SECURING A TRANSACTION PERFORMED FROM A NON-SECURE TERMINAL

Info

Publication number: 20190260747
Type: Application
Filed: Apr 29, 2019
Publication Date: Aug 22, 2019
Inventors: Guillaume Pitel (L'Hay Les Roses), Jean-Luc Leleu (Paris)
Application Number: 16/398,066

Abstract

In a general aspect, a method for authenticating a user can include: receiving, from a secure processor, a software component configured to generate an image frame including information intelligible to the user, and input data of the software component, the software component can include a first input for receiving a first input data having two randomly-selected valid values, and invalid values. The transmitted input data can include the valid values of the first input data. The method can also include, performing a plurality of times: selecting one of the valid values of the first input data in the transmitted input data, executing the software component by applying the transmitted input data to inputs of the software component and the selected valid value to the first input of the software component. The execution of the software component generating the image frame can have pixels in a visible or invisible state, depending on the selected valid value and defining the information, displaying the image frame. The method can also include, acquiring, from the user, a response depending on the information in the displayed image frame, and transmitting the acquired response to the secure processor.

Description

Description

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of PCT Application No. PCT/EP2017/077895, filed Oct. 31, 2017, which claims the benefit of European Application No. 16196945.6, filed Nov. 20, 2016, European Application No, 16196947.2, filed Nov. 2, 2016, European Application No. 16196950.6, filed Nov. 2, 2016 European Application No. 16196957.1, filed Nov. 2, 2016, European Application No. 17172856.1 filed May 24, 2017 and European Application No. 17195479.5 filed Oct. 9, 2017, the disclosures of which are all incorporated by reference herein in their entireties.

TECHNICAL FIELD

The present disclosure relates to methods and devices for securely authenticating a user from a non-secure terminal, such as for executing a secure transaction involving such a non-secure terminal and a remote server, based on such a user authentication.

BACKGROUND

It would be desirable to execute transactions, for instance e-commerce transactions or fund transfer, initiated from mobile terminals such as smartphones, personal computers, digital tablets, or the like, or any other connected device including devices belonging to the Internet of Things (IoT). However, this raises security problems, notably because “malicious software” or “malware” may be executed by a processor (CPU) of the terminal. The malware may be able to access all or a part of the memories accessible by the processor, and thus may be maliciously configured to spy on any transactions executed by the terminal and to recover any secret data manipulated during these transactions for transmission over the network.

To ensure the security of such transactions, it has already been proposed to entrust cryptographic computations to a dedicated secure element, such as the processor of a UICC (“Universal Integrated Circuit Card”) card, e.g. a SIM (subscriber identification module) card with which cell phones are generally equipped. In order to be able to execute one or more payment applications, the secure processor should be able to store as many secret cryptographic keys as there are payment applications. However, loading an application into the memory of a secure processor is a complex operation that should be highly secure. Specifically, it involves external parties such as Trusted Service Managers. Since SIM cards are issued by cell phone operators, the latter may refuse to have such applications installed in the card. Furthermore, in the event of theft, or during maintenance of the telephone, the processor of the SIM card may be hacked by a hacker seeking to discover the secret keys stored in its memory.

In addition, accessing the secure functions installed in the processor of a SIM card generally entails inputting a secret code (PIN code) by means of a keypad or a touch-sensitive surface connected to the processor of the terminal. In a classical configuration, the secret code input by the user necessarily passes through the processor of the terminal. Malware executed by the processor of the terminal can therefore access this secret code.

The patent application WO2012/107698 filed by the Applicant discloses a method using a graphic processor of a terminal as a secure element to perform transaction. Such a method can include establishing a secure communication link between the graphic processor of the terminal and an authentication server, and displaying a virtual keypad with keys arranged in a random order. The image of the keypad is displayed using visual cryptography, by successively displaying complementary frames in which the labels of the keys are not intelligible, the complementary frames being combined into an intelligible image by the visual system of the user thanks to the retinal remanence thereof. In this way, even if a malicious program running on the processor of the terminal is able to access the positions of the keys touched by the user during input of a secret code, it cannot, by taking a succession of screenshots, determine which labels correspond to the touched keys.

However, this method requires important calculation resources that are not available in all portable devices such as all of the existing smartphones on the market.

To secure transactions performed using a terminal connected to a web site, it has been proposed to use a single-use secret code which is transmitted to the user each time a transaction is validated. According to a first solution the single-use secret code is transmitted to the user via a distinct communication channel, e.g. via a phone link or SMS (Short Message Service), the user being required to input the received secret code on the terminal to validate the transaction. Another known solution provides an additional hardware device to each of the users, this device generating the single-use secret code after an authentication of the user by means of credentials such as a password or biometric data. These solutions are burdensome for the users who do not always have nearby a phone or mobile or wireless network coverage, or this hardware device, when they are required to validate a transaction. The solution requiring an additional hardware device is costly for the banking organizations. In addition, the solution using a secret code transmitted by SMS does not provide sufficient high security level since it has already been subjected to successful attacks.

Therefore, it may be desirable to propose a method for securing a sensitive operation performed using a non-secure terminal, such as a transaction, e.g. a payment transaction, or a user authentication, or more generally an operation with protection against tampering. It may also be desirable to protect secret data input by users and transaction data transiting through such a non-secure terminal. Further, it may be desirable to make the proposed method compatible with all existing terminals, even with terminals of low computation power.

SUMMARY

A method is disclosed for authenticating a user, the method comprising: receiving from a secure processor, a software component configured to generate an image frame including information intelligible to the user, and input data of the software component, the software component comprising a first input configured to receive a first input data having two randomly-selected valid values, and invalid values, the transmitted input data comprising the valid values of the first input data; performing several times: selecting one of the valid values of the first input data in the transmitted input data, executing the software component by applying the transmitted input data to inputs of the software component and the selected valid value to the first input of the software component, the execution of the software component generating the image frame which has pixels in a visible or invisible state, depending on the selected valid value of the first input and defining the information, displaying the image frame, acquiring from the user a response depending on the information in the displayed image frame; and transmitting the acquired responses to the secure processor.

According to an embodiment, a first a valid value of the first input data used for displaying a first image frame is selected as a function of a data provided by the secure processor, and one of the valid values of the first input data used for displaying a another image frame is selected as a function of the response acquired from the user from a previously displayed image frame.

According to an embodiment, the valid value of the first input data used for displaying the image frames generated by successive executions of the software component, is randomly selected and a signature of data defining each generated image frame is transmitted to the secure processor.

According to an embodiment, the software component is configured to generate an image frame wherein the information is displayed using random pixels having a probability lower than 100% to be visible in the image frame, the software component being executed a plurality of times to generate a plurality of image frames which are displayed at frame display rate such that the information becomes intelligible to the user.

According to an embodiment, the information: comprises a series of labels of a keypad ordered as a function of the first input data, the response from the user comprising key positions of keys of the keypad selected by the user, or comprises a series of labels of a keypad ordered as a function of the first input data, and one symbol belonging to a validation code, the response from the user comprising key positions of keys of the keypad selected by the user, or specifies a biometric challenge, the response from the user comprising biometric data inputted by the user using a biometric sensor.

According to an embodiment, the software component is configured to provide the output data in one of the two binary states with a probability comprised between 12.5% and 87.5% or set to 50%, in response to the random selection.

According to an embodiment, the software component is configured to store several image frame configurations which are selected by selecting values of input data of the software component.

According to an embodiment, the software component is configured to generate encrypted parts of an image frame, the method further comprising: executing the software component; decrypting each generated encrypted image frame parts, using a decrypting mask which is transmitted from the secure processor; inserting each decrypted image frame parts in an image frame background to generate an image frame; and displaying the generated image frame.

According to an embodiment, the method further comprises: acquiring a response from the user in relation with the displayed information; transmitting the response to the secure element; and authenticating the user by the secure element when the response corresponds to the information and to a secret data shared by the user and the secure element.

According to an embodiment, the software component is encoded as a garbled circuit comprising circuit inputs, circuit outputs, logic gates and wires, each logic gate having two inputs and one output, each wire having a first end connected to one of the circuit inputs or to one of the logic gate outputs and a second end connected to one of the logic gate inputs or to one of the circuit outputs, the garbled circuit being generated by selecting a valid data for each binary state of each of the wires, and by computing for one logic gate of the garbled circuit, truth table values as a function of each valid data of each input of the logic gate, each valid data of the output of the logic gate and a logic operation performed by the logic gate.

Embodiments may also relate to a user terminal configured to: receive from a secure processor, a software component configured to generate an image frame including information intelligible to the user, and inputs data of the software component, the software component comprising a first input configured to receive a first input data having two randomly-selected valid values, and invalid values, the transmitted input data comprising the valid values of the first input data; perform several times: selecting one of the valid values of the first input data in the transmitted input data, executing the software component by applying the transmitted input data to inputs of the software component and the selected valid value to the first input of the software component, the execution of the software component generating the image frame which has pixels in a visible or invisible state, depending on the selected valid value and defining the information, displaying the image frame, acquiring from the user a response depending on the information in the displayed image frame; and transmit the acquired responses to the secure processor.

According to an embodiment, the terminal is further configured to execute the operations performed by a terminal in the method as previously disclosed.

According to an embodiment, the secure processor is a secure element connected to a main processor of the terminal.

According to an embodiment, the secure processor belongs to a remote server linked to the terminal through a data transmission network.

Embodiments may also relate to a secure element configured to execute the operations performed by a secure processor in the method as previously disclosed, wherein the secure element is connected to a main processor of a terminal.

Embodiments may also relate to a server configured to execute the operations performed by a secure processor in the method as previously disclosed, the server being linked to the terminal through a data transmission network.

Embodiments may also relate to a computer program product loadable into a computer memory and comprising code portions which, when carried out by a computer, configure the computer to carry out the method as previously disclosed.

BRIEF DESCRIPTION OF THE DRAWINGS

Examples of the method and/or device may be better understood with reference to the following drawings and description. Non-limiting and non-exhaustive descriptions are described with the following drawings.

FIG. 1 is a block diagram of user terminals performing transactions with remote servers;

FIG. 2 is a block diagram of a user terminal;

FIG. 3 is a sequential diagram of initialization steps performed by a user terminal, an authentication server and an application server, according to an embodiment;

FIG. 4 is a sequential diagram showing steps of a user authentication procedure, according to an embodiment;

FIG. 5 is a block diagram of a database managed by the authentication server, according to an embodiment;

FIG. 6 illustrates an image frame displayed by the user terminal, according to an embodiment;

FIG. 7 is a block diagram of an application program executed by the user terminal, according to an embodiment;

FIG. 8 is a block diagram of a circuit implemented by software in the user terminal, according to an embodiment;

FIG. 9 is a block diagram of a part of the circuit of FIG. 8, according to an embodiment;

FIGS. 10A, 10B and 11 are block diagrams of parts of the circuit of FIG. 9, according to an embodiment;

FIG. 12 is a block diagram of a database describing the circuit of FIG. 8, according to an embodiment;

FIG. 13 is a block diagram illustrating a processing performed by the application program for displaying the image frame of FIG. 6, using the circuit of FIG. 7, according to an embodiment;

FIGS. 14A and 14B illustrate respectively an image frame displayed by the user terminal, and a corresponding resultant image which can be observed by a user of the user terminal executing the circuit of FIG. 14, according to an embodiment;

FIG. 15 illustrates two layers of a part of an image frame which are displayed superimposed by the user terminal, a corresponding part of a resultant image frame which is displayed by the user terminal, and a corresponding part of a resultant image which can be observed by a user of the user terminal, according to an embodiment;

FIG. 16 is a block diagram of a circuit implemented by software in the user terminal, according to another embodiment;

FIG. 17 is a block diagram of a database describing the circuit of FIG. 16, according to an embodiment;

FIG. 18 is a block diagram illustrating a processing performed by the application program for executing the circuit of FIG. 16, according to an embodiment;

FIG. 19 is a block diagram of a part of the circuit of FIG. 16, according to another embodiment;

FIGS. 20, 21 and 22 illustrate image frames displayed by the user terminal, according to various embodiments;

FIG. 23 is a sequential diagram showing authentication steps, according to another embodiment.

