KR101677249B1 - Security Apparatus and Method for Controlling Internet of Things Device Using User Token - Google Patents

Security Apparatus and Method for Controlling Internet of Things Device Using User Token Download PDF

Info

Publication number
KR101677249B1
KR101677249B1 KR1020150084418A KR20150084418A KR101677249B1 KR 101677249 B1 KR101677249 B1 KR 101677249B1 KR 1020150084418 A KR1020150084418 A KR 1020150084418A KR 20150084418 A KR20150084418 A KR 20150084418A KR 101677249 B1 KR101677249 B1 KR 101677249B1
Authority
KR
South Korea
Prior art keywords
control
request
user
pairing
token
Prior art date
Application number
KR1020150084418A
Other languages
Korean (ko)
Inventor
박영길
Original Assignee
주식회사 명인소프트
박영길
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 명인소프트, 박영길 filed Critical 주식회사 명인소프트
Priority to KR1020150084418A priority Critical patent/KR101677249B1/en
Application granted granted Critical
Publication of KR101677249B1 publication Critical patent/KR101677249B1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Disclosed are a security processing apparatus and a method thereof. According to an embodiment, the security processing apparatus may include: a user terminal which generates a control preamble generated in a user token, requests the generation of a control cryptograph about the control preamble generated in the user token, and receives the control cryptograph from the user token to transmit the control cryptograph to internet of things; and the user token which encodes the control preamble received from the user terminal through a private key to generate the control cryptograph, and transmits the generated control cryptograph to the user terminal.

Description

[0001] The present invention relates to a security processing apparatus and method for controlling an object Internet device using a user token,

And more particularly, to a security processing apparatus and method using a user token having an encryption function for controlling an object Internet device.

In recent years, the Internet has been studied to connect to the Internet by incorporating sensors and communication functions into various objects. Here, objects are systematically recognizable objects and can be various embedded systems such as home appliances, mobile equipment, and wearable computers.

The object Internet device can incorporate a sensor for data acquisition from an external environment, and can receive and control information from objects by transmitting / receiving data between devices based on wireless communication. However, if all objects are connected to the open Internet, they can be targets of hacking, etc. Therefore, strong security is required along with the development of the Internet of things.

Korean Patent Publication No. 20150035971 (2015.04.07)

It is an object of the present invention to provide a security processing apparatus and method for encrypting a user request for controlling a thing Internet device using a user token.

According to an aspect of the present invention, a security processing apparatus for controlling an object Internet apparatus generates a control message for controlling the object Internet apparatus, requests control ciphertext generation for a control message generated in the user token, And a user token for encrypting the control telegram received from the user terminal and the control telegraph received from the user terminal to generate a control ciphertext and transmitting the generated control ciphertext to the user terminal.

According to another aspect of the present invention, a user terminal includes a request receiver for receiving a request for registering a user token for controlling a thing Internet device from a user, a public key request unit for requesting a public key in a user token when a registration request is received, And a registration requesting unit for requesting registration of the public key by transmitting the registration specialist generated in the object Internet control apparatus to the registration specialist generating unit for generating the registration special based on the received public key.

According to another aspect, the user terminal includes a master token determination unit for determining whether a master token corresponding to the object Internet apparatus exists, and, if the master token exists as a determination result, requesting generation of a registration cipher text for the registration specialization generated in the master token The registration request unit may request registration of the public key by transmitting the received registration cipher text to the object Internet control apparatus when the registration cipher text is received from the master token.

According to another aspect of the present invention, a user terminal receives a request to establish or cancel a pairing with a destination Internet device from a user, and transmits an identifier of the user token to the destination Internet control device A ciphertext receiving unit for receiving a pairing cipher text obtained by encrypting at least one of an ID of an object Internet apparatus, a pairing time, and a random number of the object Internet apparatus from a public key of a user token, And a pairing requesting unit for requesting the pairing to be concluded or released by transmitting to the token.

According to another aspect of the present invention, a user token includes a request receiving unit for receiving a pairing or releasing request from a user terminal, a decryption unit for decrypting the pairing ciphertext with a private key when a pairing or canceling request is received from the user terminal, The Internet device ID, the pairing time, and the random number of the object Internet device on the basis of the object Internet device ID and the device random number And a pairing control unit for releasing the pairing based on at least one.

According to another aspect, the pairing control unit logs the control cipher generation time each time the control cipher is generated according to the control encryption request of the user terminal, and performs a pairing with other object Internet devices based on the generated control cipher text generation time The engagement can be controlled.

According to another aspect, the user token includes a request receiver for receiving a message authentication code (MAC) generation request for the object Internet device from the user terminal, A message authentication code generation unit for generating a message authentication code using a random number, and a communication unit for transmitting the generated message authentication code to the user terminal, wherein the user terminal attaches a message authentication code to the generated control message, Lt; / RTI >

According to one aspect, a security processing method for controlling an object Internet device includes the steps of: a user terminal generating a control telegram for controlling the object Internet apparatus and requesting generation of a control ciphertext for the control telegram generated in the user token; Generating a control ciphertext by encrypting the control telegraph received from the user terminal with a private key, generating a control ciphertext, transmitting the control ciphertext generated the user token to the user terminal, and receiving the control ciphertext from the user token, To the device.

