METHOD AND SYSTEM FOR AUTHENTICATING ENTITIES USING MOBILE DEVICES.
Patent abstract:
Entity authentication method and system. Users (A, B) are provided with a set of authentication codes (3-5), each set consisting of at least one secret (3), a private key QR code (4) and an associated public key QR code (5), wherein the private and public key QR codes are generated from a first string (1) consisting of a URL of an authentication server system (10) and a PKI private key, and a second string (2) consisting of the same URL and the corresponding PKI public key. If the authentication server system (10) receives a first string (1) as a result of a first user scanning the respective private key QR code (4), a procedure with defined actions is performed that asks the first user to enter the secret (3) associated with the set of authentication codes (3-5). If the evaluation returns a positive result, the first user can define a set of actions to be performed when the authentication server system (10) receives a second string (2) belonging to the same set of authentication codes.
Publication number: BE1019683A3
Application number: E2012/0231
Application date: 2012-04-04
Publication date: 2012-09-04
Inventor: Luc Buntinx
Applicant: Buntinx
IPC main class:
Patent description:
Method and system to authenticate entities using mobile devices.

Technical area

This invention relates to a method and a system for authenticating entities by means of mobile devices.

State of the art

QR codes have been known for some time. A QR code (Quick Response code) is a specific matrix barcode (or two-dimensional code) which can be read by any telephone equipped with a camera and a QR barcode reader. A QR code is made up of colored blocks (usually black) in a square pattern on a white background. The coded information can contain a URL. There are many different QR code reader applications that can be installed on a smartphone, with which a user can scan a QR code and is then automatically redirected to the web page behind the URL encoded in the scanned QR code. This saves the user from having to type in the URL on his smartphone to gain access to the services offered on the web page. All information contained in the QR code is forwarded to the corresponding web page. This makes it possible to link a complex alphanumeric string (eg a code) to a service without having to enter this string manually.

A Public Key Infrastructure (PKI) is a combination of hardware and software used to issue and control digital certificates, in particular public and private key pairs, for various purposes such as security and authentication, for example encrypting information or authenticating users. The PKI usually consists of a Certification Authority (CA) that generates a PKI public and private key set for the user, a Registration Authority (RA) where the user can register his PKI public and private key set, and a Validation Authority (VA) that can validate the PKI public and private key set. Since the PKI public and private key can consist of a fairly long string of characters, it is not easy for a user to type this string on a smartphone.
If these keys are stored on the device, the keys can be misused or the information copied in the event of theft. This means that a PKI-based security solution is not suitable for use on a smartphone.

Explanation of the invention

The object of this invention is to provide a more user-friendly authentication system and method suitable for use with mobile devices. This object is achieved according to the invention by a method / system comprising the various steps / functions of the independent claims.

The invention uses a set of authentication codes to authenticate a specific entity. These authentication codes are uniquely linked in the system as part of this specific entity. According to the invention, a set of authentication codes consists of the combination of a private key QR code, a corresponding public key QR code and one or more "secrets", such as, for example, an alphanumeric password or a pin code. The private key QR code is a QR code that is generated from a first string that consists of a URL / domain name of an authentication server system, a PKI private key and possibly one or more parameters or identification labels. The public-key QR code is a QR code that is generated from a second string that consists of a URL / domain name of an authentication server system (i.e. the same URL / domain name as in the first string), the corresponding PKI public key and possibly one or more parameters or identification labels.

A secure transaction is considered safe if it consists of "something" that you own and "something" that you know (eg a bank card and a pin code to withdraw money from your account, an e-mail address and a password to download information from a website, an alarm system and a pin code to deactivate monitoring). Therefore, this invention combines the PKI keys in the form of a QR code with one or more secrets (e.g., a password).
With this invention it is possible to prevent the PKI keys and the secrets from being stored simultaneously on the mobile device. As a result, the authentication system and method are independent of the mobile device and can thus guarantee a high level of security.

The invention describes an action definition procedure whereby a first user can define which series of actions are to be performed once the authentication server system receives the second string (encoded in the public-key QR code) from a set of authentication codes that was provided to the first user. To activate the action definition procedure, the first user scans the private key QR code from the set of authentication codes with his mobile device. As a result of the scanning, the authentication server system receives the first string encoded in the private key QR code. The first user is then guided through the action definition procedure. He is first asked to enter the secret. The authentication server system then checks whether the secret and the previously received first string belong to the same set of authentication codes and whether they meet the predefined conditions (eg they were received within a predefined time window relative to each other, they come from the same mobile device, eg by checking the IP address, session identification, etc.). If this check gives a positive result, the first user is asked to define a series of actions to be performed when the second string (encoded in the public-key QR code) belonging to the same set of authentication codes is received on the authentication server system.

The advantages of the invention are as follows. The use of QR codes is simple, as current smartphones are equipped with a camera and are therefore able to read QR codes. The software for reading QR codes is available free of charge, allowing a user to use his own smartphone to visit a website simply by scanning a QR code. Thus, no other specific devices are required to use the invention.
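The server-side check in the action definition procedure described above can be sketched as follows. This is an added example, not code from the patent or from any QR-PKI service: the host `qr-pki.example`, the path layout `/<identifier>/<key>`, the class and function names, the 60-second window, the use of session ID plus IP address as the "same device" test, and the decision to keep only digests of the keys and a salted hash of the secret are all assumptions.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

SERVICE_HOST = "qr-pki.example"   # placeholder service host (assumption)
WINDOW_SECONDS = 60               # predefined time window (assumed value)


def _digest(key: str) -> bytes:
    """Fingerprint of a key string, so the server need not keep the key itself."""
    return hashlib.sha256(key.encode()).digest()


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def parse_scanned_string(url: str):
    """Split a scanned string into (identifier, key); None if it is malformed.

    Assumed layout: https://<service host>/<identifier>/<key>[/<parameters>...]
    Only https and the expected host are accepted (a choice made in this sketch).
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != SERVICE_HOST:
        return None
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        return None
    return segments[0], segments[1]


class AuthServer:
    def __init__(self):
        self.sets = {}      # identifier -> digests of both keys + hashed secret
        self.pending = {}   # session_id -> (identifier, ip, time of private scan)

    def register_set(self, identifier, private_key, public_key, secret):
        salt = os.urandom(16)
        self.sets[identifier] = {
            "private": _digest(private_key),
            "public": _digest(public_key),
            "salt": salt,
            "secret": _hash_secret(secret, salt),
        }

    def receive_scan(self, url, session_id, ip, now):
        """First string -> ask for the secret; second string -> run defined actions."""
        parsed = parse_scanned_string(url)
        if parsed is None or parsed[0] not in self.sets:
            return "reject"
        identifier, key = parsed
        record = self.sets[identifier]
        if hmac.compare_digest(_digest(key), record["private"]):
            self.pending[session_id] = (identifier, ip, now)
            return "ask_secret"
        if hmac.compare_digest(_digest(key), record["public"]):
            return "run_actions"
        return "reject"

    def receive_secret(self, secret, session_id, ip, now):
        """True only if the secret matches the set scanned in this session,
        arrives inside the window and comes from the same session and address."""
        entry = self.pending.pop(session_id, None)   # one attempt per scan
        if entry is None:
            return False
        identifier, scan_ip, scan_time = entry
        if ip != scan_ip or not (0 <= now - scan_time <= WINDOW_SECONDS):
            return False
        record = self.sets[identifier]
        candidate = _hash_secret(secret, record["salt"])
        return hmac.compare_digest(candidate, record["secret"])


def demo():
    """Constructed inputs: keys, secret, sessions and addresses are made up."""
    server = AuthServer()
    server.register_set("set42", "PRIVKEY-constructed", "PUBKEY-constructed", "s3cret")
    priv = f"https://{SERVICE_HOST}/set42/PRIVKEY-constructed"
    pub = f"https://{SERVICE_HOST}/set42/PUBKEY-constructed"
    out = {}
    out["scan"] = server.receive_scan(priv, "sess-1", "198.51.100.7", 1000)
    out["ok"] = server.receive_secret("s3cret", "sess-1", "198.51.100.7", 1030)
    server.receive_scan(priv, "sess-2", "198.51.100.7", 2000)
    out["late"] = server.receive_secret("s3cret", "sess-2", "198.51.100.7", 2061)
    server.receive_scan(priv, "sess-3", "198.51.100.7", 3000)
    out["other_device"] = server.receive_secret("s3cret", "sess-3", "203.0.113.9", 3010)
    server.receive_scan(priv, "sess-4", "198.51.100.7", 4000)
    out["wrong"] = server.receive_secret("guess", "sess-4", "198.51.100.7", 4005)
    out["retry"] = server.receive_secret("s3cret", "sess-4", "198.51.100.7", 4006)
    out["public"] = server.receive_scan(pub, "sess-5", "198.51.100.7", 5000)
    return out
```

Dropping the pending entry on every secret attempt means a wrong guess forces a fresh scan of the private key QR code, so the time window cannot be used for repeated guessing.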
The invention uses QR codes that contain a PKI public and a private key, but is nevertheless secure, as the set of authentication codes also consists of one or more secrets that are only known by the user. The invention is further secured by means of the predefined conditions such as, for example, a predefined time window in which successive actions must occur and / or the requirement that successive actions come from the same mobile device. If desired, security can then be increased by using https connections to send information over the internet to the authentication server system.

In an advantageous embodiment of the invention, multiple consecutive scans are combined, on the same mobile device and within a predefined time window, of a public-key QR code and / or a private-key QR code in combination with the corresponding secret, using keys that belong to different entities. By creating such combinations, a wide variety of action schedules can be created and / or executed.

In an advantageous embodiment of the invention, each set of authentication codes includes additional user-definable secrets, and the action definition procedure includes the steps to associate the necessary predefined procedures with each user-defined secret. As soon as one of these additional user-defined secrets arrives on the authentication server system (10), the corresponding predetermined procedure is executed. This can be used, for example, to create a password that the user enters when he is under threat, so that the corresponding procedure is carried out, such as alerting an emergency service.

In an advantageous embodiment of the invention, the action definition procedure further consists of creating a temporary key as a QR code for the first user, said temporary key having a predetermined validity period and having a series of actions assigned to it that must be executed as soon as the temporary key is received by the authentication server system.
This QR code can, for example, be generated from a string that contains a URL / domain name of the authentication server system and a string of alphanumeric characters that may or may not contain separators.

In an advantageous embodiment of the invention, a set of authentication codes for an entity is assigned to a first user, said entity set being a set of authentication codes where the public-key QR code is assigned to the entity of the first user. Such an entity set can be used, for example, to authenticate lost objects that have been found: by attaching the public-key QR code to the object, anyone who finds the object can scan the public-key QR code, activating a series of actions such as notifying the owner, informing the finder who the owner is or where the object is to be taken, etc. Such an entity set can also be used to secure a location: for example, if a (security) agent arrives at a location, he scans the public-key QR code of the location and has to go through an authentication procedure before he gains access to the protected areas.

In an advantageous embodiment of the invention, the definition of the actions includes the following steps: the first user is prompted to define a set of logical conditions which are evaluated as soon as the second string is received on the authentication server system, to define a first set of actions to be performed if the evaluation of the logical condition gives "true", and to define a second set of actions to be performed if the evaluation of the logical condition gives "false". These logical conditions can be made up of definable attributes (variables) that can be given a value in the definition or by evaluation, and can call predefined functions from the authentication server system.

Short description of the drawings / figures

The invention is also illustrated with the following descriptions and accompanying drawings / figures.
Figure 1 provides an overview of an advantageous embodiment of an authentication system according to the invention.
Figure 2 shows an advantageous embodiment of a set of authentication codes according to the invention.
Figure 3 gives an example of a procedure according to the invention for creating a first set of authentication codes for the user.
Figure 4 gives an example of a procedure according to the invention for changing the attributes of the authentication codes and / or defining actions for the authentication codes.
Figure 5 gives an example of a procedure according to the invention for creating / assigning a set of authentication codes for an entity of a user.
Figure 6 gives an example of a procedure according to the invention for creating / assigning a temporary QR code for a user.
Figure 7 gives an example of a procedure according to the invention for authenticating a second user by scanning a public key QR code.
Figure 8 gives an example of a procedure in which a first user sends an encrypted and signed document to a second user, the two users being authenticated according to the invention.
Figure 9 shows the application of the invention in a first case.
Figure 10 shows the application of the invention in a second case.
Figure 11 shows the application of the invention in a third case.
Figure 12 shows the application of the invention in a fourth case.
Figure 13 shows the application of the invention in a fifth case.
Figure 14 shows the application of the invention in a sixth case.
Figure 15 shows the application of the invention in a seventh case.
Figure 16 shows the application of the invention in an eighth case.

Modes for carrying out the invention

The present invention will be described with respect to particular embodiments and with reference to certain drawings, but the invention is not limited thereto but only by the claims. The described drawings are schematic representations and are non-limitative.
The dimensions of some parts in the drawings may differ from reality and are not drawn to scale; they are for illustrative purposes only. The dimensions and relative dimensions do not necessarily correspond to an actual scaling for proper operation of the invention.

Furthermore, the terms "first, second, third and the like" are used in the descriptions and in the claims to distinguish between similar elements and not necessarily for describing a sequential or chronological order. The terms are interchangeable under proper conditions and the operation of the invention can be performed in a different order than described or illustrated herein.

Moreover, the terms "above, below, on, under and the like" are used in the descriptions and in the claims only as a description and to indicate mutual position. The terms are interchangeable under the right circumstances and the operation of the invention can be carried out in other relative positions than described or illustrated here.

The term "consisting of" used in the claims should not be read as limited to the list that follows; it does not exclude the use of other elements or steps. It is to be interpreted as specifying the presence of said functions, integers, steps or components as intended, but does not preclude the presence or addition of one or more other functions, integers, steps or components, or groups thereof. Thus, the term "a device consisting of A and B" is not limited to devices that consist solely of components A and B. It means that, with regard to the present invention, the only relevant components of the device are A and B.

The invention relates to a method and a system for authenticating an entity using a mobile device. A first person A stores irrefutable event information about an entity (eg an object, person, animal, plant, location, task, service, condition, ...) which can be requested by a second person B, who can then respond to the information received.
The first person A can be notified as soon as a request is made by a second person B. The parameters sent can be, for example, time, location, person, IP address, device, etc. For example, you may want to be absolutely sure that the police officer calling at your door at home is a legitimate agent.

The invention uses QR codes to represent a key of the PKI system, and thus generates "QR-PKI codes". Use can be made of existing PKI schemes and existing Certification Authorities (CA), whose keys are translated into a QR code. The invention further uses simple, conventional mobile devices, such as smartphones with a built-in camera, a QR-reader application and a mobile internet connection, to interpret QR-PKI codes and to connect them in the system. An "event" is created by combining various QR-PKI scans within a predefined time window. This "event" can be retrieved later by scanning a QR-PKI code, which then evaluates whether an action defined in the "event" should be performed.

In this text the term entity is used in the broadest sense of the word, such as for an object, person, task, location, event, transaction or status, in other words everything that is defined and / or represented by the user. An entity is defined in the system by means of one or more alphanumeric strings - which are used as encryption keys and visualized as a QR code, as this is easier in daily use - and one or more secrets, also consisting of an alphanumeric string and only known by the user who owns the entity. The basic principle is to use a private and public key of the PKI (Public Key Infrastructure), hence the QR-PKI method and system, but other codes (alphanumeric strings) can also be used (eg for temporary keys). When another technology gains ground and becomes widely used, the QR code can be replaced by it, for example by an RFID code that represents the key.
A service may consist of a single service or a combination of services, such as a notification for an entity or combination of entities, secure authentication of an entity or combination of entities, or an action derived from an entity or combination of entities. A notification can be defined as sending or displaying a message (eg an e-mail, an SMS). An authentication can be defined as ensuring that the entity is authentic according to the rules / conditions with which the user has defined the entity (for example, that a document authentically comes from this sender). An action can be defined as any change in the status of a device, object or situation that can be defined in the system and is carried out from the system via an electronic message (eg SMS, connection to a CPU, transfer of an IP address, etc.).

Services and actions are selected as a predefined Function of the entity in the system. An Attribute (variable) can be created and a Value assigned to it, and a logical Comparison can be made by using these Attributes and Functions. As soon as an entity is activated - via linking of a QR-PKI key to the system - the conditions of the Comparison are evaluated and, depending on the logical outcome, the associated services and actions are performed.

The method consists of successively reading, within a specific time window, one or more QR codes and, if necessary, entering one or more secrets on the communication device, to activate or define a service, depending on which type of key was read first. The two options are:
1) If a private key is read first, the corresponding password is requested. If the password turns out to be correct after verification, the entity can be (re)defined, so attributes, characteristics, services, actions, variables and / or comparisons can be changed.
2) If a public or temporary key is read first, the following action may require the reading of another QR code to activate a defined action or to activate a temporary key.
A QR code is usually made up of the name of the service provider (a URL / domain name, eg https://QRPKI.com). optional parameters (delimited by me, eg can also be passed on if this information has been added to the URL encoded in the QR code. Part of this information is used to identify parameters such as the IP address, the session ID, etc. time / date, in which it is evaluated whether the successive scans come from the same communication device. In addition to the evaluation and a possible execution of a predefined action and service, the user can be informed on the above-mentioned communication device, and the owner / maker of the QR code can also be notified of the execution.

The security schemes used to distribute the public and private keys of the QR-PKI system are keys according to a public-key infrastructure or PKI. Other keys can consist of any secret code composed of a string of alphanumeric characters. A secret can consist of a simple alphanumeric password that is entered on the communication device, or that is first generated and then entered via other options such as a "smart card", a key or another device.

In fact, a QR-PKI code is a standard QR code, consisting of a service URL (eg https://grpki.com or https://qr-pki.com, but also the http counterpart), a separator (eg "/"), the key in alphanumeric form and possibly some extra separators and parameters.

A communication device as referred to in the invention may be a mobile device such as a smartphone, a laptop with wireless connection and the like, but any other device is sufficient if it can be connected to the internet, is equipped with a camera, can decode a QR code and can send the result to a browser (eg a PC connected to the internet with a webcam, a smartphone, a GSM with the possibility to access the internet and equipped with a camera, a tablet PC with built-in camera and internet connection, ...)
The communication device itself is interchangeable, since it contains no secrets, codes or other information or data that can be linked to the system or method. The communication device is only used by the owner of the device to decode the QR code, as bi-directional communication between the owner of the communication device (or person holding the device) and the aforementioned service intended for this particular entity. When a figure or a QR code is sent to the screen of a communication device, this screen can also be read by another communication device, which then interprets the QR code and can therefore pass on information from one device to another without the devices being in direct contact with each other. In this way, a sequence of Events can be triggered between multiple participants using communication devices to exchange information via QR codes, using the screen and camera of the communication device.

By entering / reading / scanning one or more predefined QR codes and the associated secret within a predefined time window on the same communication device, the corresponding predefined service is performed. The result is displayed on the screen of the communication device used, where the owner is informed, or where the device owner is requested to provide more information (eg by scanning yet another QR code, by entering a password, by entering other data).

The QR-PKI method and system is a practical solution for using codes and keys such as PKI on (mobile) communication devices; it is a simple way to safely perform a service while you are mobile, without having to store secrets on the (mobile) communication device used.

The embodiment in FIG.
1 shows a "QR-PKI" system consisting of a Certification Authority (CA) to generate PKI key pairs, a Registration Authority (RA) to register PKI key pairs, a Validation Authority (VA) to validate PKI keys and a new QR-PKI service 10 to transform PKI keys into a QR code and to keep track of additional data (eg characteristics, passwords, actions, ...). Depending on the setup, the CA, RA, VA and the QR-PKI service can consist of one or more entities, called Trusted Third Parties (= TTP). A TTP can perform services and functions such as the following:
• Creating a QR-PKI set: PKI key pair + password + attributes (see Fig. 3)
• Transforming a PKI key into a QR code and vice versa
• Creating an event by scanning a QR-PKI key or linking two or more QR-PKI keys
• Updating, comparing, securing and maintaining a database of QR-PKI sets
• Creating logical combinations of QR-PKI sets (expert system)
• Evaluating comparisons, composed of Values and Attributes
• Giving a "confirming" or "negative" result of the requested
• Communicating with mobile terminals via the mobile internet
• Logging all transactions and sending e-mails with a status update
• "Charging" a small contribution for this QR-PKI service from an account set up for this purpose

The CA, RA, VA and QR-PKI together form "an authentication server system" according to the invention, wherein the CA, RA, VA and QR-PKI can be implemented on the same server or on two or more different servers. In the preferred embodiment, the QR-PKI 10 is implemented on a separate server, so that use can be made of any existing PKI in combination with the QR-PKI server 10.

For example, anyone who owns an Entity (object) that he wants to label creates / receives a QR-PKI key pair and password for this Entity (see Fig. 5), registers this QR-PKI key pair and password for this Entity and attaches the public QR-PKI key of the key pair to this Entity. Now a second person can take action for this Entity by scanning the public QR-PKI key (see Fig.
7); if necessary he must first authenticate himself with the private part of his own QR-PKI key pair and password. Optionally other people can participate, each having their own QR-PKI key pair and password.

The PKI keys are combined with the URL of a service provider to form strings of characters, which are then translated into a QR code. The transformation process from PKI key to QR-PKI key is done at the service provider; the process can be reversed by the same service provider. More specifically, the QR-PKI key may consist of a service URL (e.g., http://grpki.com or https://qrpki.com, the URL of the service provider), with all subsequent information separated by a "/" separator: an identifier, one or more PKI keys, and additional information such as some parameters.

The combination of a private key QR code, a corresponding public key QR code and one or more passwords is referred to here as a set of authentication codes. FIG. 2 shows an embodiment of a possible set of authentication codes. A set consists of at least a password 3, a private key QR code 4 (also referred to here as "private QR-PKI key") and a corresponding public key QR code 5 (also referred to here as "public QR-PKI key"). The private key QR code 4 is a QR code generated from a first string 1 consisting of the URL / domain name of the QR-PKI authentication server 10, an identifier to increase efficiency, a PKI private key and possibly some parameters. The public key QR code 5 is a QR code generated from a second string 2 consisting of the URL / domain name of the QR-PKI authentication server 10, an identifier to increase efficiency, a corresponding PKI public key and possibly some parameters.

The QR-PKI service can be used as in the examples below to define an action by means of a standard smartphone:
1) Scan a private QR-PKI key as the first scan and enter the password = the settings of an entity:
• Change / add one or more password(s).
• Change / add attributes, which can be given a value.
• Request a new set of PKI-QR codes to attach to an entity (object, document, container, ...). These entities are then the property of the first user.
• Request a temporary PKI-QR code (Fig. 6).
• Next scan of a public QR-PKI key or of another entity and linking to the current entity.
• Depending on the service: add money to your account.
• Encrypt / decrypt something.
2) Scan a public QR-PKI key (or temporary key) as the first scan = request proof, get information, ...:
• A public-key scan serves to inform about the entity, ... or to respond to an event defined by the owner of the corresponding private QR-PKI key (first person).
• When a temporary PKI-QR key is scanned for the first time, it is immediately activated.
• A private QR-PKI key is then scanned (corresponding to what is defined in the event) to identify the second person, so that this person is qualified to handle or view the information.
• The QR-PKI password is then entered to verify that the second person is indeed the person he claims to be.
• Encrypt something / decrypt / verify / authenticate

For security reasons it can be imposed that consecutive scans or password entries 1) are done within a time window of for example 60 seconds, 2) are executed from the same communication device and 3) that the user does not change network in the meantime or restart his communication device between successive actions.

A first possible application that uses the authentication system as described above is to send an encrypted e-Letter, with reference to Fig. 8. The following steps are performed:
• Setup
  • A wants to send an e-Letter to B (recipient)
  • A and B each have a QR-PKI code set from the QR-PKI service (see Fig. 3)
  • A owns a private A-PR-QR-PKI and a public A-PU-QR-PKI
  • B owns a private B-PR-QR-PKI and a public B-PU-QR-PKI
  • A has a QR-Temp as QR-code / URL (see Fig.
6)
• Definition
  • A scans / enters the QR-Temp for the first time for activation
  • A scans the private A-PR-QR-PKI, enters the A-Password (A = Authentic)
  • A uploads an e-Letter and connects it to a QR-Temp
  • A encrypts the e-Letter with A-PR-QR-PKI
  • A scans the public B-PU-QR-PKI of the recipient B
  • A re-encrypts the e-Letter with B-PU-QR-PKI
  • A closes the QR-Temp event
  • A sends the QR-Temp to B (mail, mail, SMS, ...)
• Execution
  • B receives QR-Temp from A (mail, mail, SMS, ...)
  • B scans / enters the QR-Temp (= link to the e-Letter)
  • B scans the private B-PR-QR-PKI, enters the B-Password (B = Authentic)
  • B decrypts the e-Letter with B-PR-QR-PKI (the e-Letter was intended solely for B)
  • B scans A's public A-PU-QR-PKI (A = sender)
  • B decrypts the e-Letter with A-PU-QR-PKI (A = the only possible sender)
  • B retrieves the (location of the) e-Letter
  • B can read the e-Letter and he is assured that it comes from A
• Notification
  • A has been informed that B has received the e-Letter
  • A is sure that only B can read the e-Letter

Although this may seem complicated at first sight, the two people only scanned the QR-PKI key three times and entered a password to send and receive the encrypted and signed electronic Letter. Ultimately, with a high degree of probability, B can know that the e-Letter could only have been sent by A, and A knows that only B could have read the e-Letter. If no signing or encryption is required, the number of scans at the sender can be reduced to two and the number at the receiver to one.

The invention will be further elucidated in the following examples. The use of the invention is not limited to these cases; they serve to illustrate how the invention can be used. By combining / mixing different methods with each other, a new method can be created, and all resulting methods fall within the scope of this invention.

EXAMPLE 1 (see Fig. 9 (a-c)): Granting access to a remote building.
Provide a unique definition of the visitor, a time window and a date for the allowed access. Notify the owner as soon as the visitor enters and / or leaves the building.

SETUP: The owner of a building (Own) wants to grant access to a building (Fac) to a visitor (Vi) within a certain time window, using the method as stated in the invention via a Trusted Third Party (TTP).

DEFINING THE PERSONS "OWN" AND "VI": Both Own and Vi register via the TTP website (eg https://qr-pki.com) and create a set of QR-PKI codes (a private QR-PKI code and a public QR-PKI code) and associated passwords (keys and QR codes can be cut and pasted from the browser or sent via e-mail). Depending on the TTP, at least the e-mail address has to be provided and verified (via an e-mail confirmation); more information can be provided through attributes that are defined and values that are entered (eg additional passwords, additional e-mail address).

Person Own now owns: a private QR code "Own-PR-QR code"; a public QR code "Own-PU-QR-PKI" and a secret master password "Own-PW". Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically).

Person Vi now owns: a private QR code "Vi-PR-QR code"; a public QR code "Vi-PU-QR-PKI" and a secret master password "Vi-PW". Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically).

Person Own requests a new QR code for the "Fac" building. Person Own logs in to the TTP with his Own-PR-QR-PKI and certifies with his Own-PW. Own requests a new QR code for an item, and thereby creates a private QR code "Fac-PR-QR-PKI"; a public QR code "Fac-PU-QR-PKI" and a secret master password "Fac-PW".
Both QR codes are represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). The TTP has now registered that Own has an entity Fac.

REQUEST for access: if person Own wants to grant access to person Vi, or if Vi requests permission to enter the Fac building, Own requests the public QR code of person Vi (Vi-PU-QR-PKI). If applicable, the time, date and time span of access can also be negotiated and / or promised.

DEFINING THE EVENT: Entrance to the Fac building by Vi. Own scans or sends the Fac-PR-QR-PKI of the building to the TTP, which identifies Own as the owner. To confirm this, Own is requested to enter the Fac-PW. Now Own can define parameters, attributes, variables and values (eg the code to open the building's access door, the time window within which access is allowed, a way to notify the owner when the access is used, a way to inform the visitor how to gain access). To identify Vi, the QR code Vi-PU-QR-PKI is sent or scanned. All consecutive scans and transmissions must be made within the defined time window and from the same communication device. From all this information, the event is created and stored in the database, and a random session key (SK) is created and stored. Afterwards, the secret key is encrypted with the Vi-PU-QR-PKI and stored (ESK). Depending on the function, the encrypted secret key ESK is encrypted again with the Fac-PR-QR-PKI key and stored (CESK). The owner attaches the Fac-PU-QR-PKI to the entrance door of the building. Depending on the functionality, this Fac-PU-QR-PKI can be fixed (for example, printed on a sheet of paper), or it can appear on a screen at the request of the visitor (as soon as the doorbell is activated). In the latter case, Fac-PU-QR-PKI can be expanded with additional information (D) (eg a string with reference to the date and time, a secret).
That extra information can change at any time, which prevents Fac-PU-QR-PKI from being copied and scanned at another location in the building. The Fac owner can activate a “time code function”, a service of the TTP that regularly sends an extended form of the Fac-PU-QR-PKI, that is, a QR code with the service URL of the TTP, the public service key and an additional parameter D that is related to the date and time of its creation.

IMPLEMENTATION OF THE EVENT: Grant or deny access to a building. Mobile communication devices are used for ease of use. Vi approaches the building and scans the Fac-PU-QR-PKI (or the secretly extended Fac-PU-QR-PKI) at the entrance of the building. If Vi then scans his Vi-PR-QR-PKI and enters the password Vi-PW, within the defined time window and from the same mobile device, this event is valid. If the entered password matches the Vi-PR-QR-PKI, the defined event is executed. If the additional information D is present in the scanned Fac-PU-QR-PKI, it is checked against the stored data. If both match, the content of CESK is decrypted with Fac-PU-QR-PKI and then decrypted again with Vi-PR-QR-PKI. If the result corresponds to the secret key SK, this event is positive, and the defined action(s) can be performed (eg sending a code to open the access door). Optionally, this Vi scan can be repeated in a similar procedure to leave the building. If Vi attempts to perform the same procedure outside the defined time window, the result is negative, in which case the access door will not open. If necessary, a similar procedure can be created for when the visitor leaves the building.

ALERT: Depending on the settings, the owner, the visitor or a third party can be notified by e-mail or SMS (depending on what has been defined in the settings) with a message stating whether access to the building has been granted or denied, including information about the visitor. All reasons for not completing an event can be stated, depending on the settings of the event.
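The event check of Example 1, as an added sketch that is not code from the patent: a session key SK is wrapped with Vi's public key (ESK) and then with Fac's private key (CESK), and the event only succeeds for the same device, inside the time window, with a current D. It assumes textbook RSA over small constructed primes (insecure, for reproducibility only), leaves out the password step, and all function and field names are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

Key = Tuple[int, int]   # (modulus, exponent)
E = 65537

def toy_keypair(p: int, q: int) -> Tuple[Key, Key]:
    """Textbook RSA pair from two primes. Constructed demo keys, NOT secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def rsa_apply(key: Key, value: int) -> int:
    """Raw RSA operation, used for both 'encrypt' and 'decrypt' in the text."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under this modulus")
    return pow(value, exp, n)

# Constructed key material (Mersenne primes, chosen only to keep the demo short).
VI_PU, VI_PR = toy_keypair(2**61 - 1, 2**89 - 1)       # visitor Vi
FAC_PU, FAC_PR = toy_keypair(2**107 - 1, 2**127 - 1)   # building Fac
BAD_PU, BAD_PR = toy_keypair(2**89 - 1, 2**107 - 1)    # somebody who is not Vi

@dataclass
class Event:                      # what the TTP stores when Own defines the event
    sk: int
    cesk: int
    not_before: int
    not_after: int
    d_value: Optional[str] = None  # current time code D, if the door shows one

@dataclass
class Scan:                       # what one QR scan delivers to the TTP
    key: Key
    device: str
    at: int
    d_value: Optional[str] = None

def define_event(fac_pr: Key, vi_pu: Key, not_before: int, not_after: int,
                 d_value: Optional[str] = None) -> Event:
    # ESK is a number below Vi's modulus; it only fits into the second
    # operation if Fac's modulus is the larger one.
    if fac_pr[0] <= vi_pu[0]:
        raise ValueError("Fac modulus must exceed Vi modulus for the double wrap")
    sk = secrets.randbits(128)
    esk = rsa_apply(vi_pu, sk)        # SK encrypted with Vi-PU-QR-PKI
    cesk = rsa_apply(fac_pr, esk)     # ESK encrypted again with Fac-PR-QR-PKI
    return Event(sk, cesk, not_before, not_after, d_value)

def execute_event(ev: Event, door: Scan, visitor: Scan) -> str:
    if door.device != visitor.device:
        return "denied: scans came from different devices"
    if not ev.not_before <= door.at <= visitor.at <= ev.not_after:
        return "denied: outside the time window"
    if ev.d_value is not None and not hmac.compare_digest(door.d_value or "", ev.d_value):
        return "denied: stale or missing D"
    try:
        # Anyone holding Fac's public key can undo the outer layer; it shows
        # that CESK was built with Fac's private key, it does not hide ESK.
        esk = rsa_apply(door.key, ev.cesk)
        sk = rsa_apply(visitor.key, esk)   # only Vi's private key recovers SK
    except ValueError:
        return "denied: key does not belong to this event"
    same = hmac.compare_digest(sk.to_bytes(64, "big"), ev.sk.to_bytes(64, "big"))
    return "granted" if same else "denied: session key mismatch"
```
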
USE: This specific setting of the QR-PKI method and system ensures, through the use of easy-to-create QR codes, that great flexibility and security are obtained, whereby the reading device is the aforementioned communication device, or an ordinary smartphone. This example can be extended not only to opening doors, but also to switching on or off anything that can be controlled remotely with commands sent from a computer. It can be used to manage a security guard's inspection round, with an automatic report to the agency about every QR code that was scanned. In the meantime, the system keeps a log of the places inspected, ensuring that the agent has actually been at those locations. These logs can then be read by an expert system, which can raise an alert if irregularities occur. A log of these inspection rounds can be sent to the owner of the building being inspected, for billing purposes, for example. To prevent a “smart guy” from photographing a QR code and using it the next day, the owner of the building can, at any time, add additional information / parameters to the QR code. This information is then sent to the owner of the building to check that the inspection round did indeed take place at the correct locations. Since this is a bi-directional communication with the visitor / agent who scans the QR code at certain places, it is easy to send this person an instructional video / audio fragment. And since the visitor / agent is known, and the location, date and time of day are known, the information sent can be adapted to specific needs (eg correct language, video / information with instructions, ...) without informing the visitor / agent in advance.

EXAMPLE 2 (see Fig. 10 (a-d)): identifying a trusted agent in a residential home. Uniquely define the agent, the time window and the date of the possible access, and the nature of the visit. Notify the agency when the agent enters the home and optionally when he leaves the home.
SETUP: The owner of a home or a residential home (Lo = Location Owner) wants to authenticate the identity of the visiting agent (Va) before opening the door for him, using the invention through a Trusted Third Party (TTP). The agent (Va) was sent by an agency or service requesting access (Access Requesting Company or ARQ) that uses the invention to confirm that Va is indeed allowed to request access on behalf of ARQ. The agent Va must start his day by authenticating himself to the ARQ staff (Aacp).

DEFINING THE PERSONS AND OBJECTS: All persons involved have access to the TTP website (eg https://qr-pki.com) and register; they create a set of QR-PKI codes (a private QR-PKI code and a public QR-PKI code) and associated passwords (keys and QR codes can be cut and pasted from the browser or sent via e-mail). Depending on the TTP, at least the e-mail address must be created and verified (via an e-mail confirmation); more information can be provided through attributes that are defined and values that are entered (eg additional passwords, additional e-mail address). Person Own now owns: a private QR code “Own-PR-QR code”; a public QR code “Own-PU-QR-PKI” and a secret master password “Own-PW”. Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). Person Va now owns: a private QR code “Va-PR-QR code”; a public QR code “Va-PU-QR-PKI” and a secret master password “Va-PW”. Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). The ARQ staff now owns: a private QR code “ARQ-PR-QR code”; a public QR code “ARQ-PU-QR-PKI” and a secret master password “ARQ-PW”.
Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). Person Own requests a new QR code for the residential property “Lo”. Person Own logs in to the TTP with his Own-PR-QR-PKI and certifies himself with his Own-PW. Own requests a new QR code for an object, and therefore creates a private QR code “Lo-PR-QR-PKI”, a public QR code “Lo-PU-QR-PKI” and a secret master password “Lo-PW”. Both QR codes are represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). The TTP has now registered that Own has an entity Lo. Own places the QR code so that it is visible on the outside of the residential home (eg behind a window). For ease of use, mobile communication devices are used. Upon request, the TTP can provide a temporary, one-off and unique key in the form of a QR code (eg ARQ-QR-Temp).

IDENTIFY: the agent starts his working day by registering as a valid agent (Va). He scans the ARQ-PU-QR-PKI at the reception of the office / agency where he works. As added security, the ARQ-PU-QR-PKI can be expanded with information that is changed daily and is not known by others. Va receives a welcome screen on his mobile device where he is requested to identify himself. The agent then scans his personal Va-PR-QR-PKI and is requested to give details of the daily task and the password (Va-PW). If the password matches the Va-PR-QR-PKI, and all actions have been taken from the same mobile device and within the defined time window, the event is further executed and creates a session key SK and an ARQ-PU-QR-PKI encrypted version of SK (= ESK). The TTP sends a temporary event code in the form of an ARQ-QR-Temp1 code to the screen of the agent Va. The Aacp scans this ARQ-QR-Temp1 code from the agent's screen.
The Aacp receives details of Va's day job and is asked to approve or reject this task. Aacp then scans the ARQ-PR-QR-PKI code and enters the password ARQ-PW. If the password matches, the ESK is decrypted with ARQ-PR-QR-PKI and must match SK to be valid. After this determination, this agent becomes a verified agent (Va) of the agency or ARQ office for the coming x hours. A temporary code in the form of ARQ-QR-Lic is created and sent to both Aacp and Va. Once Va's day job is over, the same procedure can be repeated to confirm this and to revoke the validity of ARQ-QR-Lic.

AUTHENTICATION: Va approaches the Lo home and scans ARQ-QR-Lic (= check of the validity of his day job), and is requested to scan Lo-PU-QR-PKI at the entrance of the home. All subsequent scans or entries must be made from the same mobile device and within the defined time window. Va scans his ARQ-PR-QR-PKI and enters the password ARQ-PW with details of the daily task and reason for the visit. If the entered password matches, a session key (SK) is created, together with a version of SK (= ESK) that is encrypted with Lo-PU-QR-PKI. The TTP then sends a temporary event code in the form of ARQ-QR-Temp3 to the screen of the mobile device of the agent Va (= link to the daily task and the validity of the agent). This link is now valid for the next y minutes. Now Lo is asked to scan ARQ-QR-Temp3 from the agent's mobile device screen (this can be done through a closed window). Lo scans this with his own mobile device and then scans his Lo-PR-QR-PKI code; Lo is asked to accept or reject the task and to check the Lo-PW. As long as the time is within y minutes, ESK is decrypted with Lo-PR-QR-PKI and, if this result is in agreement with SK, the information regarding the identity of Va, the purpose of the visit, ..., is authenticated and sent to Lo's mobile device.
He can verify that the Va agent is legitimate and grant him access to the home. ARQ is sent a message that Va has entered the home. Both parties can receive optional instructions. The same procedure can be followed once Va has ended his visit and the In this way, Lo is safe in the home and ARQ has been informed that the visit has ended, making it possible to already transfer the information collected during the visit.

FIND OUT: Depending on the settings of the event, ARQ, Aacp, Va and Lo can be kept informed of the different stages of the event. All reasons for not completing an event can be stated, depending on the settings of the event.

IDENTITY THEFT: Suppose the Va-PR-QR-PKI code was stolen, or suppose the Va-PW was given up under threat. If Va was able to deliver the defined Va-PW under threat, ARQ will be notified. At that time, Lo is advised not to give access to the (false) Va. The Aacp can revoke the validity of the ARQ-QR-Lic data at any time.

USE: This specific example demonstrates the possibilities of the system and method. A chain of events can be merged to create a complex event based on the same principle. Two parties build a relationship of trust through the exchange of (secret) information that can only be checked by the other party. In the above case, the agency / office can be an electricity company or the water company that comes to take the meter reading. These companies send out agents to check the meters on location. But for a private individual it is not always clear whether “the man at the door” is actually a police officer, or actually the person who comes to take the meter reading, as he claims to be. By using the procedure according to the invention, no one can just impersonate an agent and talk his way in.

EXAMPLE 3 (see Fig. 11 (a-b)): locating and identifying (lost) objects and people. Any item that is provided with a QR-PKI code can be returned by any accidental finder, as can a lost (elderly) person.
SETUP: The owner (Own) of an item (or the person in charge of another person) wants to locate the lost item using the Trusted Third Party (TTP) method described in the invention.

DEFINING THE OWNER: Own registers via the TTP website (eg https://qr-pki.com) and creates a set of QR-PKI codes (a private QR-PKI code and a public QR-PKI code) and associated passwords (keys and QR codes can be cut and pasted from the browser or sent via e-mail). Depending on the TTP, at least the e-mail address must be created and verified (via an e-mail confirmation); more information can be provided through attributes that are defined and values that are entered (eg additional passwords, additional e-mail address). Person Own now owns: a private QR code “Own-PR-QR code”; a public QR code “Own-PU-QR-PKI” and a secret master password “Own-PW”. Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically).

DEFINING AN OBJECT: Person Own requests a new QR code for marking objects or people. Person Own logs in to the TTP with his Own-PR-QR-PKI and certifies with his Own-PW. Own requests a new QR code for an object, and therefore creates a private QR code “Obj-PR-QR-PKI”; a public QR code “Obj-PU-QR-PKI” and a secret master password “Obj-PW”. To prove the authenticity of the item, the owner enters an alphanumeric value A for the “Authentication string” field (eg WD6G 3US9 Q90D HT8X). Both QR codes are represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). The alphanumeric value A is printed in clear text under the QR code figure of the public QR code Obj-PU-QR-PKI.
When Own scans the Obj-PR-QR-PKI and enters the Obj-PW, he defines what information must be passed on when Obj-PU-QR-PKI is scanned under normal conditions (eg the value A, a general informative video of the object) and whether he wishes to be notified every time a scan is made. The TTP has now registered that Own has an object Obj. Own attaches the code, clearly visible, to the object or to the clothing of the person.

FIND UP: As soon as the owner discovers the loss of Obj, he changes the Obj parameters by scanning the Obj-PR-QR-PKI key and entering the correct Obj-PW password. Any person (IB) who now scans the code will see information about how the object can be returned to Own, or will be asked for details about the location. An SMS can even be sent to Own if that is defined in the actions to be taken as soon as Obj-PU-QR-PKI is scanned. IB can see that the code is genuine since he receives the alphanumeric value A printed below the QR code. In that case, IB does not need to have a membership with the TTP.

USE: In this case the QR code is only used to activate an event created in the system. It is not used as in method 2, where 2 consecutive QR codes are scanned within a limited time window. The scheme can be expanded at any time with the obligation to read a second, private QR code to trigger an event, but in this case that would not have the desired effect: when an object is lost, it does not matter whether or not the finder has a valid private QR code; what matters is that every communication device works.

EXAMPLE 4 (see Fig. 12 (a-b)): secure electronic payment (e-Wallet Payment Activation). Micro payments are becoming increasingly popular. This example demonstrates the implementation of such a payment in a mobile manner with a minimum of actions and a very high safety level. In this way you avoid the hassle of different payment schemes of different e-wallet services and different authentication methods.
SET-UP: An e-Wallet user (eWu) has an ordinary contract with an e-Wallet service provider. The eWu wants to make payments (in a mobile manner) using the method of the Trusted Third Party (TTP) described in the invention.

DEFINING AN E-WALLET USER: The eWu registers via the TTP website (eg https://qr-pki.com) and creates a set of QR-PKI codes (a private QR-PKI code and a public QR-PKI code) and associated passwords (keys and QR codes can be cut and pasted from the browser or sent via e-mail). Depending on the TTP, at least the e-mail address must be created and verified (via an e-mail confirmation); more information can be provided through attributes that are defined and values that are entered (eg additional passwords, additional e-mail address). Person eWu now owns: a private QR code “eWu-PR-QR code”; a public QR code “eWu-PU-QR-PKI” and a secret master password “eWu-PW”. Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). eWu can define an additional password for the eWu QR code, eg a password that certifies that it is indeed eWu, but that eWu can use when under threat. Entering this under-password will not only execute the normal event, but will also send a message to, for example, the emergency services. eWu can also define an additional password with which the event is NOT carried out, but only a message is sent to, for example, the emergency services. Even more passwords can be created: “positive” passwords that activate the event that is executed by default, but with an associated notification, or “negative” passwords where the execution of the event is NOT continued, but a predefined instance is notified via eg SMS or mail.

DEFINING THE ACCOUNT TO BE PAID: Person eWu requests a new QR code for each bill that must be paid through the e-Wallet service provider.
Person eWu logs in to the TTP with his eWu-PR-QR-PKI and certifies himself with his eWu-PW. eWu requests a new QR code for each account (Acc), and therefore creates a private QR code “Acc-PR-QR-PKI”; a public QR code “Acc-PU-QR-PKI” and a secret master password “Acc-PW”. Both QR codes are represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). The eWu defines the information needed for an electronic payment, eg his own account number, user name and password to transfer the money via the e-Wallet service provider, and the account number to which the money must be transferred. All information that is not immediately provided can be requested later when the transfer takes place. The event also contains the API or URL that must be invoked or executed when the transfer is made, and the associated protocol or parameter list. Once the event has been defined, a session key SK is created and stored. This SK is encrypted with eWu-PU-QR-PKI and stored (ESK). eWu takes every Acc-PU-QR-PKI and his eWu-PR-QR-PKI. The eWu remembers his eWu-PW and the alternative passwords he has created (eg the under-password, the negative password with only some information).

TRANSFER: if eWu wants to pay for a service, he takes out the correct Acc-PU-QR-PKI and scans this QR code. He is then asked to show his eWu-PR-QR-PKI and to give his eWu-PW to certify that he is indeed eWu. This must be done within the defined time window and from the same communication device. The stored ESK is decrypted with eWu-PR-QR-PKI and compared with the stored SK. If both match, the event is executed and the Acc is authentic. Depending on the entered password, the standard event is executed (the correct eWu-PW was entered) or another event as defined if an alternative password is entered.
When the transfer is made (if a positive eWu-PW was entered), the information from Acc that has not yet been entered (eg the amount) is requested first. Once all information has been entered, the TTP will execute an API and go through all the steps necessary to make the payment.

ALERT: the eWu is notified of the positive or negative outcome of the API that performs the actual transfer. An e-mail is sent to eWu as proof; if defined, the beneficiary of the transfer can also receive a message with the status of the payment.

USE: by using the system and method of the invention, a payment can be made securely, with a high security level and with the aid of a standard smartphone on which no secrets are stored. By using an alternative password, even under threat, the threatened person can notify a predefined instance without the aggressor knowing, as the transaction continues. If an Acc-PU-QR-PKI code is stolen or copied, the owner (who owns the Acc-PR-QR-PKI and Acc-PW) can change the event and give it a completely different interpretation, eg ask for the identity of the person who scans Acc-PU-QR-PKI, or send his IP address and data from his mobile device to the government as a reference for possible evidence.

EXAMPLE 5 (see Fig. 13 (a-b)): Certification of Authenticity. Nowadays many counterfeit goods are produced in various countries, counterfeits of the original products. This example demonstrates the use of QR codes in the fight against counterfeiting and counterfeit products, and can make anyone a possible “detector”. As a side effect, the manufacturer of the original goods can start a “relationship” with everyone between the manufacturer and the end user of the product.

SETUP: A manufacturer wants to authenticate and locate his products, goods and packages, using the Trusted Third Party (TTP) method described in the invention.
The authentication can be done in a very fast way (one scan, start a search, find duplicates) or in an extensive way (double scan, certification of the originality of the product).

DEFINING THE MANUFACTURER / PRODUCER: The manufacturer or producer (Prod) registers via the website of the TTP (eg https://qr-pki.com) and creates a set of QR-PKI codes (a private QR-PKI code and a public QR-PKI code) and associated passwords (keys and QR codes can be cut and pasted from the browser or sent via e-mail). Depending on the TTP, at least the e-mail address must be created and verified (via an e-mail confirmation); more information can be provided through attributes that are defined and values that are entered (eg special time codes and intervals sent to Prod, additional information). Producer Prod now owns: a private QR code “Prod-PR-QR code”; a public QR code “Prod-PU-QR-PKI” and a secret master password “Prod-PW”. Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). Producer can make the Prod-PU-QR-PKI public, expanded with additional, time-varying information that is known only to Producer, who therefore knows when (a counterfeit) Prod-PU-QR-PKI is scanned and can in turn check this against his own data, sent according to the settings of the event when Prod-PU-QR-PKI is scanned.

DEFINING THE GOODS, PACKAGES: Producer Prod requests a new set of QR-PKI codes for each product (Good) and for each package (Pack) that must be marked, traced or authenticated. Producer Prod logs in to the TTP with his Prod-PR-QR-PKI and certifies himself with his Prod-PW. Prod requests a new set of QR-PKI codes for every Good and every container with goods, called Pack (eg by providing an overview list with details about the QR-PKI codes to be created).
Each QR-PKI code has at least one of the following attributes:
1) a public part of the QR-PKI code for each Good or Pack (hereinafter referred to as A), which serves as a reference for the defined product;
2) an arbitrary alphanumeric string (hereinafter referred to as B), in an easily readable form (eg “WD6G 3US9 Q90D HT8X”), which is printed in clear text under the QR code figure;
3) a random, unique, secret code, with a reference to date and time (hereinafter referred to as T);
4) additional information such as serial number, model, production data, ...

This creates the QR-PKI codes Good-PR-QR-PKI and Good-PU-QR-PKI, without password, for the goods, and Pack-PR-QR-PKI and Pack-PU-QR-PKI, without password, for the packages. The fact that no passwords are provided here means that the information cannot be changed once the events have been created. For both types of QR-PKI codes, the private key is not represented by a figure, but only as an alphanumeric string, as this string is not made available for scanning. For both types of QR-PKI codes, the public key is represented by a figure (which can be read by the aforementioned electronic devices) and by an alphanumeric string, both constructed with the URL, an identification code (hereinafter referred to as i), a value A (= public key of the QR-PKI code) and an encrypted version of T (where T was encrypted with Prod-PR-QR-PKI and then encrypted with A, hereinafter referred to as U) (eg qrpki.com/i/A/U). The alphanumeric value B is printed in clear text under the QR-PKI code. Depending on the set-up, other information can also be printed in this text (eg serial number). Prod attaches these Good-PU-QR-PKI and Pack-PU-QR-PKI codes to the correct goods and packages. When creating the QR-PKI codes, Prod defines which information is sent when a Good-PU-QR-PKI or Pack-PU-QR-PKI is scanned (eg information, the string B, a video with instructions, etc.).
AUTHENTICATION / DETECTION: when Good-PU-QR-PKI or Pack-PU-QR-PKI QR codes are scanned, these events are logged for later reference or for data processing by Prod. If date, time and location (IP address) are logged, Prod has an overview of where each product or item is located. With every scan of Good-PU-QR-PKI or Pack-PU-QR-PKI, the A part of the QR-PKI code is used to look up the data, and the random string B is sent to the mobile device of the person who scans the QR-PKI code. This is a first visual check of whether the product / good can be authentic. If the returned string B matches the string printed under the QR-PKI code, chances are that the product / good is authentic and the scanned QR-PKI code is probably authentic, but it can still be a perfect duplicate of an existing QR-PKI code, or fraudsters may have created their own “similar” code at another service provider to mislead the user by sending the correct printed value B. If the same Good-PU-QR-PKI or Pack-PU-QR-PKI QR codes keep appearing at different times and different locations (derived from the IP address), it may be that a fraudulent organization has duplicated that product, together with the QR code. This is a first, one-way, easy way to start authenticating and tracing. It will not stop fraudulent organizations from producing exact copies, but if some copied QR codes pop up, it is clear that fraud is being committed, and the authorities can be sent to check these counterfeit products, starting with the first scan of a certain QR code (and IP address).

To make a more thorough check possible, the above procedure can be extended. After scanning Good-PU-QR-PKI or Pack-PU-QR-PKI, the person is requested to subsequently, and within a defined time window, scan the (extended) Prod-PU-QR-PKI published on the company website.
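The first-level duplicate check described above (the same code appearing at different times and locations), as an added detection sketch that is not part of the patent. The log format, the use of the network prefix as "location", and the two rules (two locations within a travel time, and a return to an earlier location) are assumptions chosen so that a product moving once along the transport chain is not flagged; the log lines are constructed and use documentation IP ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, part A of the scanned code, scanner IP.
SCAN_LOG = """\
2012-03-01T08:00:00 A-1001 192.0.2.10
2012-03-03T09:30:00 A-1001 198.51.100.7
2012-03-09T14:00:00 A-1001 203.0.113.20
2012-03-01T08:05:00 A-1002 192.0.2.10
2012-03-02T10:00:00 A-1002 198.51.100.7
2012-03-02T10:20:00 A-1002 203.0.113.99
2012-03-04T11:00:00 A-1002 198.51.100.8
2012-03-01T08:10:00 A-1003 192.0.2.11
2012-03-01T08:12:00 A-1003 192.0.2.45
not-a-timestamp A-1004 192.0.2.1
"""

def location_of(ip: str) -> str:
    """Coarse location derived from the IP address (assumption: network prefix)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def parse_log(text: str):
    """Return (scans, rejected); malformed lines are counted, never guessed at."""
    scans, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, code, ip = line.split()
            scans.append((datetime.fromisoformat(ts), code, ip, location_of(ip)))
        except ValueError:
            rejected += 1
    return scans, rejected

def find_duplicates(scans, min_travel=timedelta(hours=1)):
    """Flag codes whose scan history cannot belong to one physical item."""
    by_code = defaultdict(list)
    for scan in sorted(scans):                 # chronological order per code
        by_code[scan[1]].append(scan)
    report = {}
    for code, rows in by_code.items():
        reasons, seen, prev = set(), set(), None
        for ts, _, ip, loc in rows:
            if prev is not None and loc != prev[3]:
                if ts - prev[0] < min_travel:
                    reasons.add("two locations within travel time")
                if loc in seen:
                    reasons.add("returned to an earlier location")
            seen.add(loc)
            prev = (ts, code, ip, loc)
        if reasons:
            # The text starts the investigation at the first scan of the code.
            report[code] = {"first_scan": (rows[0][0], rows[0][2]),
                            "reasons": sorted(reasons)}
    return report
```
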
After the scan of the (extended) Prod-PU-QR-PKI, the U part of the Good-PU-QR-PKI or Pack-PU-QR-PKI QR code is decrypted with the private key that is retrieved by looking up the data defined in the A part of the QR code. The result is then decrypted with the Prod-PU-QR-PKI key and compared with T. If both match, the QR code on the product is certainly original, and the data is compared with the Manufacturer's database, or with an up-to-date version if the extended version of Prod-PU-QR-PKI was used. If no duplicates were detected in the past (multiple scans of the same Good-PU-QR-PKI or Pack-PU-QR-PKI QR code), then it is likely that no counterfeit products are equipped with Good-PU-QR-PKI or Pack-PU-QR-PKI QR codes.

USE: throughout the entire transport chain from the factory to the trader to the end user, the scans can provide the Producer with insight into the path taken by the product and where the products are used, and the Producer can interact with the people who scan the codes or provide useful information such as a user manual or additional (brand) information. When a reward is offered to encourage the end user to scan the Good-PU-QR-PKI QR code, this information can be used to manage the lifecycle, end of life and even post-recycling.

EXAMPLE 6 (see Fig. 14 (a-d)): how to check (secured) goods and objects without looking up documents or data from the sender or the recipient (eg customs).

SET-UP: the sender (Se) wants to send a shipping container (Con) with goods to a recipient (Re). On the way, entities (CE), such as customs, who check the content, check the accompanying documents, using the Trusted Third Party (TTP) method described in the invention.

DEFINE THE SENDER,
RECIPIENT AND CONTROL OF THE ENTITIES: All parties register via the TTP website (eg https://qr-pki.com) and create a set of QR-PKI codes (a private QR-PKI code and a public QR-PKI code) and associated passwords (keys and QR codes can be cut and pasted from the browser or sent via e-mail). Depending on the TTP, at least the e-mail address must be created and verified (via an e-mail confirmation); more information can be provided through attributes that are defined and values that are entered (eg additional passwords, additional e-mail address). The sender (Se) now owns: a private QR code “Se-PR-QR code”; a public QR code “Se-PU-QR-PKI” and a secret master password “Se-PW”. Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). The receiver Re now has: a private QR code “Re-PR-QR code”; a public QR code “Re-PU-QR-PKI” and a secret master password “Re-PW”. Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). The controlling entity (CE) now owns: a private QR code “CE-PR-QR-PKI”; a public QR code “CE-PU-QR-PKI” and a secret master password “CE-PW”. Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). In this specific example, the CE-PU-QR-PKI is made public.

DEFINE THE CONTAINER: Sender (Se) requests a new QR code for the container that he wants to send to the receiver (Re). Sender logs in to the TTP with his Se-PR-QR-PKI and certifies himself with his Se-PW. The sender requests a new QR code for the container, and therefore creates a private QR code “Con-PR-QR-PKI”; a public QR code “Con-PU-QR-PKI” and a secret master password “Con-PW”.
Both QR codes are represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). By scanning Con-PR-QR-PKI and entering Con-PW, the sender can define which information is provided as soon as Con-PU-QR-PKI is scanned (e.g. how the container should be handled, information regarding the content) and, if desired, a warning each time the code is scanned. Shipping documents, customs documents or a video with the contents of the container can be created, or a URL link can be created where this information can be found; all possible information that can be electronically assigned to the Con is collected under the name Con#. The TTP has now registered that Sender Se has a container Con. The sender affixes the Con-PU-QR-PKI code, clearly visible, on the outside of the container.
IDENTIFY THE RECEIVER RE: Sender Se scans the Con-PR-QR-PKI and enters the Con-PW. Subsequently, the Re-PU-QR-PKI of the recipient is scanned and the attributes are set (e.g. inform Re by e-mail every time Con-PU-QR-PKI is scanned, so that the sender can also follow the distance traveled). By creating this event, a session key SK and a key (= ESK) encrypted with Re-PU-QR-PKI are created, to be used later for authentication of the Re.
IDENTIFY THE CHECKING ENTITY CE: Sender Se scans the Con-PR-QR-PKI and enters the Con-PW. Next, the CE-PU-QR-PKI of the checking entity CE (e.g. customs) is scanned and the attributes are set (e.g. (referral to) the customs documents Con#). A procedure to authenticate legitimate people who may perform confidential acts with CE-PR-QR-PKI can be found in a previous example. By creating this event, a session key SK and a key (= ESK) encrypted with CE-PU-QR-PKI are created, for later use for authentication of the CE.
CONTAINER VERIFICATION: As soon as CE arrives at the container, he scans the Con-PU-QR-PKI on the outside. He is then requested to identify himself by scanning his CE-PR-QR-PKI and entering the CE-PW; these scans must be done from the same mobile device and within the defined time window. If the CE-PW and CE-PR-QR-PKI are found to be valid (CE is in active service), the ESK is decrypted with CE-PR-QR-PKI, and if this corresponds to SK, the request is authentic and approved by Se. CE can now check the documents Con# and autonomously decide whether or not to enter the container for inspection. This example shows that the CE does not necessarily have to receive the documents in advance. In this way inspections of the goods can also take place en route. Depending on the settings, the sender and / or recipient will be notified of the actions taken by CE. If necessary, Se can add an additional CE to the list of authorized CEs, or additional information, since only Se owns the Con-PR-QR-PKI.
RECEIVING THE CONTAINER: As soon as Re receives the container, Re scans the Con-PU-QR-PKI, then he scans his Re-PR-QR-PKI and enters the Re-PW. If everything matches, happens within the defined time window and comes from the same mobile device, ESK is decrypted with Re-PR-QR-PKI; if this corresponds to SK, Re is authenticated, and Re gets access to the Con# that was prepared by Se. Se is notified that Re has received the container.
USE: in addition to customs, which can now consult the documents of the container everywhere, this method and system can be used by shipping companies, courier services and postal services.
EXAMPLE 7 (see Fig. 15 (a-b)): sending certified documents and messages or a registered letter. A message (Mes) must be sent from sender (Se) to receiver (Re). Depending on the setup, Mes must be certified as coming from the sender, or certified so that only the recipient can receive it, or both.
SET-UP: the sender (Se) wants to send a document / message (Mes) to the receiver (Re), using the Trusted Third Party (TTP) method described in the invention.
DEFINE THE SENDER AND RECEIVER: both parties register via the TTP website (e.g. https://gr-pki.com) and create a set of QR-PKI codes (a private QR-PKI code and a public QR-PKI code) and associated passwords (keys and QR codes can be cut and pasted from the browser or sent via e-mail). Depending on the TTP, at least the e-mail address must be provided and verified (via an e-mail confirmation); more information can be provided through attributes that are defined and values that are entered (e.g. additional passwords, additional e-mail address). The sender (Se) now has: a private QR code "Se-PR-QR-PKI", a public QR code "Se-PU-QR-PKI" and a secret master password "Se-PW". Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). The receiver Re now has: a private QR code "Re-PR-QR-PKI", a public QR code "Re-PU-QR-PKI" and a secret master password "Re-PW". Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically).
DEFINE THE MESSAGE: Sender (Se) requests a new QR code for the message he wants to send to the recipient (Re). Sender logs in to the TTP with his Se-PR-QR-PKI and authenticates himself with his Se-PW. The sender requests a temporary, unique QR code for the message: the QR code Mes-QR-PKI. This QR code is represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). Sender has now prepared an electronic document.
SENDING A MESSAGE ON PAPER: To send a paper letter to a recipient and have the recipient electronically confirm the receipt of the letter, the sender prints the letter with the Mes-QR-PKI on it. The sender then scans the Mes-QR-PKI, and then his Se-PR-QR-PKI, and enters his Se-PW; these scans must be done from the same mobile device and within the defined time window. Now he can define the recipient by scanning Re-PU-QR-PKI that he has obtained via the internet or directly from the recipient. A session key (SK) is encrypted in the Mes-QR-PKI with Re-PU-QR-PKI and stored in the event (ESK). The sender also sets the attributes so that as soon as the Mes-QR-PKI is rescanned, the recipient is asked to enter his Re-PR-QR-PKI and Re-PW and that the sender is notified upon receipt. The sender now sends the letter via e-mail, fax, ... to the recipient. If the recipient scans the Mes-QR-PKI followed by his Re-PR-QR-PKI and password Re-PW, the ESK is decrypted with Re-PR-QR-PKI; if this matches the key SK in the Mes-QR-PKI, the identity of Re is authentic and the sender is notified.
SENDING A MESSAGE ELECTRONICALLY: to send an electronic, encrypted message that only the recipient can read and of which the recipient knows that it can only come from the sender, the sender creates the message electronically. The sender then scans the Mes-QR-PKI, and then his Se-PR-QR-PKI, and enters his Se-PW; these scans must be done from the same mobile device and within the defined time window. Now he can define the recipient by scanning Re-PU-QR-PKI obtained via the internet or directly from the recipient. A session key (SK) is encrypted in the Mes-QR-PKI with Re-PU-QR-PKI and stored in the event as ESK.
Sender uploads the electronic message or indicates the place where the electronic message can be found. After the system receives this message, it is first encrypted with the sender's Se-PR-QR-PKI key (this is document A); A is then re-encrypted with Re-PU-QR-PKI and saved (this is document B). The sender also sets the attributes so that when the Mes-QR-PKI is rescanned, the recipient is requested to enter his Re-PR-QR-PKI and Re-PW and that the sender is notified of receipt. Sender closes the event with this. Sender sends the Mes-QR-PKI to the receiver. Mes-QR-PKI can be printed as well as faxed, sent via SMS and e-mail, or can be sent via e-mail that is printed on a sheet of paper. If the recipient scans the Mes-QR-PKI followed by his Re-PR-QR-PKI and password Re-PW, the ESK is decrypted with Re-PR-QR-PKI; if this corresponds to the key SK in the Mes-QR-PKI, the message is intended for this recipient. The double-encrypted electronic message B is decrypted with Re-PR-QR-PKI and thus becomes document A. Now he scans the Se-PU-QR-PKI and decrypts document A again with Se-PU-QR-PKI, which returns the original electronic document. The recipient is sure that only he can receive and decrypt the document, and that only the sender could have sent it. Sender is now notified of the receipt; the recipient can now retrieve the link to the electronic document, download it and convert it to a readable form.
USE: Postal services can use this method and system.
EXAMPLE 8 (see Fig. 16 (a-b)): disclosing sensitive data to authorized persons via a simple QR code of the person concerned. This example or a variant can be applied to systems for releasing medical records to authorized doctors or medical personnel, for releasing information about fines or driving license penalties, to link additional information to identity documents or other similar applications. In all these examples, the information is not stored on the document itself, nor in the QR code.
This makes these documents less attractive for theft or fraud: the linked information can only be read / modified by authorized persons. As sensitive information is involved, a third party may have to approve some of the intermediate steps of this process.
SET-UP: all parties use the method according to the invention via a Trusted Third Party (TTP). A person (Per) possesses a card / information carrier / document (Con) (e.g. a SIS card, an identity card or social security document). A qualified person (QP) (e.g. a doctor) wants to add medical information (hereinafter referred to as SDat) that may only be viewed by other doctors (referred to as qualified persons or QPs), and not by non-medical personnel / persons. Person Per wants to add general data (GDat) (e.g. his address, contact details of family). Different databases are involved in this example: a table with all qualified persons (QPDB) (e.g. all doctors) managed by QPadmin persons; a table that manages the access mechanisms to store or retrieve the SDat information in or from the SDat database (SDatDB); and a table (hereinafter called LinkDB) which links the persons Per(x), or more specifically the Con(x) of Per(x), to SDat(x). As this application involves more than one person and more than one qualified person, all formulas are indexed: Per(x), Con(y), QP(z), ... TTP can issue temporary QR codes, represented by a figure (which can be read with the aforementioned communication devices or printed on paper) and by an alphanumeric string (which can be sent electronically). All databases are located outside of TTP and are managed by, for example, QPadmin or another organization. In this example, we assume that QPadmin is authorized to manage all databases.
DEFINE THE PERSONS (Per(x)), QUALIFIED PERSONS (QP(a)) AND THE QP ADMINISTRATION QPadmin: all parties register via the TTP website (e.g. https://ar-pki.com) and create a set of QR-PKI codes (a private QR-PKI code and a public QR-PKI code) and associated passwords (keys and QR codes can be cut and pasted from the browser or sent via e-mail). Depending on the TTP, at least the e-mail address must be provided and verified (via an e-mail confirmation); more information can be provided through attributes that are defined and values that are entered (e.g. additional passwords, additional e-mail address). Person Per(x) now owns: a private QR code "Per(x)-PR-QR-PKI", a public QR code "Per(x)-PU-QR-PKI" and a secret master password "Per(x)-PW". Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). The QPDB (with the list of QP(a) and their permissions) and the QP administrator (QPadmin), who decides whether or not QP(a) is an authorized / qualified person, now own: a private QR code "QPadmin-PR-QR-PKI", a public QR code "QPadmin-PU-QR-PKI" and a secret master password "QPadmin-PW". Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). The Qualified Person QP(a) now owns: a private QR code "QP(a)-PR-QR-PKI", a public QR code "QP(a)-PU-QR-PKI" and a secret master password "QP(a)-PW". Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically).
DEFINE THE CARD / INFORMATION CARRIER / DOCUMENT: Person Per(x) requests a card or has already been assigned a Con(x) card. Per(x) now creates: a private QR code "Con(x)-PR-QR-PKI", a public QR code "Con(x)-PU-QR-PKI" and a secret master password "Con(x)-PW".
Both QR codes are also represented by a figure (which can be read with the aforementioned communication devices) and by an alphanumeric string (which can be sent electronically). Con(x)-PU-QR-PKI is printed on or attached to a card / information carrier / document. Each Per(x) can change its own general data GDat(x) on the Con(x) by scanning Con(x)-PR-QR-PKI and entering the correct password Con(x)-PW. Per(x) can now define the events to be executed as soon as his card Con(x)-PU-QR-PKI is scanned: e.g. send an e-mail with the details of each scan that happens, show the GDat(x) information, or send an SMS to a number of people.
GRANT AUTHORIZATION TO QP(a): to obtain an authorization, QP(a) scans or enters the QPadmin-PU-QR-PKI, thus starting the authorization request. This should only be done once per specified period, depending on the settings made by QPadmin and the regulations agreed between the parties. Then QP(a) must be identified. He scans or enters his QP(a)-PR-QR-PKI and is requested to enter some information together with the QP(a)-PW, and if the passwords match, QP(a) is authenticated. A session key SK and a double-encrypted version of SK (= ESK) are created and saved. ESK = a version of SK encrypted with QPadmin-PU-QR-PKI whose outcome was re-encrypted with QP(a)-PR-QR-PKI. The TTP then creates a temporary code and sends it in the form of a Temp1-QR code (= link to ESK and the request for access by QP(a) = license request) to QPadmin. Depending on the organization, QP(a) can e-mail the Temp1-QR code with a request or post the printed version of the Temp1-QR code via an official letter to QPadmin. For QP(a) the license application has now been started; he must wait for QPadmin's decision. QPadmin (the QPDB administrator, at its own pace) executes the Temp1-QR link request and enters its own QPadmin-PR-QR-PKI and QPadmin-PW.
To check whether the request is legitimate, the ESK is decrypted with QP(a)-PU-QR-PKI and then with QPadmin-PR-QR-PKI and checked against SK. If both match, the application is authentic. The QPDB manager will then grant / refuse permission to QP(a). This result is stored in a temporary QR code (hereinafter referred to as Lic-QR). Lic-QR is sent to the applicant QP(a) and stored in QPDB. QP(a) enters or scans Lic-QR and is requested to authenticate with QP(a)-PR-QR-PKI and QP(a)-PW. This information is stored in the QP(a)-QR-PKI file and is executed automatically. If QP(a) is authorized to be part of the group of "Qualified Personnel", he now has the permission / license and therefore also access to SDatDB. If necessary, QPadmin can revoke the license of QP(a) at any time. If the license has a certain validity period, this is also included in the Lic-QR.
MANAGING DATA: the mechanisms for adding / changing data in the SDatDB are outside this scope. Assume that QP(a) enters data SDat(y) concerning a Per(y) in "a (medical) database" and a link to this SDat(y) is available.
This "link to SDat(y)" with access rights, hereinafter called Link(y), is stored in SDatDB and is made available in the form of a QR code (containing a service URL + Link(y)) on the screen of QP(a), also called Temp3-QR. To link SDat(y) to Con(y) of Per(y), QP(a) scans the Con(y)-PU-QR-PKI of Per(y). QP(a) will see the GDat(y) of this Con(y), and can check that this is the correct Per(y) and Con(y). Then, within a defined time window and from the same communication device, QP(a) scans QP(a)-PR-QR-PKI and enters QP(a)-PW to confirm his identity, after which the validity and status are checked at QPadmin via Lic-QR. If still valid, QP(a) now gets access to the QPDBs. All Link(y) are retrieved from the LinkDB for this Con(y), and these Link(y)'s are looked up as SDat(y)'s and retrieved from SDatDB. The screen of the aforementioned communication device of QP(a) now displays the medical (sensitive) data. If QP(a) only wants to consult information, further operation will be terminated as soon as the predefined time window has expired (this means that the links are broken, but the info will remain on the screen). If QP(a) wants to add new information, he must go through the above procedure to get the history on screen and, within the defined time window, scan the new information to be added or enter it in the form of Temp3-QR (a figure or a string, depending on the communication device used). If necessary, the Temp3-QR event may have a limited period of validity, which means that if Temp3-QR is used beyond the validity date, the "link" is no longer valid and various warnings can be activated. If a QP(z) proves to be a fraud, its license in the QPDB is withdrawn by QPadmin, with all other information remaining intact and available for other licensed QPs.
READ DATA ONLY: as soon as someone scans Con(z)-PU-QR-PKI, he / she will receive the GDat(z), and Per(z) will be notified if this has been set up in this way.
As soon as QP(a) scans Con(z)-PU-QR-PKI, he also receives the GDat(z).
USE: this method can be applied wherever information needs to be attached to a specific item or information carrier. The combination of this method with the method used in the fight against fraud provides a new application in processing and securing information. By using this application, sensitive or external data is linked to that object (the public part of the QR-PKI) and is not stored in an event that is linked to the object. This means that the owner of the item cannot change or read the linked information; only qualified persons who have access to the external, linked databases can. The same arrangement can be applied with different entities (medical, legal, driver's licenses, ...) all linked to the same object, but each with a different access level. For the GDat information stored in the event of the object, the owner can be notified of any access that someone requests to the information. Concerning the example illustrated above: if Per(x) has an accident on the street, any passerby can scan the Con(x) and thereby indirectly notify certain people (including a doctor who treats this patient as a heart patient), and if necessary a bi-directional communication should be set up between the doctor (or 911/112 emergency service) and the witness on the spot (the passerby who scanned Per(x)). As soon as the emergency services arrive at the location, they immediately get access to all (medical) information to treat this patient with the right care. In addition, family members or other special relatives can be automatically notified as defined in the event.
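The examples above repeatedly require that the private-key scan and the password arrive "from the same mobile device and within the defined time window". The following is an added sketch of that server-side check, not code from the patent: it enforces the time window, same device, same IP address and same browser session together, and the names `AuthServer`, `device_id`, the 60-second window and all sample strings are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _digest(text: str) -> str:
    # Index strings by hash so the store never holds the scanned key material in clear.
    return hashlib.sha256(text.encode()).hexdigest()


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class CodeSet:
    """One set of authentication codes as the server stores it."""
    salt: bytes
    secret_hash: bytes                            # derived from the secret / password
    actions: list = field(default_factory=list)   # run when the public string arrives


@dataclass
class PendingScan:
    code_set: CodeSet
    received_at: float
    device_id: str
    ip: str


class AuthServer:
    def __init__(self, window_s: float = 60.0):   # window length is an assumed value
        self.window_s = window_s
        self._by_first = {}    # digest(private-key string) -> CodeSet
        self._by_second = {}   # digest(public-key string)  -> CodeSet
        self._pending = {}     # browser session id         -> PendingScan
        self._verified = {}    # browser session id         -> CodeSet

    def enroll(self, first_string: str, second_string: str, secret: str) -> None:
        salt = secrets.token_bytes(16)
        code_set = CodeSet(salt, _kdf(secret, salt))
        self._by_first[_digest(first_string)] = code_set
        self._by_second[_digest(second_string)] = code_set

    def receive_first_string(self, first_string, now, device_id, ip, session_id) -> bool:
        """Private key QR code was scanned; True means 'ask for the secret'."""
        code_set = self._by_first.get(_digest(first_string))
        if code_set is None:
            return False
        self._pending[session_id] = PendingScan(code_set, now, device_id, ip)
        return True

    def receive_secret(self, secret, now, device_id, ip, session_id):
        """Check the secret and the boundary conditions; returns (ok, reason)."""
        # pop(): a scan can be answered once, so a failed attempt forces a new scan.
        scan = self._pending.pop(session_id, None)
        if scan is None:
            return False, "no scan in this browser session"
        if not 0 <= now - scan.received_at <= self.window_s:
            return False, "outside time window"
        if device_id != scan.device_id:
            return False, "different device"
        if ip != scan.ip:
            return False, "different IP address"
        candidate = _kdf(secret, scan.code_set.salt)
        if not hmac.compare_digest(candidate, scan.code_set.secret_hash):
            return False, "secret does not belong to this set"
        self._verified[session_id] = scan.code_set
        return True, "ok"

    def define_actions(self, session_id, actions) -> bool:
        """Only a session that passed the check may define the actions."""
        code_set = self._verified.pop(session_id, None)
        if code_set is None:
            return False
        code_set.actions = list(actions)
        return True

    def receive_second_string(self, second_string):
        """Public key QR code was scanned: return the actions defined for its set."""
        code_set = self._by_second.get(_digest(second_string))
        return None if code_set is None else list(code_set.actions)


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    server = AuthServer(window_s=60)
    pr = "https://ttp.example/s?k=CONSTRUCTED-PRIVATE-KEY"
    pu = "https://ttp.example/s?k=CONSTRUCTED-PUBLIC-KEY"
    server.enroll(pr, pu, "constructed-Con-PW")
    server.receive_first_string(pr, 1000.0, "phone-1", "198.51.100.7", "sess-1")
    print(server.receive_secret("constructed-Con-PW", 1030.0, "phone-1", "198.51.100.7", "sess-1"))
    server.define_actions("sess-1", ["show handling instructions", "notify sender"])
    print(server.receive_second_string(pu))
```

Timestamps are passed in explicitly so the window check can be exercised deterministically; a deployment would take them from the server clock, never from the client.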
Claims (19)
[1] A method for authenticating an entity, consisting of the following steps: - users (A, B) are each provided with a set of authentication codes (3-5), each set consisting of at least one secret (3), a private key QR code (4) and a corresponding public key QR code (5), wherein the private and public key QR codes are generated from a first string (1) consisting of a URL of an authentication server system (10) and a PKI private key and a second string (2) consisting of the same URL and a corresponding PKI public key; - the authentication server system (10) receives a first string (1) as a result of the first user reading the respective private key QR code (4) via a mobile device (101) equipped with a reading system and a QR code reader application, and performs the action definition procedure below: a) the first user is asked to enter a secret (3), b) receiving the secret, entered by the first user, on the authentication server system (10), c) checking whether the received secret (3) and the received first string (1) belong to the same set of authentication codes (3-5) and whether the received secret and the received first string meet predefined boundary conditions, d) if this check yields a positive result, the first user is asked to define a sequence of actions to be performed when receiving the second string (2), which belongs to the same set of authentication codes, on the authentication server system (10).
[2] Method according to claim 1, wherein the predefined boundary conditions consist of at least one of the following conditions: a predefined time window in which the received first string and the received secret must arrive; that the received first string and the received secret are received from the same mobile device (101); that the received first string and the received secret are sent from the same IP address; that the received first string and the received secret were entered from the same browser session.
[3] Method according to claim 1 or 2, wherein the first or the second string, from which the private and public key QR codes are generated, is further composed of at least one parameter and / or identification code.
[4] Method according to any of the preceding claims 1-3, wherein each set of authentication codes consists of additional user-defined secrets, wherein the defined procedure of actions to be followed consists of assigning a predetermined procedure to each of the user-defined additional secrets, and wherein the method comprises: receiving additional user-defined secrets on the authentication server system (10), whereupon the corresponding and predefined procedure is performed.
[5] The method of any one of the preceding claims 1-4, wherein the step d further comprises creating a temporary key in the form of a QR code key for the first user, with a predetermined validity period, and defining a set of actions to be performed when receiving the temporary key on the authentication server system (10).
[6] Method according to any of the preceding claims 1-5, wherein the step d further consists in assigning to the entity a set of authentication codes by the first user, said set of authentication codes for the entity consisting of a set of codes where the public key QR code is intended to be attached to this entity of the first user.
[7] Method according to any of the preceding claims 1-6, wherein the definition of the actions in step d further comprises: requesting the first user to define a set of logical expressions with boundary conditions that are evaluated upon receiving the second string (2) on the authentication server system (10), and defining a first set of actions to be performed for each user-defined secret if the result of the logical expression with preconditions gives "true" and a second set of actions to be performed for each secret defined by the user if the result of the logical expression with preconditions gives "false".
[8] The method of claim 7, wherein the next step is to receive on the authentication server system (10) the second string (2) as a result of reading the respective public key QR code (5) by a second user with a mobile device (102), equipped with a reading system and a QR code reader application, the following activation procedure being performed: a') retrieving the sequence of logical expressions and operations that were defined for the received second string (2), and b') evaluating the sequence of logical expressions in which the first or the second sequence of actions must be performed depending on a respective "true" or "false" outcome.
[9] The method of claim 7, wherein the next step is to receive on the authentication server system (10) the second string (2) as a result of reading the respective public key QR code (5) by a second user with a mobile device (102), equipped with a reading system and a QR code reader application, the following authentication and activation procedure being performed: a') requesting the second user to read the private key QR code and to enter a secret belonging to the set of authentication codes (3-5); b') receiving the respective first string (1) as a result of the second user reading the requested private key QR code, and the secret (3), entered by the second user, on the authentication server system; c') checking whether the received secret (3) and the received first string (1) belong to the same set of authentication codes (3-5) of the previously received second string (2), and whether the received secret and the received first string meet the imposed conditions; d') depending on the result, the sequence of logical expressions and actions defined for the secret received is executed; e') evaluation of the series of logical expressions where, for each expression, the first or the second series of actions must be performed depending on the outcome.
[10] System for authenticating an entity, consisting of an authentication server system (10) comprising: - a first algorithm comprising software parts to provide users (A, B) each with a set of authentication codes (3-5), each set consisting of at least one secret (3), a private key QR code (4) and an associated public key QR code (5), wherein the private and public key QR codes are generated from respectively a first string (1) consisting of a URL of an authentication server system (10) and a PKI private key and a second string (2) consisting of the same URL and a corresponding PKI public key; - a second algorithm comprising software parts to receive a first string (1) as a result of the first user reading the respective private key QR code (4) via a mobile device (101) that is equipped with a reading system and a QR code reader application, and to perform the action definition procedure below: a) the first user is asked to enter a secret (3), b) receiving the secret, entered by the first user, on the authentication server system (10), c) checking whether the received secret (3) and the received first string (1) belong to the same set of authentication codes (3-5) and whether the received secret and the received first string meet the predefined boundary conditions, d) if this check yields a positive result, the first user is asked to define a sequence of actions to be performed when receiving the second string (2), which belongs to the same set of authentication codes, on the authentication server system (10).
[11] The system of claim 10, wherein the predefined boundary conditions comprise at least one of the following conditions: a predefined time window in which the received first string and the received secret must arrive; that the received first string and the received secret are received from the same mobile device (101); that the received first string and the received secret are sent from the same IP address; that the received first string and the received secret were entered from the same browser session.
[12] System as claimed in claim 10 or 11, wherein the first or the second string, from which the private and public key QR codes are generated, is further composed of at least one parameter and / or identification code.
[13] A system according to any of the preceding claims 10-12, wherein each set of authentication codes consists of additional user-defined secrets, wherein the defined procedure of actions to be followed consists of assigning a predetermined procedure to each of the user-defined additional secrets, and wherein the authentication server system (10) is provided with a third algorithm comprising software parts for receiving additional user-defined secrets and for carrying out the corresponding and predefined procedure.
[14] A system according to any of the preceding claims 10-13, wherein the step d further comprises creating a temporary key in the form of a QR code key for the first user, with a predetermined validity period, and defining a set of actions to be performed when receiving the temporary key on the authentication server system (10).
[15] A system according to any of the preceding claims 10-14, wherein the step d further comprises assigning to the entity a set of authentication codes by the first user, said set of authentication codes for the entity consisting of a set of codes where the public key QR code is intended to be attached to this entity of the first user.
[16] The system according to any of the preceding claims 10-15, wherein the definition of the actions in step d further comprises: requesting the first user to define a set of logical expressions with boundary conditions that are evaluated upon receiving the second string (2) on the authentication server system (10), and defining a first set of actions to be performed for each user-defined secret if the result of the logical expression with preconditions gives "true" and a second set of actions to be performed for each secret defined by the user if the result of the logical expression with preconditions gives "false".
[17] System as claimed in claim 16, wherein the authentication server system is provided with a fourth algorithm comprising software parts for receiving the second string (2) as a result of reading the respective public key QR code (5) by a second user with a mobile device (102) equipped with a reading system and a QR code reader application, wherein the following activation procedure is performed: a') retrieving the sequence of logical expressions and operations which were defined for the received second string (2), and b') evaluating the sequence of logical expressions where the first or the second sequence of actions is to be executed depending on a respective "true" or "false" outcome.
[18] The system of any one of claims 10-17, wherein the authentication server system (10) is provided with a fifth algorithm comprising software parts for receiving the second string (2) as a result of reading the respective public key QR code (5) by a second user with a mobile device (102), equipped with a reading system and a QR code reader application, wherein the following authentication and activation procedure is performed: a') requesting the second user to read the private key QR code and to enter a secret associated with the set of authentication codes (3-5); b') receiving the respective first string (1) as a result of the second user reading the requested private key QR code, and the secret (3), entered by the second user, on the authentication server system; c') checking whether the received secret (3) and the received first string (1) belong to the same set of authentication codes (3-5) of the previously received second string (2), and whether the received secret and the received first string meet the imposed conditions; d') depending on the result, the sequence of logical expressions and actions defined for the secret received is executed; e') evaluation of the series of logical expressions where, for each expression, the first or the second series of actions must be performed depending on the outcome.
[19] Use of a method according to any of claims 1-9 or of a system according to any one of claims 10-18 for authenticating or securing at least one of the following group of entities: an object, a building, an electronic payment, a certificate of authenticity associated with a product, a container, an encrypted and / or electronically signed correspondence, sensitive data whose access must be limited to a limited number of persons, a person, an agent or a representative of a company who visits a building, a customs broker, a police officer, a person with a mandate where that mandate must be verified by a second person.
Patent family:
Publication number | Publication date
BR112013025752A2 | 2018-05-02
AU2012239057B2 | 2016-06-09
EP2509275A1 | 2012-10-10
US20140026204A1 | 2014-01-23
RU2013147885A | 2015-05-10
IL228602D0 | 2013-12-31
EP2695354A1 | 2014-02-12
CA2832171A1 | 2012-10-11
CN103493460A | 2014-01-01
US9167428B2 | 2015-10-20
WO2012136366A1 | 2012-10-11
SG193987A1 | 2013-11-29
AU2012239057A1 | 2013-11-14
ZA201308105B | 2014-06-25
EP2695354B1 | 2020-07-22
JP2014515142A | 2014-06-26
Priority:
Application number | Filing date | Patent title
EP11161033 | 2011-04-04 |
EP11161033A | EP2509275A1 | 2011-04-04 | 2011-04-04 | Method and system for authenticating entities by means of mobile terminals