DETAILED DESCRIPTION

In the figures, like referenced signs may refer to like parts throughout the different figures unless otherwise specified.

In the following, the term “secure” is employed according to its plain meaning to those of ordinary skill in the art and encompasses, in different embodiments, security arising from techniques such as encryption, or other types of software or hardware control used to isolate information from the public or to protect it against unauthorized access or operation. The expressions “secure communication” and “secure communication link” refer to communications that are encrypted using public/private key pairs, or symmetrical key encryption with keys shared between communicating points. “Secured communications” can also involve virtual private networks, and other methods and techniques used to establish authenticated and encrypted communications between the communicating points.

FIG. 1 illustrates user terminals UT that can perform transactions with remote service provider servers or application servers SSRV through communication networks NT. In the following, the term “user terminal” shall be synonymous and refer to any device that can communicate with one or more remote servers such as application servers and service provider servers. Thus, a user terminal can be for instance a mobile phone, a smartphone, a smartwatch, a personal computer, a payment terminal and a digital tablet, or any equipment having communication and man-machine interface capabilities. Those two functionalities may be also provided by two or several devices, provided that those devices are securely associated or linked. The communications networks may include IP (Internet Protocol) networks, such as Internet, mobile or cellular networks, wireless networks, and any kind of network that can be used to establish a communication link between a user terminal and a remote server.

According to an embodiment, an authentication server ASRV is configured to implement a method for authenticating a user during transactions involving an application or service provider server SSRV and a user terminal UT, based on a two-factor authentication scheme.

FIG. 2 illustrates a conventional terminal UT, comprising communication circuits NIT for communicating with a remote server such as the server ASRV, through a transmission network such as the network NT. The terminal UT can be a cellular phone, a smartphone or a PDA (Personal Digital Assistant) or any other device such as a digital tablet or a personal computer including communication circuits to be connected to a network such as Internet network. The user terminal UT further comprises a main processor HP (also called “Central Processing Unit”—CPU) connected to the communication circuits NIT, a display screen DSP, a graphic processor GP connected to the processor HP and controlling the display screen DSP, and a control device CM connected to the processor HP. The control device can include a keyboard or keypad, or a touch-sensitive surface, e.g. transparent and disposed on the display screen DSP. The control device CM can further include a pointing device such as a mouse, a pencil or a pen.

The terminal UT can further comprise a secure element SE, such as a secure processor that can be standalone or embedded into a smartcard UICC. The secure processor SE can be for example a SIM (“Subscriber Identity Module”) card, or a USIM (“Universal Subscriber Identity Module”), providing an access to a cellular network. The secure processor SE can include an NFC (“Near Field Communication”) circuit to communicate with a contactless reader. The NFC circuit can be embedded into a SIM card (SIM-NFC) or UICC, or in a SoC (“System on Chip”) circuit, or in an external memory card, for example an “SD card”. The circuits NIT can include a mobile telecommunication circuit giving access to a mobile cellular network and/or to the Internet network, through the cellular network, and/or a wireless communication circuit (Wi-Fi, Bluetooth®, or any other radio frequency or wireless communication methodology), and/or any other wired or wireless connection circuit that can be linked to a data transmission network such as Internet.

FIG. 3 illustrates registration steps S1 to S15 for registering a user terminal UT to be used for authenticating a user to validate a transaction. In step S1, the user connects a user terminal OT to the server SSRV of the service provider, e.g. to a web site of the service provider, and provides credentials, such as a user identifier UID and a corresponding password UPW to the server SSRV. In step S2, the user credentials UID, UPW are transmitted by the terminal OT to the server SSRV. In step S3, the server SSRV checks the received credential UID, UPW and if they correspond to a valid registered user, the server SSRV sends to the authentication server ASRV, a registration request RGRQ containing the user identifier UID and a service identifier SID related to the service provider server SSRV. The communication link between the servers SSRV and ASRV is secured, such that a hacker cannot retrieve the transmitted data. The following steps performed by the server ASRV are executed by a secure processor of the server ASRV or within a secure domain thereof. Besides, the links between the terminals OT and the server SSRV and between the terminal UT and the server ASRV may not be secure links.

In steps S4 and S5, the authentication server ASRV generates a single-use link token LTK (dedicated to registration of the user identified in step S2) and transmits it to the server SSRV in response to the registration request RGRQ. The link token LTK establishes a link between the received user identifier UID and the service identifier SID. The link token LTK has a time-limited validity that may be fixed to a value between several minutes out several hours. Instep S6, the server SSRV receives the link token LTK and transmits it to the terminal OT. In step S7, the terminal OT displays the link token LTK.

In step S8, the user downloads and/or installs an application APP dedicated to user authentication in a user terminal UT to be used for authentication and involving the authentication server ASRV. The terminal UT may be the terminal OT or another terminal (a mobile phone, a smartphone, a smartwatch, a personal computer, a payment terminal and a digital tablet, or any equipment having communication and man-machine interface capabilities). Steps S9 to S13 are performed at a first execution of the application APP. In step S9, the application APP generates a unique device identifier DID of the terminal UT. Then, the user is invited to choose a password PC and to input the link token LTK received and displayed in steps S6, S7. In steps S10 and S11, the user inputs a password PC and the link token LTK. The link token LTK may be displayed in the form of an optical code, such as a QR code, and captured on the display screen of the terminal OT by the application APP using the camera of the terminal UT. In step S12, the application APP transmits a registration message ERP to the authentication server ASRV, this message containing the device identifier DID, the password PC and the link token LTK. In step S13, the server ASRV checks the validity of the received link token LTK. A link token may be considered invalid, when its validity period has elapsed, or when it has been already used once or a predefined number of times to identify a device. If the link token is valid, the server ASRV stores the device identifier DID and the password PC in a user database UDB in step S14. In step S15, the server ASRV transmits a message RP in response to the request RGRQ to the service provider server SSRV. The message RP contains the user identifier UID and a status of the registration depending on the validity check of the link token performed in step S13.

If the check performed in step S13 succeeds, the user terminal UT is regularly registered by the server ASRV and thus it can be used as a second authentication factor associated with the user, the authentication of the user by the service provider server SSRV being considered as a first authentication of the user.

FIG. 4 illustrates authentication steps S21 to S32, which are performed to authenticate the user during a transaction conducted by the application APP or for executing an operation of this application, which requests that the user to be authenticated. During the authentication process, the user terminal UT has been previously registered by the authentication server ASRV, for example by executing steps S1 to S15 of FIG. 3. The user registration can be performed in a separate preliminary process. In step S21, the service provider server SSRV transmits an authentication request ARQ to the authentication server ASRV. The authentication request ARQ contains an identifier SID of the service, an identifier UID of the user involved in the transaction, a message MSG to be displayed to the user and presenting information related to the transaction to be validated by the user, and an address SURL where a result of the authentication is transmitted by the authentication server ASRV. The authentication request ARQ may also optionally contain a message MSG to be displayed to the user and presenting for example information related to the transaction to be validated by the user (e.g. an amount to be paid).

In step S22, the authentication server ASRV receives the request ARQ, and generates a unique transaction identifier TID. The authentication server ASRV further searches the database UDB for device identifiers DID corresponding to the user identifier UID, and generates a transaction validation code CC, preferably of single-use, and a distinct dedicated software component GC for each of the user terminals UT corresponding to the devices identifiers DID found in the database UDB. Since the software component GC is designed to display the validation code CC, it is specific to this code. In step S23, the server ASRV sends to the terminal UT structure and content data GCD defining the software component GC and including input data of the software component in an encrypted form, a final mask IMSK to be applied to image frame parts generated by the software component circuit, and a cryptographic data GCK to be used to execute the software component. In step S24, the server ASRV sends an acknowledge message ACK to the server SSRV, this message containing the user identifier UID and the transaction identifier TID. In step S25, the application APP executed by the terminal UT receives the data GCD, IMSK, GCK related to the software component GC and transmitted in step S23, and sends an acknowledge message AKM to the server ASRV. If the application APP is not currently running on the terminal UT, the reception of the data related to the software component may trigger the execution of the application APP. In step S26, the server ASRV sends to the terminal UT a request RGC to execute the software component GC. In step S27, the reception of the notification RGC triggers the execution by the application APP of the software component GC which generates an image frame showing, for example, a keypad having keys, the message MSG and one or more digits of the single-use transaction validation code CC having, for example two or more digits.

According to an embodiment, the keys of the keypad are arranged in a randomly selected layout in the displayed frames, and each time the user presses a key of the displayed keypad in step S28, a new keypad layout is selected and the user terminal UT displays the keypad having the newly selected layout.

According to an embodiment, the first displayed keypad has a layout known from the server ASRV, and each new displayed keypad has a layout which is selected as a function of the position in the keypad of the previous key pressed by the user and a number of previously keys pressed by the user. According to an embodiment, only one digit of the validation code CC is displayed at the same time in the images generated by the software component, and when the user enters the first digit of the validation code, the first digit is replaced in the generated images by the second digit of the validation code.

According to an embodiment, the value of the first displayed digit of the validation code CC is computed as a function of the key previously selected by the user for inputting the last digit of the password PC. In addition, the value of second displayed digit of the validation code CC can be computed as a function of the key previously selected by the user for inputting the first digit of the validation code. The digits of the displayed validation code CC may be also computed as a function of the number of keys previously pressed by the user when the user types the password PC and the validation code CC.

In step S28, the user of the terminal UT inputs one digit of the password PC or the displayed digit of the validation code CC. In the example of a smartphone, the user uses the displayed keypad, and touches corresponding positions POSi of the keys of the displayed keypad. The steps S27 and S28 are executed again until all digits of the password PC and of the validation code CC are entered by the user. In step S29, the application APP transmits the sequence of positions POSi selected by the user with the device identifier DID to the server ASRV. In step S30, the server ASRV determines the password PC1 and the code CC1 corresponding to the positions POSi typed by the user. To this purpose, the server ASRV knows the keypad used to input the first position POS1, and can determine the subsequent displayed keypad layouts generated by the software component GC, and thus can determine the keys labels corresponding to the positions POSi, and consequently the values of the password and validation code typed by the user. In step S31, the server ASRV checks the compliance of the entered password PC1 and validation code CC1 with the ones (PC, CC) stored in the database UDB in association with the device identifier DID. For security reasons, the database UDB may only store a hash value HPC instead of a clear value of the password PC entered in step S10, the verification operation of the password PC being performed by applying a hash function to the typed password PC1 and by comparing the result of the hash function with the hash value HPC of the password PC stored in the database UDB. In step S32, the server ASRV transmits to the service provider server SSRV using the address SURL, an authentication response containing the user identifier UID and the result of the verifications performed in step S31. In this way, the user corresponding to the identifier UID is authenticated and the transaction TID may be validated only when the typed password PC1 and validation code CC1 match the password PC stored in the database UDB and the validation code CC corresponding to the software component GC sent by the server ASRV to the user terminal UT in step S23.

In one embodiment, the input of the password PC in step S10 is performed by executing twice the steps S27 to S30 using two different software components to get two passwords from the user. After each execution of steps S27 to S30, the validation code CC1 is checked and the password PC1 entered by the user is validated by the server ASRV only if the validation code CC1 entered by the user is the same as the validation code CC displayed by the user terminal UT executing one software component GC. After two successful executions of steps S27 to S30, each providing a validated password PC1, the validated passwords PC1 entered during the first and second execution of the steps S27 to S30 are compared, and if they are identical, the password PC1 is stored in the database UDB to assign it to the user terminal UT. In addition, steps S11 to S15 are executed only once the password PC1 entered by the user is stored in the database UDB. In this way, only the positions POSi typed by the user are transmitted from the user terminal UT to the server ASRV. Therefore, a malware installed in the terminal UT or a man-in-the-middle attack between the server ASRV and the user terminal UT cannot discover the typed codes PC and CC without executing the software component. If this happens, the hacker performing the attack sends a message ARP to the server ASRV (as in step S29). Thus the server ASRV can receive two messages ARP for a same transaction or from the same user terminal UT, one from the authenticated user and one from the hacker, and can device to invalidate the transaction or raise a flag or perform any other specific action related to this event.