According to another aspect, a security processing method includes receiving a registration request of a user token for controlling a thing Internet device from a user, requesting a public key from a user token when the user terminal receives a registration request, A step of generating a registration telegram based on the received public key when the terminal receives the public key from the user token and a step of requesting registration of the public key by transmitting the registration telegram generated by the user terminal to the object Internet control device .

According to another aspect, a security processing method includes: receiving a request for a pairing or release of a pairing with a destination Internet apparatus from a user terminal; receiving, when a user terminal issues a pairing or releasing request, Receiving a pairing cipher text in which the user terminal encrypts at least one of the ID of the object Internet apparatus, the pairing time, and the object internet apparatus random number with the public key of the user token from the object Internet control apparatus; And transmitting the pairing cipher text received by the mobile subscriber station to the user token to request paired ringing or cancellation.

It is possible to authenticate the user's access by encrypting and transmitting the request of the user for controlling the Internet device of the object, and it is possible to prevent the tampering of the user request.

1 is a block diagram of an object Internet system according to an exemplary embodiment of the present invention.
2 is a block diagram of a user terminal according to an exemplary embodiment of the present invention.
3 is a configuration diagram of a control processing unit according to an embodiment.
4 is a configuration diagram of a registration processing unit according to an embodiment.
5 is a configuration diagram of a paging processing unit according to an embodiment.
6 is a configuration diagram of a user token according to an embodiment.
7 is a flowchart illustrating a control-dedicated transmission method according to a user request according to an exemplary embodiment.
8 is a flowchart illustrating a method of registering a user token according to an embodiment.
9 is a flow chart illustrating a piercing engagement and release method according to one embodiment.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. In addition, the terms described below are defined in consideration of the functions of the present invention, which may vary depending on the intention of the user, the operator, or the custom. Therefore, the definition should be based on the contents throughout this specification.

Hereinafter, embodiments of the security processing apparatus and method will be described in detail with reference to the drawings.

1 is a block diagram of an object Internet system according to an exemplary embodiment of the present invention.

Referring to FIG. 1, the object Internet system may include a security processing apparatus 10 and an object Internet control apparatus 300. In addition, the security processing apparatus 10 may include a user terminal 100 and a user token 200.

According to an aspect, the security processing apparatus 10 can perform wired or wireless communication with the object Internet control apparatus 300. The object Internet control apparatus 300 may be connected to the object Internet apparatus itself or to at least one object Internet apparatus (not shown) to control the object internet apparatus and receive status information from the object internet apparatus. At this time, the object Internet control apparatus 300 can receive the control signal from the security processing apparatus 10 to control the object Internet apparatus, receive the status information of the object Internet apparatus, and transmit it to the security processing apparatus 10 Can be provided to the user.

According to one example, the Internet device for objects includes all kinds of objects such as home appliances such as a heating / heating device, a television, a security device such as a door lock, a surveillance camera, a wearable device such as a smart location, smart glasses, .

According to an example, the object Internet control apparatus 300 performs authentication of a user request received from the user terminal 100 such as a gateway and a server, performs registration and pairing of the user token 200, An interface for controlling an object Internet device, a memory, and a processor.

According to an aspect, the user terminal 100 generates a control telegram for control of the object Internet device, requests control ciphertext generation for the control telegram generated in the user token 200, And transmits the ciphertext to the object Internet control apparatus 300.

For example, the user terminal 100 may receive a request from a user to control the device. At this time, the user's request may be to select the object Internet device to be controlled or to select the operation of the object Internet device. When the user terminal 100 receives the control request from the user, the user terminal 100 may generate the control message including the identifier of the object Internet device and the contents of the control operation. In addition, the generated control specification may be transmitted to the user token 200 to request the control to be encrypted using the user token private key of the user token 200.

In this case, the user token 200 can encrypt the control telegram received from the user terminal 100 with the private key to generate the control ciphertext, and transmit the generated control ciphertext to the user terminal 100. According to one example, the user token 200 can be either an electronic identification card or credit card having an IC chip, an OTP (One Time Password) device capable of communication, and a digital terminal separate from the user terminal 200 And the user token 200 can perform a contact or non-contact communication with the user terminal. To this end, the user token 200 may perform RFID communication or NFC communication. However, these examples do not limit the scope of rights.

 The user terminal 100 may receive the ciphertext from the user token 200 and merge it with the ciphertext, and may transmit the ciphertext and the ciphertext to the ciphertext internet controller 300.

2 is a configuration diagram of a user terminal 100 according to an embodiment.

2, the user terminal 100 includes a request receiving unit 110, a control processing unit 130, a registration processing unit 150, a paging processing unit 170, a storage unit 180, and a transmission / reception unit 190 can do.

According to one example, the request receiver 110 may receive a request from the user to control the object Internet device. At this time, the user's request includes a control request including selection of object Internet apparatus and operation selection information for controlling the object Internet apparatus, a registration request for registering the user token 200, and a request for pairing the object Internet apparatus and the user token Lt; / RTI >

When the request receiving unit 110 receives a control request from the user, the control processing unit 130 generates a control message based on the information included in the control request and transmits the control message to the user token 200 through the transmitting / Control ciphers can be requested to generate control ciphers. Upon receiving the control ciphertext from the user token, the control processor 130 may merge the control ciphertext and the control ciphertext to the object Internet control device 300.

