SECURE WAP TRANSACTIONS USING VOICE BASED AUTHENTICATION
TECHNICAL FIELD
This invention relates to an arrangement and method for providing user authentication when performing Wireless Electronic Commerce transactions using a mobile device.
PRIOR ART
The problem is to provide a satisfactory level of security when someone is performing Wireless Electronic Commerce transactions on a mobile device. Some solutions to this problem are known from prior art, including:
1. Using SIM card based security. This requires either that the microbrowser is located on the SIM card, or that standard solutions exist for a phone microbrowser to access the SIM card security functions.
The SIM card solutions are limited to GSM systems. A SIM Application Toolkit based browser has certain limitations due to proprietary SIM technology, limited functionality in the SIM Toolkit standards and no support outside GSM. Standardisation is going on to provide SIM/smart card security within WAP, but the standards are not finished. Hence there is a need for intermediate solutions based on WAP 1.0, which has not solved the security aspects.
2. Using security functions on a smart card that can be read from the phone with an extra card reader.
The limitation of this solution is that a phone with an extra smart card reader is required. There is limited availability of such phones, the solution is not standardised yet, and the phones tend to be larger and more expensive.
3. Using external security devices like password calculators that generate one-time passwords and require a personal PIN code to be activated.
It is not very convenient to carry a password calculator, and it takes time to use it (first type the PIN, then type the generated password on the phone). Furthermore, the cost of the solution for the end user increases.
OBJECTS OF THE INVENTION
The present invention has as its objective to provide user authentication security when performing Wireless Electronic Commerce transactions on a mobile device that has no security functions beyond the standard security provided by the network.
This is achieved by combining a WML (WAP mark-up language) based microbrowser on the mobile device and voice based authentication in the network.
The invention is applicable in Wireless Electronic Commerce and other Wireless Application Protocol (WAP) based applications requiring user authentication above what is provided by the wireless network itself. The invention is applicable in wireless networks like GSM, D-AMPS and CDMA.
The exact scope of the invention is as defined in the appended claims.
BRIEF DESCRIPTION OF DRAWINGS
Figure 1 is a schematic diagram showing the various entities involved in a transaction using the present invention.
Figure 2 shows a network architecture example for systems using the invention.
Figure 3 shows an example of a message flow for a transaction using the invention.
DETAILED DESCRIPTION OF THE INVENTION
Figure 1 shows the various entities involved when a user wishes to access a WML based application (wireless E-commerce, Intranet access gateway, premium service access, etc.), 4, via a mobile device, using a method and system according to the present invention. The user starts a WML based dialogue involving a WML based browser, 1, a microbrowser with the ability to display Wireless Mark-up Language (WML). The browser can be located in a phone or other type of wireless device, like a Personal Digital Assistant (PDA). For simpler wireless devices, parts of the browser may be implemented in a server. An example of this is a GSM phone using the GSM Phase 2 USSD feature together with a proxy server that converts WML content to USSD text strings that are displayed on the phone.
The mobile device is connected to a wireless network, 2, including a WAP gateway. This entity consists of all wireless switching components like the Base Station System (BSS) and Mobile Switching Centre (MSC). In addition it contains the WAP gateway. The WAP gateway converts between the WAP protocol and bearer services on the radio side, and Internet protocols on the Internet side.
The user accesses the WML based application, 4. This entity is an application that uses the WAP defined Wireless Mark-up Language (WML) for dialogue with a user. At a certain stage in the dialogue an authentication is required. The application, 4, uses a voice password handling entity, 3, for authentication of the user. This entity is a network component that handles voice recognition and voice based dialogue with the user. It also handles the password and personal voice detection mechanisms. This entity will typically be based on an Interactive Voice Response (IVR) system.
The authentication can be performed by presenting a WML card (page) to the user that includes a menu entry initiating a voice call to an IVR based authentication centre using basic Wireless Telephony Application functionality (the ability to make a phone call by selecting an entry in a WAP based menu). The authentication is performed using a voice-based password that may provide both a user password and verification of the user's voice. The result of the authentication is returned to the WML based application, which continues or finalises the transaction.
If the browser does not support this menu feature (click-to-call), the voice password handling entity may instead initiate a call to the user after the WML dialogue is finished, to perform the authentication. The voice password handling entity may identify the user that shall be authenticated by his/her calling ID (phone number). In case of several users connected to the same phone number, or in case of a phone that is not owned by the user, extra identification of the user is required by the voice password handling entity. This can be accomplished using a B-number that provides extra information, or by informing the voice password handling entity in advance that an authentication of a specific user is to take place from the given phone number.
The actual algorithm used by the voice password handling entity for performing the authentication may differ between implementations of a voice password handling entity. An example of an algorithm is a personal PIN code combined with recognition of a personal voice. The voice password handling entity requests the entire PIN code, or alternatively a random digit within the PIN code. The latter ensures that the entire PIN code is never passed at the same time. Personal voice recognition provides verification of a specific person's own voice within an acceptable level of accuracy.
The voice password handling entity passes information on the result of the authentication to the WML based application over a secured link.
In Figure 1, the letters A to D denote the interfaces between the various entities, which are:
A. The interface between the device containing the WML based browser and the wireless network.
B. A connection with the ability to transport digitally coded voice. This may be a 56/64 kbit/s circuit using a signalling scheme like Signalling System #7 or ISDN.
C. An interface carrying WML content. This is normally an IP based interface. The protocol carrying WML can be the WAP stack, HTTP or HTTPS.
D. This can be any type of open or proprietary interface between the two entities. The two entities may be connected directly or via a secure network connection.
An exemplary physical embodiment of an arrangement according to the invention is shown in Fig. 2 as a network architecture. In this example the user accesses an application of interest located on a Wireless E-commerce server from a cellular phone with a microbrowser installed. The wireless E-commerce server is connected to an IVR server which performs the authentication. The connection uses a proprietary link for security reasons. The interfaces involved are as defined above.
In the message flow scheme in Figure 3 the procedure for establishing the WAP session is shown as a message sent from the user terminal to the application. This message triggers a message from the application to the voice password handling entity. This in turn initiates an exchange of call control messages between the browser (on the user terminal) and the voice password handling entity (on the IVR server). If the result of the authentication process is satisfactory, the voice password handling entity sends an Authentication OK message to the application. The application may then complete the transaction.
The advantage of the inventive arrangement and method is that it provides enhanced user authentication features on first phase WAP/WML based devices. Voice password based security solutions are being implemented e.g. in bank systems, i.e. this solution will fulfil financial institution requirements for user authentication security. By using the 'click-to-call' feature of WAP, this function will be easy to use for the end user.
The invention may be used for any type of WML based transaction that requires authentication security above what is provided by basic WAP and the cellular network. This may be home banking access, access to restricted information (e.g. corporate information), extra security for passing an Intranet firewall for WAP access, etc.
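The following Python model, added here as an illustration and not part of the patent or any product it describes, walks through the Figure 3 exchange between the three entities: the application opens a transaction and announces to the voice password handling entity which user is expected to call from which number (the advance-notification option described above), the WML card carries a click-to-call entry, the entity asks for one random digit of the PIN and checks the voiceprint, and the result travels to the application over interface D as a message protected by a shared-key MAC. The enrolment records, phone numbers, link key, the string-valued "voiceprint" and the WTAI make-call URI form are all assumptions of this example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed enrolment data for this example; a real voice password
# handling entity keeps PINs and voice templates in its own protected store.
ENROLLED = {
    "+4700000001": {"user": "alice", "pin": "4711", "voiceprint": "vp-alice"},
}

# Assumed shared key protecting interface D (application <-> voice entity).
LINK_KEY = b"constructed-link-key"


def sign(msg: str) -> str:
    """MAC over a result message so the application can detect tampering."""
    return hmac.new(LINK_KEY, msg.encode(), hashlib.sha256).hexdigest()


@dataclass
class VoicePasswordEntity:
    """Entity 3 of Figure 1: IVR-based PIN digit and voice verification."""
    pending: dict = field(default_factory=dict)  # calling id -> (user, txn)

    def expect(self, calling_id: str, user: str, txn: str) -> None:
        # The application tells the entity in advance which user will call
        # from which number, so the calling id alone need not identify the user.
        self.pending[calling_id] = (user, txn)

    def challenge(self, calling_id: str):
        """Runs when the voice call arrives; returns the PIN position to ask for."""
        rec = ENROLLED.get(calling_id)
        exp = self.pending.get(calling_id)
        if rec is None or exp is None or exp[0] != rec["user"]:
            return None  # unknown caller or no announced authentication
        return secrets.randbelow(len(rec["pin"]))  # never request the whole PIN

    def verify(self, calling_id: str, pos: int, spoken_digit: str, voiceprint: str):
        """Checks the spoken digit and voice; returns the signed result for interface D."""
        user, txn = self.pending.pop(calling_id)  # one announcement, one attempt
        rec = ENROLLED[calling_id]
        pin_ok = hmac.compare_digest(rec["pin"][pos], spoken_digit)
        voice_ok = hmac.compare_digest(rec["voiceprint"], voiceprint)
        msg = f"{txn}:{user}:{'OK' if pin_ok and voice_ok else 'FAIL'}"
        return msg, sign(msg)


@dataclass
class Application:
    """Entity 4 of Figure 1: the WML based application."""
    ivr_number: str
    open_txns: dict = field(default_factory=dict)  # txn -> user awaiting result

    def start_auth(self, user: str, calling_id: str, entity: VoicePasswordEntity):
        txn = secrets.token_hex(8)  # fresh id so a result cannot be replayed
        self.open_txns[txn] = user
        entity.expect(calling_id, user, txn)
        return txn, self.wml_card()

    def wml_card(self) -> str:
        # Click-to-call card; the WTAI public make-call URI form is assumed.
        return (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN" '
            '"http://www.wapforum.org/DTD/wml_1.1.xml">\n'
            '<wml><card id="auth" title="Authentication">\n'
            '<p>Call the authentication centre to confirm this transaction.</p>\n'
            f'<p><a href="wtai://wp/mc;{self.ivr_number}">Call now</a></p>\n'
            '</card></wml>\n'
        )

    def complete(self, msg: str, tag: str) -> bool:
        """Accepts the transaction only for an authentic, unconsumed OK result."""
        if not hmac.compare_digest(sign(msg), tag):
            return False
        txn, user, verdict = msg.split(":")
        if self.open_txns.pop(txn, None) != user:
            return False  # unknown or already consumed transaction
        return verdict == "OK"


def run_transaction(calling_id: str, user: str, spoken_pin: str, voiceprint: str) -> bool:
    """Drives the Figure 3 flow end to end; True if the application completes it."""
    entity = VoicePasswordEntity()
    app = Application(ivr_number="+4700009999")
    txn, card = app.start_auth(user, calling_id, entity)  # WAP session, auth required
    pos = entity.challenge(calling_id)                   # voice call arrives at IVR
    if pos is None:
        return False
    digit = spoken_pin[pos] if pos < len(spoken_pin) else ""
    msg, tag = entity.verify(calling_id, pos, digit, voiceprint)
    return app.complete(msg, tag)                        # Authentication OK over D


if __name__ == "__main__":
    print(run_transaction("+4700000001", "alice", "4711", "vp-alice"))   # True
    print(run_transaction("+4700000001", "alice", "4711", "vp-other"))   # False
```

The per-transaction id and the single-use pending entry are what tie the voice call to the WML session: without them a result message could be replayed, or a caller from the right number could be authenticated for a transaction nobody announced.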
DEFINITIONS AND ABBREVIATIONS
E. GSM Global System for Mobile Communications. A digital cellular phone technology based on TDMA that is widely deployed in Europe and throughout the world.
F. Gateway A gateway is a network point that acts as an entrance to another network. In a company network, a proxy server acts as a gateway between the internal network and the Internet. A gateway may also be any device that passes packets from one network to another network in their trip across the Internet.
G. HTTP The Hypertext Transfer Protocol (HTTP) is the set of rules for exchanging files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. Relative to the TCP/IP suite of protocols (which are the basis for information exchange on the Internet), HTTP is an application protocol.
H. HTTPS Secure Hypertext Transfer Protocol is a Web protocol built into a browser that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS is really just the use of Secure Socket Layer (SSL) as a sublayer under its regular HTTP application layer.
I. IVR Interactive Voice Response. An automated telephone answering system that responds with a voice menu and allows the user to make choices and enter information via the keypad. IVR systems are widely used in call centres as well as a replacement for human switchboard operators. The system may also integrate database access and fax response.
J. Microbrowser A slimmer variant of a WWW browser tailored for thin clients with small displays and low bandwidth communication. An example of a microbrowser is the browser on a WAP client, e.g. a WAP enabled phone.
K. Password In the context of the invention, a secret pattern shared between the user and the entity providing the authorisation. The password may be a spoken word, or e.g. a PIN code consisting of a number of digits.
L. PIN Personal Identification Number. A personal password used for identification purposes.
M. SIM Subscriber Identity Module. The SIM card is a special type of smart card that is used for security, subscription data and storage in a GSM phone. The SIM Application Toolkit standard in GSM also enables simple applications to be stored and executed on the SIM card.
N. USSD Unstructured Supplementary Service Data. A GSM protocol for passing service data via the control plane of the GSM protocol. Many supplementary services use USSD for signalling (e.g. format of type *123#).
O. WAP Wireless Application Protocol. A wireless standard initially proposed by Motorola, Ericsson and Nokia for providing small wireless devices like phones and PDAs access to Internet type content. WAP uses the Wireless Markup Language (WML) for presenting Internet content.
P. WTA Wireless Telephony Application. WTA provides telephony functions that may be used in association with WAP. In this invention the WTA functionality required is the ability to make a phone call by selecting an entry in a WAP based menu.