KR101743951B1 - Digital Signature Device and Digital Signature Method Using It - Google Patents

Digital Signature Device and Digital Signature Method Using It Download PDF

Info

Publication number
KR101743951B1
KR101743951B1 KR1020150154272A KR20150154272A KR101743951B1 KR 101743951 B1 KR101743951 B1 KR 101743951B1 KR 1020150154272 A KR1020150154272 A KR 1020150154272A KR 20150154272 A KR20150154272 A KR 20150154272A KR 101743951 B1 KR101743951 B1 KR 101743951B1
Authority
KR
South Korea
Prior art keywords
digital signature
biometric information
unit
security token
user
Prior art date
Application number
KR1020150154272A
Other languages
Korean (ko)
Other versions
KR20170052162A (en
Inventor
홍주형
이기훈
이상준
Original Assignee
주식회사 시큐센
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 시큐센 filed Critical 주식회사 시큐센
Priority to KR1020150154272A priority Critical patent/KR101743951B1/en
Publication of KR20170052162A publication Critical patent/KR20170052162A/en
Application granted granted Critical
Publication of KR101743951B1 publication Critical patent/KR101743951B1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to an electronic signature apparatus and an electronic signature method using the same, and more particularly, to an electronic signature apparatus and an electronic signature method using the same that enhance security and user convenience based on biometric information recognition.

Description

Technical Field [0001] The present invention relates to a digital signature device and a digital signature method using the same,

The present invention relates to an electronic signature apparatus and an electronic signature method using the same, and more particularly, to an electronic signature apparatus and an electronic signature method using the same that enhance security and user convenience based on biometric information recognition.

With the development of personal computers and the Internet, transactions and services using open networks such as Internet banking, electronic transactions, and electronic information services are being activated. In such electronic transactions and the like, digital signatures, which prevent forgery and alteration of electronic documents and provide functions such as non-repudiation to electronic transaction acts, are becoming essential elements along with the establishment of the accredited certificate system.

Generally, electronic signatures are widely used as a means of subscriber authentication in a login step such as internet banking, a cyber securities transaction, a credit card homepage, etc., an account transfer step, or a credit card payment step. Conventionally, a digital signature process using a public certificate is performed on a PC used by a user. In this case, a user authentication module in the form of a plug-in that operates on a web browser must be installed in the user PC. In the conventional authorized authentication module, the user interface for digital signature generation has the following configuration.

- Menu to select certificate to use for digital signature

- Input window to enter the certificate password

- buttons (for example, hard disk, removable disk, storage token, security token, mobile phone, etc.)

In this user interface configuration, when the user selects the hard disk button, the authorized authentication module can search the authorized certificate stored in the hard disk of the user PC and list the authorized certificate in the certificate selection window. Likewise, if the user selects the mobile disk button, the authorized authentication module can search the USB memory device connected to the user PC and list the USB memory device in the certificate selection window. The user can then select one of the listed certificates. After that, the user can input the certificate password into the input window using a keyboard or the like to proceed the digital signature. When the certificate password is inputted, the authorized authentication module performs digital signature using the selected public key certificate, electronic signature key, and certificate password, and transmits the generated digital signature value to the requested Internet banking, cyber securities transaction, credit It can be transmitted to the corresponding web site as means of subscriber authentication at the login step such as the card homepage, the account transfer step, or the credit card payment step.

Normally, a public certificate and an electronic signature key can be stored in a hard disk of a user PC, or a universal serial bus (USB) memory. One of the most common cases is to store a public certificate and an electronic signature key on the PC's hard disk. However, in this case, when a keyboard hacking program, a malicious virus, or the like is installed on the PC, or when the user accesses the phishing site unintentionally, the authentication certificate, the digital signature key, and / or the authorized certificate password are exposed to a third party There was a risk of being able to.

In order to prevent such exposure, a technology of a security token (Hardware Security Module) has been developed as a storage medium that can more safely manage and carry a subscriber's private key.

Such a security token is an apparatus capable of generating and storing an encryption key in independent hardware, and can encrypt, decrypt, and digitally sign with the encryption key inside the apparatus. However, since the encryption key itself is not leaked out, It has security.

Such a security token operates by its own controller or firmware, and interfaces with an external device according to the standard. However, such a security token typically has a small amount of memory, such as 32 KB, and can not handle application programs or complex operations on its own.

 Accordingly, when a security token is used in a user terminal, an ActiveX or other application program downloaded from a homepage of a financial server or an authentication server of a user terminal is installed in the user terminal, and thereafter, the user terminal connects to the security token, Signing step can be performed.

However, in the case of such ActiveX or application programs, there is a problem of completing with other programs such as OS, a problem of security vulnerability during downloading and installation, an error in using ActiveX or application program itself, There are many problems such as user inconvenience in the course of the process. In addition, in the case of the conventional security token, it is troublesome to install the smart card reader driver in the user terminal connecting the security token.

Meanwhile, in order to further enhance security, an authentication procedure using fingerprint information has been proposed. However, when authentication is performed using only such fingerprint information, the risk of hacking from outside increases, and problems such as leakage of fingerprint information may occur. Further, in order to drive a terminal for reading fingerprint information and extract a fingerprint template from the fingerprint information, a separate Active X or application program must be installed in the user terminal, and such an Active X or application program also causes problems .

Korean Registered Patent No. 10-1543222 'Financial transaction relay system having multiple security lock functions and processing method thereof' Korean Patent Laid-Open Publication No. 10-2005-0050280 'Authentication method using fingerprint information and authentication number'

An object of the present invention is to provide an electronic signature apparatus and an electronic signature method using the same that enhance security and user convenience based on biometric information recognition.