The registration processing unit 150 requests the public key from the user token 200 to be registered when the request receiving unit 110 receives the registration request of the new user token 200 from the user, It is possible to request registration of the user token to the object Internet control apparatus 300 by generating a registration telegram based on the public key of the token. Also, the registration processing unit 150 can receive the registration result from the object Internet control apparatus 300, and when the user token 200 is registered, stores the identifier of the user token for the pairing of the user token and the object Internet apparatus (180). ≪ / RTI >

The paging processor 170 reads an identifier of a user token to perform pairing from the storage unit 180 when the request receiver 110 receives a request to conclude or cancel the pairing from the user, To the object Internet control apparatus 300 so as to request the pairing or cancellation.

According to one example, the identifier of the user token may be at least one of the IC chip unique number or the hash value of the public key of the user token.

When the pairing request is received from the user terminal 100, the object Internet control apparatus 300 pads at least one of the device ID, the pairing time, and the random number of the object Internet apparatuses of the object Internet apparatuses to which the pairing is to be performed To generate a ciphertext with the public key of the user token to be concatenated. In addition, the object Internet control apparatus 300 concludes the pairing of at least one of the device IDs of the object Internet apparatuses and the object Internet apparatus random numbers to which the demultiplexing is to be performed according to the demage release request of the user terminal 200 The public key of the user token can be used to generate the ciphertext.

The paging processing unit 170 may receive the ciphertext required for paired or released pairing from the object Internet control apparatus 300 and transmit the ciphertext to the user token 200 to request the concatenation or cancellation of the pairing.

According to one embodiment, the storage unit 180 may store the identifier of the user token 200 after registering the user token 200, and the stored identifier may be used when concluding the pairing.

According to one embodiment, the transceiver 190 may perform contact or non-contact communication with the user token 200. For this, the transceiver 190 may perform short-range wireless communication, for example, RFID communication or NFC communication. However, the scope of the present invention is not limited thereto.

3 is a configuration diagram of the control processing unit 130 according to an embodiment.

3, the control processing unit 130 may include a control telegram generation unit 131, a cipher text generation request unit 133, and a control request unit 135.

When receiving the control request from the user, the control message generator 131 may generate the control message based on the information included in the control request. At this time, the control request of the user may be a request to select the kind of object Internet device to be controlled and the operation to be controlled. For example, if the user wishes to perform an operation of opening the door lock, the user can select the door lock of the object Internet device, and may request to select and control the door opening operation during the door lock operation. In this case, the control message generator 131 may generate a control message including the current time, the ID of the object Internet device, and the operation code of the operation to be controlled.

The cipher text generation requesting unit 133 can request the control to generate the control cipher text of the control message generated in the user token 200. [ For this, the cipher text generation unit 133 may transmit the generated control text to the transmitter / receiver unit 190 and transmit it to the user token 200.

The control request unit 135 may merge the control ciphertext with the control ciphertext received from the user token 200 and transmit the combined control ciphertext to the object Internet control apparatus 300. [

4 is a configuration diagram of the registration processing unit 150 according to an embodiment.

4, the registration processor 150 includes a public key requester 151, a registration professional generator 153, a registration requester 155, a master token decider 157, and a ciphertext generation requester 159, . ≪ / RTI >

The public key request unit 151 may request the public key from the user token 200 when the registration request is received. According to an example, when the user requests registration of a new user token 200, the public key request unit 151 uses the public key request unit 151 to interpret the ciphertext generated by the user token 200 The user token 200 may request the public key of the user token 200 to do so. According to another example, the user can request registration of the user token 200 to be used for controlling the object Internet device by selecting all or a part of the one or more object internet devices managed by the object Internet control device 300. [ According to another example, a plurality of user tokens 200 may request registration to be used to control the same object Internet device.

When the public key is received from the user token 200, the registration special-purpose generating unit 153 can generate the registration special based on the received public key. According to an example, the registration professional generation unit 153 can generate a registration telegram using the identifier and the public key of the user token 200 to be registered. According to another example, when the object Internet control apparatus 300 registers the user token 200, the registration special-purpose generating unit 153 may store the identifier in the storage unit 180. [

The registration request unit 155 may request the registration of the public key by transmitting the generated registration message to the object Internet control apparatus. For example, the registration request unit 155 can request registration of the public key by merging the special header into the registration telegram and transmitting it to the object Internet control apparatus 300.

The master token judging unit 157 can judge whether or not a master token corresponding to the object Internet apparatus exists (not shown). The master token may be a token provided with the object Internet device to control only a specific object Internet device. For example, if the object Internet device is a door lock, it may be a card key provided with the door lock and used for controlling the door lock.

According to an example, if there is a master token corresponding to the object Internet apparatus, a separate procedure may be required to register the user token 200 for controlling the object internet apparatus. Accordingly, the master token determination unit 157 can determine whether there is a corresponding master token among the object Internet devices managed by the object Internet control apparatus 300. [ According to one example, the master token deciding unit 157 receives information on the existence of a master token from the object Internet control apparatus 300 and determines whether the master token exists, can do.

