DE10043554C2 - Data network based identification procedure - Google Patents

Description

The invention relates to a method for personal identification of a User in a data network by a third party in which the user Personal identification number is assigned and his personal data are registered in a central database.

Such identification methods are used worldwide today. For example, the increasing commercial use of the Internet Financial institutions, department stores or other service providers often use the There is also a need to reliably identify the business partner. The time-saving advantage of personal contact that is no longer necessary between the contracting parties also means that the identity of the declaring contractual partner is no longer checked by conventional means can be. Already knowing a person's few data, the personal details and regarding the bank details, it can be an unauthorized third party enable effective business under false identity over the data network To make statements. Such a declaration of will are for both Identity holder, as well as for the recipient of the declaration as a rule considerable inconvenience and sometimes with high economic Losses connected. The rapidly increasing crime rate in the area Credit card fraud is only an indication that security previous data network-based identification procedures is insufficient.

In order to avoid the problem described, the most varied Institutes think about getting their business partners to start with a mostly permanent one Identify business relationships safely and with opportunities  equip which facilitate subsequent identifications. It is currently so For example, before a financial institution does business with a customer handles the Internet, the customer via the postident procedure or similar Identify procedures clearly and with a personal one Identification number and a list to be used once To equip transaction numbers. As a rule, institutions have to Offering business over the Internet, every single customer so elaborate identify and with the appropriate authorization options equip.

This procedure is for the commercial institution as well as for the Customers are very complex, time-consuming and expensive. He usually operates potential customer not just a business connection over a data network and Accordingly, such an elaborate identification must also be carried out frequently endure. In the event that some of the data already exists change identified person, all business partners must also be informed of this change confidentially, respectively Depending on the type of change, it must be a time-consuming and costly one personal identification.

According to the prior art (US 5 642 401) is a method for Authentication in a mobile network known. With this previously known Procedures involve a user, a third party and a central database. The Authentication process begins with the previously known method that an authentication request is transmitted from the third party to the user. This authentication request contains a random number that is from the Mobile phone device of the user including a secret Authentication key of the user in an authentication response is converted. This authentication response is then from the user transferred back to the third party. The third party sets one up Authentication confirmation request to the central database, whereby in the Request a personal identification number assigned to the user as well as the mentioned random number are included. The central database now calculates from the random number including the secret Authentication key, which of the contained in the request  Identification number is assigned, also an authentication response, which is transferred back to the third party. The third party then compares that of the user and authentication responses received from the database together. In case of a match, the authentication process is successfully completed.

This known authentication method has a number of disadvantages which this procedure for a secure and reliable, data network based Make identification of people unsuitable. A major disadvantage is based on the fact that, during the authentication process, one of an authentication result is calculated for the third predetermined random number must become. Suitable technical are for the calculation process Means, such as required in the form of computer programs, through which the identifying user is not readily available. Another disadvantage is that the third party compares the authentication results obtained from the Users and from the database receives, must carry out the positive itself or get negative authentication result. Finally, it is a disadvantage nor that a secret to calculate the authentication result Authentication key is used that only the user has. at There is a risk of such permanently valid keys Misplacement. If an unauthorized person is in possession of the secret key, it is also possible for this person to use false Make identity effective business declarations over the data network.

Furthermore, EP 873 032 A1 describes an authentication method for Cellular networks known. In this process, in addition to a Mobile phone identification number (CLI) assigned to the user of the Authentication number (CAN) assigned to mobile phones. The The procedure corresponds to the usual practice, for authentication except one personal authentication number a secret password, here in the form a so-called CAN number (= Caller Authentication Number) use. This method thus contributes to the problematic, a safe and to provide a reliable, data network-based identification procedure, not at. Here too there is a loss of the secret password  the danger that unauthorized persons under false identity over the data network to do business.

The invention has for its object to provide a method which while avoiding the disadvantages mentioned the effort of safe Identification of a user in a data network for both identification requesting third parties as well as for the user reduced, without sacrificing the security of identification have to.

This object is achieved by a method according to claim 1.