According to an aspect of the present invention, there is provided a web server comprising: a web server unit receiving a digital signature request from a user terminal and transmitting the generated digital signature to a user terminal; A biometric information recognition module for recognizing biometric information and verifying the recognized biometric information; A security token for generating a digital signature when verification of the biometric information is confirmed in the biometric information recognition module; And an electronic signature generation unit, connected to the web server unit, for performing a task request to the security token and the biometric information recognition module, wherein the web server unit comprises: A signature device is provided.

In the present invention, the digital signature device further includes an electronic signature generation unit, wherein the digital signature generation unit includes: a web server unit interfacing unit for performing interfacing with the web server unit; A security token interfacing unit for interfacing with the security token; And a biometric information recognition module interfacing unit for performing interfacing with the biometric information recognition module.

In the present invention, the biometric information recognition module may include: a biometric information recognition unit for performing biometric information recognition; A biometric information verifying unit for verifying previously stored biometric information and recognized biometric information; And an electronic signature request unit for requesting the electronic signature generation unit to generate an electronic signature when the biometric information recognized by the biometric information verification unit is verified.

In the present invention, the security token interfacing unit may include a standard API of PKCS # 11, and may interface with the security token according to the PKCS # 11 standard.

In the present invention, the security token may be operated independently of the digital signature generation unit.

In the present invention, the web server unit receives a digital signature request from a user terminal in accordance with the HTTPS standard, and the web server unit sends an electronic signature request to the digital signature generation unit, and the digital signature generation unit transmits the digital signature to the biometric information recognition module interfacing unit Wherein the digital signature generation unit receives a biometric information verification request from the biometric information recognition module and transmits the security token digital signature to the security token through the security token interfacing unit, And the web server unit may transmit the digital signature generated in the security token to the user terminal through communication according to the HTTPS standard.

In the present invention, the digital signature apparatus further includes a digital signature history management unit, wherein the digital signature history management unit stores the digital signature request received from the user terminal, the generated digital signature transmitted to the user terminal, The history of the signature request and the generated digital signature transmitted to the user terminal can be recorded.

In the present invention, the digital signature history management unit may transmit the recorded history related to the digital signature to the external digital signature management server through the web server unit.

In the present invention, the biometric information of two or more users can be registered in the digital signature device, and the biometric information verification unit verifies whether the recognized biometric information matches one of the biometric information of the two or more registered users .

In the present invention, the digital signature apparatus further includes a digital signature history management unit, wherein the digital signature history management unit stores the digital signature request received from the user terminal, the generated digital signature transmitted to the user terminal, A signature request and a history of the generated digital signature sent to the user terminal and authenticated user information.

According to an aspect of the present invention, there is provided a web server comprising: a web server unit receiving a user password and an electronic signature request from a user terminal and transmitting the generated digital signature to a user terminal; A biometric information recognition module for recognizing biometric information and verifying the recognized biometric information; A security token that generates an electronic signature; A web server interfacing unit for interfacing with the web server unit, a security token interfacing unit for interfacing with the security token, a biometric information recognition module interfacing unit for interfacing with the biometric information recognition module, And a user password storing and verifying unit for verifying whether a user password stored in the user information storage unit and stored in the user information storage unit is stored in the storage unit and the user password received from the user terminal matches the user password of the legitimate user, Verification is confirmed and the user's password received from the user terminal matches the user's password stored in the user password storage and verification unit, the web server unit generates a digital signature, and the web server unit communicates with the user terminal in accordance with the HTTPS standard To do And it provides an electronic signature device.

According to an aspect of the present invention, there is provided an electronic signature requesting method, comprising: receiving an electronic signature request from a user terminal through a communication according to HTTPS standard; A first digital signature generation request step in which the web server unit issues a digital signature generation request to the digital signature generation unit; A biometric information recognition and verification request step in which the digital signature generation unit performs a biometric information recognition and verification request to the biometric information recognition module; A biometric information recognition and verification step of receiving biometric information of a user from the outside in the biometric information recognition module and discriminating whether or not the biometric information matches the biometric information of a previously stored user; A second digital signature generation step of performing a digital signature generation request to the digital signature generation unit by the biometric information recognition module when the biometric information of the user inputted from the biometric information recognition module coincides with the biometric information of the user, ; A third digital signature generation request step in which the digital signature generation unit performs a digital signature generation request to the security token; Performing an electronic signature in which the security token performs a digital signature; A first digital signature transmission step in which the security token transmits an electronic signature to the digital signature generation unit; The digital signature generation unit may include: a second digital signature transmission step of transmitting the received digital signature to the web server unit; And an electronic signature transmission step of the web server unit transmitting an electronic signature to the user terminal by communication according to the HTTPS standard.

In the present invention, the web server unit, the digital signature generation unit, and the biometric information recognition module may be operated by a single independent operating system, and the security token may be controlled by a controller independent of the operating system.

In the present invention, one or both of the biometric information recognition and verification request step and the third digital signature creation request step may be performed by an internal API stored in the digital signature generation unit.

In the present invention, the third digital signature creation request step may be performed according to the standard of PKCS # 11.

The present invention may further include an electronic signature history recording step of recording a history of one or both of the first digital signature creation request step and the digital signature performing step.

The present invention may further comprise a signature history transmission step of transmitting the recorded digital signature related history to an external digital signature management server through the web server unit.

According to an aspect of the present invention, there is provided an electronic signature method using an electronic signature apparatus including a web server unit, an electronic signature generation unit, a security token, and a biometric information recognition module, An electronic signature request receiving step of receiving an electronic signature request by communication according to a standard; A biometric information recognition and verification step of receiving biometric information of a user from the outside in the biometric information recognition module and discriminating whether or not the biometric information matches the biometric information of a previously stored user; Performing an electronic signature on the security token when the biometric information of the user inputted from the biometric information recognition module is identical to the biometric information of the user; And a digital signature transmission step in which the web server unit transmits a digital signature to a user terminal through communication according to the HTTPS standard, and the digital signature generation unit generates a digital signature based on a PKCS # 11 standard for interfacing with the security token And an electronic signature is requested to the security token using an interfacing API.