When a user token 200 is registered using a master token according to an example, a third party such as a hacker attacks the user terminal 100 to register an arbitrary user token, It is possible to prevent the control operation.

The ciphertext creation request unit 159 may request the generation of a registration ciphertext for the registration specialist generated in the master token if the master token exists as a result of the determination. For example, if there is a master token, the registration specialist 153 may transmit the registration specialist generated by the registration specialist generation unit 153 to the master token to request the generation of the ciphertext using the private key of the master token.

5 is a configuration diagram of a paging processing unit 170 according to an embodiment. Pairing may be concluded between one user token 200 and one of the toll Internet devices for a certain period of time. In this case, the to-be-paired Internet device can be controlled only by the paired user token. This can prevent the control of other object Internet devices by using the registered user token by controlling only one object Internet device while the user token 200 is used, thereby preventing abuse of a third party such as a hacker have.

5, the paging processing unit 170 may include an identifier transmission unit 171, a ciphertext receiving unit 173, and a pairing request unit 175.

According to one embodiment, the identifier transmission unit 171 may transmit an identifier of the user token to the things Internet control device 300 when the request for pinging or canceling is received. According to an example, when a pairing is requested from a user, the identifier transmitting unit 171 can read the identifier of the user token to be paired from the storing unit 180. [ According to one example, the identifier of the user token may be at least one of the IC chip unique number or the hash value of the public key of the user token. The identifier transmitting unit 171 may transmit the identifier of the read user token to the object Internet control apparatus 300 to request pairing.

According to another example, pairing may be a pairing between one user token 200 and one Internet connection. In this case, when the pairing is concluded, the corresponding user token 200 can control only the Internet connection of the pairing. In other words, the things Internet control device 300 can only allow encrypted requests to be paired with the user token 200 until the next paging request.

According to another example, when the object Internet control apparatus 300 receives the pairing request, the object Internet control apparatus 300 generates a device random number of the object Internet apparatus to which the pairing is to be concluded, identifies the ID of the object Internet apparatus to be paired, And a pairing time of the user token to be paired with the public key of the user token. Then, the object Internet control apparatus 300 can transmit the generated ciphertext to the user terminal 100. [

For example, the ID of the object Internet device may include a manufacturer ID for identifying a company manufacturing and producing the object Internet device, a product model ID for identifying the object Internet device product model number, and a object Internet device product serial number And an extended ID for identifying a product serial ID and an object Internet device that has not been given an object identifier.

In another example, when receiving a pairing request for a door lock from a user, the identifier transmitting unit 171 transmits an identifier of the user token 200 to be paired with the door lock to the things Internet control device 300 , The object Internet control apparatus 300 may generate the ID of the door lock, the pairing time, and the device random number of the door lock to generate a cipher text using the public key of the user token 200.

 At this time, the paging time may include at least one of the current time of the object Internet control apparatus 300 and the period information to be paired with the object internet apparatus.

In one embodiment, the object Internet control apparatus 300 can manage the paging time, i.e., the period of performing the pairing, for each object Internet apparatus according to the characteristics of the object Internet apparatus.

When the object Internet control apparatus 300 receives the pairing request with the door lock, the object Internet control apparatus 300 transmits a pairing cipher text (or a pair of cipher texts) so as to include at least one of the current time and the time to perform pairing with the door lock Can be generated.

The ciphertext receiving unit 173 can receive a pairing cipher text obtained by encrypting at least one of the ID of the object Internet apparatus, the pairing time, and the object Internet apparatus random number from the object Internet control apparatus 300 using the public key of the user token. The pairing request unit 175 may transmit the received pairing ciphertext to the user token 200 to request the pairing or cancellation. At this time, the pairing request unit 175 may transmit the current time information to the user token 200 by attaching the current time information to the cipher text.

6 is a configuration diagram of a user token 200 according to an embodiment.

6, the user token 200 includes a request receiving unit 210, a cipher text generating unit 220, a public key processing unit 230, a decrypting unit 240, a pairing control unit 250, an authentication code generating unit 260, a communication unit 270, and a storage unit 280.

According to an example, the request receiver 210 may receive a request for a ciphertext generation request, a pairing or cancel request from a user terminal, or a message authentication code (MAC) generation request for a destination Internet device from a user terminal .

The ciphertext generation unit 220 may generate a control ciphertext by encrypting the received control ciphertext with the private key when receiving the ciphertext request for the control telegraph from the user terminal 100. [ According to one embodiment, the cipher text generation unit 220 may generate the control cipher text using asymmetric cryptography. Asymmetric encryption uses a public key and a private key. The public key is a key that anyone can know. A user token 200 is provided to the object Internet control device 300 at the time of registration. The private key is a user token 200).

When the public key processing unit 230 receives a request for a public key from the user terminal 100, the public key processing unit 230 may read the public key from the storage unit 280 and transmit the public key to the user terminal 100. For example, in order to use asymmetric encryption, the things Internet control device 300 needs to know the public key of the user token 200. Accordingly, when registering the user token 200, the user terminal 100 requests the public key from the user token 200, and the public key processing unit 230 receives the public key from the storage unit 280 The public key corresponding to the private key can be read and transmitted to the user terminal 100.