The identification method according to the invention is not just about to authenticate a user and thus to use certain (mobile Services) to authorize, but it should give a third party the additional Possibility to be given safe and reliable personal data of a potential business partner, such as the personal details and the Get bank details.

It is different from the method known from the prior art does not require the third party to send the user an authentication request aimed at, which the user then after the complicated calculation of a Authentication response is responding. According to the invention, the user transmits the third party only their personal identification number (IDNR) and a one-time use personal authentication number (PAN). Advantageously, there are no special technical requirements for this necessary. In the simplest case, the user shares the two numbers with the third party by phone with.

For the third party, the invention is also designed there Identification procedure particularly simple, since this is the user received numbers without special processing steps to the central Database passed on. The central database checks the validity of the IDNR and the PAN and then shares the third party identification of the user With. In particular, those addressed can also be included in this identification  personal data of the user may be included. Unlike the after Methods known in the prior art are therefore also for the invention the third party does not need any special data processing steps. The The reason for this is that the actual authentication, which is part of the identification method according to the invention is, not by the third party, but is carried out by the central database.

The particular advantage of the method according to the invention is that Security gain of the identification of the user through the identification inquiring third party. For the first time, the user is able to use the Initiation of a long-term business relationship or only for one unique transaction with the indication of his personal identification number with a one-time usable personal authentication number Business partners in a safe way with the necessary information supply. In addition to the increase in security, the effort also increases identification of a user.

While users have so far, especially in the short term Business relationships, often simply by providing bank details identified to her business partner lies with the inventive one Process an identification with a personal, multiple use Identification number and a one-time use Authentication number. Repeated use of Identification information, for example the data of a credit card So far, there has always been a dangerous loss of security because this data too after each use their identification and sometimes even Have retained authorization function. By the invention Procedures, the information given becomes worthless after use and no longer pose a risk to the user. At the same time, the Inquiring institution according to the invention with regard to the information about the user secured without an independent, always up to date Maintain database with securely identified users.

Furthermore, the user is no longer forced to work with every business partner together a secure business connection including a secure one  Identification build up, but can according to the invention Procedure for secure identification via the central database preferably for each individual business or business partner have it carried out.

Should the user's personal data change, for example within the framework a change of residence, so the user can make a one-time Change notification to be carried out change the data in the central bank and thus ensure that all business partners who access the data access this central database, always with the correct information work.

The central database can also reduce the frequency of errors due to incorrect Reduce information transmission, especially on the part of the user. Losing writing and reading errors in forms filled in under time pressure by the method according to the invention in importance.

The method according to the invention is particularly advantageous if the user to identify the third party personally Identification number and the corresponding personal Authentication number over a public data network, for example that Internet, transmitted. This is particularly the case with offers via the Internet Procedure expedient because the user is able to use an identical platform both for taking note of and assessing the offer, as well as for to use any acceptance of the offer. This procedure is reduced the time required and minimizes the likelihood of one Error. Previous security disadvantages, especially in the transmission personal information about public data networks are provided by the method according to the invention eliminated.

For the third party, what security regarding the identity of the user it makes sense for the third party to receive the user’s personal identification number and personal Authentication number to the central via a public data network Database submitted. The use of a public data network,  for example, the Internet, for this data transfer has the crucial Advantage that the verification of the user by the third party with the corresponding information is no longer tied to a specific location is. The required infrastructure, the access to the public data network, is available almost everywhere. This omnipresent makes use of the central one Database especially inexpensive. Since this is also the same platform for the transmission of the information from the user to the third party, as well can also be used to check the identity of the user here the time expenditure and the frequency of errors are significantly reduced. Farther it is possible to archive such processes automatically and exactly at any time reproduce in terms of timing and content. The information regarding the validity of the personal identification number and the personal authentication number gives the third party, for example one Department store, a sure guarantee of trustworthiness of the user and shows whether the identity of the third party is based on the central Database is verifiable.