In the present invention, the web server unit, the digital signature generation unit, and the biometric information recognition module may be operated by a single independent operating system, and the security token may be controlled by a controller independent of the operating system.

The present invention may further include an electronic signature history recording step of recording a history of one or both of the digital signature request receiving step and the digital signature performing step.

In order to solve the above problems, there is provided an electronic signature requesting step of performing an electronic signature request to a web server unit while a user terminal transmits a user password inputted by a user by communication according to the HTTPS standard to a web server unit. A first digital signature generation request step in which the web server unit requests the digital signature generation unit to generate an electronic signature; A user password verification step of verifying whether the user's password received from the user terminal matches the user's password of a previously stored legitimate user; A biometric information recognition and verification step of performing a biometric information recognition and verification request to the biometric information recognition module when the digital signature generation unit verifies whether the user password is matched; A biometric information recognition and verification step of receiving biometric information of a user from the outside in the biometric information recognition module and discriminating whether or not the biometric information matches the biometric information of a previously stored user; A second digital signature generation step of performing a digital signature generation request to the digital signature generation unit by the biometric information recognition module when the biometric information of the user inputted from the biometric information recognition module coincides with the biometric information of the user, ; A third digital signature generation request step in which the digital signature generation unit performs a digital signature generation request to the security token; Performing an electronic signature in which the security token performs a digital signature; A first digital signature transmission step in which the security token transmits an electronic signature to the digital signature generation unit; The digital signature generation unit may include: a second digital signature transmission step of transmitting the received digital signature to the web server unit; And an electronic signature transmission step in which the web server unit transmits a digital signature to a user terminal by communication according to the HTTPS standard.

INDUSTRIAL APPLICABILITY The present invention can realize an electronic signature authentication procedure without causing problems of call completion, security vulnerability, use error, and user inconvenience due to downloading, installation, and driving of an active X or an application program .

Since the present invention can be used immediately by connecting an electronic signature device to a user terminal via a USB or the like when only an Internet connection is available, the convenience of the user can be maximized.

According to the present invention, since security is strengthened by biometric information authentication based on excellent security of the security token itself, it is possible to exert security at a level of zero defectiveness.

The present invention uses an internal web server unit in the digital signature device, although it combines the two methods of security token and biometric information authentication. Therefore, And it is possible to maximize the convenience of use without requiring a drive.

The present invention can exhibit strong security in the form of combining a security token and biometric information authentication by virtually connecting a user's own digital signature device to a user terminal and inputting only biometric information such as a fingerprint, It is possible to exhibit very high security against user's investment in time.

The present invention can exhibit an effect that a fingerprint of a plurality of users is registered in the digital signature generation of a corporation so that the digital signature can be easily converted and used even in the form of generating a digital signature of a corporation.

1 is a conceptual diagram showing a system of an electronic signature apparatus according to the present invention;
2 is an internal configuration diagram of an electronic signature apparatus according to the present invention;
3 is a detailed internal configuration diagram of an electronic signature apparatus according to the present invention;
Figure 4 is a step diagram of an electronic signature method according to the present invention;
5 is a diagram illustrating a signature history transmission process of an electronic signature method according to the present invention.
6 is a detailed step diagram of an electronic signature method according to the present invention.
7 is a detailed internal configuration diagram of an electronic signature apparatus according to another embodiment of the present invention;
8 is a detailed step diagram of an electronic signature method according to another embodiment of the present invention.
9 is a step diagram of an electronic signature method according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. Prior to the detailed description of the present invention, terms and words used in the present specification and claims should not be construed as limited to ordinary or dictionary terms. Therefore, the embodiments described in this specification and the configurations shown in the drawings are merely the most preferred embodiments of the present invention and do not represent all the technical ideas of the present invention. Therefore, It is to be understood that equivalents and modifications are possible.

In the present specification, the term "biometric information" refers to identifiable information obtained from a human body, and is a concept including information obtained from fingerprints, handwriting, DNA, iris, face, telegraph, However, in the present specification, an electronic document is generated and verified using information obtained from a fingerprint for convenience of explanation.

As used herein, the term "user terminal" may be any of a variety of computing devices such as a personal computer (PC), desktop, notebook, tablet, smart phone, PDA, It corresponds to a terminal that can connect to an institution.

As used herein, the term " module " includes any software installed and executed in a computing device, hardware within a computing device, or a combination of software and hardware.

1 is a conceptual diagram showing a system of an electronic signature apparatus 100 according to the present invention. 1, the digital signature apparatus 100 of the present invention is directly connected to a user terminal 200, and the user terminal 200 is directly connected to a verification server 300.

Here, the verification server 300 may be an institution that performs a financial settlement operation directly such as a bank or a financial institution, or may be an accredited certification authority or an accredited certification-related relaying institution. Alternatively, the verification server 300 may correspond to the verification server 300 if it corresponds to an organization that receives the digital signature and determines that it is a legitimate user, such as an in-house security server and an in-house approval server.

Meanwhile, according to the present invention, a digital signature is requested, generated and transmitted by the following steps.

(Step 1) The user terminal 200 requests the verification server 300 for a service such as financial processing or authentication

(Step 2) The authentication server 300 transmits an authentication page to the user terminal 200

(Step 3) When the user terminal 200 sends an electronic signature request to the digital signature apparatus 100

(Step 4) After performing the biometric information recognition in the digital signature apparatus 100, the digital signature is generated and transmitted to the user terminal 200

(Step 5) The digital signature is transmitted from the user terminal 200 to the verification server 300

(Step 6) The verification server 300 transmits the verification result to the user terminal 200

In this regard, step 1 may be performed automatically by connecting the digital signature apparatus 100 according to the present invention to the user terminal 200. [ For this operation, the digital signature apparatus 100 sends an address of a page requesting a service such as banking, authentication and the like to the verification server 300 to the user terminal 200 via the embedded web server unit 140 and / Or related user information.