The decryption unit 240 can decrypt the pairing ciphertext with a private key when a pairing or release request is received from the user terminal. According to one example, when the pairing is engaged or released, the user terminal 100 requests a piercing connection or termination to the object Internet control apparatus 300, and the object Internet control apparatus 300 transmits Encrypts the necessary information with the public key of the user token 200, and provides the encrypted information to the user terminal 100. Then, the user terminal 100 transmits the received information to the user token 200, and requests the user to conclude or cancel the pairing. In this case, the decryption unit 240 can decrypt the received ciphertext using the private key and obtain the pairing concatenation or cancellation information.

The pairing control unit 250 performs a pairing with the object Internet apparatus based on at least one of the object internet apparatus ID and the pairing time in response to the request for pairing and transmits the object Internet apparatus ID and the object Internet apparatus ID It is possible to cancel the pairing based on at least one of the device random numbers. The pairing controller 250 stores the ID, the device random number, and the paging time of the Internet device decrypted by the decryption unit 240 in the storage unit 280, The ring can be fastened.

For example, the pairing controller 250 may check the validity of the pairing request using the paging time. That is, when the current time information exists at the paging time included in the cipher text received from the user terminal 100, the validity of the paired connection can be checked using the current time information.

For example, the pairing controller 250 includes the current time information at the paging time of the pairing ciphertext received from the user terminal 100, and the current time information of the user terminal in the pairing cipher text by the user terminal 100 The pairing control unit 250 compares the current time generated by the object Internet control apparatus 300 with the current time generated by the user terminal 100. If the difference between the two times is within a predetermined time, It is determined that the ring request is valid and the pairing can be concluded.

As another example, if the period information for performing the pairing at the paging time is included, the user token A can control the door lock (device ID: B) as the object Internet device to be paired for 10 minutes of the paging time. In this case, the user token A will control only the door lock B for 10 minutes when the pairing is engaged.

According to another example, when the pairing control unit 250 receives the demarcation request, the decryption unit 250 receives the ID of the object Internet apparatus and the device random number from the decryption unit, and obtains the ID of the object Internet apparatus stored in the storage unit, Comparison can be made, and if the information matches, the pairing can be canceled.

For example, the pairing controller 250 may reject an additional pairing request for a certain period of time after releasing the pairing. At this time, the pairing controller 250 may log the release time when the pairing is released, and may reject another pairing request for a predetermined short time (e.g., 10 seconds, 20 seconds) from the logging time. For example, when receiving a pairing request from the user terminal 100, the pairing control unit 250 compares the current time included in the pairing time of the received pairing cipher text with the logged pairing canceling time, If it is within the time limit, the pairing request can be rejected.

According to another example, the pairing control unit 250 logs the control cipher generation time each time the control cipher text is generated according to the control encryption request of the user terminal, and transmits the control cipher text to the other object Internet devices Can be controlled.

For example, each time the ciphertext generation unit 220 generates a ciphertext, the pairing control unit 250 generates a ciphertext generation time period based on the current time information included in the control telegram, the registration telegram, and the like transmitted from the user terminal 100 Can be logged. The pairing controller 250 can use the current time information of the logged time and the paging time to determine whether the pairing is requested within a predetermined time (e.g., 10 minutes, 20 minutes) from the recently logged time have. As a result of the determination, when paired with another object Internet apparatus is requested within the preset time, if the period information to perform the pairing is included in the paging time of the pairing ciphertext received from the user terminal 100, The ring control unit 250 calculates the final connection time from the last logging time for the object Internet apparatus and keeps the pairing for a period during which the pairing is to be performed and rejects the pairing request with another object Internet apparatus .

For example, the pairing control unit 250 may log the paging time and prevent the paging from being concluded again at the current time after the paired fastening or termination at the future time. For example, if the pairing is set at 00:00 and the present time is 00:05, the third party can make the pairing cancel command at 00:15, which is after 00:10, When the ringing is requested and the pairing is requested at 00:05, the pairing controller 250 can reject the pairing based on the current time.

When the message authentication code generation request is received, the authentication code generation unit 260 may generate a message authentication code using the device random number for the object Internet device. According to an example, the user token 200 may check the ID of the paired object Internet device when receiving a request for generating a message authentication code from the user terminal 100 when the pairing is concluded. Thereafter, the authentication code generation unit 260 may generate a message authentication code using the device random number of the object Internet apparatus to which the pairing is performed, instead of generating the cipher text using the private key. The generated message authentication code can be transmitted to the user terminal through the communication unit 270.

The storage unit 280 may store the private key and the public key of the user token, and may store the ID of the object Internet device, the device random number, and the paging time.

7 is a flowchart illustrating a control-dedicated transmission method according to a user request according to an exemplary embodiment.

Referring to FIG. 7, the user terminal 100 may receive a control request from a user (710). Upon receipt of the control request from the user, the user terminal may generate the control message based on the information included in the control request (720). At this time, the control request of the user may be a request to select the kind of object Internet device to be controlled and the operation to be controlled. For example, if the user wishes to perform an operation of opening the door lock, the user can select the door lock of the object Internet device, and may request to select and control the door opening operation during the door lock operation. In this case, the control telegram generation unit 131 may generate the control telegram using the ID of the object Internet apparatus and the operation code of the operation to be controlled.

