KR20160111190A - Method for authentication using user apparatus, digital system, and authentication system thereof - Google Patents
- Publication number: KR20160111190A (also listed: KR1020150036027A)
- Authority: KR (South Korea)
- Prior art keywords
- authentication
- information
- digital system
- user
- user device
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
A user authentication method using a user device, a digital system for it, and an authentication system are disclosed. The method of authenticating a user using the user device includes the steps of: the digital system receiving a server creation key from an authentication system; the digital system transmitting the server creation key to the user device through communication with the user device; and generating authentication information on the basis of the server creation key when that communication is performed. The server creation key includes time information of the authentication system.
Description
The present invention relates to a user authentication method using a user device, and to a digital system and an authentication system therefor. More particularly, it relates to an authentication method and system that use a user device and a digital system (e.g., a mobile terminal) when a user who wants to use various services (for example, login or financial transactions) must be authenticated.
In particular, the authentication system generates a server creation key and transmits it to the digital system; the user device or the digital system then generates authentication information using the transmitted server creation key. This provides an authentication method and system that is simple for the user and yet highly secure.
Identity authentication has conventionally used ID and password authentication. However, this conventional method cannot perform its authentication function properly once the ID and password are leaked. To complement it, various authentication schemes have appeared.
For example, there are authentication of the mobile phone itself, authentication using an authorized certificate, authentication using an OTP, authentication using an i-PIN (Internet Personal Identification Number), and authentication using a credit card.
Authorized certificate authentication is an authentication protocol with a relatively high security level, but it is not easy to carry the authorized certificate securely, and the authentication process is complicated. In addition, authorized certificates have recently been leaked in large quantities, which raises a safety problem.
The i-PIN authenticates the user with a virtual identification number used on the Internet. The user must know a new identification number in advance, and, as with the ID/password method, it cannot perform its authentication function properly once that number is exposed.
In addition, authentication of the mobile phone itself, which authenticates possession of the phone by means of an authentication number, is problematic in that it is susceptible to smishing and the like.
Also, since all of these conventional technologies require the input of a password (certificate password, i-PIN password) or an authentication number, anyone to whom the password or authentication number is exposed can pass the user's authentication, so the risk from hacking is high.
In addition, authentication using an OTP is possible only when the user carries an OTP client (OTP token), and the user must generate the OTP through that OTP client, which is inconvenient.
Accordingly, a technical idea is required that, together with a payment protocol, can provide a highly secure personal authentication protocol while maintaining convenience compared with conventional authentication technologies.
In addition, as online financial transactions become more active, online crime becomes more intelligent and frequent, so the need for two-channel authentication is increasing. A technical idea is required that enables two-channel authentication while allowing users to perform authentication easily.
In this case the authentication request and the authentication action performed by the legitimate user can be separated: if the person making the request differs from the legitimate user, the information necessary for authentication would have to be exposed to that other person. A technical idea is required that allows the service to be used without this.
In order to use conventional one-time information (e.g., an OTP), the client (e.g., the OTP token) and the authentication side (e.g., the OTP authentication server) must share the same basis information (e.g., time information). In particular, in order to generate one-time information through the time synchronization method that is now widely used, time synchronization between the client and the authentication side is very important, and to synchronize the time the client side must be able to determine the time. However, according to the technical idea of the present invention, the user device (e.g., a smart card) may not have a timer. Even if the user device or the digital system has a timer, it may be difficult to actually synchronize it with the timer of the authentication side (e.g., the authentication system).
SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and it is an object of the present invention to provide a technical idea for personal authentication using a digital system and a user device that the user is highly likely to carry. In addition, the present invention provides a technical idea enabling two-channel personal authentication, remote personal authentication, or personal authentication by a legitimate user on behalf of a third party so that the service can be provided.
In addition, since authentication can be performed using one-time information (e.g., an OTP), the invention provides a technical idea that can carry out simple and secure personal authentication without a separate one-time information generating device (e.g., an OTP client).
In addition, the one-time information can be generated through a digital system or a user device (e.g., a smart card) carried by the user, which provides a technical idea that significantly lowers the risk of authentication succeeding through illegal copying of the digital system or the user device.
In addition, the digital system transmits a confirmation signal including the one-time information only when it communicates with the user device, thereby providing a higher level of security.
In addition, the user is not required to input the one-time information, so the invention provides a user authentication that is robust against attacks such as key logging.
Further, the digital system or the user device generates authentication information including one-time information using a server generation key (e.g., a random number value, a time value, or an OTP) generated on the authentication side, which provides a highly secure authentication method. The present invention also provides a technical idea that can use the server generation key even when the one-time information is generated by a user device that cannot communicate directly with the authentication side.