According to an embodiment, the message ARP is transmitted by the user to the server ASRV (step S29) by another transmission channel.

FIG. 5 illustrates different tables DEV, LNK, SVC, TT, GCP of the database UDB. The table DEV contains one record for each registered user device or terminal UT, each record comprising a device identifier DID, the password PC entered by the user in step S10 or a hash value HPC thereof, and the corresponding user identifier UID. The table SVC contains one record for each registered service provider, each record of the table SVC comprising a service identifier SID and a service name. The table LNK contains one record for each link token generated in step S4, each record comprising comprises a link identifier LID which is generated with the link token LTK in step S4, the service identifier SID of the server SSRV requesting the link token in step S3, the user identifier UID of the user having triggered the link token request RGRQ in step S2, the link token value LTK, and a validity period of the link token. The table TT contains one record for each current transaction, each record comprising a transaction identifier TID, a device identifier DID, a service identifier SID, the message MSG to be displayed by the application APP executed by the terminal having the identifier DID, the address SURL provided in step S21, an identifier GCID identifying the software component generated for the transaction TID, and a single-use transaction validation code CC. The table GCP contains one record for each software component generated by the server ASRV, each record comprising an identifier GCID identifying the software component, a device identifier DID of the device UT for which the software component was generated in step S22, and the identifier TID of the transaction for which the software component was generated. Since the software components are dedicated to one transaction and consequently generated and executed for only one user authentication, the records corresponding to an already ended transaction can be deleted from the table GCP, but they may be kept for statistical purposes or to ensure the unicity of each transaction. In other embodiments, each software component can be executed a given number of times or have a validity period of use.

The operation of checking the received link token in step S13 can be performed by comparing the received link token LTK with the token stored in step S4 in the table LNK. The received link token is retrieved in a record of the table LNK in relation with a user identifier UID having a device corresponding to the device identifier DID received by the server ASRV in step S12, and according to the table DEV. If not the case, the received link token is considered as invalid and the user terminal UT is not registered in the table DEV.

Instead of being performed by the application APP, the steps S22, S25, S27 and S29 may be performed within or by a web browser installed in the terminal UT, the steps S25, S27 and S29 being performed by a script executed by the web browser, such as a script written in JavaScript®, and transmitted for instance in a web page by the server ASRV. In an embodiment, those transmissions may be encrypted, to enhance security level.

FIG. 6 illustrates an example of an image frame FRM displayed by the user terminal UT when it executes the software component GC. The image frame FRM comprises a banner frame BNF displaying the message MSG and one digit of the single-use code CC. The image frame FRM further comprises a keypad image frame KYP showing for example a twelve-key keypad, each key of the keypad being displayed with a label KYL indicating the function of the key to the user. The keypad comprises an erase key “C” and a validation key “V”, and ten keys corresponding to a digit, and having a layout specific to the software component GC which generates the image frame FRM. The image frame FRM may further comprises a display zone FBD where a dot is displayed each time the user touches a new one of the keys KY. In the example of FIG. 6, the display zone FBD shows that three keys were already typed by the user.

In the example of FIG. 6, the keypad comprises four lines of three keys, the first line of the keypad comprising (from left to right) the digits “9”, “3” and “6”, the second line comprising the digits “2”, “0” and “1”, the third line comprising the digits “4”, “7”, and “8” and the fourth line, the validation key “V”, the digit “5” and the erase key “C”. The label KYL of each digit key is displayed by several segments SG (e.g. seven segments), visible or not, according to the key label KYL to be displayed.

FIG. 7 illustrates a functional architecture of the application APP, according to an embodiment. The application APP comprises a management module MGM, an initialization module INM, an authentication module AUTM, a link module LKM, a software component execution module GCM. The management module MGM controls the other modules INIM, RGM, LKM and GCM, and the communications between the application APP and the server ASRV through the communication circuits NIT. The initialization module INM performs step S9. The link module LKM performs steps S11 and S12. To this purpose, the link module can be connected to an image sensor IMS of terminal UT to acquire an optical code corresponding to the link token LTK to be received by the terminal UT, and displayed by the terminal OT. The authentication module AUTM performs steps S25 to S29 to process the authentication request received in step S23, to trigger the execution of the software component GC, and to receive and transmit the positions POSi typed by the user. The module AUTM is connected to the keypad or a touch-sensitive surface TSIN of the terminal UT. The module GCM performs the step S27 to generate and display the image frames FRM at a suitable refresh rate, the module GCM selecting at each frame, input values to be applied to the software component GC and executing the latter. The module GCM produces the image frames FRM which are displayed on the display screen DSP of the terminal UT.

FIG. 8 illustrates an example of a software component GC according to an embodiment. The software component GC is a software-implemented Boolean circuit encrypted as a garbled circuit. The software component GC comprises a circuit PLS, a circuit layer, L2, and two interconnection matrices XM1, XM2. A first interconnection matrix XM1 receives input data INb, INc, ADl, RDk of the software component GC. The circuit PLS receives the input data ADl and RDk permuted by the matrix XM1, and provides output values SGj to the second interconnection matrix XM2. The circuit layer L2 comprises logic gates XGb, XGj, each gate receiving two input values from the matrix XM2, and providing one output value PXb, PXj representing a pixel value. Each of the logic gates XGj of the circuit layer L2 receives one input value INc of the software component and one output value SGj provided by the circuit PLS, these input values being selected by the matrix XM2. Each of the logic gates XGb of the circuit layer L2 receives two input values INb1, INb2 of the software component, these input values being selected by the matrix XM1 and/or XM2.

The software component GC is arranged in layers of parallel logical gates that can be processed at the same time, so that the software component can be executed by parallel processing.

According to an embodiment, to generate image frames FRM as shown in FIG. 6, the software component GC comprises one circuit SGCj for each of the segments SG that can be visible or invisible in the image frames FRM, and one circuit FPCb for each pixel PXb distinct from a segment pixel PXj, for example around the segments SG or in the banner frame BNF. Thus, when the image frames FRM to be displayed comprise 70 segments (10 key label digit×7 segments per digit) for the keypad KYP, plus 7 segments (1 digit×7 segments per digit) for one displayed digit of the validation code CC, the software component comprises 77 circuits SGCj. Each of the circuits SGCj comprises as much logic gates XGj in the circuit layer L2, as the number of pixels PXj1, PXj2, . . . PXjp forming the segment SG as displayed in the image frames FRM.

Each of the gates XGj performs a logical XOR operation with an input INi of the software component. Each of the outputs SGj of the circuit PLS is connected to an input of all gates XGj of the circuit SGCj. Each gate XGj also receives one of the input values INc1-INcp and provides one pixel value PXj1-PXjp to the output of the circuit GC.

Each of the circuits FPCb comprises one logic gate XGb performing a logical XOR operation per pixel PXb controlled by the software component GC and distinct from a segment pixel in the image frames FRM. Each of the gates XGb in the circuit layer L2 receives two input values INb1, INb2 of the software component GC and provides one pixel value PXb. The number of input values INb, INc can be limited to a value around the square root of the number of pixels PXb, PXj controlled by the software component GC.

Of course, the digits can also be controlled and/or arranged (e.g. with more segments) to display other signs than numbers such as alphabetic characters or more generally symbols including ASCII characters.

In the example of the software component GC of FIG. 8, one input INb or INc can be connected to several logic gates XGb, XGj, such that there are fewer inputs INb, INc than the number of logic gates XGj plus twice the number of logic gates XGb.

The interconnection matrix XM2 defines which pixel generated by the software component belongs to a segment SG. According to one embodiment, the position, orientation and shape of each segment SG are varied by one or several pixels, depending on the display resolution of the user terminal, from one software component to another. This provision makes it more difficult to perform a machine optical recognition of the displayed symbols.

It may be observed that the term “segment” as used herein designates a set of pixels that are controlled by a same one of the segment values SGj in output of the circuit PLS. The set of pixels forming a segment is not necessarily formed of adjacent pixels, but can comprise groups of adjacent pixels as the segments forming a key label KYL. In addition, the pixels forming a segment are all visible or all invisible in one displayed image frame FRM.

FIG. 9 illustrates an example of the circuit PLS. The circuit PLS comprises an address decoding circuit ADC, a memory plane MP comprising logical gates MCij forming memory cells and a read circuit RCT. The circuit ADC receives the input data ADl (l=1, . . . n) and comprises 2n circuits AGi performing logical AND operations, each circuit AGi having n inputs and one output providing a respective selection signal SLi to a memory cell MCij in the memory plane MP. Each address signal ADl is provided to an inverted input of one half of the circuits AGi, i.e. 2n−1 circuits AGi, and to a non-inverted input of the other half of the circuits AGi. One of the circuits AGi has only inverted inputs and one of the circuits AGi has only non-inverted inputs. Each of the circuits AGi has one output SLi, SLi′ connected to m respective memory cells MCi1 to MCim in the circuit MP comprising m×2n memory cells MCij. Each of the memory cell MCij has one other input receiving one of the input data RDk. Each of the memory cells MCij has one output connected to a respective input of m circuits OGj performing logical OR operations, in the read circuit RCT. Each circuit OGj has 2n inputs and one output providing a respective data SGj (SG1-SGm) to the second interconnection matrix XM2. Each of the read signals RDk can be provided to one or more of the memory cells MCij in the memory plane MP of any ranks i. Therefore, the number s of read signals RDk provided to the memory plane MP is comprised between two (corresponding to the two binary states) and 2n. As a result, the data pieces of the original data stored in the memory plane MP can be randomly distributed in the memory cells MCij. The signals outputted by the circuits AGi are generated such that m memory cells MCi1-MCim of the memory plane MP are selected at a same time to be read. Each of the circuits OGj receives only one signal from a selected memory cell, all the other received signals being issued by non-selected memory cells and being in an inactive binary state. The single signal SGj from one of the selected memory cells MCij received by each of the circuits OGj can be at an active or inactive binary state, depending on the binary value stored in the memory cell MCij.

According to a simplified example, s is equal to one (1), such that a single read signal RD is applied to all the memory cells MCij of the memory plane MC.

According to another example, the read signal inputs RDk of the circuit GC can be combined together by logic gates which output read signals applied to the memory cells MCij. Therefore, the number s of read signals RDk provided to the Boolean circuit can be greater than the number (2n×m) of memory cells MCij in the memory plane MP.

According to another example, the circuit PLS may comprise another decoding circuit that can be the same circuit as the circuit ADC, and the number s of input data RDk can be set equal to n (i.e. the number of input data ADl), such that each set of n input data ADl corresponds to a set of n input data RDk. This another decoding circuit generates active read signals that are provided to the memory cells MCij selected by one of the signals SLi.

FIGS. 10A, 10B illustrate an example of memory cells MC1, MC2 storing two different binary values, respectively. Each of the memory cells MC1, MC2 comprises a logic AND gate A1, A2 with two inputs receiving respectively a selection signal SL and a read signal RD. To store different binary values, the input receiving the read signal RD is inverted in the gate A2, whereas it is not inverted in the gate A1. When the active state of the selection signal SL is set to 1, the memory cells MC1, MC2 can be considered as storing a 1 and a 0, respectively, when the active state of the read signal RD is set to 1. Conversely, the memory cells MC1, MC2 can be considered as storing a 0 and a 1, respectively, when the active state of the read signal RD is set to 0. The active state of the selection signal SL can be set to 0 by using for example a memory cell including a logic AND gate with an inverted input for the selection signal SL.

Other types of logic gates can be used instead of AND gates for the memory cells MCij. In one example, the memory cells can include a logic NAND gate with the input of the read signal RD inverted or not depending on the binary data stored by the memory cell. In another example, the memory cells can also include a logic OR or NOR gate with the input of the read signal RD inverted or not depending on the binary data stored by the memory cell. The output value of a memory MCij cell can be also at 0 for storing a 1, provided that the output of the memory cell is connected to an inverted input of the corresponding circuit OGj. The memory cells can also have their selection signal input SL inverted.