An advantageous development of the invention provides that the third party at each Identification process additionally his own personal Identification number and your own personal authentication number together with the personal identification number of the user and the personal authentication number of the user to the central database transmitted. This procedure increases the security of the invention Procedural additional. Furthermore, all processes are due to the Unique uniqueness of personal authentication numbers reproducible.

Because the connection between the third party and the central database preferably also via a public data network, it makes sense if the data transmitted to the central database and that from the central Data made available to the database are encrypted. The effort of Encryption is no longer a burden on the user, which is security this way it is still guaranteed.  

Another advantageous way to use the data in the central database zen, arises if the third party receives the personal one received by the user Identification number, personal authentication number and others User data to be checked via the data network to a server to which the central database is kept available, the server transmits the comparing the checking data with the data in the central database and that The result of this check is communicated to the third party requesting information. In this way, when presenting the personal identification number and a personal authentication number of a user to access the personal data of this user excluded. It’s just that Result of a review available, reducing the risk of Data abuse is reduced. This means a special one for the user high level of security regarding his personal data in the central Database, which will not be announced. For the third party for example, a mail order company, is the result of one Identity verification is often sufficient to prevent criminal activity, for example, to counter an order to an incorrect address. The user retains full control over his personal data and the Third parties are given the opportunity to verify the information provided.

To minimize the effort of identifying a user reduce, sees an advantageous development of the inventive Ver drive that the third party by specifying the combination of personal Identification number and personal authentication number Read access to a part of those stored in the central database receives personal data of the user. This reduces for the user the effort of a business relationship with the third party in such a way that the Users, for example, when concluding a purchase contract for the acceptance of a Offer only needs to specify the accepted offer and its personal identification number with a personal Authentication number must transmit to the third party. Thanks for your order for a mail order company, the information can refer to Order number, personal identification number and personal Reduce authentication number. The previously necessary complex Filling out forms, for example for initial registration or updating  of customer data, is omitted because all data is in the central database be kept ready. The effort is also on the side of the third party significantly reduced since all essential points with a minimum of Data flow can be regulated. Furthermore, the third party for users of the central Database a sustainable information store, which is regularly updated must be brought up to date, as part of any all relevant data from the central business contact Database will be provided. A mail order company, for example, could on the updating of a customer directory for ordering processes completely dispense.

Another advantageous variant of the method according to the invention provides that the user has a confirmation of this identification after successful identification receives from the central database. Such confirmation gives the Users an additional security regarding the intended Use of his data. An operation not authorized by him would open this way it will uncover and any security gaps in the user or in the system would later on about this information reflux recognized. With the help of extremely timely communication in the form of The SMS has text messages, electronic mail and similar procedures Users even the possibility in the event of an error or misuse for example, to cancel shipments of goods.

Because the amount of information that the third party from the central data be made available to the intended purpose of the bank Realizing information transmission is always different and strong the type of business relationship between the user and the third party depends on the personal identification number and / or the personal authentication number contains a coding, which determines which user data can be checked, or which parts of the personal registered in the central database Third party access data. For example, if it is one free service, which, however, knowledge of the address of the user assumes that the user can, for example, give the third party their personal Identification number with a personal authentication number  who provide information or a review of Excludes information, for example regarding the bank details. Of Coding of personal data is of particular importance Identification number and / or personal authentication number, which within the scope of a purchase contract the possible payment modes from the beginning committed in.

Since the address and name of the user are data, it makes sense to specify which ones have to be specified frequently in daily traffic the name and / or address of the user in the central database to register.

It is also advantageous if information from the Identity card of the user are registered. Especially when dealing with Public authorities can provide data on the identity card of Be useful. Likewise, the indication of the tax number, the social insurance security number and other identification numbers are important.

An advantageous development of the method according to the invention provides that biometric data of the user are registered in the central database. For example, this opens up the possibility of biometric identification to have a user review or set up a biome trical identification system of the institution establishing the inclusion of the to save biometric data and this by means of a personal Identification number and a personal authentication number for the Authorize access to the central database.

