EP3300545A1 - Method for electronically signing a document by means of a smartphone - Google Patents

Method for electronically signing a document by means of a smartphone

Info

Publication number
EP3300545A1
Authority
EP
European Patent Office
Prior art keywords
document
terminal
server
signatory
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP17735171.5A
Other languages
English (en)
French (fr)
Inventor
Claude RAPOPORT
Christophe CLOESEN
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Portima Scrl
Original Assignee
Portima Scrl
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Portima Scrl

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/313 User authentication using a call-back technique via a telephone network
    • G06F21/33 User authentication using certificates
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/645 Protecting data integrity, e.g. using checksums, certificates or signatures using a third party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3215 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a plurality of channels
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • The present application relates to the electronic signature of documents such as insurance contracts and, more generally, any document of a service provider or a product supplier.
  • The document to be signed is accompanied by a certificate characterizing the signatory and his signature.
  • The certificate contains the surname, first name and date of birth of the signatory, and an identification number.
  • The signed document contains a QR code (Quick Reference) that represents an internet link to the signed document.
  • Signature software irreversibly transforms the PDF document to be signed into a string of characters (HASH) that the signatory must sign.
  • The signature is made using a Public Key Infrastructure (PKI).
  • The smart ID card contains this public key and a private key.
  • The public key is associated with a PKI certificate issued by the PKI server, an electronic file that defines the owner of the public key.
  • Once the signatory's identity card has been inserted in his reader and the document to be signed has been transformed into a HASH, the HASH is signed.
  • The signature software asks the signer for the personal identification number (PIN code) in order to access the private key stored in the chip.
  • The HASH is encrypted by means of the private key, and the resulting signed HASH and the certificate are sent to the signature server, which attaches them to the PDF document together with the exact date and time.
  • The recipient can, by means of the public key of the PKI certificate, verify the integrity of the document and the authenticity of the signer. Note that pairing the public and private keys is impossible without exorbitant means.
  • The invention relates to a method of electronically signing a document of a recipient, by a signatory having a smart mobile telephone terminal with a camera, via the Internet and using a signature server and an application store, connected to the Internet and having a signature application with a secure cryptography library, a method in which:
  • the recipient sends the server the document to be signed and the telephone number of the signatory,
  • the signer downloads the application on his terminal and connects to it,
  • the server sends a service message (MS) to the terminal with a user code for the continuation of the application, a code that the terminal returns to it for security,
  • the signatory, using his terminal, takes at least one picture of his identity document, which is sent to the server over the Internet,
  • the terminal creates, from the secure library, a private key and a public key, the latter being sent to the server,
  • the server creates the HASH of the document to be signed and a certificate of signature and sends them to the terminal,
  • the terminal, by way of signature, encrypts the HASH using the private key and a PIN code, and
  • the terminal sends the encrypted HASH and the certificate to the server, which recomposes the signed document, thus available to the recipient of the document.
  • After receiving the photo of the signer's identity document, the server checks the authenticity of that document, preferably by character recognition and image processing.
  • The steps of sending a service message (MS) and returning the code, taking the photo of the identity document and authenticating the signer's identity document constitute a global authentication step of the signatory.
  • The method of the invention can therefore be extended to a method of electronically signing a document of a recipient, by a signer having a smart mobile telephone terminal with a camera, via the Internet and using a signature server and an application store, connected to the Internet and having a signature application with a secure cryptography library, a method in which:
  • the recipient sends to the server the document to be signed and the telephone number of the signatory,
  • the signer downloads the application on his terminal and connects to it,
  • the signatory proceeds to sign the electronic document before sending it to the server, where it is available to the recipient of the document.
  • The authentication of the signatory includes the steps according to which:
  • the server sends a service message (MS) to the terminal with a user code for the continuation of the application, a code that the terminal returns to it for security,
  • the signatory, using his terminal, takes at least one picture of his identity document, which is sent to the server over the Internet,
  • the server checks the authenticity of the signatory's identity document.
  • The signature of the document comprises the steps according to which the terminal creates, from the secure library, a private key and a public key, the latter being sent to the server,
  • the server creates the HASH of the document to be signed and the certificate of signature and sends them to the terminal,
  • the terminal, by way of signature, encrypts the HASH using the private key and a PIN code, and
  • the terminal sends the encrypted HASH and the certificate to the server, which recomposes the signed document, thus available to the recipient of the document.
  • FIG. 1 is a general diagram of the system by means of which the method of the invention is implemented.
  • FIG. 2 is a block diagram of the steps of the method of the invention.
  • FIG. 3 is a block diagram of the signatory authentication step.
  • FIG. 4 is a block diagram of the certificate creation step.
  • FIG. 5 is a copy of a signature certificate.
  • The method now to be described is intended for the signing, by a signatory equipped with a mobile telephone terminal 1, here of the smartphone type, which has a camera 2 and a chip 3, of a document proposed by a recipient, here an insurance broker, who is to receive the signed document and who has a terminal 4. The two terminals 1 and 4 can be connected to the Internet 5, as can a signature server 6 and an application store 9.
  • A signature application is implemented in a first part 7' in the server 6 and in a second part 7" in the application store 9.
  • Part 7' is the "server" application; part 7" is the mobile app.
  • A secure cryptography library 8 is located in the store 9, preferably, as here, in the mobile application 7".
  • The recipient begins by sending, from its terminal 4 and via the Internet 5, to the server 6 the document to be signed by the owner of the terminal 1, that is to say the signatory. The signer's phone number, known to the recipient, is sent with the document to be signed.
  • The signer downloads to his terminal 1 the signature application 7' of the server 6 and the signature application 7" of the store 9, and connects to this application, here by means of a user code and a password.
  • The signer can view the document to be signed and the phone number provided by the recipient.
  • The signatory then clicks on the "to sign" icon and then, with another click, must accept the general conditions of use of the signature application.
  • The recipient sends him (102), directly over the Internet 5, a service message (MS), here an SMS, with a single-use code for the continuation of the application, a code that the terminal 1 returns to the recipient for security, to confirm once again that his phone number is the correct one.
  • The recipient proceeds to take a picture (103), photographing the front and back of his identity card, if that is the identity document used. Note that other identity documents, such as a passport, are possible.
  • The shooting conditions are inevitably random as to the orientation of the card, the ambient light and disturbing reflections. This must be taken into consideration for the subsequent check.
  • Identity documents, to avoid counterfeits, have many visual elements that create noise, which disrupts the recognition of their data.
  • There may be several types of identity documents in each country, with different zone compositions, which must also be taken into account in their recognition.
  • Terminal 1 sends the photos to the server 6.
  • The check (104) of the authenticity of the signatory's identity card is done as follows, by character recognition and image processing.
  • The data zones are precisely located by a preliminary cut-out, which remains difficult given the signatory's freedom in taking the photo, with a background, orientation and lighting that may leave something to be desired. In any case, arbitration and corrections are necessary.
  • The saturation channel makes it possible to detect the chip of the identity card.
  • The value channel is used to detect the orientation, the face, the machine readable zone (MRZ) and, if it exists, the barcode.
  • Points that may lie on an object outline in the image are detected. These points are connected to form candidate lines representing the real edges of all the photographed objects in the image.
  • To straighten the image, we extract from the set D of candidate straight lines d_i a set of orientation angles E.
  • The orientations are sorted according to their number of occurrences. The most frequent orientation E is retained, and all orientations that differ from E by less than 3 degrees (in the implementation performed here) are rejected. If an element of the line of orientation E cannot be detected, we deduce that the orientation is wrong and start again, rejecting the orientation E and selecting the next one.
  • Detection of card elements
  • The image can undergo an "advanced morphological transformation" that highlights the element.
  • An iteration loop on one of the threshold parameters makes it possible to cover some photographs with more extreme contrasts. As soon as the element is detected, we leave the iteration.
  • T: text areas; F: areas to be blurred.
  • An adjustment step can be made by comparing the names determined by character recognition on the front and back faces, which are in two different formats. It will be noted that the applicant, for these checking steps, made use of the "Open Computer Vision" library via Emgu Computer Vision. The purpose of this check is to ensure, with a sufficient degree of certainty, that the person using the signing application is who they claim to be. We make sure that the photographed document is probably a true identity document, that the front face of the document corresponds to its back face, that the document has not expired and that the holder is of legal age.
  • A cleaning step (14) aims to exclude from the certificate that will be created any data relating to the privacy of the signatory, such as the national registry number.
  • Together, the signer's terminal 1 and the server 6 create the data for certifying the signature.
  • This data includes the signatory's last name, first name and date of birth, his email address, the "reduced" telephone number, and the unique serial number of his certificate.
  • From the secure library 8 of the application 7", the terminal 1 creates (111) a cryptographic private key and public key, stored in the mobile application 7".
  • This library can be provided by Whitecryption (NIST FIPS 140-2 Level 1 approval).
  • The terminal 1 sends (112) the public key to the server 6 so that the signer's data can be linked to the public key, sealed by the signature of a certification authority.
  • The server then creates (113) the certificate (FIG. 5), which it sends (114) to the terminal 1.
  • The server 6, into which the document to be signed was entered in PDF format, electronically transforms (12) this document into a string of characters (HASH), and that is what the signatory has to sign.
  • The server 6 sends it to the terminal 1.
  • The terminal encrypts the HASH using the private key and a PIN code, which comes into play at this point in the process.
  • This PIN code (numeric or alphanumeric) has been chosen by the signatory for the purposes of signing and to allow access to the private key.
  • The terminal sends the HASH and the certificate to the server, which recomposes the signed document (Figure 6) before making it available to the signatory. It could also send it to the recipient.
  • The electronic signature method just described is to be implemented by the signer of a recipient's document when the signatory wants to sign for the first time with a terminal with which he has never made such an electronic signature. In other words, it is a first signature with a new terminal that does not yet contain the signature application.
  • the recipient sends the server (6) the document to be signed and the telephone number of the signatory,
  • the server (6) creates the HASH of the document to be signed and sends it to the terminal (1), the terminal (1), by way of signature, encrypts the HASH using the private key and the PIN code previously chosen by the signatory, and
  • the terminal (1) sends the encrypted HASH and the certificate to the server (6), which recomposes the signed document, thus available to the recipient of the document.
  • The signature application has been downloaded to the terminal, the server already has the photo of the signer's ID, the private and public keys have already been created and sent to the server, and the signature certificate has already been created.
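The signing flow described above (key pair created on the terminal, certificate issued by the server, HASH signed by the terminal, verification on the server), as an added Go example that is not taken from the patent or from the applicant's software. ECDSA P-256, SHA-256, X.509 and all function names are assumptions, since the text names no algorithm; PIN-protected access to the private key is left to the secure library and is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Server models signature server 6, acting here as its own certification authority.
type Server struct {
	caKey  *ecdsa.PrivateKey
	caCert *x509.Certificate
}

func template(cn string, serial int64, usage x509.KeyUsage) *x509.Certificate {
	isCA := usage == x509.KeyUsageCertSign
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: isCA, BasicConstraintsValid: isCA}
}

func NewServer() (*Server, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := template("Example CA (constructed)", 1, x509.KeyUsageCertSign)
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Server{caKey: key, caCert: cert}, err
}

// NewTerminalKey is step 111: the key pair is created on the phone.
func NewTerminalKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue is steps 112-113: the CA signature seals the signer's data to the public key.
func (s *Server) Issue(signer string, serial int64, pub *ecdsa.PublicKey) ([]byte, error) {
	t := template(signer, serial, x509.KeyUsageDigitalSignature)
	return x509.CreateCertificate(rand.Reader, t, s.caCert, pub, s.caKey)
}

func HashDocument(doc []byte) [32]byte { return sha256.Sum256(doc) } // step 12, on the server

// TerminalSign signs the HASH; checking it against the displayed document is an added step.
func TerminalSign(key *ecdsa.PrivateKey, displayed []byte, hash [32]byte) ([]byte, error) {
	if sha256.Sum256(displayed) != hash {
		return nil, errors.New("HASH does not match the displayed document")
	}
	return ecdsa.SignASN1(rand.Reader, key, hash[:])
}

// Verify checks the certificate against the CA and its validity period, then the
// signature over the document's HASH. Revocation is not checked.
func (s *Server) Verify(doc, sig, certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil || cert.CheckSignatureFrom(s.caCert) != nil {
		return errors.New("certificate was not issued by this server's CA")
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate outside its validity period")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	hash := HashDocument(doc)
	if !ok || !ecdsa.VerifyASN1(pub, hash[:], sig) {
		return errors.New("signature does not match document and certificate")
	}
	return nil
}

func main() {
	srv, _ := NewServer() // errors ignored only to keep this constructed run short
	key, _ := NewTerminalKey()
	cert, _ := srv.Issue("Jane Doe (constructed)", 1001, &key.PublicKey)
	doc := []byte("%PDF-1.4 constructed contract")
	sig, _ := TerminalSign(key, doc, HashDocument(doc))
	fmt.Println("genuine:", srv.Verify(doc, sig, cert), "| altered:", srv.Verify(append(doc, '!'), sig, cert))
}
```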
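The image-straightening step of the identity-document check described above (orientations of the candidate lines sorted by occurrences, neighbours within 3 degrees rejected, next orientation tried when no element is detected), as an added Go example that is not the applicant's OpenCV code. The segment type, the whole-degree binning and the `detect` callback are assumptions, and the sample lines are constructed.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Segment is one candidate straight line d_i from the contour-point stage.
type Segment struct{ X1, Y1, X2, Y2 float64 }

// Orientation returns the line's angle in whole degrees, folded into [0, 180)
// so that a line drawn in the opposite direction counts as the same orientation.
func (s Segment) Orientation() int {
	deg := math.Atan2(s.Y2-s.Y1, s.X2-s.X1) * 180 / math.Pi
	return (int(math.Round(deg))%180 + 180) % 180
}

// angleDiff is the distance between two orientations on the 180-degree circle.
func angleDiff(a, b int) int {
	d := a - b
	if d < 0 {
		d = -d
	}
	if d > 90 {
		d = 180 - d
	}
	return d
}

// CandidateOrientations sorts the orientations of D by number of occurrences and
// rejects every orientation closer than tolDeg to one that is already retained.
func CandidateOrientations(lines []Segment, tolDeg int) []int {
	count := map[int]int{}
	for _, l := range lines {
		count[l.Orientation()]++
	}
	angles := make([]int, 0, len(count))
	for a := range count {
		angles = append(angles, a)
	}
	sort.Slice(angles, func(i, j int) bool {
		if count[angles[i]] != count[angles[j]] {
			return count[angles[i]] > count[angles[j]]
		}
		return angles[i] < angles[j] // deterministic order for ties
	})
	var kept []int
	for _, a := range angles {
		near := false
		for _, k := range kept {
			near = near || angleDiff(a, k) < tolDeg
		}
		if !near {
			kept = append(kept, a)
		}
	}
	return kept
}

// Straighten tries the retained orientations in order and stops at the first one
// for which detect (a hypothetical card-element detector) succeeds.
func Straighten(lines []Segment, tolDeg int, detect func(angle int) bool) (int, bool) {
	for _, a := range CandidateOrientations(lines, tolDeg) {
		if detect(a) {
			return a, true
		}
	}
	return 0, false
}

// SampleLines builds constructed segments: card edges near 20 and 110 degrees,
// one line drawn in reverse (200 degrees) and one background edge at 75 degrees.
func SampleLines() []Segment {
	var out []Segment
	for _, deg := range []float64{20, 20, 200, 21, 19, 110, 110, 75} {
		r := deg * math.Pi / 180
		out = append(out, Segment{0, 0, 100 * math.Cos(r), 100 * math.Sin(r)})
	}
	return out
}

func main() {
	lines := SampleLines()
	fmt.Println("candidates:", CandidateOrientations(lines, 3))
	angle, ok := Straighten(lines, 3, func(a int) bool { return a == 110 })
	fmt.Println("retained:", angle, ok)
}
```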

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
EP17735171.5A 2016-08-02 2017-07-07 Method for electronically signing a document by means of a smartphone Withdrawn EP3300545A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
BE2016/5625A BE1023971B1 (fr) 2016-08-02 2016-08-02 Method for electronically signing a document
PCT/EP2017/067134 WO2018024445A1 (fr) 2016-08-02 2017-07-07 Method for electronically signing a document by means of a smartphone

Publications (1)

Publication Number Publication Date
EP3300545A1 (de) 2018-04-04

Family

ID=56737841

Family Applications (1)

Application Number Title Priority Date Filing Date
EP17735171.5A Withdrawn EP3300545A1 (de) 2016-08-02 2017-07-07 Method for electronically signing a document by means of a smartphone

Country Status (6)

Country Link
EP (1) EP3300545A1 (de)
BE (1) BE1023971B1 (de)
FR (1) FR3054906B1 (de)
GB (1) GB2555167A (de)
NL (1) NL2019358B1 (de)
WO (1) WO2018024445A1 (de)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3092419B1 (fr) * 2019-02-05 2021-05-21 In Idt Method and system for authenticating a handwritten signature.
CN114338035B (zh) * 2021-12-15 2024-10-01 南京壹证通信息科技有限公司 Mobile-terminal PDF electronic signature method and system based on collaborative key signing

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102013100635A1 (de) * 2013-01-22 2014-07-24 IDnow GmbH User identification
US20160360403A1 (en) * 2015-01-05 2016-12-08 Ebid,Products & Solutions, S.L. Procedure for generating a digital identity of a user of a mobile device, digital identity of the user, and authentication procedure using said digital identity of the user
DE102015206623A1 (de) * 2015-04-14 2016-10-20 IDnow GmbH Digital signature with remote identification

Also Published As

Publication number Publication date
FR3054906B1 (fr) 2019-06-07
NL2019358B1 (en) 2018-02-09
BE1023971B1 (fr) 2017-09-26
GB201711702D0 (en) 2017-09-06
FR3054906A1 (fr) 2018-02-09
WO2018024445A1 (fr) 2018-02-08
GB2555167A (en) 2018-04-25

Similar Documents

Publication Publication Date Title
EP3690686B1 (de) Authentication method, server and electronic identity device
US20180026790A1 (en) Evidence system and method to determine whether digital file is forged or falsified by using smart phone and smart phone having certification function of smart phone screen capture image and method thereof
EP3665600B1 (de) Method for the electronic signing of a document by a plurality of signatories
EP2591463B1 (de) Secure system and method for establishing and recording an identity
KR101765328B1 (ko) Mobile system for acquiring identity card information for electronic contracts
WO2019233951A1 (fr) A software application and a computer server for authenticating the identity of a digital content creator and the integrity of the creator's published content
EP2619941A1 (de) Method, server and system for authenticating a person
CN108124093B (zh) Method and system for preventing falsification of photos taken by a terminal
FR3054906B1 (fr) Method for electronically signing a document
KR20160123752A (ko) Smartphone having a smartphone screen capture image authentication function, and smartphone screen capture image authentication method
WO2022079110A1 (fr) Method and device for remote signing and certification of a person's identification data
EP2954449B1 (de) Authentication of a digitized handwritten signature
EP2005379B1 (de) System for securing electronic transactions over an open network
EP3594880A1 (de) Secure method for transmitting cryptographic data
AU2018455995A1 (en) Universal certified and qualified contracting method
WO2020225292A1 (fr) Method for generating an archiving code to create a fingerprint of multimedia content
EP4193283B1 (de) Method for generating a secure digital document stored on a mobile terminal and associated with a digital identity
KR20160124053A (ko) Smartphone having a smartphone screen capture image authentication function, and smartphone screen capture image authentication method
EP4519779A1 (de) Portable, independent device for securing data transmission, and corresponding method
EP2992640B1 (de) Method for generating at least one derived identity
FR3093836A1 (fr) Digital identity
KR20150067558A (ko) ID photo registration system
WO2007048839A1 (fr) Method for securing payments by splitting amounts
FR3065552A1 (fr) Method and system for authentication and non-repudiation
CH710819B1 (fr) System and method for controlling access to a service.

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20171117

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20190115

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20190528