In addition, all the memory cells Mij in the memory plane MP do not have necessarily the same types such as the ones disclosed in FIGS. 10A, 10B, provided for illustration purpose only. The memory plane MP can be formed with different types of logic gates and the selection and read signals SLi, RDk do not have necessarily the same active states for all memory cells of the memory plane MP.

In the example of FIG. 6 with 77 segments to be displayed, m=77, and 2n corresponds to the number of different keypad layouts that can be selected using the input data ADl. The number n can be set to for example to 4 in order to obtain 16 selectable different keypad layouts with a value of the first displayed validation code CC.

FIG. 11 illustrates a circuit that can implement each of the circuits OGj of the read circuit RCT, using only logic gates G having two inputs and one output. The circuit of FIG. 11 comprises 2r inputs and one output. For this purpose, the circuit OGj comprises r layers LR1, . . . LRr−2, LRr−1, LRr of gates G, the first layer LR1 including 2r−1 gates G, the layer LRk comprising 2r-k gates G (k=1, . . . r), and the last layer LRr comprising only one (=2) gate G providing the output of the circuit RCT. The outputs of the gates G of each layer LRk are connected to the inputs of the gates G of the following layer LRk−1. In the case of the circuits OGj, the gates G can be logic OR gates and/or logic NAND gates. In the example of the FIGS. 8 and 9, each of the circuits OGj comprises 2n inputs and n layers of gates.

Each of the circuits AGi may have the structure as disclosed in FIG. 11 with the gates G being logic AND gates and r=n, the gates G of the first layer LR1 having inverted and/or non-inverted inputs, according to the number of inverted inputs and non-inverted inputs of the gate AGi to realize.

FIG. 12 illustrates the structure and content data GCD defining the software component (which is transmitted in step S23 to the user terminal), when it is designed as a garbled circuit, according to an embodiment. The data GCD comprises:

a unique software component identifier GCID,

a number set DIM comprising a number d of input values INb, INc, a number n of input values ADl, a number s of input values RDk, a number z of output values PXi, PXj of the circuit GC, a number g1 of gates MCij, XGb, XGj and gates Gin the circuits AGi, OGj, a number g2 of all these gates excluding the XOR gates XGb, XGj, a number w of wires in the circuit, and a number y of circuit layers of parallel logic gates LRk, L2 in the circuit GC,

an input data table INLB comprising all values of the inputs INb, INc of the circuit GC, for example numbered from 1 to d, as specified for the execution of the software component,

an input data table ADLB comprising all values of the input data ADl of the software component GC, numbered from 1 to n, for the execution of the software component,

an input data table RDLB comprising all values of the input data RDk of the software component GC, numbered from 1 to s, for the execution of the software component,

a gate wire table GTW defining two input wires numbers IN1, IN2, an output wire number ON and a type identifier GTYP of each logic gate (logic gates of AGi and OGj, XGb, and XGj) of the software component GC, the gates of the circuit being numbered from 1 to g1, and

a gate truth table GTT comprising four values OV00, OV01, OV10, OV11 for each of the logic gates of the software component GC.

In the example of FIG. 9, the type GTYP specifies that the corresponding logic gate performs either an XOR operation or another logical operation such as AND, OR, NOR, NAND. When the type identifier GTYP is used to identify the XOR gates of the circuit GC, the XOR gates XGb and XGj are excluded from the table GTT.

According to an embodiment, the input values INb, ADl, RDk, INc and the output values PXb, PXj of the garbled circuit GC, and of the logic gates G of the circuits AGi and OGj, and of the gates MCij, XGi, XGj, each representing a binary logical state 0 or 1, are defined by numbers of several bits, for example 64 or 128 bits. In this way, each input and output within the garbled circuit GC has only two valid values, and all the other possible values, when considering the size in bits of these values, are invalid. When the software component GC is generated, the two valid values of each input ADl, RDk, INb, INc of the software component are randomly chosen, provided that the least significant bit of the two valid values are different, these least significant bits being used to select one value in the truth table of the logic gate when computing the output values of the logic gates, and to determine the logical states of the outputs of the circuit GC.

The truth table GTT[i] of each of the logic gates G of the circuits AGi, OGj and MCij comprises four values OV00, OV01, OV10, OV11, each corresponding to a combination (0, 0), (0, 1), (1, 0), (1, 1) of binary input values corresponding to the input values of the logic gate. The topology of the software component GC may be defined in the table GTW, by numbering each wire of the software component, i.e. each input wire of the software component from 1 to INN(=d+s+n+y) and each output of the logic gates from (INN+1) to (INN+g1), and by associating to each logic gate of the software component GC one record of the table GTW comprising two wire numbers IN1, IN2 to the two inputs of the gate and one wire number ON to the output of the gate. The wire numbers of the outputs of the software component GC are numbered from (INN+g1−z+1) to (INN+g1).

According to an embodiment, the tables ADLB, RDLB contain respectively both valid values ADlV1, ADlV2 of each of the input values ADl, and both valid values RDkV1, RDkV2 of each of the input values RDk, corresponding to the logical states 0 and 1. Each value RDkV1, RDkV2 can be equal with a same probability to either one or the other of the two valid values of the input value RDk corresponding respectively to the states 0 and 1. In a similar way, each value ADlV1, ADlV2 may be equal with a same probability to either one or the other of the two valid values of the input value ADl corresponding respectively to the states 0 and 1.

The XOR gates XGb, XGj can be executed either by using a truth table which is encoded in the table GTT, or by applying XOR operations to each pairs of bits of same rank in the input values of the gate. In the latter case, the field GTYP of the table GTW defines whether the gate is a XOR gate or another gate, and the table GTT comprises one record for each gate distinct from an XOR gate.

According to an embodiment, each value in the tables INLB, ADLB, RDLB, GTT is encoded by a 128-bit word, and each record of the table GTW is encoded on a 64-bit word, the wire numbers IN1, IN2, ON being encoded on 21-bit words. The table GTW can be transmitted from the server ASRV to the terminal UT in a compressed form, for example using the gzip compression scheme.

According to an embodiment, the order of the logic gates in the gate tables GTW, and GTT can be defined randomly, provided that the table records GTW[i] and GTT[i] at the index i refer to the same gate.

FIG. 13 illustrates the module GCM, configured to execute a software component GC and to generate the image frames FRM. According to an embodiment, the module GCM executes the software component GC each time a new image frame has to be generated, i.e. each time the user selects one of the keys KY (e.g. presses a key) of the displayed keypad KYP, the software component being executed with a new set of input values RDkVq1, ADlVq2, that can be selected as a function of the position of the previous selected key and/or the number of previous key selections.

The module GCM comprises a switching module SWC, a software component interpreter GCI, an XOR masking circuit XRG and a pixel mapping module MPF. The switching module SWC receives the structure and content data GCD defining the software component GC to be executed, and loads the data to be processed by the next execution of the software component GC in an input data structure GCDI. Thus, the switching module SWC transmits the data DIM, INLB, SGLB, NBGL, GTW, GTT and GCK without modification to the structure GCDI.

According to an embodiment, the switching module SWC performs switching operations SW1k, SW2l to select one or the other of the two valid values RDkV1, RDkV2 of each input value RDk, and one or the other of the two valid values ADlV1, ADlV2 of each input value ADl. Each switching function SW1k is controlled by a respective bit NB1k of a number NB1 having s bits, s being the number of the input values RDk to be input to the software component GC. Each switching function SW2l is controlled by a respective bit NB21 of a number NB2 having n bits, n being the number of the input values ADl to be input to the software component GC. The numbers NB1, NB2 are provided by a selection function SEL. Each switching operation SW1k, SW2l provides for each of the input values RDk, ADl a value RDkVq1, ADlVq2 which is stored in the structure GCDI. As a result of the selection of one of the two valid values RDkV1, RDkV2 of the input values RDk and the selection of one of the two valid values ADlV1, ADlV2 of the input values ADl, one keypad layout is selected among 2n predefined keypad layouts, a keypad having the selected layout being then generated.

The function SEL may receive first numbers NB1, NB2 from the server ARSV to display a first image frame showing a keypad having a first key layout. Each time the user selects a key of the displayed keypad, the function SEL may compute the numbers NB1, NB2 from the previous key selected by the user in the displayed keypad, and/or from the number of keys previously selected by the user from the first execution of the software component GC. The numbers NB1, NB2 are computed modulo s and n, respectively.

In another embodiment, the server ASRV may transmit to the terminal UT all the numbers NB1, NB2 to be used to display a sequence of keypads having different key layouts.

The module GCI is a dedicated interpreting module configured to successively execute each of the logic gates of each circuit layer, as defined by the data in the input data structure GCDI, starting with the first circuit layer. To this purpose, the interpreting module GCI can use a wire table receiving the value of each wire of the software component GC, written in the table at an index corresponding to the wire number of the wire value. The wire table is first loaded with the input values INb, INc, RDkVq1, ADlVq2 of the software component, written in the table at indexes (between 1 and INN=d+s+n+y) corresponding to wire numbers assigned to the input values. Then the computed output value of each executed logic gate is written in the wire table at an index corresponding to the wire number of the output of the executed logic gate. At the end of the software component execution, the wire table comprises the values of the outputs of the software component GC at indexes from (INN+g1−z+1) to (INN+g1).

The output value of each logic gate can be computed by applying a non-reversible function applied to both input values of the gate and to one value selected in the truth table of the gate, as a function of the least significant bit of each of the two input values:

OV=PF1(IN1,IN2,GG) (1)

where IN1 and IN2 represent the input values of the gate, GG=GTT[IN1{0}//IN2{0}], IN1{0} and IN2{0} represent the least significant bit of the input values IN1, IN2, “//” represents the bit concatenation operator, GTT represents the four-element truth table of the gate, and PF1 represents the non-reversible function.

According to an embodiment, the function PF1 can use an encryption function such as AES (Advanced Encryption Standard) using an encryption key assigned to the software component. In this case, the encryption key GCK can be stored in the structure and content data GCD of the software component GC. For example, the output value OV of a logic gate can be computed as follows:

OV=AES(GCK,K)^⊕K^⊕GG (2)

with K=CF(IN1, IN2)^⊕T, “^⊕” represents the Exclusive OR (XOR) operator, T represents a number assigned to logic gate, for example the number of the logic gate, and can also depend on the values of the inputs IN1, IN2, CF represents a combination function, and AES(GCK, K) represents an encrypted value of K by the AES encryption algorithm using the encryption key GCK. The combination function can be an XOR operation or an operation in the form:

CF(IN1,IN2)=SH(IN1,a)^⊕SH(IN2,b), (3)

SH(X, a) representing a left shift operation of X by a number of bits.

The least significant bit of each output data PXv (PXb, PXj1-PXjp) of the software component GC provided by the module GCI is considered as a pixel value PXv. The module XRG combines the least significant bit of each output value PXv provided by the software component GC with a respective mask bit value MKv belonging to an image mask IMSK provided in the structure and content data GCD. The combination operation used can be an XOR operation XRv which provides a pixel value PX′v for each output data PXv. The respective least significant bits of the output values PXv of the software component GV may represent white noise since the output values of the software component including the least significant bit thereof are randomly chosen. Thus the image parts generated by the software component are in an encrypted form, and are decrypted using the image mask IMSK.

The image mask IMSK comprises the message MSG, such that when combined with the pixels PXv provided by the software component GC, the message MSG becomes intelligible and may be combined with segments SG of the validation code CC. The image mask IMSK can also be configured to make visible the pixels PX′v of a digit segment SG corresponding to a keypad layout defined by the selected values RDkVq1, ADlVq2. A segment SG can be set always visible by fixing the corresponding segment value SGj to the binary state 0 (segment configured to be invisible) and by setting to 1 the corresponding pixels MKv in the mask IMSK. Another way to configure a segment always visible (or invisible) is to configure the circuit PLS such that it provides always a visible (or invisible, respectively) segment value SGj for all possible values of RDk and ADl.