Meanwhile, in connection with the step 3, the user terminal 200 may create a original text using the information input by the user or the information stored in the user terminal 200, and may request the digital signature device 100 to perform an electronic signature Or the original text created in the verification server 300 in the process of step 2 and may transmit the original text to the digital signature apparatus 100 or the digital signature apparatus 100 may transmit the original data and the user information in step 4 You can also write the original text by using it. In the digital signature apparatus 100 according to the present invention, the time and the method of generating the specific original text are not limited.

Meanwhile, the digital signature apparatus 100 according to the present invention communicates with the user terminal 200 according to the HTTPS standard. To this end, the security token 130 and an application program for biometric information recognition and verification are transmitted to the digital signature apparatus 100 ).

2 is an internal configuration diagram of an electronic signature apparatus 100 according to the present invention. 2, the digital signature apparatus 100 according to the present invention includes a web server unit 140 for receiving a digital signature request from a user terminal 200 and transmitting the generated digital signature to the user terminal 200 ); A biometric information recognition module 110 for recognizing biometric information and verifying the recognized biometric information; A security token 130 for generating a digital signature when biometric information verification is confirmed in the biometric information recognition module 110; An electronic signature generation unit 120 connected to the web server unit 140 and performing a work request to the security token 130 and the biometric information recognition module 110; A user information storage unit 150 for storing user information, user biometric information, and the like; An OS unit 160 including an OS or a controller for operation of components inside the digital signature apparatus 100 other than the security token 130; And an electronic signature history management unit 170 for recording the history of users' attempts to generate or generate an electronic signature.

The web server unit 140 of the digital signature apparatus 100 according to the present invention communicates with the user terminal 200 according to the HTTPS standard and the user terminal 200 transmits only the electronic signature apparatus 100 and the user terminal 200

Fig. 3 shows a detailed internal configuration diagram of the digital signature apparatus 100 according to the present invention.

As shown in FIG. 3, the biometric information recognition module 110 includes a biometric information recognition unit 111 for performing biometric information recognition; A biometric information verification unit (112) for verifying previously stored biometric information and recognized biometric information; And an electronic signature request unit 113 for requesting the electronic signature generation unit 120 to generate a digital signature when the biometric information recognized by the biometric information verification unit 112 is verified. It is preferable that the biometric information such as the fingerprint of the user is stored in the user information storage unit 150. However, in order to further enhance the security of the biometric information recognition module 110 itself, Lt; / RTI >

The biometric information verification unit 112 verifies the recognized biometric information by comparing the recognized biometric information with the stored biometric information of a legitimate user. In the specification of the present invention, the matching of the biometric information means that the region of the matching portion is equal to or more than a preset reference% in the original text comparison, or the minutia information of the template extracted from the biometric information exceeds the preset reference Or more.

Preferably, in the present invention, the biometric information is verified only in the digital signature apparatus 100, and the template or the biometric information itself is encrypted or non-encrypted and operates in a manner not transmitted to the outside. According to such an operation method, it is possible to eliminate errors or security threats that may occur during leakage or processing of the user's biometric information. However, according to the operation environment of the verification server 300, the digital signature apparatus 100 according to the present invention may be configured such that the recognized biometric information or biometric information of a previously stored legitimate user (the recognized biometric information matches the biometric information of a legitimate user Or the extracted template may be encrypted or unencrypted in the security token 130 and transferred to the user terminal 200 through the web server unit 140. In this case,

3, the digital signature apparatus 100 according to the present invention further includes a digital signature generation unit 120. The digital signature generation unit 120 generates a digital signature using the digital signature generated by the web server unit 140, A web server interfacing unit 121 for performing interfacing with the web server; A security token interfacing part (122) for interfacing with the security token (130); And a biometric information recognition module interfacing unit 123 for performing interfacing with the biometric information recognition module 110. The digital signature generator 120 of the present invention may correspond to software installed and executed in the computing device, hardware in the computing device, or a combination of software and hardware. The digital signature generation unit 120 may be operated by the OS unit 160 and may include application programs for performing the above-described interfacing. The digital signature generation unit 120 may further include a controller unit 124 for controlling the operation of the components in the digital signature generation unit 120. [

The digital signature generation unit 120 according to the present invention receives an instruction from the web server unit 140 and performs interfacing with the biometric information recognition module 110 and the security token 130. For example, when the digital signature generation unit 120 first receives a digital signature generation request from the web server unit 140, the digital signature generation unit 120 generates biometric information for the biometric information recognition module 110, To perform recognition and verification. When the verification result is positive, that is, when the recognized biometric information matches the biometric information of the pre-stored legitimate user, the security token 130 transmits the biometric information to the security token 130, Requesting the generation of an electronic signature. In order to request the digital signature generation for the security token 130, an API capable of interfacing with the security token 130 is required. According to the present invention, Is installed in the security token interfacing part 122, not in the form of an application program.

Preferably, the security token interfacing unit 122 includes a standard API of the PKCS # 11, and may interface with the security token 130 according to the PKCS # 11 standard.

Meanwhile, the security token interfacing unit 122 of the digital signature generating unit 120 generates commands C_initialize, C_finalize, C_GetSlotList, and C_Initialize related to generation, management, initialization, and verification of an encryption key (private key and public key) C_CreateObject, C_DestroyObject, and C_Sign.