After generating the control telegram, the user terminal 100 requests the user token 200 to generate the ciphertext of the control telegram. When the user token 200 receives the ciphertext request for the control telegram from the user terminal 100, the received control ciphertext may be encrypted with the private key to generate the control ciphertext (740). According to one embodiment, the user token 200 may generate the controlled ciphertext using asymmetric encryption. Asymmetric encryption uses a public key and a private key. The public key is a key that anyone can know. A user token 200 is provided to the object Internet control device 300 at the time of registration. The private key is a user token 200).

When the ciphertext is generated, the user token 200 transmits the generated ciphertext to the user terminal 100 (750). Thereafter, the user terminal 100 merges the control ciphertext with the control ciphertext received from the user token, and transmits the control ciphertext to the object Internet control apparatus 300 (770).

8 is a flowchart illustrating a method of registering a user token according to an embodiment.

Referring to FIG. 8, the user terminal 100 may be requested to register a new user token from the user (810). Upon receipt of the registration request, the user terminal 100 may request a public key for the user token 200 (820). Upon receiving the registration request from the user terminal 100, the user token 200 reads the public key of the photograph (830) and transmits the read public key to the user terminal 100 (840). For example, in order to use asymmetric encryption, the things Internet control device 300 needs to know the public key of the user token 200. Accordingly, when registering the user token 200, the user terminal 100 requests the public key from the user token 200, and the user token 200 reads the public key corresponding to the private key of the user token 200 To the user terminal (100).

Thereafter, when the public key is received from the user token 200, the user terminal 100 generates a registration telegram based on the received public key (850). According to an example, the user terminal 100 may generate a registration telegram using the identifier and the public key of the user token 200 to be registered.

When the registration telegram is generated, the user terminal determines whether there is a master token corresponding to the object Internet apparatus managed by the object Internet control apparatus 300 (860). For example, if there is a master token corresponding to the object Internet apparatus, a separate procedure may be required to register the user token 200 for controlling the object Internet apparatus. Accordingly, the user terminal 100 can determine whether there is a corresponding master token among the object Internet devices managed by the object Internet control apparatus 300. [ According to an example, the user terminal 100 may receive information on whether or not a master token exists from the object Internet control apparatus 300, or may receive information on the presence or absence of a master token directly from a user have.

According to an example, if there is no master token, the user terminal 100 merges the special header and the specialization without separately encrypting the generated registration message (870), and transmits the merged message to the object Internet control apparatus 300 to request registration of the public key (880).

According to another example, if there is a master token, the user terminal 100 requests 850 the registration token encryption in the master token 400. In this case, the master token 400 generates a cipher text of the registration specialization using the private key of the master token it owns (981). Then, the master token 400 transmits the generated ciphertext to the user terminal 100 (Step 893). The user terminal merges the ciphertext and the special header (Step 895), and the merged ciphertext is sent to the object Internet control apparatus 300 And requests public key registration (897).

9 is a flow chart illustrating a piercing engagement and release method according to one embodiment.

Referring to FIG. 9, the user terminal 100 may receive a request to conclude or cancel the user token from the user (910). Upon receiving the request for pinging or canceling the connection, the user terminal 100 reads the identifier of the user token held by the user terminal 100 (920). According to one example, the identifier of the user token may be at least one of the IC chip unique number or the hash value of the public key of the user token.

Then, the user terminal 100 may transmit the identifier of the read user token to the object Internet control apparatus 300 to request the concatenation or cancellation of the pairing (930). In this case, when the object Internet control apparatus 300 receives the pairing request, it generates the device random number of the object Internet apparatus to which the pairing is to be concluded, identifies the ID of the object Internet apparatus to be paired, (940) with the public key of the user token to which the paging is to be concatenated. Thereafter, the object Internet control apparatus 300 may transmit the generated cipher text to the user terminal 100 (950).

When the user terminal 100 receives a pairing cipher text obtained by encrypting at least one of the ID, the pairing time and the object Internet apparatus random number of the object Internet apparatus from the object Internet control apparatus 300 using the public key of the user token, May send the received paired ciphertext to the user token to request pinging or release (960).

In this case, the user token 200 decrypts the pairing ciphertext with the private key to obtain the pairing concatenation / deactivation information, and transmits the pairing concatenation / deactivation information to the object Internet apparatus 200 based on at least one of the object internet apparatus ID and the pairing time (970) based on at least one of the object Internet apparatus ID and the device random number in response to the demarcation request.

One aspect of the present invention may be embodied as computer readable code on a computer readable recording medium. The code and code segments implementing the above program can be easily deduced by a computer programmer in the field. A computer-readable recording medium may include any type of recording device that stores data that can be read by a computer system. Examples of the computer-readable recording medium include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical disk, and the like. In addition, the computer-readable recording medium may be distributed to networked computer systems and written and executed in computer readable code in a distributed manner.

The present invention has been described with reference to the preferred embodiments. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the scope of the present invention should not be limited to the above-described embodiments, but should be construed to include various embodiments within the scope of the claims.