Segments SG or pixels PXv are invisible or visible in one of the generated image frames FRM when they are displayed, respectively, with a background color of the image frame, or with a color different from the background color. The background color is defined by the color of the pixels around the considered segment SG, and may vary as a function of the position of the segment within the image frame FRM. In another embodiment, the segments are displayed on a background image. Each pixel of an invisible segment is displayed with the color of the corresponding pixel in the background image which is located below the segment pixel.

According to one embodiment, the final mask IMSK is transmitted to the terminal UT in step S23 using another communication channel, for higher security.

The interconnection matrices XML XM2 define where the pixels PX′v corresponding to the input values of the software component GC are displayed in the generated image frames FRM. The input values INb, INc of the software component GC define in relation with the image mask IMSK if the corresponding pixel PX′v in output of the software component GC is visible or invisible. The respective binary states of the input values INb, INc of the software component GC can be randomly selected at the time the software component is generated, the image mask IMSK being then generated as a function of the 2n keypad layouts and the architecture of the software component GC and more particularly as a function of the interconnection matrices XML XM2.

The mapping module MPF inserts groups of pixels values PX′v provided by the module XRG, at suitable positions into a background image frame BCKF to generate one of the image frames FRM to be displayed. In particular, the module XRG provides a group of pixels PX′v which forms the banner frame BNF as shown in FIG. 7, and groups of pixels PX′v which form each of the key labels KYL of one keypad frame KYP to be displayed in a frame FRM. The mapping module MPF inserts these groups of pixels in respective predefined locations in the background image frame BCKF to generate one of the image frames FRM as shown in FIG. 6. In one embodiment, the module XRG outputs a directly displayable image frame. In this case, the mapping module is not mandatory.

According to another embodiment, the unmasking operation performed by the module XRG could be combined with the generated image frames FRM, i.e. after the image mapping operation performed by the mapping module MPF. Therefore the mask IMSK may have the size of the background image frame BCKF or the image frames FRM.

According to an embodiment, the software component GC is received at step 23 with the first numbers NB1, NB2 to be used for selecting the input values RDkVq1, ADlVq2 (k=1, . . . s and l=1, . . . n). Hence, the server ASRV which generated the software component knows the corresponding first keypad layout. Then each time the user selects a key of the keypad, the terminal UT (the module GCM) computes new numbers NB1, NB2 to select and display a keypad KYP having another key layout. If the user presses the erase key “C”, the keypad layout may be not changed or the previously displayed keypad may be displayed again, using the corresponding numbers NB1, NB2.

Each time the user selects a key of the keypad, the numbers NB1, NB2 may be computed and updated as a function of a number attributed to the last key selected by the user, this number being attributed to the key as a function of its position in the keypad. In addition, the computation of the numbers NB1, NB2 may be performed as a function of number of times the user selects a key with the currently executed software component. In addition or alternatively, the computation of the numbers NB1, NB2 may be performed as a function of the previous values of the numbers NB1, NB2. The updated values of the numbers NB1 and NB2 are performed respectively modulo s and n. The module GCM may manage the usage of the erase key “C”, such that the positions POSi sent to the server ASRV at step S29 comprise only the positions validated by the user. In this case, the module GCM commands the display of the keypad that was displayed when the user selected the wrong key pressed just before the erase key, by using the corresponding numbers NB1, NB2.

According to another embodiment, all positions of the keypad selected by the user are sent by the terminal UT to the server ARSV, and the updating of numbers NB1, NB2 also takes into account the selection(s) of the erase key “C” by the user. As the server knows the first values of the numbers NB1, NB2, the updating function of these numbers and the positions POSi typed by the user, it can compute the sequence of numbers NB1, NB2 used by the terminal UT, and determine the sequence of keypad layouts displayed by the terminal, the password and validation code numbers PC, CC typed by the user being determined from each position POSi and the corresponding keypad layout. The cancel key “C” may be managed either to delete the last typed digit or all the previously typed digits. The effect of the cancel key “C” can be shown to the user by erasing one or all dots in the display zone FBD.

According to an embodiment, the digits of the validation code CC are displayed only when the user is requested to type this code, for example after the user typed the password PC. The sequence of numbers NB1, NB2 computed by the module GCM may be such that the segments displaying one digit of the validation code become visible after the user typed the password PC, e.g. after four validated key selections by the user, if the password comprises four digits.

According to an embodiment, the validation code CC can be defined in the structure and data of the software component GC, such that it is independent from the previous keys typed by the user.

According to another embodiment, the validation code CC can be defined as a function of the last key or all the keys previously typed (and possibly validated) by the user to enter the password PC. In this way, if the password PC entered by the user is wrong, the displayed validation code CC is also wrong, and the user cannot enter the right validation code CC expected by the server ASRV. For this purpose, the segments forming a digit of the validation code CC can be formed using the circuit part PLS as the segments forming the key labels KYL.

According to another embodiment, the first numbers NB1, NB2 or all the sequence of numbers NB1, NB2 to be used to select the keypad layouts and the digits of the validation code are randomly selected, and data representative of the displayed image frames are sent by the terminal UT to the server ASRV, these data enabling the server to determine the sequence of displayed keypad layouts and digits of the validation code.

The transmission of the two valid values of the inputs data RDk, ADl in the structure and content data GCD of the software component GC, enables introduction of randomness in the execution and output data of the software component at a very low cost. In contrast, a software component producing random output data can introduce a random generator in the software component, which cannot be obviously realized using the garbled circuit technique, without adding complexity to the garbled circuit, and thus without increasing the size of the structure and content data GCD defining the software component. In addition, the transmission of the two valid values RDkV1, RDkV2 of the input data RDk, and the two valid values ADlV1, ADlV2 of the input data ADl does not reduce the security of the introduction of the password PC and validation code CC, since the correspondence between each input value RDkV1, RDkV2, ADlV1, ADlV2 and a binary value 0 or 1 thereof cannot be established easily.

According to an embodiment, the input of a password may be not requested to authenticate the user, only the displayed validation code CC being requested to the user. In this case, the first displayed image frame shows the first digit of the validation code CC, and each of the subsequent displayed image frames shows one of the other digits of the validation code.

According to one embodiment, each time the terminal UT has to perform a new authentication, a new software component GC displaying a keypad KYP with different key layouts and displaying a different validation code CC is executed in step S27.

According to an embodiment, in order to avoid the transmission of one software component GC (in step S23), each time the user terminal is used to perform a new authentication, several alternative software components (defined by the structure and content data GCD) can be downloaded in the terminal UT in one time, and the terminal UT selects a non-already executed software component each time it has to perform a new authentication. As an example, several software components are downloaded with the application APP when the latter is downloaded and installed in a user terminal UT. Then, when one or several software components are used, a new set of software components can be downloaded from the server ASRV to the terminal UT, for example when the terminal has an efficient network connection.

According to an embodiment, several alternative software components are stored in the terminal UT in an encrypted form, and each time the terminal UT executes a new software component, the server ASRV sends a corresponding decryption key to the user terminal.

According to an embodiment, only a part of each of the software components is downloaded into the terminal UT. The downloaded part of each software component can include the data GCID, DIM, NBGL, GTW with or without the table RNLB. Each time the terminal UT has to perform a new authentication, the server ASRV only transmits to the terminal the data INLB, SGLB, GCK and IMSK, in step S23. Then, the terminal UT transmits the identifier GCID of the software component used for authentication to the server ASRV, for example in step S25 or S29. When the server ASRV receives a software component identifier GCID from a user terminal UT, it checks in the database UDB that the received identifier GCID corresponds with a next unexecuted or valid software component previously transmitted to the terminal UT. If the received identifier does not correspond with a next unexecuted or valid software component previously transmitted to the terminal UT, the server ASRV invalidates the user authentication and the corresponding transaction. The server ASRV may also invalidate a previous transaction performed with the same software component (corresponding to the same identifier GCID).

According to an embodiment, the server ASRV can assign a validity indicator (for example in the table GCP of FIG. 5) to each software component it generates for a user terminal. The server ARSV sets the validity indicator to valid when it transmits the corresponding software component to a user terminal in step S23, and to invalid when it receives the corresponding message ARP in step S29. In addition, the server ARSV can assign a validity period to each generated software component, a software component being set to invalid when its validity period has elapsed. The server ASRV may be configured to rejects a message ARP transmitted in step S29 when it corresponds to a software component set to invalid.

According to an embodiment, to prevent the keypad layout from being acquired using a screenshot function of the terminal UT, only a part of the visible segments in each key KY is displayed in each image frame generated by the software component. To this purpose, each visible segment to be displayed is present in an image frame FRM generated by the software component with a probability lower than 100%, for example equal to 50%. FIG. 14A shows the same frame as in FIG. 6, except that some segments SG of the displayed key labels KYL and of the displayed digit of the validation code are invisible. Thanks to its persistence property, the human visual system combines the image frames successively displayed by the terminal UT. Thus the displayed key labels KYL become intelligible to the user. FIG. 14B illustrates the displayed image IMG as it is perceptible by the human visual system when the image frames FRM generated by the software component are displayed at a sufficiently high frequency (preferably higher than 30 Hz) for example at 60 Hz, such that a new image frame generated by the software component is displayed every 16.6 ms, each segment which is visible being displayed at a frequency greater than 30 Hz. As shown in FIG. 14B, the key labels KYL and the digit of the validation code CC appear in grey to a user when visible segments to be displayed of the key labels are inserted in the frames FRM with a probability lower than 100%.

FIG. 15 at the top shows one example of two superimposed layers of the banner frame BNF produced by the software component and displayed by the terminal UT. The central part of FIG. 15 shows the banner frame as it is generated and displayed. The bottom part of FIG. 15 shows the banner BN as it can be perceived by the user. The first layer of the banner frame BNF (at the top left of FIG. 15) comprises the message MSG “Order: transfer xx € to yyyy” to be displayed. The second layer (at the top right of FIG. 15) comprises the digit of the validation code CC to be displayed and to be entered by the user of the terminal UT. To prevent the validation code CC from being acquired using a screenshot function of the terminal UT, only a part of the visible segments SG is displayed in each image frame FRM generated by the software component, such that each visible segment SG to be displayed is present in an image frame FRM generated by the software component with a probability lower than 100%, for example equal to 50%. The pixels of the first and second layers may be combined together by a XOR operation. Thus, in the generated banner frame BNF as shown in the central part of FIG. 15, the pixels belonging both to the message MSG and to a segment of the validation code CC, are displayed in the background color, when the message and the segment are displayed in a color different from the background color.

The bottom part of FIG. 15 illustrates the displayed banner BN as it is perceptible by the human visual system, when the image frames FRM generated by the software component are displayed at a sufficiently high frequency (greater than 30 Hz) for example at 60 Hz, such that a new frame FRM is displayed every 16.6 ms. The digit DL of the validation code CC appear in grey to the user, when visible segments to be displayed are inserted in the banner frames BNF with a probability lower than 100%.

According to an embodiment, visible and invisible segments of each digit KYL, DL to be displayed appear in the frames FRM with respective probabilities such that the displayed digits are intelligible for the human visual system, thanks to the persistence of the latter. For example, the generated software components are configured to display the invisible segments with a probability of 0 to 15%, and the visible segments with a probability of 50 to 100%. The visible segments forming a key label KYL or a digit of the validation code CC can be displayed with respective probabilities comprised between 50 and 100%, and the invisible segments in a key label or a digit of the validation code CC can be displayed with respective probabilities comprised between 0 and 15%. The display probabilities of the segments forming the digits of the key labels and the validation code CC can be adjusted as a function of the frame display frequency, such that the labels of the displayed digits remain intelligible for the human visual system.

The displayed keypad KYP may not need to have a validation key “V”, the validation of the typed codes being performed when the user inputs the last digit of the password PC and validation code CC to be typed. For example, if the password PC comprises four digits and the validation code CC two digits, the execution of the software component can be ended when the user inputs six digits.

