Qualification Questionnaire for Client Authentication in Presence of Electronic Identification
CONNOTECH Experts-conseils Inc.
July 1999
Table of contents
Preface
Introduction
Section 1. Background information on the service described in the questionnaire
Section 2. Category of security into which the service fits
Section 3. Justification for security
Section 4. The client authentication process
Preface
Because the handling of electronic identification is subject to very
diverse attitudes and solutions, the present document attempts to
provide a conceptual framework as a tool for preliminary
classification.
The document is organized as a questionnaire, with many definitions and
explanations intermixed with formal questions. Not all questions need
to be answered, since the primary goal of this document is to assist
the reader in making up his mind about the classification of an electronic
identification scheme.
The author's organization owns the intellectual property rights for a
client authentication procedure called SAKEM (Secret Authentication
Key Establishment Method), and the benefit of efficient classification
is an easier determination of a possible match between a scheme and the
SAKEM procedure. The classification exercise applies both to existing
and planned electronic identification schemes.
The present document should be used by two types of readers:
- the one who faces an obligation to report on possible patent
infringement of an electronic identification scheme versus the SAKEM
intellectual property rights (hereafter called obligation to report), and
- the one who is voluntarily looking for a better understanding of the
client authentication issue in the presence of an electronic
identification scheme (hereafter called voluntary investigation).
Again, this document is limited to a preliminary classification, so
either type of reader may feel the need to further the investigation
into the client authentication process intricacies.
- © 1999 CONNOTECH Experts-conseils Inc. - non-commercial
derivative works are welcome
- Obviously, the SAKEM procedure has a decisive influence on the
organization of this questionnaire. It is a welcome by-product of this
questionnaire if it promotes the formalization of an increasingly critical
business function, namely client authentication, in a context of
steadily increasing transaction automation and correspondingly
growing concerns about hackers. The author welcomes derivative works
in the form of adaptations and improvements by authors without a
commercial bias, provided this original source is referenced and
acknowledged.
Introduction
This document outlines sequences of questions to be answered to
determine which approach is actually taken for client authentication in an
e-commerce scheme or other scheme encompassing electronic
identification.
In this context, the following definitions apply:
- Electronic identification broadly refers to the use of digital
technology in situations where the identity of a person (physical person
or legal entity) is collected by a computer, and/or used by a computer,
e.g. to grant access to a computer system. In order to widen the
definition, identity of a person can be any identification information,
from someone's name and place of residence to the account number used
for the billing of a service to a person. Moreover, the identity of an
automated functional entity (such as an Internet web server or a
switching node in a data transmission network) qualifies as the target
of electronic identification according to the present definition.
- Client authentication broadly refers to the safeguards against the
potential consequences of unreliable electronic identification. The
purpose of the present document is to make this definition precise and
to refine it.
Sometimes, the client authentication issue is not even acknowledged by
those who run an electronic identification scheme. Or the actual
approach to client authentication is lost in the informal relationships
between the various departments of an organization that might have some
view on the issue (e.g. marketing, customer service, computer
operations, systems development, even the legal department). For this
reason, the questionnaire starts with scope-defining questions that
should direct the reader to the proper set of technology-intensive
questions.
For the obligation to report, the reader is likely to look for
conclusive data pointing toward non-infringement of the SAKEM
intellectual property rights. In many instances, the electronic
identification scheme might simply not exploit strong IT security
mechanisms despite marketing or public relations claims to the contrary
(perhaps a risk analysis has been performed and came to the conclusion
that implementing security technology would cost more than the
anticipated loss from the unlikely occurrence of fraud). In other
cases, some strong IT security mechanisms are in place but client
authentication is addressed using a known pattern that is different
from SAKEM. So in many cases, the obligation to report might boil down
to documenting these findings, and there may be no need to thoroughly
understand the SAKEM procedure in order to dismiss any possible
infringement. In this context, the purpose of this document is to
promote efficiency by quickly eliminating schemes that are easily
recognized as non-infringing, reserving valuable investigation
resources for situations where infringement remains a possibility.
For the voluntary investigation, the reader may be receptive to
indications of the potential benefits of the SAKEM procedure. The SAKEM
procedure features a unique combination of security and operating cost
efficiencies for client authentication using strong IT security
techniques.
Section 1. Background information on the service described in the questionnaire
1.1 Name of the system, service, product, application, or security scheme
under investigation (hereafter called the service)
Answer: ________________________________
1.2 Describe the aspects of the service where electronic identification is used.
Answer: ________________________________
1.3 Identify the following items in the context of the service
- 1.3.1 type of entities to which electronic identification is applied
Answer: ________________________________
- 1.3.2 form of electronic identification in use by the person or entity
being identified
Answer: ________________________________
- 1.3.3 enrollment or initialization procedure for the electronic
identification
Answer: ________________________________
- 1.3.4 main database or other storage for the client data related to
electronic identification
Answer: ________________________________
1.4 Name of the service provider, e.g. the department primarily in charge of
operating the service from an application's perspective
Answer: ________________________________
1.5 Name of the organization owning the service, of which the service provider
would be a component
Answer: ________________________________
1.6 Indicate which of the following development stages of the service have
been completed so far, and which is currently occurring.
- System design or initial development
- Pilot project or field trial
- Strategic e-commerce initiative (no expectation of short term
profitability)
- Production system
- Other, specify
Answer: ________________________________
1.7 In your own terms, describe the overall strategy for client
authentication in any of the completed or current development stages above.
Answer: ________________________________
1.8 For each of the following special cases, indicate whether they are
applicable to the service:
- 1.8.1 The electronic identification applies to an automated device
rather than to a person or a person's role.
Answer: ________________________________
- 1.8.2 The electronic identification is based on biometric
measurements.
Answer: ________________________________
Section 2. Category of security into which the service fits
2.1 Market segment classification.
2.1.1 Classify the service in one of the market segment definitions from the
following list.
Answer: ________________________________
2.1.2 Indicate, if any, alternate classifications that might also be made.
Answer: ________________________________
- Authentication outside of the computer world
- Many authentication schemes based on smartcards or electronic
identification chips would fall in this category. If an authentication scheme
does not require computer literacy on the part of its end-users, it
would naturally fit in this category.
Note for obligation to report: this is a market segment where the
re-invention of the SAKEM procedure is expected, as indicated by early
market signals.
- Corporate network security
- This category includes access control to central computer systems and
servers using passwords or authentication tokens, and virtual private
networks. E-mail security would fall into this category if handled
within an organization domain. The central concept here is corporate
control.
- Support functions for IT security practice
- Many security systems are themselves protected by security services
based on electronic identification. For instance, automated banking
machines (ABM) are linked to a bank's central computer with secured
(encrypted) data communications. The secret key used for encryption allows
the bank to ascertain the origin of cash withdrawal messages, thus
providing a form of electronic identification for the ABM, just as the
secret PIN identifies the bank customer. The present category includes
such services (ABM device identification) that indirectly provide
assurance in the integrity of an end-user application (cash withdrawal
by legitimate account-holders) that encompasses security functions by
itself. Many electronic identification schemes used behind the scenes
fall into this category. The central concept here is the observation
that the persons or functional entities being identified play an
important role in a broader security system.
Note for voluntary investigation: the SAKEM benefit in this market
segment is improved security in the security management function, where
separation of duties is often specified as a requirement, but without
practical solutions.
- Internet e-commerce
- The Internet e-commerce category includes every type of service
intended for the public at large and offered through the Internet network.
Membership may be required by the service if the public at large is
invited to become a member. The Internet e-commerce category includes for
instance the sale of physical goods by web merchants, the sale of
digital contents (software, digital music recordings), electronic
subscription to fee-based information services, and e-mail security schemes
intended for the Internet community at large (e.g. PGP). This category
excludes electronic funds transfers, except for credit card payments in
the context of Internet shopping.
- Electronic funds transfers
- Before the advent of the Internet, the commercial use of IT security
techniques was mainly concentrated in the financial industry for the
protection of electronic funds transfers against fraud. Nowadays, banks
are trying to deliver more and more services through automated
channels, notably the Internet. The present category of electronic services
is limited to financial transactions linked to the national payment
systems, the central concept being the influence of rules and practices
prevailing in the traditional financial industry. Thus, loan
applications through the Internet fall into the preceding category
(e-commerce) but settlement of securities is typically associated with the
national payment system. For the sake of determinism, we place credit card
transactions for payment of goods or services bought through the
Internet in the preceding category (strictly speaking this is an exceptional
exclusion from the present category because the credit card system is
widely recognized as an intrinsic component of the national payment
system).
- "military and national security"
- This category includes the security systems used by the military
sector and governments for the protection of very sensitive data, when
these systems differ from commercial systems. The central concept here is
the specialty nature of such systems, because the security
specifications are usually dictated by government agencies to the suppliers of
security systems.
2.2 Qualification as an "m-to-1", "m-to-n", or "n-to-n" scenario.
Classify the service in one of the scenario definitions from the following
list.
Answer: ________________________________
- "m-to-1" scenario
- An "m-to-1" scenario is when a number ("m") of
clients get an electronic identification for interacting with one
("1") organization. The organization may have a number of units
(e.g. branches) through which the interaction may take place, but the
central concept is some unified organizational control. An example would
be an on-line banking service offered by one bank to its
accountholders only.
Note for obligation to report: the SAKEM procedure is well suited to the
"m-to-1" scenario, but not limited to it.
- "m-to-n" scenario
- An "m-to-n" scenario is when a number ("m") of
clients get an electronic identification for interacting with a smaller
number ("n") of service organizations. Typically, these
organizations share common characteristics (such as banks in a given
geographical area). The central concept is that although the system is open,
there are structurally different roles assigned to clients and to
service organizations.
An "m-to-n" scenario is sometimes created by a multi-lateral
agreement among "n" organizations which individually manage
an "m-to-1" scenario. Alternatively, an "m-to-n"
scenario can be a closed PKI (Public Key Infrastructure, see below),
in which case the initial client authentication is handled by a CA
(Certification Authority).
- "n-to-n" scenario
- An "n-to-n" scenario is when any client or organization
(among the "n" of them) can interact with any other client or
organization in a security scheme, on a peer-to-peer basis, and with
minimal intervention of any overseeing authority. The Internet e-mail
security shareware called PGP is the foremost example of this scenario.
In some cases, the central organization in an "m-to-1"
scenario sets up an "m-to-m" application such as corporate e-mail
security, but the requirement of a central authority disqualifies the
scheme as an "n-to-n" scenario.
Note for obligation to report: most genuine "n-to-n" scenarios would
normally be an open PKI (Public Key Infrastructure, see below), in which
case the initial client authentication is handled by a CA (Certification
Authority).
Section 3. Justification for security
In this section, the reader is exposed to various business motivations
for implementing information security measures. In the end, the
reader is asked to classify the overall business context for the service
security management.
Often, there is a significant gap between the public relations claims
of information security and the actually implemented measures. This gap
may be caused by
- carelessness,
- difficulty in budgetary justification for technology without
immediate tangible benefits,
- under-evaluation of the risk and of the technological capabilities of
would-be fraudsters,
- technically challenging aspects of good information security measures,
- the conception that good public relations and sensible "crisis
management" of security incidents are adequate security measures.
Keeping these facts of life in mind might assist the reader in a more
realistic assessment of the business context for the service under
investigation.
3.1 Describe the overall fraud experience in any of the completed or current
development stages of the service (recent past experience).
Answer: ________________________________
3.2 Criticality of reliable electronic identification technology.
Identify any specific vulnerability to fraud or electronic identity sham in
the following areas:
- 3.2.1 consequences on service operations
Answer: ________________________________
- 3.2.2 direct financial impact
Answer: ________________________________
- 3.2.3 damages to legitimate service user
Answer: ________________________________
- 3.2.4 possible further security breaches from successful electronic
identity sham
Answer: ________________________________
- 3.2.5 negative impact on decision-making process (e.g. alteration of
credit rating)
Answer: ________________________________
- 3.2.6 negative impact on the organization's image or reputation
Answer: ________________________________
- 3.2.7 problems with the organization's ability to offer the same level
of service with alternate mechanisms (fallback strategy)
Answer: ________________________________
- 3.2.8 others (specify)
Answer: ________________________________
3.3 Some legal issues
3.3.1 Describe any impact of statutes, regulations, and codes of ethics for
the privacy protection of personal information.
Answer: ________________________________
3.3.2 Describe any impact of any standard of duties of care dictated to the
service provider by statutes, regulations, and/or codes of ethics.
Answer: ________________________________
3.3.3 Indicate the presence of an enrolment contract, and, if any,
describe its relationship with the issuance of electronic identification
means.
Answer: ________________________________
Note for voluntary investigation: the SAKEM procedure addresses the bind
between the enrolment contract and the issuance of the electronic
identification means.
3.3.4 The notion of an alternative security procedure is emerging in
various law-making initiatives related to computer evidence. In practice,
an e-commerce server system might choose to support two security
procedures: 1) a secure procedure option that clearly qualifies as a
reasonable security procedure according to some stringent standards of
practice in a given industry, and 2) an entry-level procedure option.
Obviously, the secure procedure option is more likely to encompass strong
security techniques than the entry-level one. By itself, the entry-level
option might be marginally reasonable, but it becomes formally reasonable
if the e-commerce customer knowingly rejects the secure procedure
option (which becomes alternative by being rejected).
Describe any influence the emerging notion of alternative security procedure
might have on the electronic identification scheme.
Answer: ________________________________
Note for obligation to report: the offering of two security procedures
may create an obligation to report on both of them.
3.4 Role of audits and investigation
3.4.1 Describe any involvement of the service provider's auditors with
respect to the security of the electronic identification scheme.
Answer: ________________________________
3.4.2 Describe any requirement for third party security audit for the
electronic identification scheme.
Answer: ________________________________
3.4.3 In the event that the electronic identification is challenged in
a court or in arbitration proceedings, describe if possible the likely
attitude of the service provider in the case of a hostile security
investigation assisted by expert witnesses.
Answer: ________________________________
3.5 Organization's response to fraud threat
3.5.1 Describe the actual or anticipated organization's response to insider
fraud. The term insider fraud refers to abuse of the electronic
identification scheme by employees, agents or subcontractors of the
service provider, for an ill-intentioned purpose.
Answer: ________________________________
3.5.2 Describe the actual or anticipated organization's response to
technological fraud. The term technological fraud refers to "cracking the
system" using sophisticated equipment, software, knowledge, and/or skills,
in an unexpected way.
Answer: ________________________________
3.5.3 Describe the actual or anticipated organization's response to hacker
fraud. The term hacker fraud refers to moderately sophisticated outsiders
who exploit tricks and tools available among computer hacker circles
(e.g. somewhere on an Internet site).
Answer: ________________________________
3.5.4 Describe the actual or anticipated involvement of the organization's
public relations function in the handling of security incidents in
relation with the electronic identification scheme.
Answer: ________________________________
3.6 Class of business context for security management. This business
context influences the justification for spendings in the area of
information security and the level of organization's care and dedication in
implementing and operating the information security solutions. The
previous questions in this section were intended to collect various
clues about the actual commitment of the service provider for the security
function. From the above clues and other information, the reader is
now asked to make a general assessment on the organization's attitude.
Classify the business context for security management in one of the context
definitions from the following list.
Answer: ________________________________
- Unsecured transmission.
- The electronic identification data is treated just like any other data
in the service offering, without any special protection mechanism.
The transmission medium is insecure, but it is not anticipated that
someone would ever go to the extent of eavesdropping on the transmission
medium in order to attempt an electronic identification sham. An example is
the transmission of a subscriber's password in the clear to access a
restricted Internet web site.
Note for obligation to report: it is unlikely for SAKEM procedure
infringement to be found once this context is clearly recognized.
- Contractual endorsement of procedural security.
- Same as the unsecured transmission, but this time the security (or
lack of security) is acknowledged and accepted by the participants in the
electronic identification scheme in a written contract. An example is
a clause in a business contract stating that notices sent by fax or
e-mail are sufficient for the purposes stated in the contract.
Note for obligation to report: it is unlikely for SAKEM procedure
infringement to be found once this context is clearly recognized.
- Technical security mechanisms, non-cryptographic security techniques
- The service provider claims that technical security mechanisms are in
place to protect the electronic identification against misuse, but
those mechanisms are not based on the collective work of modern
cryptographers (from the invention of DES in the 1970's). For instance, the
scheme might be a unique method of obfuscation made by a software
engineer who relied mainly on his own confidence in the difficulty of
breaking the system as a validation tool. The central concept is that under
closer examination, no link can be traced to any work published in a
scientific publication.
Note for obligation to report: since the SAKEM procedure makes internal
use of cryptographic techniques, it is unlikely for infringement to be
found once this context is clearly recognized.
- Technical security mechanisms, nominal use of cryptographic techniques
- The service provider implemented some technical security mechanisms,
at least some of which are based on the collective work of modern
cryptographers. However, in contrast with the next context, these
mechanisms are not explicitly operated according to formal rules that enforce
continued protection, notably in the area of cryptographic key
management. Cryptographic techniques do not eliminate human control over
the data, but rather concentrate such control in the hands of fewer
individuals (through logical leveraging or a hierarchical structure).
In the context of nominal use of cryptographic techniques, an
organization has not structured its detailed operating procedures to account
for this change in the spread of control. In such a context, it is common
for security management to be tacitly devolved to the computer
system operations function, with little formal accountability.
Note for obligation to report: this business context may be the most
difficult to report about, because the responsibilities for information
security can be diffused throughout the organization.
- Technical security mechanisms, controlled use of cryptographic
techniques
- In this business context, an organization's commitment to information
security is the strongest. In addition to cryptography-based security
mechanisms, detailed operational procedures are in place for security
management. At the management level, there is typically a well-defined
center of responsibility for issues related to information security.
There is no requirement for every aspect of systems and applications
to implement bullet-proof security for this business context to apply.
It is sufficient to observe, in those cases where information security
is deemed important 1) implementation of cryptography-based security
mechanisms, 2) operational procedures for security management, and 3)
some formalism in the managerial responsibility over the security
function.
Note for obligation to report: even in the presence of strong managerial
commitment to the information security function, the search is not over
for reliable data to report about the technical aspects of the client
authentication process.
- Open PKI model
- The business context for managing the information security function
may be dictated by the organization's decision to join the PKI bandwagon
(Public Key Infrastructure, see below) in its open variant. Then, the
handling of the information security function is dictated by PKI
systems rules (unless the organization is in a rule setting position such
as a Certification Authority, CA). It is a purpose of the open PKI
model to allow service providers to operate without having any control
that might be abused against its customers (the shifting of control
effected by the cryptographic mechanisms extends up to the CA as an
overseeing authority).
Section 4. The client authentication process
In this section, the reader's attention is focused on how electronic
identities are first established in the service. The subject matter of
this section is a business procedure, to which information security
mechanisms may be tied. There are 9 patterns to which a given service may
adhere, and one influencing factor. The reader is invited to keep in mind
this influencing factor and then to try to identify the client
authentication pattern which is most representative of a given service
under investigation.
The influencing factor is implicit identification by experience. This
term refers to a subtle factor in the notion of identity. Realizing that
an "identity" is a sound connection between a "form" and a "function",
an implicit identification by experience occurs when a function is
repeatedly performed by an entity of the same form, and everything goes
smoothly. A simple example is the recurring payment for Internet access
service by an ISP (Internet Service Provider). After a couple of monthly
payments by credit card transactions without complaint by the
cardholder, the authentication of the Internet access account to the
cardholder leaves little doubt. The "form" is the password for the
Internet account and the "function" is the undisputed completion of the
monthly credit card payment. In some instances, the implicit
identification by experience reduces the requirements of explicit
precautions for client authentication at subscription time. In
electronic transactions, the implicit identification by experience is
less likely to occur when the routine transactions are highly automated.
In the example of recurrent credit card transactions, if the cardholder
automatically pays his monthly credit card statement without manually
reviewing it, the level of automation reduces the effectiveness of
implicit identification by experience (a credit card fraud may last
indefinitely if the cardholder does not report it).
4.1 Classify the client authentication process in one of the approaches
from the following list.
Answer: ________________________________
- (1) The manual delivery approach
- The manual delivery approach, where electronic identification means
are distributed manually to their users, such as a computer password or
a premises access card issued to a new employee by authorized personnel
such as a computer system manager or a security officer.
Note for obligation to report: it is unlikely for SAKEM procedure
infringement to be found once this approach is clearly recognized.
- (2) The critical mass approach
- The critical mass approach, where the issuance of electronic
identification means is relegated to an exceptional procedure because
most would-be issuers are participants in an industry-wide scheme where
universal electronic identification can be verified on-line. The
foremost example is a merchant doing business on the Internet with MOTO
accounts (Mail Orders Telephone Orders) with a few major credit card
brands.
Note for obligation to report: with this approach, the issuance of
electronic identification means may be done by an organization
independent from the service provider.
- (3) The public key infrastructure (PKI), open PKI variant
- The public key infrastructure (PKI), open PKI variant is a
technology-intensive initiative based on widespread acceptance and use
of digital signatures of the public key cryptography breed.
"The open PKI model envisions that subscribers will obtain a
single certificate from an independent third-party CA [(security)
Certification Authority] which certifies that subscriber's identity.
Certificate holders will then use that certificate to facilitate transactions
with potentially numerous merchants and/or other individuals."
(from Biddle, C. Bradford, Legislating Market Winners: Digital Signature
Laws and the Electronic Commerce Marketplace, San Diego Law Review, Vol 34
(1997), issue 3, pp 1225-1246, at page 1235). The PKI initiative can be
seen as an attempt to come up with a critical mass solution to the
e-commerce security challenges.
Note for obligation to report: with this approach, the issuance of
electronic identification means may be done by an organization
independent from the service provider, such as a CA (Certification
Authority).
- (4) The public key infrastructure (PKI), closed PKI variant
- The public key infrastructure (PKI), closed PKI variant is a
technology-intensive initiative based on acceptance and use of digital
signatures of the public key cryptography breed in a user community
sharing a common perspective on e-commerce issues (e.g. a consortium or
an industrial sector). The closed PKI refers to context-specific
security certification, to be used in a context bounded by contractual
terms. "risk management is the critical area of difference between
closed and open PKI" (and neither network connectivity nor computer
software interoperability) (from Biddle, C. Bradford, Legislating Market
Winners: Digital Signature Laws and the Electronic Commerce Marketplace,
San Diego Law Review, Vol 34 (1997), issue 3, pp 1225-1246, at page 1240).
Note for obligation to report: with this approach, the issuance of
electronic identification means may be done by a CA (Certification
Authority), but any service provider is a likely candidate for the CA
role.
Note for voluntary investigation: the SAKEM procedure approach is a
proper alternative to the closed PKI model.
- (5) The ad-hoc approach
- The ad-hoc approach, where minimal precautions are taken before the
issuance of an identification means. With this approach, it is
sufficient for the service organization to receive personal
identification information about the applicant for the completion of
the application process (little or no recourse to third-party
verification, personal contact through an out-of-band channel, or
verification and filing of an application document with a handwritten
signature). The ad-hoc approach to new client authentication is often
used by default when the business process for customer enrolment has
not been explicitly addressed at the service design stage. The Internet
SSL security protocol, when used in its most common mode of operation
where the SSL client is not authenticated, blends well with the ad-hoc
approach, providing some protection against network interception of
personal identification data. Moreover, the ad-hoc approach combined
with implicit identification by experience may provide greater
effective security (low fraud rate experience) than what proponents of
strong security mechanisms would expect.
- (6) The secure terminal approach
- The secure terminal approach, where the electronic identification
means is assigned to a user/client/subscriber by a secure terminal
which is part of a network whose security is maintained by the issuing
organization. Examples are the banking terminals where accountholders
choose a secret PIN (Personal Identification Number) associated with a
bank card. For mobile telephone subscriber registration, this approach
is claimed in the US patent document 5,557,679.
Note for obligation to report: it is unlikely for SAKEM procedure
infringement to be found once this approach is clearly recognized.
- (7) The SAKEM procedure approach
- The SAKEM procedure approach, where the client authentication is a
two-fold process: first an on-line registration procedure and then an
out-of-band verification of identity. The immediate result of the SAKEM
procedure is a shared secret that is securely tied to the client
authentication. The SAKEM procedure approach may be present whenever
the designers of the service paid close attention to the initial client
authentication. This is because the two combined design criteria of
genuine process security and minimal direct operating costs are met by
the SAKEM procedure approach.
- (8) Other less prevailing approaches
- Some other less prevailing approaches are documented or even fielded.
The GSM approach to mobile telephone subscriber identification relies on
manual distribution of an anonymous secret key (hidden in an integrated
circuit that was supposedly secure, but see
http://www.scard.org/gsm/gsm-faq.html for the description of an attack
on the logical protection of this integrated circuit), followed by
over-the-air subscriber registration. The following US patents may also
fall in the present approach: US patent document 4,771,461, US patent
document 5,539,824, US patent document 5,020,105, US patent document
5,386,468, and US patent document 5,077,790.
- (9) The anonymous devices
- The anonymous devices, often used for access control in the case of
prepaid service. There is no need for client authentication as the mere
possession of the identification means grants access to the service.
Typically, the depletion of prepaid rights is accounted for in a central
database. This database is indexed by electronic identity, but no
customer name is present in the database.
Note for obligation to report: it is unlikely for SAKEM procedure
infringement to be found once this approach is clearly recognized.
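The two-fold process of approach (7), on-line registration followed by out-of-band verification yielding a shared secret, can be illustrated with a generic two-phase enrolment sketch. This is an added example written for this page; it is not the SAKEM procedure and not code from CONNOTECH. The point it shows is that when the on-line phase and the out-of-band phase each contribute a value, and the shared secret is derived from both, an eavesdropper on the on-line channel and a thief of the mailed token each hold only half of what is needed. All class and function names, the token lengths, the attempt limit and the sample applicant data are assumptions of this sketch.

```python
"""Generic two-phase enrolment sketch (not the SAKEM procedure):
phase 1 is an on-line registration, phase 2 is an out-of-band
verification; the shared secret exists only once both succeed."""
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed policy: lock a pending enrolment after 3 bad tokens


class EnrolmentServer:
    def __init__(self):
        self.pending = {}  # client_id -> {"receipt", "token", "attempts"}
        self.active = {}   # client_id -> shared secret (hypothetical key store)

    def register_online(self, identity_claims):
        """Phase 1: the applicant submits identity claims on-line. The server
        opens a pending record and returns a receipt over the same channel.
        The out-of-band token is generated now but is never sent on-line."""
        client_id = hashlib.sha256(identity_claims.encode()).hexdigest()[:16]
        receipt = secrets.token_hex(16)  # travels on the on-line channel
        token = secrets.token_hex(8)     # travels out-of-band (e.g. postal mail)
        self.pending[client_id] = {"receipt": receipt, "token": token, "attempts": 0}
        return client_id, receipt

    def mail_token(self, client_id):
        """Simulates the out-of-band channel: hands the token to the address
        on file. A real deployment would print and post it."""
        return self.pending[client_id]["token"]

    def activate(self, client_id, receipt, token):
        """Phase 2: the applicant presents the on-line receipt together with
        the mailed token. Only then is the shared secret derived and stored."""
        rec = self.pending.get(client_id)
        if rec is None:
            return False
        rec["attempts"] += 1
        ok = (hmac.compare_digest(rec["receipt"], receipt)
              and hmac.compare_digest(rec["token"], token))
        if not ok:
            if rec["attempts"] >= MAX_ATTEMPTS:
                del self.pending[client_id]  # lock out: a fresh enrolment is needed
            return False
        self.active[client_id] = derive_shared_secret(client_id, receipt, token)
        del self.pending[client_id]          # receipt and token are single-use
        return True


def derive_shared_secret(client_id, receipt, token):
    """Both sides compute K = HMAC-SHA256(key=token, msg=client_id|receipt).
    An eavesdropper on the on-line channel lacks `token`; a mail thief
    lacks `receipt`; neither alone can compute K."""
    msg = (client_id + "|" + receipt).encode()
    return hmac.new(token.encode(), msg, hashlib.sha256).hexdigest()


def run_enrolment(identity_claims="Alice Example, 1 Main St"):  # constructed input
    """End-to-end flow; returns (secret held by server, secret derived by
    client, whether activation succeeded)."""
    server = EnrolmentServer()
    client_id, receipt = server.register_online(identity_claims)  # on-line
    token = server.mail_token(client_id)                          # out-of-band
    activated = server.activate(client_id, receipt, token)
    client_secret = derive_shared_secret(client_id, receipt, token)
    return server.active.get(client_id), client_secret, activated


if __name__ == "__main__":
    srv, cli, ok = run_enrolment()
    print("activated:", ok, "secrets match:", srv == cli)
```

The check a practitioner would want to carry over from this sketch is the single-use and lockout handling in `activate`: a pending record that could be retried without limit, or a token that stayed valid after activation, would turn the out-of-band step into a formality.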
CONNOTECH home page: http://www.connotech.com/ (e-mail: info@connotech.com)
CONNOTECH Experts-conseils Inc.
9130 Place de Montgolfier
Montréal, Québec, Canada, H2M 2A1
Tél.: +1-514-385-5691
Fax: +1-514-385-5900