10: Security processing device 100: User terminal
110: request receiver 130: control processor
150: Registration processor 170: Pairing processor
180: Storage unit 190: Transmitting /
200: user token 210: request receiver
220: cipher text generation unit 230: public key processing unit
240: Decoding unit 250: Pairing control unit
260: Authentication code generation unit 270:
280: storage unit 300: object Internet control device

Claims (10)

A security processing device for controlling an object Internet device,
A user terminal for generating a control telegram for controlling the Internet device, requesting a user token to generate a control ciphertext for the generated control telegram, receiving the control ciphertext from the user token, and transmitting the control ciphertext to the Internet control device; And
A user token for receiving the control telegram from a user terminal using contact or near field communication, generating a control cipher text by encrypting the received control telegram with a private key, and transmitting the generated control cipher text to a user terminal; / RTI >
Wherein the user token is one of an electronic ID card, a credit card, and an OTP (One Time Password) device, which is a terminal device separate from the user terminal. The method according to claim 1,
The user terminal
A request receiving unit for receiving a registration request of a user token for controlling a destination Internet device from a user;
A public key request unit for requesting a public key in a user token when the registration request is received;
A registration professional generating unit for generating a registration special based on the received public key when the public key is received from the user token; And
A registration request unit for requesting registration of the public key by transmitting the generated registration telegram to the object Internet control apparatus; The security processing apparatus comprising: 3. The method of claim 2,
The user terminal
A master token determination unit for determining whether or not a master token corresponding to the object Internet apparatus exists; And
Further comprising a ciphertext generation requesting unit for requesting a master token to generate a registration ciphertext for the generated registration specialist if the master token exists as a result of the determination,
The registration request unit
And when the registration ciphertext is received from the master token, transmits the received registered ciphertext to the object Internet control apparatus to request registration of the public key. The method according to claim 1,
The user terminal
A request receiving unit for receiving a request to conclude or cancel a pairing with a destination Internet apparatus;
An identifier transmitting unit for transmitting an identifier of the user token to the object Internet control apparatus when the paired affixing or canceling request is received;
A ciphertext receiving unit for receiving a pairing ciphertext obtained by encrypting at least one of an ID of an object Internet apparatus, a pairing time, and a random number of the object Internet apparatus from the object Internet control apparatus using a public key of a user token; And
A pairing request unit for transmitting the received pairing cipher text to a user token to request a pairing or canceling; The security processing apparatus comprising: 5. The method of claim 4,
The user token
A request receiver for receiving a pairing or canceling request from a user terminal;
A decryption unit decrypting the pairing ciphertext with a private key when a pairing or release request is received from the user terminal; And
And performs a pairing with the object Internet apparatus based on at least one of the object internet apparatus ID, the pairing time, and the random number of the object Internet apparatus in response to the request for paired ringing, And a pairing controller for releasing the pairing based on at least one of the device random number. 6. The method of claim 5,
The pairing control unit
Wherein each time a control ciphertext is generated in response to a control encryption request of a user terminal, a control ciphertext generation time is logged and a pairing control with another object Internet apparatus is controlled based on the logged control ciphertext generation time. The method according to claim 1,
The user token
A request receiving unit for receiving a message authentication code (MAC) generation request for the object Internet device from the user terminal;
A message authentication code generation unit for generating a message authentication code using the device random number for the object Internet device when the message authentication code generation request is received; And
And a communication unit for transmitting the generated message authentication code to a user terminal,
The user terminal
And attaches the message authentication code to the generated control message to transmit to the object Internet control device. A security processing method for controlling an object Internet device,
The user terminal generates a control telegram for controlling the object Internet device, and requests the user token to generate a control ciphertext for the generated control telegram;
Receiving a control telegram from a user terminal using a user token using contact or near field communication;
Encrypting the received control telegram with a private key to generate a control ciphertext;
The user token sending the generated control ciphertext to the user terminal; And
The user terminal receiving the control ciphertext from the user token and transmitting the control ciphertext to the object Internet control device; Lt; / RTI >
Wherein the user token is one of an electronic ID card, a credit card, and an OTP (One Time Password) device, which is a terminal device separate from a user terminal. 9. The method of claim 8,
The security processing method
Receiving a registration request of a user token for controlling a destination Internet device from a user terminal;
Requesting a public key in a user token when a user terminal receives a registration request;
If the user terminal receives a public key from the user token, generating a registration telegraph based on the received public key; And
The user terminal transmits the generated registration message to the object Internet control device to request registration of the public key; Further comprising: 9. The method of claim 8,
The security processing method
The method comprising the steps of: a user terminal receiving a pairing or cancel request from a user with a destination Internet device;
Transmitting an identifier of the user token to the object Internet control apparatus when the user terminal receives the request for paired connection or release;
Receiving a pairing cipher text in which a user terminal encrypts at least one of an ID of an object Internet device, a pairing time, and a random number of the object Internet device from the object Internet control device using a public key of a user token; And
The user terminal transmits the received pairing cipher text to a user token to request a pairing or cancellation; Further comprising:
KR1020150084418A 2015-06-15 2015-06-15 Security Apparatus and Method for Controlling Internet of Things Device Using User Token KR101677249B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150084418A KR101677249B1 (en) 2015-06-15 2015-06-15 Security Apparatus and Method for Controlling Internet of Things Device Using User Token