The security token 130 is a hardware that includes a processor and a memory and does not expose a private key or the like stored in the memory to the outside of the security token 130 when the encryption algorithm is operated. The security token 130 according to the present invention may perform digital signature of a public key infrastructure (PKI). In the digital signature of the public key infrastructure (PKI), the HASH value of the original text is encrypted using the user's private key to generate a signature, and the signature is generated through the web server 140 and the user terminal 200 To the authentication server (300). The verification server 300 can usually obtain the HASH value of the original text by decrypting the signature with the public key, and comparing the HASH value of the original text with the HASH value of the original text, the authenticity of the digital signature can be confirmed. The security token 130 of the present invention preferably performs digital signature using an electronic signature scheme of the public key infrastructure, but is not limited thereto.

The security token 130 includes a key generation / management unit 131, an electronic signature execution unit 132, and a security token controller unit 133. The security token 130 may operate independently by its own memory and processor, and such operation is operated and controlled by the security token controller unit 133. [ The security token controller unit 133 may include a built-in OS, an application program, or firmware for operating the security token 130.

Meanwhile, the biometric information recognition module 110, the digital signature generation unit 120, the web server unit 140, the user information storage unit 150, and the digital signature history management unit 170 of the digital signature apparatus 100 according to the present invention May be operated by the OS unit 160 and operated. On the other hand, the security token 130 preferably operates separately from the OS unit 160 to perform digital signature.

In this configuration, the web server unit 140 receives an electronic signature request from the user terminal 200 in accordance with the HTTPS standard, and the web server unit 140 sends an electronic signature request to the electronic signature generation unit 120 The digital signature generation unit 120 performs a biometric information recognition and verification request to the biometric module through the biometric information recognition module interfacing unit 123, Upon receipt of the biometric information verification confirmation from the biometric information recognition module 110, the security token 130 requests the security token 130 to generate a digital signature through the security token interfacing unit 122, 140 transmits the digital signature generated in the security token 130 to the user terminal 200 through communication according to the HTTPS standard.

As described above, in the present invention, communication with the user terminal 200 is performed according to the HTTPS standard by the web server unit 140 disposed in the digital signature apparatus 100. Accordingly, the user terminal 200 receives the web document from the digital signature apparatus 100 without installing a separate ActiveX or application program, and performs the authentication procedure with the verification server 300 by the received web document Can be performed. That is, the digital signature apparatus 100 of the present invention is an apparatus including one web server unit 140.

Meanwhile, the digital signature apparatus 100 according to the present invention further includes a digital signature history management unit 170, and the digital signature history management unit 170 records and manages an operation history of the digital signature apparatus 100 . Specifically, the digital signature history management unit 170 receives an electronic signature request received from the user terminal 200, a generated digital signature transmitted to the user terminal 200, or an electronic signature request received from the user terminal 200 A history of the generated digital signature transmitted to the user terminal 200, biometric information input from the user, and the like. The recorded history can be confirmed by the user terminal 200 through the web server unit 140. [

In addition, the digital signature history management unit 170 may transmit the recorded history related to the digital signature to the external digital signature management server through the web server unit 140. [

The digital signature apparatus 100 of the present invention registers a plurality of biometric information in the user information storage unit 150 or the biometric information recognition module 110 itself when the biometric information is used in a corporation, The digital signature request unit 113 of the biometric information recognition module 110 may request the digital signature generation unit 120 to generate an electronic signature if it matches one of the biometric information of the registered legitimate user have.

In this case, the digital signature history management unit 170 may receive the digital signature request received from the user terminal 200, the generated digital signature transmitted to the user terminal 200, or the digital signature request received from the user terminal 200 And the history of the generated digital signature transmitted to the user terminal 200, together with the digital signature request, the user information related to the author signature generation, and the recognized biometric information of the user. That is, it is possible to record which biometric information a user requests for digital signature.

7 is a detailed internal configuration diagram of an electronic signature apparatus 100 according to another embodiment of the present invention.

7, the digital signature apparatus 100 according to another embodiment of the present invention receives a user's password and an electronic signature request from the user terminal 200, and transmits the generated digital signature to the user terminal 200 A web server unit 140 for transmitting data;

A biometric information recognition module 110 for recognizing biometric information and verifying the recognized biometric information;

A security token (130) for generating a digital signature;

A web server interfacing unit 121 for interfacing with the web server unit 140, a security token interface unit 122 for interfacing with the security token 130, and an interface unit for interfacing with the biometric information recognition module 110. [ And a user password storing and verifying unit 123 for verifying whether the user password of the legitimate user is stored and the user password received from the user terminal 200 matches the user password of the legitimate user, A controller unit 124 for controlling the operations of the web server interface unit 121, the security token interface unit 122, the biometric information recognition module interfacing unit 123 and the user password storage and verification unit 125, An electronic signature generation unit 120 that generates a digital signature;

A user information storage unit 150 for storing user information, user biometric information, and the like;

An OS unit 160 including an OS or a controller for operation of components inside the digital signature apparatus 100 other than the security token 130; And

And an electronic signature history management unit 170 for recording the history of the user's digital signature generation or digital signature generation attempt.

The web server unit 140 of the digital signature apparatus 100 according to the present invention shown in FIG. 7 performs communication according to the HTTPS standard with the user terminal 200, The digital signature apparatus 100 and the user terminal 200 can communicate with each other. With this configuration, the user terminal 200 can perform the digital signature process through biometric information recognition without a separate ActiveX or application program.

7, a user password of a legitimate user is stored therein, and a user password storage and verification unit 125 for verifying whether the user password received from the user terminal 200 matches the user password of the legitimate user ). Or a user password of a legitimate user may be stored in the user information storage unit 150. [

When the digital signature generating unit 120 verifies the user's password received from the user terminal 200, the digital signature generating unit 120 requests the biometric information recognizing module 110 to recognize and verify biometric information When the biometric information recognized by the biometric information recognition module 110 is verified, that is, when two conditions of the password and the biometric information are satisfied, the digital signature generation unit 120 sends a digital signature generation request .