Sometimes it can be done as efficiently as possible reduced correspondence between the user, the third party and the central database on the need for personal contact come between the third party and the user. For this purpose it is useful if the central database also contains contact information for the contains the respective user. This information can be, for example Telephone numbers, addresses of electronic mail, fax numbers and the like act.  

A common problem is the secure transmission of banking association user and / or credit card data to a third party. Insbeson Security in the transmission of credit card data can result in a lack of security have unfavorable economic consequences. Therefore it makes sense if the central database also information about bank details and / or Contains the user's credit card data. Again, due to the central Filing this information always with the necessary timeliness of this information little effort can be guaranteed. Security can also be due to the access restriction through the personal identification number in Combination with the personal authentication number is always guaranteed become. In addition, the user is no longer forced to use a variety various identifiers and personal identification numbers, as these stored securely in the database and always accessible when needed according to the invention by specifying the personal identification number in Combined with a personal authentication number.

In the following, the method according to the invention is based on a special Example with reference to illustrations for clarification tert. Show it:

In the following, the method according to the invention is based on a special Example with reference to illustrations for clarification tert. Show it:

Fig. 1 A data network as a platform for the dung OF INVENTION proper method,

Fig. 2 is a flow diagram of an example of he invention modern methods

Fig. 3 is another flow chart as an example of the inventive method,

Fig. 4 An example of an encoded personal authentication number.

In Fig. 1, the Internet is provided with the reference number 1 as a platform for the method according to the invention. Some elements of this public data network, which play a special role for the method according to the invention, are shown separately. Specifically, these are users 2 or customers, the third party 3 requesting the identification, or a mail-order company and a central database 4 in which the personal data of the users 2 are stored.

First of all, the user 2 causes his personal data 5 to be registered once in the central database 4 . The user 2 receives a confirmation of this registration together with a personal identification number (IDNR) 6 and a list 7 of one-time use personal authentication numbers (PAN) 8 via a postident procedure.

After the identity of the user 2 has been established with certainty, the department store presents the user 2 with offers 9 for the conclusion of a purchase contract for a product 10 .

On one of the offers 9 , the user 2 decides to buy the goods 10 which have the specifications 11 . In order to inform the goods mail order company of its decision to accept the offer 9 , the user 2 sends his personal identification number (IDNR) 6 a personal authentication number (PAN) 8 together with the specifications 11 of the goods 10 to the goods mail order company. The personal authentication number (PAN) 8 here contains a code which authorizes the department store for read access to the data of the user 2 in the central database 4 . For this purpose, the department store sends the received personal identification number (IDNR) 6 together with the personal authentication number (PAN) 8 to the central database 4 , which, after checking the identity of the user 2 , transmits the data 12 to the department store. At the same time, the coding in the personal authentication number (PAN) 8 authorizes the department store to debit the invoice amount for the ordered goods shipment using the bank details of the user 2 , which is also registered in the central database 4 . The user 2 receives his goods 10 in the conventional way 13 .

FIG. 3 shows another example of the inventive method. Here the user 2 decides on an offer 9 to buy the goods 10 and selects the credit card as the payment mode. Since the transaction is carried out over the Internet, the user 2 can not provide a manual signature, but has reached an agreement with his financial institution that a personal authentication number (PAN) 8 must be transmitted for such cases. the user transmits the personal identification number (IDNR) 6 , the personal authentication number (PAN) 8 , the specifications 11 for the goods 10 and the credit card number (CCNR) 17 to the sales institute 16 via the public data network. In order to initiate the payment of the purchase price 18 , this is sent to a credit institution together with the personal identification number (IDNR) 6 of the user 2 and the personal authentication number (PAN) 8 of the user 2, i.e. that in the central database 4 according to a Identification requesting third party 3 transmitted. The third party 3 sends the transmitted personal identification number (IDNR) 6 of the user 2 and the personal authentication number (PAN) 8 of the user 2 and their own personal identification number (IDNR) 14 with their own personal authentication number (PAN) 15 to the via a secure connection Central database 4 , which checks the validity of the combination of the personal identification number (IDNR) 6 of the user 2 with the personal authentication number (PAN) 8 of the user 2 . If the result of this check is positive, the central database 4 transmits the confirmation to the third party 3 requesting the identification and the payment is initiated.