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150084418A KR101677249B1 (en) 2015-06-15 2015-06-15 Security Apparatus and Method for Controlling Internet of Things Device Using User Token

Publications (1)

Publication Number Publication Date
KR101677249B1 true KR101677249B1 (en) 2016-11-17

Family

ID=57542159

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150084418A KR101677249B1 (en) 2015-06-15 2015-06-15 Security Apparatus and Method for Controlling Internet of Things Device Using User Token

Country Status (1)

Country Link
KR (1) KR101677249B1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018143510A1 (en) * 2017-02-02 2018-08-09 주식회사 시옷 Internet of things security module
KR20210090379A (en) 2020-01-10 2021-07-20 동서대학교 산학협력단 Blockchain-based access control method for the internet of thing device
KR20210090372A (en) 2020-01-10 2021-07-20 동서대학교 산학협력단 Blockchain-based authenticaton and revocation method for the internet of things gateway
KR20210090375A (en) 2020-01-10 2021-07-20 동서대학교 산학협력단 Blockchain-based authenticaton and revocation method for the internet of things device
CN116318899A (en) * 2023-02-17 2023-06-23 深圳市创势互联科技有限公司 Data encryption and decryption processing method, system, equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040012824A (en) * 2001-05-14 2004-02-11 마츠시타 덴끼 산교 가부시키가이샤 Electronic device control apparatus
KR20060058789A (en) * 2004-11-25 2006-06-01 한국전자통신연구원 Method and apparatus for data security on home network system
KR101491730B1 (en) * 2013-12-09 2015-02-09 에스케이 텔레콤주식회사 Method for Providing Machine to Machine Encryption Service and Apparatus Therefor
KR20150035971A (en) 2015-03-18 2015-04-07 문종섭 A secure Data Communication protocol between IoT smart devices or sensors and a Network gateway under Internet of Thing environment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040012824A (en) * 2001-05-14 2004-02-11 마츠시타 덴끼 산교 가부시키가이샤 Electronic device control apparatus
KR20060058789A (en) * 2004-11-25 2006-06-01 한국전자통신연구원 Method and apparatus for data security on home network system
KR101491730B1 (en) * 2013-12-09 2015-02-09 에스케이 텔레콤주식회사 Method for Providing Machine to Machine Encryption Service and Apparatus Therefor
KR20150035971A (en) 2015-03-18 2015-04-07 문종섭 A secure Data Communication protocol between IoT smart devices or sensors and a Network gateway under Internet of Thing environment

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018143510A1 (en) * 2017-02-02 2018-08-09 주식회사 시옷 Internet of things security module
KR20210090379A (en) 2020-01-10 2021-07-20 동서대학교 산학협력단 Blockchain-based access control method for the internet of thing device
KR20210090372A (en) 2020-01-10 2021-07-20 동서대학교 산학협력단 Blockchain-based authenticaton and revocation method for the internet of things gateway
KR20210090375A (en) 2020-01-10 2021-07-20 동서대학교 산학협력단 Blockchain-based authenticaton and revocation method for the internet of things device
CN116318899A (en) * 2023-02-17 2023-06-23 深圳市创势互联科技有限公司 Data encryption and decryption processing method, system, equipment and medium
CN116318899B (en) * 2023-02-17 2023-10-17 深圳市创势互联科技有限公司 Data encryption and decryption processing method, system, equipment and medium

Similar Documents

Publication Publication Date Title
US20160277933A1 (en) Secure Data Communication system between IoT smart devices and a Network gateway under Internet of Thing environment
JP4647903B2 (en) Information communication apparatus, communication system, and data transmission control program
JP4545197B2 (en) Wireless network system and communication method using the same
CN107659406B (en) Resource operation method and device
KR101677249B1 (en) Security Apparatus and Method for Controlling Internet of Things Device Using User Token
US20080109654A1 (en) System and method for RFID transfer of MAC, keys
JP4803145B2 (en) Key sharing method and key distribution system
JP2017514421A (en) Authentication apparatus and method
JP2011511350A (en) Access control management method and apparatus
KR20100071209A (en) Verification of device using device tag
KR20120072032A (en) The system and method for performing mutual authentication of mobile terminal
US10805276B2 (en) Device and methods for safe control of vehicle equipment secured by encrypted channel
KR101482938B1 (en) Method of preventing authorization message, server performing the same and user terminal performing the same
KR20190038632A (en) Method for provisioning a first communication device using a second communication device
US10511946B2 (en) Dynamic secure messaging
KR102322605B1 (en) Method for setting secret key and authenticating mutual device of internet of things environment
US11178137B2 (en) System for IoT devices communicating with server using a tentative common key
KR101745482B1 (en) Communication method and apparatus in smart-home system
KR20150005788A (en) Method for authenticating by using user's key value
JP2017108237A (en) System, terminal device, control method and program
JP7141723B2 (en) Apparatus, system and method for controlling actuators via wireless communication system
WO2018172776A1 (en) Secure transfer of data between internet of things devices
KR20190115489A (en) IOT equipment certification system utilizing security technology
US11003744B2 (en) Method and system for securing bank account access
KR101790121B1 (en) Method and System for certificating electronic machines

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20191002

Year of fee payment: 4