key based on user identification and password, creating a certificate signing request based on user information and public key, generating a digital certificate based on the certificate signing request, and storing the digital certificate in an authentication database (70).

Preferably, the step of logging into the web application using the web browser (12) includes requesting for application webpage from the application server (40), caching the application webpage by the web browser, logging into the webpage by inputting user identification and password by the user, generating the public key and the private key from the user identification and password, generating the first digital signature using the private key, verifying the digital signature by the authentication server (60), retrieving the digital certificate from the authentication database (70), encrypting the digital certificate with the public key by authentication server (60), sending the encrypted digital certificate to a login selector (13), decrypting the digital certificate using the private key by the login selector (13), and storing the decrypted digital certificate and user identification to the browser database (14) in the user device (10).

Preferably, the step of performing local server authentication includes requesting cached webpage from the cache application (11) by the web browser, logging into the webpage by inputting user identification and password by the user, generating the public key and the private key from the user identification and password, generating a second digital signature using the private key by the login selector (13), retrieving the digital certificate from the browser database (14) by the login selector (13), verifying the digital certificate and the digital signature by the local server (20), entering offline data by the user through the web browser (12), encrypting the offline data using the public key by the login selector (13), and storing the encrypted offline data in the local server (20).

Preferably, the step of synchronizing at least one offline data with at least one online data of the web application includes requesting cached webpage from the cache application (11) by the web browser, logging into the webpage by inputting user identification and password by the user, generating the public key and the private key from the user identification and password, generating a third digital signature using the private key by the login selector (13), retrieving the digital certificate from the authentication database (70), verifying the digital certificate and the digital signature by the authentication server (60), requesting for data synchronization by retrieving the digital certificate from the browser database (14), verifying the digital certificate by the local server (20), retrieving the encrypted offline data from the local server (20) using the hashed UUID, decrypting the encrypted offline data by the login selector using the private key, and syncing the decrypted offline data with the application database (50).

Advantageously, the method allows a user device to continuously perform a task on a web application even when network connectivity is intermittently offline.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention.

FIG. 1 shows a block diagram of a system (100) for authenticating and synchronizing offline data according to an embodiment of the present invention.

FIG. 2 shows a flowchart of a method for authenticating and synchronizing offline data according to an embodiment of the present invention.

FIGS. 3(a-b) show a flowchart of sub-steps for registering a user as in step 1000 of the method of FIG. 2.

FIG. 4(a-b) shows a flowchart of sub-steps for a first-time login as in step 2000 of the method of FIG. 2.

FIG. 5(a-b) shows a flowchart of sub-steps for performing authentication with a local server (20) as in step 3000 of the method of FIG. 2.

FIGS. 6(a-c) show a flowchart of sub-steps for performing data synchronisation as in step 4000 of the method of FIG. 2.

DESCRIPTION OF THE PREFERRED EMBODIMENT

A preferred embodiment of the present invention will be described hereinbelow with reference to the accompanying drawings. In the following description, well-known functions or constructions are not described in detail since they would obscure the description with unnecessary detail.

Referring to FIG. 1, there is shown a block diagram of a system (100) for authenticating and synchronizing offline data. The system (100) comprises at least one user device (10), a local server (20), an application gateway (30), at least one application server (40), at least one application database (50), at least one authentication server (60), and at least one authentication database (70). During online mode, a connection is established between the user device (10) and the application server (40) through the application gateway (30). During offline mode, a connection is established between the user device (10) and the local server (20).

The user device (10) is a computing device used to access a web application and perform any tasks or data transactions on the web application, wherein the computing device can either be a computer, a laptop, a tablet, a smartphone or any other computing devices that are able to access the web application to perform tasks. Some examples of tasks performed on web application include online purchases on e-commerce system and online healthcare services. The user device (10) includes a cache application (11) to load a cached webpage for offline session, a web browser (12) to display the webpage, a login selector (13) to generate a key pair and digital signature, and a web browser database (14) to store the digital certificate for offline session; wherein the cache application (11), the web browser (12), the login selector (13) and the web browser database (14) are computer programmes installed on the user device (10).

The local server (20) is configured for storing at least one encrypted offline data and authenticating digital signatures and digital certificate. The local server (20) is connected to the web browser (12) and the login selector (13) of the user device (10).

The application gateway (30) is configured as a proxy for communication between the user device (10) and the application server (40), wherein the application gateway (30) provides a first level of data security for the application server (40). The application gateway (30) is connected to the cache application (11), the web browser (12), the application server (40) and the authentication server (60).

The application server (40) is configured to provide at least one web application. The application server (40) is connected to the application gateway (30) and the application database (50), wherein the application database (50) is configured to store all the data from the performed tasks on the web application.

The authentication server (60) is configured for authenticating digital signatures and digital certificate. The authentication server (60) is connected to the login selector (13), the application gateway (30) and the authentication database (70), wherein the authentication database (70) is configured to store digital certificates, nonces, and registration information.

Referring now to FIG. 2, there is shown a flowchart of a method for authenticating and synchronizing offline data according to an embodiment of the present invention. For convenience, the method is described in relation to data transmissions amongst a single user device (10), a single application server (40), and a single authentication server (60). It should be understood that in practice, the method can be adapted for any data transmission amongst multiple user devices (10), multiple application servers (40) and multiple authentication servers (60).

Initially, a user registers with a web application by using the web browser (12) of the user device (10) as in step 1000, wherein the web browser (12) interacts with the application gateway (30) that communicates with the application server (40) running the web application. The sub-steps for registering the user will be later described in relation to FIG. 3. Once the user registration has been completed, the user logs into the web application for a first time using the web browser (12) as in step 2000. The sub-steps of the first-time login will be later described in relation to FIG. 4.

Thereon, the user performs authentication with the local server (20) using the login selector (13) as in step 3000. The sub-steps of the local server authentication will be later described in relation to FIG. 5.

Next, the web browser (12) synchronizes at least one offline data of the local server (20) with the data of the application server (40) as in step 4000. The sub-steps of the data synchronization will be later described in relation to FIG. 6.

FIGS. 3(a-b) show a flowchart of the sub-steps for online registration of the user as in step 1000 of the method as shown in FIG. 2. In step 1001, the user sends a request message for a new user registration from the web browser (12) to the application gateway (30). The application gateway (30) relays the request message to the authentication server (60).

Once the authentication server (60) receives the request message, the authentication server (60) transmits user registration webpages to the application gateway (30) as in step 1002. The application gateway (30) relays the user registration webpages to the web browser (12).

The web browser (12) displays the user registration webpages to the user as in step 1003, wherein the user registration webpages are registration forms for the user to input his/her registration information such as name, user identification, email address and the like.

After the user has inputted the registration information, the registration information is sent to the application gateway (30) that relays the registration information to the authentication server (60) as in step 1004. Thereon, the authentication server (60) automatically generates a nonce and a universally unique identifier, UUID as in step 1005. The registration information together with the generated nonce and UUID are sent and stored in the authentication database (70) as in step 1006. In step 1007, the authentication server (60) sends a notification message and an activation link attached with the generated nonce to the email address provided in the registration information. The activation link is a weblink that automatically indicates the verification of the new registered account.

If the activation link has not been accessed for a certain period of time, the registration information and the generated nonce and UUID are deleted from the authentication database (70) by the authentication server (60) as in decision 1008 and step 1009.

If the activation link has been accessed accordingly, the attached nonce is sent from the web browser (12) to the application gateway (30) as in decision 1008 and step 1010. The application gateway (30) relays the nonce to the authentication server (60).

Based on the nonce, the authentication server (60) retrieves the user identification and UUID from the authentication database (70) as in step 1011. The authentication server (60) transmits a create password webpage embedded with the user identification to the web browser (12) via the application gateway (30) as in step 1012.

The user inputs a password in the create password webpage displayed by the web browser (12) as in step 1013. The web browser (12) then generates a public key and a private key based on a mathematical transformation of the user identification and password as in step 1014. The web browser (12) sends the nonce and the generated public key to the authentication server (60) via the application gateway (30) as in step 1015.

The authentication server (60) validates the user data using the nonce and the public key as in step 1016. Once the user data has been validated, the authentication server (60) sends the public key and the nonce to a Certificate Manager as in step 1017. The Certificate Manager retrieves the user registration information from the authentication database (70) based on the nonce as in step 1018. Thereon, the Certificate Manager generates a certificate signing request based on the user registration information, email address, the public key and a digest of a hashed UUID as in step 1019. In step 1020, the certificate signing request is sent to a Certificate Authority server that issues a digital certificate, wherein the digital certificate certifies the ownership of the public key. The digital certificate issued by the Certificate Authority is sent to the Certificate Manager. The Certificate Manager stores the digital certificate relative to the user registration information in the authentication database (70) as in step 1021.

Referring to FIG. 4(a-b), there is shown a flowchart of the sub-steps for an online login for a first-time user as in step 2000 of the method as shown in FIG. 2. In step 2001, the web browser (12) sends a request for accessing a login webpage to the application server (40) via the application gateway (30). The application server (40) responds to the request by sending the login webpage to the web browser (12) via the application gateway (30) as in step 2002.

The web browser (12) then caches the login webpage and initializes the login selector (13). The login selector (13) checks for a valid session for the login process as in step 2003.

Once the login selector (13) has validated the session, the login selector (13) toggles login for an online session as in step 2004. The user inputs his/her user identification and password through the web browser (12) and the web browser (12) sends the user identification and password to the login selector (13) as in step 2005.

The login selector (13) initializes the application gateway (30) to download the user’s digital certificate as in step 2006. The application gateway (30) redirects the login selector (13) to the login webpage in the web browser (12) as in step 2007. In step 2008, the login selector (13) generates a public key and a private key based on a mathematical transformation of the user identification and password. Thereon, the login selector (13) generates a first digital signature as in step 2009, wherein the first digital signature is generated by obtaining the system time of the user device, calculating a second digest based on the system time, and signing the second digest using the private key. The first digital signature and the user identification are sent to the authentication server (60). In step 2010, the authentication server (60) verifies the first digital signature by calculating a third digest based on the system time of the authentication server (60) with a tolerance of 2 mins, and comparing the third digest with the second digest. If the second digest is similar to the third digest, the digital signature is verified as in decision 2011 and step 2012. If the second digest is not similar to the third digest, it indicates that the user inputs a wrong user identification or password, thus the digital signature is not verified and the method ends. The authentication server (60) then retrieves the digital certificate from the authentication database (70) based on the user identification and encrypts the digital certificate with the public key as in step 2013. The authentication server (60) generates an online session and sends the encrypted certificate and a login status to the login selector (13) as in step 2014.

The login selector (13) redirects the encrypted certificate to the application gateway (30) in step 2015. The application gateway (30) decrypts the encrypted certificate to obtain the digital certificate by using the private key as in step 2016. The digital certificate is then sent to the login selector (13) that relays the digital certificate to the web browser (12) as in step 2017. The web browser (12) stores the digital certificate together with the user identification in the web browser database (14) as in step 2018.

Referring to FIG. 5(a-b), there is shown a flowchart of the sub-steps for performing an offline authentication with the local server (20) as in step 3000 of the method as shown in FIG. 2. In step 3001, the web browser (12) sends a request message to the cache application (11). The cache application (11) responds to the request message by loading an application cache webpage to the web browser (12) as in step 3002.

The web browser (12) then initializes the login selector (13). The login selector (13) checks for a valid session for the login process as in step 3003.

Once the login selector (13) has validated the session, the login selector (13) toggles login for offline session as in step 3004. The user inputs his/her user identification and password through the web browser (12) and the web browser (12) sends the user identification and password to the login selector (13) as in step 3005. The login selector (13) generates a public key and a private key based on a mathematical transformation of the user identification and password as in step 3006. Thereon, the login selector (13) generates a second digital signature as in step 3007, wherein the second digital signature is generated by obtaining the system time of the user device, calculating a fourth digest based on the system time of the user device, and signing the fourth digest using the private key to create the second digital signature.

The login selector (13) then retrieves the digital certificate corresponding to the user identification from the web browser database (14) as in step 3008. Thereon, the login selector (13) sends the second digital signature and the digital certificate to the local server (20) as in step 3009.

In step 3010, the local server (20) verifies the digital certificate and the second digital signature. The digital certificate is verified by using public key and the second digital signature is verified by calculating a fifth digest based on the local server’s system time with a tolerance of 2 mins, and comparing the fourth digest with the fifth digest. If the fourth digest is similar to the fifth digest, the second digital signature is verified and the local server (20) notifies the login selector of the login status as in decision 3011 and step 3012. If the fourth digest is not similar to the fifth digest, it indicates that the user inputs a wrong user identification or password, thus the second digital signature is not verified and the method ends. The login selector (13) relays the login status to the web browser (12).
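The time-based signature check of steps 3006 to 3012 (the same pattern as steps 2008 to 2012 and 4008 to 4013), as an added example that is not part of the patent text. The description does not name the "mathematical transformation", the signature scheme or the digest construction, so scrypt, Ed25519, a SHA-256 digest over a 30-second time step, the plain-object certificate and all function names are assumptions of this sketch.

```javascript
const crypto = require('node:crypto');

// Assumed parameters: only the 2 minute tolerance comes from the description.
const STEP_MS = 30 * 1000;
const TOLERANCE_MS = 2 * 60 * 1000;
// DER header that turns a 32-byte seed into a PKCS#8 Ed25519 private key.
const ED25519_PKCS8_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');

// Steps 2008 / 3006 / 4008: the same user identification and password always
// yield the same key pair, so no private key has to be stored on the device.
function deriveKeyPair(userId, password) {
  const seed = crypto.scryptSync(password.normalize('NFKC'), `login-selector:${userId}`, 32);
  const privateKey = crypto.createPrivateKey({
    key: Buffer.concat([ED25519_PKCS8_PREFIX, seed]),
    format: 'der',
    type: 'pkcs8',
  });
  return { privateKey, publicKey: crypto.createPublicKey(privateKey) };
}

// Digest of the system time, quantised to a step so that the signer and the
// verifier can compute the same value from slightly different clocks.
function timeDigest(userId, timeMs) {
  const step = Math.floor(timeMs / STEP_MS);
  return crypto.createHash('sha256').update(`${userId}|${step}`).digest();
}

// Steps 2009 / 3007 / 4009: sign the digest of the device's system time.
function signLogin(userId, password, deviceNowMs) {
  const { privateKey } = deriveKeyPair(userId, password);
  return crypto.sign(null, timeDigest(userId, deviceNowMs), privateKey);
}

// Steps 2010 / 3010 / 4011: the verifier recomputes the digest from its own
// clock for every step inside the tolerance and checks the signature with the
// public key from the certificate. Quantisation widens the effective window
// by up to one step beyond the nominal tolerance.
function verifyLogin(certificate, signature, verifierNowMs) {
  const publicKey = crypto.createPublicKey({
    key: certificate.publicKeyDer,
    format: 'der',
    type: 'spki',
  });
  for (let t = verifierNowMs - TOLERANCE_MS; t <= verifierNowMs + TOLERANCE_MS; t += STEP_MS) {
    if (crypto.verify(null, timeDigest(certificate.userId, t), publicKey, signature)) {
      return true;
    }
  }
  return false;
}

// Constructed sample data. A plain object stands in for the X.509 certificate
// issued at registration; validating its issuer is out of scope here.
function demo() {
  const userId = 'alice@example.test';
  const password = 'correct horse battery staple';
  const enrolled = deriveKeyPair(userId, password);
  const certificate = {
    userId,
    publicKeyDer: enrolled.publicKey.export({ type: 'spki', format: 'der' }),
  };
  const t0 = Date.UTC(2021, 6, 1, 12, 0, 0);
  return {
    // Device clock 90 s behind the verifier: inside the tolerance.
    fresh: verifyLogin(certificate, signLogin(userId, password, t0), t0 + 90 * 1000),
    // A wrong password derives a different key, so the signature cannot verify.
    wrongPassword: verifyLogin(certificate, signLogin(userId, 'wrong password', t0), t0),
    // The same signature presented five minutes later is rejected.
    stale: verifyLogin(certificate, signLogin(userId, password, t0), t0 + 5 * 60 * 1000),
  };
}

console.log(demo());
```

A failed check cannot distinguish a wrong password from clock drift beyond the tolerance, so both end the login in the same way.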

Thereon, the user enters at least one offline data through the web browser (12) and the web browser (12) sends the offline data to the login selector (13) as in step 3013. The login selector (13) encrypts the offline data using the public key in the digital certificate as in step 3014. The encrypted offline data together with the digital certificate are sent to the local server (20) as in step 3015.

In step 3016, the local server (20) verifies the digital certificate by comparing the user’s hashed UUID with the hashed UUID in the digital certificate. The local server (20) then stores the encrypted data together with HID as in step 3017. The local server (20) sends a data stored status notification to the login selector (13) that relays the data stored status notification to the web browser (12) as in step 3018. Steps 3013 to 3018 are repeated for each data entered by the user as in step 3019.

Referring to FIGS. 6(a-c), there is shown a flowchart of the sub-steps for data synchronisation as in step 4000 of the method as shown in FIG. 2. In step 4001, the web browser (12) sends a request message to the cache application (11). The cache application (11) responds to the request message by loading an application cache webpage to the web browser (12) as in step 4002.

The web browser (12) then initializes the login selector (13). The login selector (13) checks for a valid session for the login process in step 4003.

Once the login selector (13) has validated the session, the login selector (13) toggles login for online session as in step 4004. The user inputs his/her user identification and password through the web browser (12) and the web browser (12) sends the user identification and password to the login selector (13) as in step 4005.

In step 4006, the login selector (13) sends a login request to the application server (40). The application server (40) checks for online session and redirects the login selector (13) to the login webpage as in step 4007.

In step 4008, the login selector (13) generates a public key and a private key based on a mathematical transformation of the user identification and password. Thereon, the login selector (13) generates a third digital signature as in step 4009, wherein the third digital signature is generated by obtaining the system time of the user’s device, calculating a sixth digest based on the system time of the user’s device, and signing the sixth digest using the private key to create the third digital signature.

The third digital signature and the user identification are sent to the authentication server (60). The authentication server (60) retrieves the digital certificate from the authentication database (70) corresponding to the user identification as in step 4010.

The authentication server (60) verifies the digital certificate and the third digital signature as in step 4011. The digital certificate is verified by using public key and the third digital signature is verified by calculating a seventh digest based on the authentication server’s (60) system time with a tolerance of 2 mins, and comparing the sixth digest with the seventh digest. If the sixth digest is similar to the seventh digest, the third digital signature is verified and the authentication server (60) notifies the login selector (13) of the login status as in decision 4012 and step 4013. If the sixth digest is not similar to the seventh digest, it indicates that the user inputs a wrong user identification or password, thus the third digital signature is not verified and the method ends. The login selector (13) relays the login status to the web browser (12).

The web browser (12) sends a data synchronisation request to the login selector (13) as in step 4014. The login selector (13) retrieves the digital certificate corresponding to the user identification from the web browser database (14) as in step 4015. The login selector (13) initializes data synchronisation with the local server (20) and sends the digital certificate to the local server (20) as in step 4016.

The local server (20) verifies the digital certificate by comparing the user’s hashed UUID with the hashed UUID in the digital certificate. Once it has been verified, the local server (20) notifies the login selector (13) of its readiness for data synchronisation as in step 4017. The login selector (13) retrieves the encrypted offline data based on hashed UUID for synchronisation from the local server (20) as in step 4018. The encrypted offline data are then deleted from the local server (20).

The login selector (13) decrypts the encrypted offline data by using the user’s private key as in step 4019.

The decrypted offline data is then sent to the application gateway (30) that relays the decrypted offline data to the application server (40) as in step 4020. The application server (40) synchronises its online data with the decrypted offline data as in step 4021. Once the synchronisation has been performed, the application server (40) sends a status notification to the application gateway (30) that relays it to the login selector (13) as in step 4022. The login selector (13) sends the status notification to the web browser (12) as in step 4023.

Steps 4018 to 4023 are repeated until the end of record as indicated by the user’s hashed UUID as in step 4024.
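The offline storage path of steps 3014 to 3017 and its counterpart in steps 4018 to 4019, as an added example that is not part of the patent text. The description does not specify how data is encrypted "using the public key", so the hybrid construction here (a password-derived X25519 key, HKDF and AES-256-GCM), the SHA-256 hashed UUID, the plain-object certificate and all names are assumptions of this sketch.

```javascript
const crypto = require('node:crypto');

// DER header that turns a 32-byte seed into a PKCS#8 X25519 private key.
const X25519_PKCS8_PREFIX = Buffer.from('302e020100300506032b656e04220420', 'hex');
const hashUuid = (uuid) => crypto.createHash('sha256').update(uuid).digest('hex');

// Assumed "mathematical transformation": scrypt over the password, salted
// with the user identification, used as the X25519 private key seed.
function deriveKeyPair(userId, password) {
  const seed = crypto.scryptSync(password.normalize('NFKC'), `offline-data:${userId}`, 32);
  const privateKey = crypto.createPrivateKey({
    key: Buffer.concat([X25519_PKCS8_PREFIX, seed]),
    format: 'der',
    type: 'pkcs8',
  });
  return { privateKey, publicKey: crypto.createPublicKey(privateKey) };
}

// Content key bound to the hashed UUID the record is stored under.
function contentKey(sharedSecret, hashedUuid) {
  const info = `offline-record:${hashedUuid}`;
  return Buffer.from(crypto.hkdfSync('sha256', sharedSecret, Buffer.alloc(0), info, 32));
}

// Step 3014: only the public key from the certificate is needed to encrypt.
function encryptRecord(certificate, plaintext) {
  const recipient = crypto.createPublicKey({ key: certificate.publicKeyDer, format: 'der', type: 'spki' });
  const ephemeral = crypto.generateKeyPairSync('x25519');
  const shared = crypto.diffieHellman({ privateKey: ephemeral.privateKey, publicKey: recipient });
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', contentKey(shared, certificate.hashedUuid), iv);
  cipher.setAAD(Buffer.from(certificate.hashedUuid));
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    ephemeralPublicDer: ephemeral.publicKey.export({ type: 'spki', format: 'der' }),
    iv,
    ciphertext,
    tag: cipher.getAuthTag(),
  };
}

// Step 4019: the private key is re-derived from the credentials at sync time.
// Throws if the password is wrong or the record was altered or re-filed.
function decryptRecord(userId, password, hashedUuid, record) {
  const { privateKey } = deriveKeyPair(userId, password);
  const ephemeralPublic = crypto.createPublicKey({ key: record.ephemeralPublicDer, format: 'der', type: 'spki' });
  const shared = crypto.diffieHellman({ privateKey, publicKey: ephemeralPublic });
  const decipher = crypto.createDecipheriv('aes-256-gcm', contentKey(shared, hashedUuid), record.iv);
  decipher.setAAD(Buffer.from(hashedUuid));
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString('utf8');
}

// Stand-in for the local server (20): it only ever holds ciphertext, filed
// under the hashed UUID carried in the certificate (step 3017).
class LocalServer {
  constructor() {
    this.records = new Map();
  }
  store(certificate, record) {
    const list = this.records.get(certificate.hashedUuid) || [];
    list.push(record);
    this.records.set(certificate.hashedUuid, list);
  }
  // Step 4018: hand the records over for synchronisation, then delete them.
  retrieveAndDelete(certificate) {
    const list = this.records.get(certificate.hashedUuid) || [];
    this.records.delete(certificate.hashedUuid);
    return list;
  }
}

// Constructed sample data; certificate validation is out of scope here.
function demo() {
  const userId = 'alice@example.test';
  const password = 'correct horse battery staple';
  const hashedUuid = hashUuid('123e4567-e89b-12d3-a456-426614174000');
  const publicKeyDer = deriveKeyPair(userId, password).publicKey.export({ type: 'spki', format: 'der' });
  const certificate = { userId, hashedUuid, publicKeyDer };
  const server = new LocalServer();
  server.store(certificate, encryptRecord(certificate, 'order 1: 3 units'));
  server.store(certificate, encryptRecord(certificate, 'order 2: 5 units'));
  const pending = server.retrieveAndDelete(certificate);
  let wrongPasswordFails = false;
  try {
    decryptRecord(userId, 'wrong password', hashedUuid, pending[0]);
  } catch {
    wrongPasswordFails = true;
  }
  return {
    synced: pending.map((r) => decryptRecord(userId, password, hashedUuid, r)),
    leftOnServer: server.retrieveAndDelete(certificate).length,
    wrongPasswordFails,
  };
}

console.log(demo());
```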