In FIG. 4, a structure of a coded personal authentication number (PAN) 8 is shown. The personal authentication number (PAN) 8 here consists of nine numbers 20 and three letters 21 , which are only given if the requesting third party 3 is to receive information relating to the bank details of the user 2 .

Claims (16)

1. Method for personal identification of a user ( 2 ) in a data network by a third party ( 3 ), in which the user ( 2 ) is assigned a personal identification number (IDNR) ( 6 ) and his personal data in a central database ( 4 ) are registered, characterized in that the user ( 2 ) notifies the third party ( 3 ) in addition to the personal identification number (IDNR) ( 6 ) of a one-time use personal authentication number (PAN) ( 8 ) provided for each identification process and that the Third parties ( 3 ) receive an identification of the user ( 2 ) from the central database ( 4 ) on the basis of a combination of the personal identification number (IDNR) ( 6 ) and the personal authentication number (PAN) ( 8 ) communicated. 2. The method according to claim 1, characterized in that the user ( 2 ) for his personal identification to the third party ( 3 ) his personal identification number (IDNR) ( 6 ) and a personal authentication number (PAN) ( 8 ) via a public data network. 3. The method according to claim 1, characterized in that the third party ( 3 ) the personal identification number (IDNR) ( 6 ) received by the user ( 2 ) ( 6 ) the personal authentication number (PAN) ( 8 ) via a public data network to the central database ( 4 ) transmitted. 4. The method according to claim 1, characterized in that the third party ( 3 ) with each identification process additionally his own personal identification number (IDNR) ( 14 ) and his own personal authentication number (PAN) ( 15 ) together with the personal identification number (IDNR) ( 6 ) of the user and the personal authentication number (PAN) ( 8 ) of the user to the central database. 5. The method according to claim 1, characterized in that the data transmitted to the central database ( 4 ) and the data provided by the central database ( 4 ) are encrypted. 6. The method according to claim 1, characterized in that the identification of the user ( 2 ) only confirms the validity of the combination of the transmitted personal identification number (IDNR) ( 6 ) and the personal authentication number (PAN) ( 7 ) to the third party ( 3rd ) includes. 7. The method according to claim 1, characterized in that the identification of the user ( 2 ) confirmation of the validity and correctness of the combination of the transmitted personal identification number (IDNR) ( 6 ) and the personal authentication number (PAN) ( 7 ) and other transmitted personal Data of the user towards the third party included. 8. The method according to claim 1, characterized in that the third party ( 3 ) by specifying the combination of personal identification number (IDNR) ( 6 ) and the personal authentication number (PAN) ( 8 ) read access to a part of the in the central database ( 4 ) stored personal data of the user ( 2 ). 9. The method according to claim 1, characterized in that the user ( 2 ) receives a confirmation of this identification from the central database ( 4 ) after identification. 10. The method according to claim 1, characterized in that the personal identification number (IDNR) ( 6 ) and / or the personal authentication number (PAN) ( 8 ) contains a code by which it is determined which data of the user ( 2 ) are checked can, or to which parts of the personal data registered in the central database ( 4 ) the third party ( 3 ) has access. 11. The method according to claim 1, characterized in that the name and / or the address of the user ( 2 ) is registered in the central database ( 4 ). 12. The method according to claim 1, characterized in that in the central database ( 4 ) information from the identity card of the user ( 2 ) are registered. 13. The method according to claim 1, characterized in that in the central database ( 4 ) biometric data of the user ( 2 ) are registered. 14. The method according to claim 1, characterized in that in the central database ( 4 ) contact information to the user ( 2 ) are registered. 15. The method according to claim 1, characterized in that in the central database ( 4 ) bank details and / or credit card data of the user ( 2 ) are registered. 16. The method according to claim 1, characterized in that the personal identification number (IDNR) ( 6 ) and / or the personal authentication number (PAN) ( 8 ) consists of both numbers and letters.