That is, the security token 130 may be configured such that biometric information verification is confirmed in the biometric information recognition module 110, and the user password received from the user terminal 200 is stored in the user password storage and verification unit 125 If it matches the password, generate a digital signature.

In this embodiment, it is possible to secure better security than the digital signature apparatus 100 shown in Fig.

Hereinafter, a digital signature method using the digital signature apparatus 100 of the present invention will be described.

6 is a detailed step diagram of the digital signature method according to the present invention.

6, an electronic signature method according to the present invention is a method in which a user terminal 200 transmits an electronic signature request to the web server unit 140 of the digital signature apparatus 100 by communication according to the HTTPS standard Signing request step (S300). The digital signature apparatus 100 according to the present invention is configured such that the web server unit 140 of the digital signature apparatus 100 communicates with the user terminal 200 in a web format according to the HTTPS standard, Since a program for biometric information recognition and security token operation is built in the inside, the user can quickly and conveniently perform enhanced security combining a security token 130 and biometric information recognition without a separate ActiveX or application program The digital signature can be generated.

Then, the web server unit 140 performs a first digital signature generation request (S410) for requesting the digital signature generation unit 120 to generate a digital signature. In this way, the web server unit 140 communicates with the outside through communication according to the HTTPS standard, and delivers the input signal from the outside to the digital signature generation unit 120. [

When the digital signature generation unit 120 receives a first digital signature generation request from the web server unit 140, the digital signature generation unit 120 generates biometric information through the biometric information recognition module interfacing unit 123, A biometric information recognition and verification request step S420 of requesting the recognition module 110 to perform biometric information recognition and verification is performed.

Hereinafter, the biometric information recognition module 110 receives biometric information of a user from outside and performs a biometric information recognition and verification step (S430) for determining whether or not the biometric information matches the previously stored biometric information of the user, When the biometric information of the user input from the information recognition module 110 matches the biometric information of the user stored in the biometric information recognition module 110 itself or the user information storage unit 150, (S440) a digital signature generation request to the digital signature generation unit 120 to perform a digital signature generation request. The second digital signature generation request step S440 is substantially the same as transmitting the biometric information authentication result that the biometric information recognized by the biometric information recognition module 110 is authenticated.

The digital signature generation unit 120 performs a third digital signature generation step S450 for requesting a digital signature generation request to the security token 130 so that the security token 130 generates a digital signature (S460).

Hereinafter, the security token 130 performs a first digital signature transmission step (S470) of transmitting the digital signature generated in the digital signature generation unit 120. The digital signature generation unit 120 generates a digital signature The web server unit 140 performs a second digital signature transmission step S480 of transmitting the digital signature to the web server unit 140 and finally the web server unit 140 transmits the digital signature to the user terminal 200 by communication according to the HTTPS standard And an electronic signature transmission step (S500) for transmitting the digital signature.

The web server unit 140, the digital signature generation unit 120 and the biometric information recognition module 110 are controlled by a single independent operating system, that is, the OS unit 160, (130) is controlled by a controller independent of the operating system.

The security token 130 is a hardware that includes a processor and a memory and does not expose a private key or the like stored in the memory to the outside of the security token 130 when the encryption algorithm is operated. The security token 130 according to the present invention may perform digital signature of a public key infrastructure (PKI). In the digital signature of the public key infrastructure (PKI), the HASH value of the original text is encrypted using the user's private key to generate a signature, and the signature is generated through the web server 140 and the user terminal 200 To the authentication server (300). The verification server 300 can usually obtain the HASH value of the original text by decrypting the signature with the public key, and comparing the HASH value of the original text with the HASH value of the original text, the authenticity of the digital signature can be confirmed. The security token 130 of the present invention preferably performs digital signature using an electronic signature scheme of the public key infrastructure, but is not limited thereto.

Meanwhile, in the digital signature method of the present invention, one or both of the biometric information recognition and verification request step and the third digital signature creation request step are performed by the internal API stored in the digital signature generation unit 120 desirable. According to the digital signature method of the present invention, the web server unit 140 of the present invention communicates with the user terminal 200 according to the HTTPS standard, It is possible to perform an electronic signature having both the security token 130 and the advantage of biometric information without installing an X or an application program.

Preferably, the third digital signature generation request step is performed according to the standard of PKCS # 11, and the API of the PKCS # 11 standard is embedded in the digital signature generation unit 120 of the digital signature apparatus 100 have.

Preferably, the digital signature method according to the present invention records the history of one or both of the first digital signature generation request step (S410) and the digital signature execution step (S460) in order to record the details of the digital signature The electronic signature history recording step can be further performed.

The first digital signature creation request step (S410) represents the history of the attempted generation of the digital signature, and the digital signature execution step (S460) represents the history of the digital signature generation finally. When biometric information of a plurality of users is registered, individual information of the user who has attempted to generate the digital signature and / or biometric information individually recognized can be recorded.

FIG. 5 is a flowchart illustrating a signature history transmission process of the digital signature method according to the present invention. 5, when the digital signature apparatus 100 performs the digital signature generation step S400, the digital signature apparatus 100 transmits the digital signature history transmission step S900 to an external digital signature management server Can be performed.

Alternatively, although not shown in FIG. 5, after the first digital signature creation request step is performed, the digital signature apparatus 100 may perform the digital signature history transmission step (S900) to an external digital signature management server. Similarly, the first digital signature creation request step 410 indicates a history of an attempt to generate a digital signature, and the digital signature execution step shows a history of the digital signature finally generated. When biometric information of a plurality of users is registered, individual information of the user who has attempted to generate the digital signature and biometric information individually recognized can be recorded and transmitted.