FIG. 16 illustrates a software component GC1 according to another embodiment. The software component GC1 differs from the software component GC in that it comprises an additional circuit layer L1 inserted between the circuit PLS and the interconnection matrix XM2. According to an embodiment, to generate image frames FRM as shown in FIG. 14A, each of the circuits SGCj of the software component GC1 comprises one gate BGj for each of the segments SG that can be visible or invisible in the image frames FRM. The gates BGj are configured to generate the visible segments of the digits of the key labels KYL and validation code SG with a probability of 50% and the invisible segments of these digits with a probability of 0%. The structure of the software component GC can be adapted to apply other display probabilities to the visible and invisible segments of the digits to be displayed. The gate BGi performs for example a logical operation such as AND, OR, NAND, NOR, to display each visible segment with a probability of 50%, and each invisible segment with a probability of 0% to be visible. The circuit layer L1 comprises 2n logic gates BGj, each gate BGj processing one output value SGj of the circuit PLS before being transferred to the circuit layer L2 through the interconnection matrix XM2. Each gate BGj has two inputs receiving one output value SGj of the circuit PLS and one input value RNj of the circuit GC1, and provides an output value SGj′ to gates XGj1, XGjp in the layer L2. The gates BGj turn the visible segments SG to invisible as a function of the input values RNj.

FIG. 17 illustrates the structure and content data GCD1 defining the software component GC1 (which may be transmitted in step S23 to the user terminal), when it is designed as a garbled circuit, according to an embodiment. The data GCD1 differs from the data structure GCD in that it comprises an input data table RNLB comprising all possible values of the input data RNj of the software component GC1, numbered from 1 to 2n, for the execution of the software component GC1, the gate wire table GTW and the gate truth table GTT being modified to take into account the presence of the gates BGj in the circuit GC1.

According to an embodiment, the table RNLB contains both valid values RNjV1, RNjV2 of each of the input values RNj corresponding to the logical states 0 and 1. Each value RNjV1, RNjV2 can be equal with a same probability to either one or the other of the two valid values of the random value RNj corresponding respectively to the states 0 and 1.

FIG. 18 illustrates a module GCM1, configured to execute a software component GC1 and to generate the image frames FRM. According to an embodiment, the module GCM1 executes the software component GC1 each time a new image frame is to be generated, i.e. at a frame refresh rate equal to or greater than 30 Hz. To this purpose the module GCM1 can be activated by a synchronization signal SNC having for example a rising edge each time a new image frame is generated.

The module GCM1 differs from the module GCM in that it comprises a modified switching module SWC1. The module SWC1 differs from the module SWC in that it performs additional switching operations SWi to select one or the other of the two valid values RNjV1, RNjV2 of each random input value RNj. Each switching function SWj is controlled by a respective bit RNBj of a random number RNBj having 2n bits, generated by a random number generation function implemented in the function SEL, and which generates a random number of 2n bits at a rate defined by the signal SNC. Each switching operation SWj provides for each of the random input values RNj a randomly selected value RNiVq3 which is stored in the structure GCDI. As a result of the selection of one of the two valid values RNjV1, RNjV2 of the random input values RNj (the visible segments SG to be displayed corresponding to a data SGj output by the circuit PLS set to the state one), the output of the corresponding AND gate BGj is set to state either 0 or 1, depending on the logical state of the selected random value RNjVq3. As a consequence, the visible segments SGj appear in each frame FRM with a probability equal to the probability of the random input value RNj to be set to state 1. If the number RNB is a true random number, this probability is equal to 50%.

The image mask IMSK can be configured to make visible the pixels PXv of a digit segment SG corresponding to a segment value SGj fixed to the binary state 0 (segment configured to be invisible). In this way, the segment is always visible (with a probability of 100%) in the generated image frames FRM. Another way to configure a segment always visible or invisible is to attribute a same value to the two random values RNjV1, RNjV2 corresponding to the related segment value SGj, in the transmitted structure and content data GCD1.

The transmission of the two valid values of the random inputs RNj, in the structure and content data GCD1 of the software component GC1, enables introduction of randomness in the execution and output data of the software component GC1.

FIG. 19 illustrates a part of the software component GC1 according to another embodiment. The circuit part disclosed in FIG. 19 is intended to replace one logic gate BGj in the circuit of FIG. 16. In the example of FIG. 19, the circuit part comprises three AND gates AGj1, AGj2 and AGj3 and two OR gates OGj1, OGj2. Instead of having one segment value SGj and one random input RNj for each segment SG of the image frame FRM to be displayed with a probability lower than 100%, this circuit part comprises for one segment, three segment inputs SGj1, SGj2, SGj3 and three corresponding random inputs RNj1, RNj2, RNj3. Each of the gates AGj1, AGj2, AGj3 combines one respective segment input SGj1, SGj2, SGj3 with one respective random input RNj1, RNj2, RNj3. The outputs of the gates AGj1 and AGj2 are connected to the inputs of the gate OGj1, and the outputs of the gates AGj3 and OGj1 are connected to the inputs of the gate OGj2. The output Dj of the gate OGj2 is connected to as much gates XGj as the number of pixels forming the segment controlled by the inputs SGj1, SGj2, SGj3. In this way, when all the segment inputs SGj1, SGj2, SGj3 are set to the binary state 0, the output Dj of the gate OGj2 is set to the binary state 1 with a probability of 0%. When only one of the segment inputs SGj1, SGj2, SGj3 is set to the binary state 1, the output Dj of the gate OGj2 is set to the binary state 1 with a probability of 50%. When only two of the segment inputs SGj1, SGj2, SGj3 are set to the binary state 1, the output Dj of the gate OGj2 is set to the binary state 1 with a probability of 75%, and when all the three segment values SGj1, SGj2, SGj3 are set to the binary state 1, the output Dj of the gate OGj2 is set to the binary state 1 with a probability of 87.5%. Depending on the corresponding input values INi1-INip and corresponding mask bit values MKi1-MKip of the mask IMSK, and the segment values SGj1, SGj2, SGj3 provided by the circuit PLS, it is possible to display a segment SG with a probability fixed either to 0%, 12.5%, 25%, 50%, 75%, 82.5% or 100%. According to an embodiment, the visible segments SG are displayed in the image frames FRM with a probability randomly set to either 12.5%, 25%, 50%, 75%; 82.5% or 100%.

These probabilities or others can be obtained using other combinations of logic gates combining the three segment values SGj1, SGj2, SGj3 and the three random input values RNj1, RNj2, RNj3.

Other probability values can be reached by the software component, by increasing the number of inputs for one segment, and thus by increasing the number of AND gates in the first circuit layer L1 and the number of combining OR gates in following circuit layers.

According to one embodiment, the visible segments are displayed with a probability decreasing as a function of the experience level of the user. At first authentications, performed from a first installation of the application APP, the visible segments SG can be displayed in the image frames FRM with high probabilities, e.g. between 75% and 100%. As the experience level of the user grows, these probabilities can be progressively reduced and finally set to randomly-selected values for example between 12.5% and 50%.

Instead of displaying a keypad with a variable key layout, the software component GC and corresponding mask IMSK may be configured to display a biometric challenge, requesting the user to input a response using a sensor that may be used for instance as a biometric sensor. The sensor may be a camera, a fingerprint sensor or a microphone (or an iris sensor, a heart rate monitor, a glucose monitor, a blood pressure sensor, . . . ). In this case, the user may be invited in step S10 to introduce in the terminal UT requested biometric data RBD using one or more sensors of the terminal UT (and/or one or more sensors securely associated with the terminal), for example according to displayed instructions. According to examples, the user can be instructed to enter fingerprints of several or all of his fingers using a fingerprint sensor, and/or to pick up pictures of his face (e.g. left, front, right pictures), using a camera (a conventional imaging camera, or any other type of camera such as thermal or infrared camera), and/or voice recordings by saying a list of words, letters, or figures displayed by the terminal UT, using a microphone. In step S12, the biometric data entered by the user are transmitted to the server ARSV and stored in the user database UDB. When the software component is executed at step S27, the user introduces the requested biometric data corresponding to the biometric challenge in the image frames displayed by the software component (step S28). In step S29, the biometric data introduced by the user are transmitted to the server ARSV. In steps S30, S31, the server ASRV compares the received biometric data with those stored in the user database UDB and corresponding to the user.

FIG. 20 which illustrates an example of such a biometric challenge, shows an example of an image frame FRM displayed by the user terminal UT when it executes the software component GC. The image frame FRM comprises a banner frame BNF displaying the message MSG. In the example of FIG. 20, the message MSG contains information related to a transaction to be validated by the user, for example “Order: transfer xx € to yyyy”. The image frame FRM further presents a biometric challenge requesting the user to capture a part of his face using a camera of the terminal UT or associated thereto, optionally in a secure way. To this purpose, the image frame FRM presents a stylized human head, the left, front and right sides of the head being associated with a respective randomly chosen number ND. The image frame FRM further presents a biometric challenge “Present side <number> of your face” and a validation key “V”, “<number>” corresponding to one of the displayed numbers ND. In the example of FIG. 20, the left, front and right sides of the face are numbered 3, 9 and 7, and the requested face side to capture is side 3, i.e. the left side of the face.

According to an embodiment, each time the user inputs an image and validates it, a new image frame FRM is generated using different values of the input data ADl, RDk, selected by new values of numbers NB1, NB2.

According to another embodiment, to prevent the displayed numbers ND from being acquired using a screenshot function of the terminal UT, the numbers ND are displayed using segments SG, for example seven segments, and only a part of the segments forming each displayed number ND is displayed in each image frame generated by the software component GC1. To this purpose, each visible segment SG to be displayed is present in an image frame FRM generated by the software component GC1 with a probability lower than 100%, for example equal to 50%. Thanks to the persistence property of the human visual system, the latter combines the image frames successively displayed by the terminal UT. Thus the displayed numbers ND become intelligible to the user, but cannot be captured in an efficient way using a screenshot function.

FIG. 21 illustrates another example of an image frame FRM displayed by the user terminal UT when it executes the software component GC. The image frame FRM comprises the banner frame BNF displaying the message MSG. The image frame FRM further presents another biometric challenge requesting the user to enter fingerprints of designated fingers using for instance a fingerprint sensor of the terminal UT or connected thereto. To this purpose, the image frame FRM presents stylized left and right human hands, each finger being associated with a randomly chosen number ND. The image frame FRM further presents a biometric challenge “Present fingers <number> then <number>” and a validation key “V”. The numbers ND are displayed using segments SG, for example seven segments. In the example of FIG. 21, the back faces of the hands are shown, the left hand being placed to the left of the right hand, and the ten fingers are associated respectively with the randomly chosen numbers (from left to right) 8, 3, 1, 2, 6, 7, 5, 4, 9 and 0. The requested fingerprints are numbered 0 then 6, which correspond to the fingerprints of the little finger of the right hand, and the thumb of the left hand.

FIG. 22 illustrates another example of an image frame FRM displayed by the user terminal UT when it executes the software component GC. The image frame FRM comprises the banner frame BNF displaying the message MSG. The image frame FRM further presents another biometric challenge requesting the user to pronounce one or more words, using a microphone of the terminal UT or connected thereto. To this purpose, the image frame FRM presents a list of words which can be selected in a dictionary, each word being associated with a randomly chosen number ND. The image frame FRM further presents a biometric challenge “Say the word <number>” and a validation key “V”. In the example of FIG. 10B, the displayed numbers ND appear in grey to a user when visible segments SG to be displayed are inserted in the frames FRM with a probability lower than 100%. In this example, the selected displayed words are “word1”, “word2” and “word3”, and are associated respectively with the numbers 3, 9 and 7, and the requested word to say is numbered 7, i.e. the word “word3”. Instead of words, the user can be requested to say letters (that can be part of displayed words) and/or numbers which can be displayed using segments SG, only a part of the segments forming each displayed letters or numbers being displayed in each image frame generated by the software component GC. The numbers ND are displayed using segments SG, for example seven segments.

In another embodiment, the biometric challenge is for instance “Say the words <number1>, <number2> and <number3>” or “Pronounce the letters <number1> and <number2> of the <number3> word”.

According to an embodiment, each time the user inputs a response in the examples of FIGS. 21 and 22, and validates it, the image frame FRM is regenerated using different input values of the input data ADl, RDk. In this way, the displayed numbers ND change each time the user inputs an answer to a biometric challenge. According to an embodiment, the image frame FRM may be regenerated using different input values of the input data ADl, RDk at randomly chosen instants.