In particular, although the authentication system may store the terminal identification information or the device identification information itself in order to authenticate the digital system or the user device, it may instead store predetermined medium specific information determined from that identification information (e.g., a hash value over the terminal identification information and the device identification information) without storing the identification information itself, and still authenticate the digital system and the user device. This provides an authentication scheme in which the terminal identification information and the device identification information are not exposed even if the authentication system is attacked.
In addition, although the digital system may simply include the server generation key and at least the terminal identification information and/or the device identification information in the authentication information, it may instead generate medium specific information (e.g., a hash value over the terminal identification information and the device identification information) and generate the authentication information (e.g., a hash value over the medium specific information and the server generation key) from it, so that the server generation key, the device identification information, and/or the terminal identification information are not exposed even if the authentication information is leaked by a network attack. Also, for the authentication verification procedure, the authentication system can generate authentication verification information from the server generation key it transmitted itself and the medium specific information it stores, without restoring or extracting the server generation key, device identification information, or terminal identification information from the received authentication information, and simply compare it with the authentication information received from the digital system. This provides an authentication method with a simple verification procedure.
The present invention also provides a technical idea that allows the digital system and/or the user device to be used for the authentication operation to be set in advance, so that the user is authenticated only through that digital system and/or user device.
In addition, a digital system to be used for the authentication operation and a user device paired with it are set in advance, and authentication succeeds only when communication (for example, contact or non-contact type) takes place between them, which provides a remarkable synergistic security effect.
In addition, when a financial transaction is conducted using a predetermined data processing apparatus or digital system, account identification information of the predetermined receiving account is included in the information used for personal authentication, so that the smishing and memory hacking that can occur because the authentication step and the financial settlement step are distinct can be fundamentally controlled.
It also solves the problem of synchronizing time between the client side (e.g., the digital system or the user device) and the authentication side (e.g., the authentication system), which can occur when the client side generates authentication information using a timer of the user device or digital system, and the problem caused by arbitrary change of the time information of the digital system.
According to an aspect of the present invention, a method for authenticating a user using a user device comprises: a digital system receiving a server generation key from an authentication system; and the digital system, when it communicates with the user device, transmitting the server generation key to the user device and receiving the authentication information generated by the user device based on the transmitted server generation key, or generating authentication information itself based on the server generation key; wherein the server generation key includes time information of the authentication system.
The method may further include transmitting a confirmation signal including the authentication information to the authentication system without displaying the authentication information on the digital system.
The method may further include the digital system performing a time validity check procedure that compares the server generation key with time information of the digital system; only when the time validity is confirmed does the digital system transmit the server generation key to the user device, generate authentication information using the server generation key, or treat the authentication information generated by the user device or the digital system as valid authentication information.
The server generation key may be information protected in the digital system so as to correspond to the user device.
The method may further include the authentication system determining whether the user device and the digital system are a preset pair corresponding to each other, and the digital system transmitting a confirmation signal including the authentication information to the authentication system.
According to another aspect of the present invention, a method for authenticating a user using a user device comprises: a digital system receiving a server generation key from an authentication system; the digital system verifying the validity of time information to be used as the basis for generating one-time information using the server generation key, the time information being first time information of the digital system or second time information of a user device communicating with the digital system; and the digital system receiving authentication information generated by the user device based on the verified second time information, generating authentication information based on the verified first time information, or transmitting the verified first time information to the user device so that the user device generates the authentication information; wherein the server generation key includes time information of the authentication system.
According to another aspect of the present invention, an authentication method comprises: an authentication system transmitting a server generation key to a digital system of a user, the server generation key including time information of the authentication system; the authentication system receiving a confirmation signal including authentication information from the digital system or from the user's data processing apparatus, the authentication information being generated by the user device or by the digital system, based on the server generation key, when the digital system communicates with a predetermined user device; the authentication system performing an authentication verification procedure on the received authentication information; and, when the verification succeeds, the authentication system processing as successful the authentication request output from the data processing apparatus or the digital system to the authentication system or to a service system connected to it.
The authentication information may be generated by the user device after the digital system has verified time validity and transmitted the server generation key to it, or generated by the digital system, and the authentication information generated by the user device or the digital system is treated as valid authentication information by the digital system.
The authentication method may further include the authentication system protecting the server generation key so as to correspond to the user device, and transmitting the protected server generation key to the digital system.
The authentication method may further include the authentication system determining whether the user device and the digital system are a preset pair corresponding to each other, and making its authentication judgment accordingly.