8 shows a detailed step diagram of an electronic signature method according to another embodiment of the present invention.

The electronic signature method of the present invention shown in Fig. 8 is a method in which the user terminal 200 transmits, by communication according to the HTTPS standard,

An electronic signature requesting step (S300) of sending an electronic signature request to the web server unit (140) while transmitting the user password inputted by the user to the web server unit (140);

A first digital signature generation request step (S410) in which the web server unit 140 requests the digital signature generation unit 120 to generate a digital signature;

A user password verification step (S415) of verifying whether the digital signature generating unit (120) matches a user password received from the user terminal (200) and a user password of a legitimate user previously stored;

A biometric information recognition and verification step (S420) of performing biometric information recognition and verification request to the biometric information recognition module 110 when the digital signature generation unit 120 verifies whether the user password is matched;

A biometric information recognition and verification step (S430) of receiving biometric information of a user from the outside in the biometric information recognition module 110 and discriminating whether or not the biometric information matches the biometric information of a previously stored user;

When the biometric information of the user input from the biometric information recognition module 110 matches the biometric information of the user, the biometric information recognition module 110 requests the digital signature generation unit 120 to generate a signature A second digital signature creation request step (S440); The second digital signature generation request step S440 is substantially the same as transmitting the biometric information authentication result that the biometric information recognized by the biometric information recognition module 110 is authenticated;

A third digital signature generation request step (S450) in which the digital signature generation unit 120 performs a digital signature generation request to the security token 130;

Performing an electronic signature (S460) in which the security token (130) performs a digital signature;

A first digital signature transmission step (S470) in which the security token (130) transmits an electronic signature to the digital signature generation unit (120);

The digital signature generation unit 120 may transmit the received digital signature to the web server unit 140 (S480). And

And an electronic signature transmission step (S500) in which the web server unit 140 transmits an electronic signature to the user terminal 200 by communication according to the HTTPS standard.

In this embodiment, the electronic signature can be finally generated only if the password entered by the user is the same as the pre-stored password of the legitimate user. Therefore, even if the biometric information is falsified or altered, .

9 is a flowchart illustrating an electronic signature method by the digital signature apparatus 100 including the web server unit 140, the digital signature generation unit 120, the security token 130, and the biometric information recognition module 110 of the present invention. Fig. Hereinafter, the digital signature method of the present invention will be described.

The digital signature method of the present invention includes: an electronic signature request receiving step (S300.1) wherein the web server unit 140 receives an electronic signature request from a user terminal 200 by communication according to the HTTPS standard;

A biometric information recognition and verification step (S430) of receiving biometric information of a user from the outside in the biometric information recognition module 110 and discriminating whether or not the biometric information matches the biometric information of a previously stored user;

An electronic signature performing step (S460) in which the security token (130) performs a digital signature when the biometric information of the user inputted from the biometric information recognition module (110) coincides with the biometric information of the user stored previously; And

And an electronic signature transmission step (S500) in which the web server unit 140 transmits the electronic signature by the user terminal 200 according to the HTTPS standard.

In this way, the digital signature generator 120 may perform an electronic signature on the security token 130 using an interfacing API of the PKCS # 11 standard that interfaces with the security token 130 built in the digital signature generator 120 .

In the digital signature method according to the present invention, the digital signature apparatus 100 communicates with the user terminal 200 according to the HTTPS standard, and the security token 130 and the API for biometric information recognition and verification are transmitted to the digital signature apparatus 100, the user can simultaneously perform the security token 130 and the biometric information recognition based authentication in a form using a general web without installing a separate ActiveX or application program.

Also, in the digital signature method of the present invention, the web server unit 140, the digital signature generation unit 120, and the biometric information recognition module 110 are performed by a single independent operating system, (130) is controlled by a controller independent of the operating system. With such a configuration, the convenience of the user can be increased while maintaining the security of the security token 130 itself.

INDUSTRIAL APPLICABILITY The present invention can realize an electronic signature authentication procedure without causing problems of call completion, security vulnerability, use error, and user inconvenience due to downloading, installation, and driving of an active X or an application program .

Since the present invention can be used immediately by connecting an electronic signature device to a user terminal via a USB or the like when only an Internet connection is available, the convenience of the user can be maximized.

According to the present invention, since security is strengthened by biometric information authentication based on excellent security of the security token itself, it is possible to exert security at a level of zero defectiveness.

Although the present invention combines two methods of security token and biometric information authentication, it uses an own web server in the digital signature device. Therefore, it is possible to provide an active X and application program for each security token and biometric information authentication, And it is possible to maximize the convenience of use without requiring a drive.

The present invention can exhibit strong security in the form of combining a security token and biometric information authentication by virtually connecting a user's own digital signature device to a user terminal and inputting only biometric information such as a fingerprint, It is possible to exhibit very high security against user's investment in time.

The present invention can exhibit an effect that a fingerprint of a plurality of users is registered in the digital signature generation of a corporation so that the digital signature can be easily converted and used even in the form of generating a digital signature of a corporation.

It will be understood by those skilled in the art that various changes and modifications may be made without departing from the scope of the present invention.