According to an embodiment, only a part of the segments forming each displayed number is displayed in each displayed image frame generated by the software component GC. To this purpose, each visible segment SG to be displayed is present in an image frame FRM generated by the software component GC with a probability lower than 100%, for example equal to 50%.

When the user is authenticated on the basis of a biometric challenge (FIGS. 20, 21, 22), a complete sequence of numbers NB1, NB2 to be used to determine the input values ADl and RDk selecting the displayed numbers ND, may be transmitted by the server ASRV to the terminal UT. In this way, the displayed numbers ND can change each time the user inputs a response to a biometric challenge, and the server knows which numbers are displayed in each displayed image frame. New numbers NB1, NB2 may be selected at a random frequency provided by the server.

In the embodiments using garbled circuits, the generation of a software component, performed by the server ASRV in step S22, comprises generating random values representing the binary states 0 and 1 of the input bits and of the output bits of the logic gates of the software component, some of the logic gate outputs corresponding to outputs of the garbled circuit. The generation of a software component further comprises randomly selecting the interconnection matrices XM1, XM2, i.e. randomly selecting the links between the inputs of the software component and the inputs of the logic gates of the software component, and between the outputs of some logic gates and the inputs of other logic gates (definition of the table GTW). The generation of a software component further comprises defining the truth tables GTT of the logic gates of the software component, and encrypting each value of these truth tables using an encryption key. According to an example, each four values G (=GTT[IN1{0} I/IN2{0}]) of the truth table of a logic gate of the software component GC can be computed as follows:

G=PF2(IN1,IN2,OV) (4)

for each possible combination of the valid values of the inputs IN1, IN2 and the output OV, when considering the binary states corresponding to the valid values of IN1, IN2 and OV, and the logic operation performed by the logic gate, PF2 representing a non-reversible function. According to the example defined by equation (2), each four values G of the truth table of a logic gate can be computed as follows:

G=AES(GCK,K)^⊕K^⊕OV (5)

with K=CF(IN1, IN2)^⊕T.

As a consequence, it is very difficult to determine the binary states of the input and output values and the function of the logic gates of the software component. Therefore, the functioning of the software component GC cannot be easily determined. In addition, the software component can process only the two valid values of each input of the circuit, among a huge number of invalid values. Therefore, it is not possible to apply any values to the inputs of the software component. For more details on garbled circuits, reference may be made to the document “Foundations of Garbled Circuits”, Mihir Bellare, Viet Tung Hoang, Phillip Rogaway, dated Oct. 1, 2012.

A hacker or a malware program executed by the terminal UT may be able to get the password PC input by the user in step S10. However, the knowledge of this password is not sufficient for the hacker to be authenticated in steps S21 to S32 since the typed positions POSi correspond to the keypad KYP and validation code CC displayed by the execution of the software component GC transmitted to the terminal UT in step S23. The hacker or malware has a very short time to get the keypad key layout by analyzing the displayed image frames FRM or by executing or analyzing the software component.

When the server ASRV generates the software component GC, it can be decided to use another bit rank in the values of the wires of the software component for defining the corresponding binary state of these values. The bits at the selected bit rank in the input values a logic gate AGi are used to select a data in the truth table GTT of the logic gate, and the bits at the selected bit rank in the output values PXi of the software component GC are extracted and applied to the module XRG.

The illustrations described herein are intended to provide a general understanding of the structure of various embodiments. These illustrations are not intended to serve as a complete description of all of the elements and features of apparatus, processors and systems that utilizes the structures or methods described therein. Many other embodiments or combinations thereof may be apparent to those of ordinary skills in the art upon reviewing the disclosure by combining the disclosed embodiments. Other embodiments may be utilized and derived from the disclosure, such that structural and logical substitutions and changes may be made without departing from the scope of the disclosure.

The methods disclosed herein may be totally or partially implemented by software programs executable by the main processor HP (CPU) of the user terminal UT, and/or at least partially by the graphic processor GP of the user terminal UT.

Further, the methods disclosed herein are not limited to displaying sensitive information such as a keypad with a randomly selected layout and a validation code. Indeed, the object of such a display is to check that the user knows a secret data shared with the server ASRV and perceives information presented by the terminal in a way perceptible only by a human. Alternative challenge-response schemes can be implemented in other embodiments. According to an embodiment, the displayed message MSG may request the user to input a combination such as the sum or the multiplication of the digits of the displayed validation code CC.

In addition to this or in another embodiment, the generated frames may comprise differences with a previously generated frame.

According to another embodiment, the flickering or blinking of segments may be controlled directly in/by the graphic processor, by setting pixel intensity, additive or subtractive pixel color, pixel refresh rate, or pixel flickering parameters of the graphic processor.

According to embodiments, the display screen DSP may be separated from the user terminal UT. For example, the display screen may be the one of a smartwatch, a smart glass or a virtual reality or an augmented reality headset, and the user terminal may be a smartphone, a tablet or a laptop/desktop computer. In some embodiments, the communication link between the display and the user terminal may be wireless. For example, the communication link may be a one or a combination of Bluetooth®, Wi-Fi, or any other radio frequency or wireless communication technology.

According to some embodiments, the biometric sensor is separated from (e.g. not part of) the user terminal UT. In addition, the biometric data BIOD may be acquired using various sensors used separately or in combination. In the example of a heart-rate monitor, a smartwatch may provide the biometric sensor and the display to be used to display the biometric challenge. In another embodiment, a glucose monitor wore separately may be used. Also, in other embodiments, a heart-rate monitor may be combined with a thermal imaging camera. In some embodiments, the communication link between the biometric sensor(s) and the user terminal may be wireless. In some embodiments, some if not all communication links may use secure protocols.

The challenge can be transmitted to the user using other means than by displaying it on a display screen. For instance, the challenge can be transmitted to the user by audio means using an audio cryptographic algorithm such as described in “Simple Audio Cryptography”, by Yusuf Adriansyah, dated Apr. 29, 2010. According to this algorithm, an original audio sequence is decomposed into a number of source audio sequences of the same length as the original audio sequence, in a way such that the original audio sequence can be reconstructed only by simultaneously playing all the source audio sequences generated by the decomposition, and such that it is very difficult to reconstruct the original audio sequence if any one of the source audio sequence is missing. Provision may be made to play two source audio sequences simultaneously, one via the terminal UT and the other via other means such as a portable device having a memory storing a source audio sequence and a headphone playing the stored source audio sequence without a microphone of the terminal hearing it. If the user hears an intelligible audio message by playing the two source audio sequences simultaneously, it means that the source audio sequence played by the portable device complements the source audio sequence.

According to another embodiment, the user records his fingerprints in step S10. In step S27, the software component GC displayed a message requesting the user to input one or two particular fingerprints, for example the thumb print and the ring finger print. This message is displayed using segments, as the digits representing the key labels KYL and validation code CC. In step S28, the user inputs the requested fingerprints, and at the verification steps S30 and S31, the server ASRV compares the input fingerprints with the one it stored after step S10. Here, the shared secret data are the fingerprints and the information to be perceived by the user is the designation of the requested fingers.

Further, the methods disclosed herein are not limited to authenticating a user in view of validating a transaction. The methods disclosed herein may be applied to securely transmit secret or sensible information to or from a user, or more generally to securely perform a sensitive operation in a non-secure environment.

Further, the methods disclosed herein are not limited to a method comprising displaying image frames and introduction of secret data (PC, CC) using a single user terminal. The methods disclosed herein may be applied to securely authenticate a user on another connected device, the frame images being displayed on the user terminal or on a remote display such as a smartwatch, virtual or augmented reality glasses or lenses, or projected on a surface or in the form of a 3D image, or any IoT (Internet of Things) device having a display function or the like. Similarly, the biometric data may be input in another device connected to the user terminal. Similarly, the secret data may be input in another device connected to the user terminal or using voice or gesture. Therefore, the words “user terminal” may designate a single device or a set of devices including a terminal without a display, an IoT device, a smart home terminal, and any input terminal that allows the user to enter data.

The user terminal UT may be controlled by voice or gesture. Voice command may be translated to command. Each recognized command being equivalent to one of the positions POSi. The keypad may be replaced by any other representations such as the ones using a gesture, following a geometric figure or tracing links between dots. Further, the input terminal may be a 3D input terminal with which the user may interact by 3D gestures in the air. Therefore the positions POSi may be 3D coordinate positions in space.

In other embodiments, the display may be any display including for example an ATM, a vending machine, a TV, a public display, a projected display, a virtual display a 3D display or a hologram. In other embodiments, the terminal may be any input equipment including for example a touch screen, a game accessory, a gesture acquisition system, a voice or sound command system.

In other embodiments, the images frames FRM are generated without applying the mask IMSK, and are displayed separately from the mask IMSK using two display devices, one of the two display devices being transparent, such as a display device in the form of eye lenses, the displayed images becoming intelligible to the user when they are superimposed with the displayed mask IMSK, the displayed white pixels of the mask being transparent and the displayed black pixels of the mask being opaque.

Further, the methods disclosed herein, introducing randomization in the execution of the software component protected against tampering and reverse-engineering, are not limited to generate blinking pixel in an image or an image frame. More generally, these methods can be used in any application in which a random state is used in a sensitive software function, protected against reverse-engineering and tampering, the software function receiving input data and providing output data. For example, these methods can be applied to protection of data without using encryption or decryption keys which are exposed to key theft. In this example, the software component is configured to provide a part of the protected data as a function of a set of random input data, each random input data having two possible values. Each combination of the random input values applied to the software component is used to compute a respective part of the protected data. The number of combinations of the random input values defines the number of data parts that can be computed by executing the software component. As an example, the data to be protected can be images, and the data parts of such images can be pixel values of an image or color component values of the image pixels, the execution of the software component providing a pixel value or a part thereof and a position of the pixel in the image (see “Secure Image Datasets in Cloud Computing”, X. Arogya Presskila, P. Sobana Sumi, in International Journal of Advanced Research in Computer Science and Software Engineering, Vol. 4, Issue 3, March 2014). The parts of the data to be protected that are each computed by one execution of the software component applied to one combination of the input values can be as small as desired. For instance, the software component can be configured to provide by one execution a point of a Gaussian curve or a value that is used to compute a histogram, the data part value corresponding to the highest value computed by the software component or to the value having the highest occurrence number in the histogram. Only a part of the protected data can be made accessible when only a part of the two alternative values of the input data of the software component is provided, only one value being provided for the other input data of the software component.

Further, the methods disclosed herein are not limited to an implementation involving an authentication server. Other implementations can involve a secure element within the user terminal, such as the secure processor SE shown in FIG. 2, or a secure domain within the main processor HP of the terminal. In the methods disclosed herein, all operations performed by the server ASRV can be performed by such a secure element. FIG. 23 illustrates authentication steps S41 to S44 performed by the user terminal UT and a secure element SE linked to the main processor HP of the terminal UT, and enabling the secure element to authenticate the user. In step S41, the terminal UT transmits a command CMD to the secure element SE, this command requesting authentication of the user before being executed by the secure element. Then the secure element SE and the terminal UT performs steps S22, S23, and S25 to S30, as previously disclosed. The secure element SE performs steps S22, S23, S26 and S30, in place of the server ASRV. Then the secure element SE performs steps S42 to S44. In step S42, the secure element SE compares the password PC1 and validation code CC1 input by the user to corresponding values PC and CC securely stored by secure element SE. If the password PC1 and validation code CC1 typed by the user match the values PC and CC stored by the secure element SE, the latter performs step S43 in which it executes the command CMD requested in step S41. In step S44, the secure element SE transmits an execution report RS of the command CMD. In this way, the secure element SE executes the command CMD only if and when the user of the terminal UT authorizes it.

According to an embodiment, the secure element SE in FIG. 23 can be implemented by or can be part of an external terminal connected to the user terminal UT by means of a communication link such as NFC (Near Field Communication) or Bluetooth®, or the like. The external terminal can be a point-of-sale terminal.

Further, the methods disclosed herein are not limited to garbled circuits comprising gates having only two inputs and one output. Other types of gates with three or more inputs and one or more outputs or receiving data having more than two valid states may be implemented using truth tables having more than four lines. Therefore, the randomness obtained by transmitting and selecting one of the possible values RNiV1 and RNiV2 of the input RNi, may also be obtained by transmitting and randomly selecting one value among three or more valid values of an input of the garbled circuit.

Further, the methods disclosed herein are not limited to an implementation of the software component by a garbled circuit. Other implementations of the software component such as including obfuscated programs can be used to hide parts of the program loaded in the main processor of the terminal UT, and/or to prevent sensitive parts of the program from being unveiled or modified by unauthorized persons. Methods of obfuscating programs are disclosed for example in the documents “Obfuscating Circuits via Composite-Order Graded Encoding” Benny Applebaumy, Zvika Brakerskiz, IACR-TCC 12 Jan. 2015, and “How to Obfuscate Programs Directly”, Joe Zimmerman, IACR, 30 Sep. 2014.

More generally, the conception of a garbled circuit can be performed by translating a program written in language such as C or C++ into a circuit design language such as VHDL or Verilog to obtain a logic or Boolean circuit comprising logic gates.

Further, the methods disclosed herein are not limited to the use of a software component protected against tampering and reverse-engineering, such as generated using obfuscation or garbled circuit methods. As an example of such an application, the methods disclosed herein may be used to perform operations that do not utilize a high security level, such as for data privacy protection, including video games (e.g. management of available virtual lives) or medical eye testing.

Further, the methods disclosed herein are not limited to an implementation involving a mask such the image mask IMSK to decrypt output values of the software component. Other implementations can generate and execute a software component directly outputting the pixels values to be displayed. In addition, the message MSG can be directly provided in the output pixel values. In addition the mask can be transmitted separately from the software component or the structure and content data thereof, e.g. via different transmission means, optionally after the execution of the software component, totally or in several parts.

Further, the methods disclosed herein can be implemented with a user terminal UT that only comprises a hardware keypad, the displayed frames FRM being displayed just to assign other key labels to the physical keypad. Thus, instead to touch positions of the display screen to input the positions POSi, the user activates hardware keys of the keypad in correspondence with the assigned labels shown in the displayed frames FRM.

The term pixel, as used herein for a standard display screen, may be understood as coordinates, either 2D coordinates for a 2D display or 3D coordinates for a 3D or stereo display or for a projected display or the like.

Further, the disclosure and the illustrations are to be considered as illustrative rather than restrictive, and the appended claims are intended to cover all such modifications, enhancements and other embodiments, or combinations thereof, which fall within the true spirit and scope of the description. Therefore, the scope of the following claims is to be determined by the broadest permissible interpretation of the claims and their equivalents, and shall not be restricted or limited by the foregoing description.

Claims

1. A method for authenticating a user, the method comprising:

receiving, from a secure processor, a software component configured to generate an image frame including information intelligible to the user, and a plurality of input data of the software component, the input data including a plurality of first input data each having two randomly-selected valid values and invalid values, the software component including a plurality of first inputs, each first input being configured to receive respectively the first input data, the received input data including the valid values of the first input data;

performing a plurality of times: selecting one of the valid values of each of the first input data in the received input data, executing the software component by applying the received input data to inputs of the software component and the selected valid values to the first inputs of the software component, the execution of the software component generating the image frame which has pixels in a visible or invisible state, depending on the selected valid values of the first input data and forming an image of the user intelligible information, displaying the image frame, and acquiring, from the user, a response depending on the user intelligible information in the displayed image frame; and

transmitting the acquired response to the secure processor.

2. The method of claim 1, wherein first valid values of the first input data used for generating and displaying a first image frame are selected as a function of a data provided by the secure processor, and second valid values of the first input data are selected as a function of the response acquired from the user from a previously displayed image frame, for generating and displaying another image frame.

3. The method of claim 1, wherein the valid values of the first input data selected for generating and displaying the image frames at each successive executions of the software component, are randomly selected, and a signature of data defining each generated image frame is transmitted to the secure processor.

4. The method of claim 1, wherein the software component is configured to generate the image frame, wherein the user intelligible information is displayed using random pixels having a probability lower than 100% to be visible in the image frame, such that the user intelligible information is machine non-visibly recognizable, the software component being executed a plurality of times to generate a plurality of image frames which are displayed at frame display rate such that the user intelligible information becomes intelligible to the user.

5. The method of claim 1, wherein the user intelligible information:

includes a plurality of labels of a keypad ordered as a function of the first input data, the response from the user including key positions of keys of the keypad selected by the user,

includes a plurality of labels of a keypad ordered as a function of the first input data, and one symbol belonging to a validation code, the response from the user including key positions of keys of the keypad selected by the user, or

specifies a biometric challenge, the response from the user including biometric data input by the user using a biometric sensor.

6. The method of claim 4, wherein the software component is configured to provide, in response to a random selection of valid values of second input data, output data in one of two binary states with a probability set to a value between 12.5% and 87.5%.

7. The method of claim 1, wherein the software component is configured to store a plurality of image frame configurations, which are selected by selecting valid values of the first input data.

8. The method of claim 1, wherein the software component is configured to generate encrypted parts of an image frame, the generation of each image frame including:

decrypting each generated encrypted image frame part using a decrypting mask, the decrypting mask being transmitted from the secure processor; and

inserting each decrypted image frame part in an image frame background to generate a respective image frame.

9. The method of claim 8, further comprising:

transmitting the response from the user to the secure processor; and

authenticating the user by the secure processor when the response corresponds to the information and to a secret data known to the user and included the secure processor.

10. The method of claim 1, wherein the software component is encoded as a garbled circuit, the garbled circuit including circuit inputs, circuit outputs, logic gates and wires, each logic gate having two inputs and one output, each wire having a first end connected to one of the circuit inputs or to one of the logic gate outputs, and a second end connected to one of the logic gate inputs or to one of the circuit outputs, the garbled circuit being generated by selecting a valid data value for each binary state of each of the wires, and by computing, for one logic gate of the garbled circuit, truth table values as a function of each valid data value of each input of the logic gate, each valid data value of the output of the logic gate and a logic operation performed by the logic gate.

11. A user terminal configured to:

receive from a secure processor, a software component configured to generate an image frame including information intelligible to the user, and a plurality of input data of the software component, the input data including a plurality of first input data each having two randomly-selected valid values and invalid values, the software component including a plurality of first inputs configured to receive respectively the first input data, the received input data including the valid values of the first input data;

perform a plurality of times: selecting one of the valid values of each of the first input data in the received input data, executing the software component by applying the received input data to inputs of the software component and the selected valid value to the first input of the software component, the execution of the software component generating the image frame which has pixels in a visible or invisible state, depending on the selected valid values of the first input data and forming an image of the user intelligible information, displaying the image frame, acquiring, from the user, a response depending on the user intelligible information in the displayed image frame; and

transmit the acquired response to the secure processor.

12. The terminal of claim 11, configured to:

select first valid values of the first input data as a function of a data provided by the secure processor, for generating and displaying a first image frame, and

select second valid values of the first input data, as a function of the response acquired from the user from a previously displayed image frame, for generating and displaying another image frame.

13. The terminal of claim 11, further configured to:

randomly select the valid values of the first input data used for generating and displaying the image frames at each successive executions of the software component; and

compute and transmit a signature of data defining each generated image frame to the secure processor.

14. The terminal of claim 11, wherein the software component is configured to generate the image frame, wherein the user intelligible information is displayed using random pixels having a probability lower than 100% to be visible in the image frame, such that the user intelligible information is machine non-visibly recognizable, the software component being executed a plurality of times to generate a plurality of image frames which are displayed at frame display rate such that the user intelligible information becomes intelligible to the user.

15. The terminal of claim 11, wherein the user intelligible information:

includes a plurality of labels of a keypad ordered as a function of the first input data, the response from the user including key positions of keys of the keypad selected by the user,

includes a plurality of labels of a keypad ordered as a function of the first input data, and one symbol belonging to a validation code, the response from the user including key positions of keys of the keypad selected by the user, or

specifies a biometric challenge, the response from the user including biometric data input by the user using a biometric sensor.

16. The terminal of claim 14, wherein the software component is configured to provide, in response to a random selection of valid values of second input data, output data in one of two binary states with a probability set to a value between 12.5% and 87.5%.

17. The terminal of claim 11, wherein the software component is configured to store a plurality of image frame configurations, which are selected by selecting valid values of the first input data.

18. The terminal of claim 11, wherein the software component is configured to generate encrypted parts of an image frame, the generation of each image frame further including:

decrypting each generated encrypted image frame part using a decrypting mask, the decrypting mask being transmitted from the secure processor; and

inserting each decrypted image frame part in an image frame background to generate a respective image frame.

19. The terminal of claim 18, further configured to transmit the response from the user to the secure processor, the user being authenticated by the secure processor when the response corresponds to the information and to a secret data known to the user and included the secure processor.

20. The terminal of claim 11, wherein the software component is encoded as a garbled circuit, the garbled circuit including circuit inputs, circuit outputs, logic gates and wires, each logic gate having two inputs and one output, each wire having a first end connected to one of the circuit inputs or to one of the logic gate outputs, and a second end connected to one of the logic gate inputs or to one of the circuit outputs, the garbled circuit being generated by selecting a valid data value for each binary state of each of the wires, and by computing, for one logic gate of the garbled circuit, truth table values as a function of each valid data value of each input of the logic gate, each valid data value of the output of the logic gate and a logic operation performed by the logic gate.

21. The terminal of claim 11, wherein the secure processor is a secure element connected to a main processor of the terminal.

22. The terminal of claim 11, wherein the secure processor belongs to a remote server linked to the terminal through a data transmission network.

23. A secure element connected to a processor of a terminal and configured to:

transmit to the processor of the terminal, a software component configured to generate an image frame including information intelligible to a user of the terminal, and a plurality of input data of the software component, the input data including a plurality of first input data each having two randomly-selected valid values and invalid values, the software component including a plurality of first inputs, each first input being configured to receive respectively the first input data, the received input data including the valid values of the first input data, the software component being configured to be executed a plurality of times, with one of the valid values of each of the first input data in the received input data, the execution of the software component generating the image frame which has pixels in a visible or invisible state, depending on the selected valid values of the first input data and forming an image of the user intelligible information; and

receive a response acquired by the terminal from the user, the response depending on the user intelligible information in the generated image frame.

24. A server linked to a terminal through a data transmission network and configured to:

generate and transmit to the terminal, a software component configured to generate an image frame including information intelligible to a user of the terminal, and a plurality of input data of the software component, the input data including a plurality of first input data each having two randomly-selected valid values and invalid values, the software component including a plurality of first inputs, each first input being configured to receive respectively the first input data, the transmitted input data including the valid values of the first input data, the software component being configured to be executed a plurality of times, with one of the valid values of each of the first input data in the transmitted input data, the execution of the software component generating the image frame which has pixels in a visible or invisible state, depending on the selected valid values of the first input data and forming an image of the user intelligible information; and

receive a response acquired by the terminal from the user, the response depending on the user intelligible information in the generated image frame.

25. A computer program product loadable into a computer memory and comprising code portions which, when carried out by a computer, configure the computer to:

receive from a secure processor, a software component configured to generate an image frame including information intelligible to a user, and a plurality of input data of the software component, the input data including a plurality of first input data each having two randomly-selected valid values and invalid values, the software component including a plurality of first inputs configured to receive respectively the first input data, the received input data including the valid values of the first input data;

perform a plurality of times: selecting one of the valid values of each of the first input data in the received input data, executing the software component by applying the received input data to inputs of the software component and the selected valid value to the first input of the software component, the execution of the software component generating the image frame which has pixels in a visible or invisible state, depending on the selected valid values of the first input data and forming an image of the user intelligible information, displaying the image frame, acquiring from the user a response depending on the user intelligible information in the displayed image frame; and

transmit the acquired response to the secure processor.