Claims (21)

An electronic signature device connected directly to a user terminal,
A web server unit receiving a digital signature request from a user terminal and transmitting the generated digital signature to a user terminal;
A biometric information recognition module for recognizing biometric information and verifying the recognized biometric information;
A security token for generating a digital signature when verification of the biometric information is confirmed in the biometric information recognition module;
An electronic signature generation unit, connected to the web server unit, for performing a task request to the security token and the biometric information recognition module; And
The web server unit; The biometric information recognition module; And an OS unit for operating and operating the digital signature generator,
The web server unit performs communication according to the HTTPS standard with the user terminal,
Wherein the digital signature generation unit comprises:
A web server interfacing unit for interfacing with the web server unit;
A security token interfacing unit for interfacing with the security token;
A biometric information recognizing module interfacing part for performing interfacing with the biometric information recognizing module; And
And a user password storage and verification unit for verifying whether a user password of a legitimate user is stored and a user password received from the user terminal matches the user password of the legitimate user,
Wherein the security token interfacing unit includes an API capable of interfacing with the security token,
Wherein the security token includes its own memory and a processor, and is operated independently from the digital signature generator,
The security token includes a key generation / management unit; An electronic signature performing unit; And a security token controller unit, wherein the security token controller unit includes an OS for operating the security token,
The web server unit receives an electronic signature request from a user terminal in accordance with the HTTPS standard,
Wherein the web server unit makes an electronic signature request to the electronic signature generation unit,
Wherein the digital signature generation unit performs a biometric information recognition and verification request to the biometric information recognition module through the biometric information recognition module interfacing unit,
Wherein the digital signature generation unit receives the biometric information verification confirmation from the biometric information recognition module and, when the user password received from the user terminal matches the user password stored in the user password storage and verification unit, transmits the digital signature to the security token interfacing unit Performing a security token digital signature generation request to the security token,
The web server unit transmits the digital signature generated in the security token to the user terminal through communication according to the HTTPS standard,
The biometric information recognition module comprises:
A biometric information recognizing unit for performing biometric information recognition;
A biometric information verifying unit for verifying previously stored biometric information and recognized biometric information; And
And a digital signature requesting unit for requesting the digital signature generation unit to generate a digital signature when the biometric information recognized by the biometric information verification unit is verified,
Wherein the digital signature apparatus further comprises an electronic signature history management unit,
The electronic signature history management unit records the history of the digital signature request received from the user terminal, the generated digital signature transmitted to the user terminal, or the digital signature request received from the user terminal and the generated digital signature transmitted to the user terminal ,
Wherein the electronic signature history management unit can transmit the recorded history related to the electronic signature to the external electronic signature management server through the web server unit.
delete delete The method according to claim 1,
The security token interfacing unit includes a standard API of PKCS # 11,
And performs interfacing with the security token according to the PKCS # 11 standard.
delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete delete
KR1020150154272A 2015-11-04 2015-11-04 Digital Signature Device and Digital Signature Method Using It KR101743951B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150154272A KR101743951B1 (en) 2015-11-04 2015-11-04 Digital Signature Device and Digital Signature Method Using It

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150154272A KR101743951B1 (en) 2015-11-04 2015-11-04 Digital Signature Device and Digital Signature Method Using It

Publications (2)

Publication Number Publication Date
KR20170052162A KR20170052162A (en) 2017-05-12
KR101743951B1 true KR101743951B1 (en) 2017-07-04

Family

ID=58739971

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150154272A KR101743951B1 (en) 2015-11-04 2015-11-04 Digital Signature Device and Digital Signature Method Using It

Country Status (1)

Country Link
KR (1) KR101743951B1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102007431B1 (en) * 2018-04-17 2019-08-05 주식회사 스마트솔루션 System and method for checking the truth to application information for automatic withdrawal registration
US11469903B2 (en) * 2019-02-28 2022-10-11 Microsoft Technology Licensing, Llc Autonomous signing management operations for a key distribution service

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100842838B1 (en) * 2007-08-13 2008-07-03 이태원 System and method for wireless public certification service with mobile terminal using mpg system
KR101348079B1 (en) * 2013-06-07 2014-01-08 라온시큐어(주) System for digital signing using portable terminal

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100842838B1 (en) * 2007-08-13 2008-07-03 이태원 System and method for wireless public certification service with mobile terminal using mpg system
KR101348079B1 (en) * 2013-06-07 2014-01-08 라온시큐어(주) System for digital signing using portable terminal

Also Published As

Publication number Publication date
KR20170052162A (en) 2017-05-12

Similar Documents

Publication Publication Date Title
US20210409397A1 (en) Systems and methods for managing digital identities associated with mobile devices
KR100876003B1 (en) User Authentication Method Using Biological Information
CN106575326B (en) System and method for implementing one-time passwords using asymmetric encryption
US20180082050A1 (en) Method and a system for secure login to a computer, computer network, and computer website using biometrics and a mobile computing wireless electronic communication device
US10586229B2 (en) Anytime validation tokens
US8904495B2 (en) Secure transaction systems and methods
JP5066827B2 (en) Method and apparatus for authentication service using mobile device
EP2343678A1 (en) Secure transaction systems and methods
US20130219481A1 (en) Cyberspace Trusted Identity (CTI) Module
US20100180120A1 (en) Information protection device
US20150082390A1 (en) Method and a system for secure login to a computer, computer network, and computer website using biometrics and a mobile computing wireless electronic communication device
EP2098985A2 (en) Secure financial reader architecture
US20090222383A1 (en) Secure Financial Reader Architecture
JP2000181871A (en) Device and method for authentication
NO340355B1 (en) 2-factor authentication for network connected storage device
KR101743951B1 (en) Digital Signature Device and Digital Signature Method Using It
KR20170109126A (en) Encryption system providing user cognition-based encryption protocol and method for processing on-line settlement, security apparatus and transaction approval server using thereof
KR20160008012A (en) User authentification method in mobile terminal
KR101835718B1 (en) Mobile authentication method using near field communication technology
AU2015200701B2 (en) Anytime validation for verification tokens
TWI778319B (en) Method for cross-platform authorizing access to resources and authorization system thereof
GB2607282A (en) Custody service for authorising transactions

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
AMND Amendment
E601 Decision to refuse application
AMND Amendment
X701 Decision to grant (after re-examination)