According to another aspect of the present invention, an authentication method comprises: an authentication system transmitting a server generation key to a digital system of a user, the server generation key including time information of the authentication system; the authentication system receiving a confirmation signal including authentication information from the digital system or from the user's data processing apparatus, the authentication information being generated by the user device or by the digital system when the digital system communicates with a predetermined user device; the authentication system performing an authentication verification procedure on the received authentication information; and, when the verification succeeds, the authentication system processing as successful the authentication request output from the data processing apparatus or the digital system to the authentication system or to a service system connected to it; wherein the authentication information is generated by the digital system based on first time information of the digital system whose validity has been verified using the server generation key, or generated by the user device based on second time information of the user device whose validity has been verified.
The above method can be implemented by a computer program installed in the data processing apparatus.
According to an aspect of the present invention, a digital system comprises: a user device communication module for communicating with a predetermined user device; a communication module for receiving a server generation key from an authentication system; and a control module that, when the communication is performed, transmits the server generation key to the user device and receives the authentication information generated by the user device based on it, or generates authentication information based on the server generation key; wherein the server generation key includes time information of the authentication system.
The control module may transmit a confirmation signal including the authentication information to the authentication system without displaying the received or generated authentication information on the digital system.
The control module may perform a time validity check procedure comparing the server generation key with the time information of the digital system and, only when time validity is confirmed, transmit the server generation key to the user device, generate the authentication information, or treat the authentication information generated by the user device or the digital system as legitimate authentication information.
According to an aspect of the present invention, a digital system comprises: a user device communication module for communicating with a predetermined user device; a communication module for receiving, from an authentication system, a server generation key including time information of the authentication system; and a control module that verifies the validity of time information to be used as the basis for generating one-time information using the server generation key, the time information being first time information of the digital system or second time information of a user device communicating with the digital system, and that receives, through communication with the user device, authentication information generated by the user device based on the verified second time information, transmits the verified first time information to the user device and receives authentication information generated from it, or generates the authentication information itself based on the verified first time information.
According to another aspect of the present invention, an authentication system comprises: an authentication unit for generating a server generation key to be transmitted to a digital system of a user, the server generation key including time information of the authentication system, and for verifying authentication information included in a received confirmation signal; a communication unit for transmitting the server generation key to the digital system and for receiving the confirmation signal including the authentication information from the digital system or from the user's data processing apparatus, the authentication information being generated by the user device or by the digital system, based on the server generation key, when the digital system communicates with the user device; and a control unit for processing as successful, when the verification succeeds, the authentication request output from the data processing apparatus or the digital system to the authentication system or to a service system connected to it.
The authentication information may be generated by the user device after the digital system has verified time validity and transmitted the server generation key to it, or generated by the digital system, and the generated authentication information is treated as valid authentication information by the digital system.
The authentication unit may protect the server generation key so as to correspond to the user device, and the communication unit transmits the protected server generation key to the digital system.
The authentication unit may determine whether the user device and the digital system are a preset pair corresponding to each other, and determine that the authentication verification procedure succeeds if they are a preset pair.
According to another aspect of the present invention, an authentication system comprises: an authentication unit for generating a server generation key to be transmitted to a digital system of a user, the server generation key including time information of the authentication system, and for verifying authentication information included in a received confirmation signal; a communication unit for transmitting the server generation key to the digital system and for receiving the confirmation signal including the authentication information from the digital system or from the user's data processing apparatus, the authentication information being generated by the user device or by the digital system based on time information whose validity has been verified; and a control unit for processing as successful, when the verification succeeds, the authentication request output from the data processing apparatus or the digital system to the authentication system or to a service system connected to it; wherein the authentication information is generated by the digital system based on first time information of the digital system whose validity has been verified using the server generation key, or generated by the user device based on second time information of the user device whose validity has been verified.
According to the technical idea of the present invention, performing personal authentication with two independent objects, a digital system and a user device, both of which the user is highly likely to carry and is familiar with, provides high security and simplicity.
In other words, the authentication request is made by a data processing apparatus separate from the digital system, and the authentication operation is performed through the digital system, so the authentication operation can be carried out elsewhere or by a person different from the authentication requester. Two-channel authentication, remote authentication, or third-party authentication by a legitimate user can thus be performed with high security.
In addition, the user need not carry a separate device for one-time information (e.g., an OTP token); a user device the user already carries (e.g., an IC card, transit card, or electronic ID card) can be used, which increases both security and convenience for the user.
The present invention also provides a highly secure authentication method using a server creation key (for example, a random number value or a server time value) generated by the authentication side (e.g., the authentication system). Using a server generation key normally requires the authentication side and the client side to be able to communicate with each other. According to the technical idea of the present invention, communication with the authentication side is performed via the digital system, so authentication can be performed even by a user device that cannot communicate with the authentication side itself. That is, the user must carry two authentication tools, the digital system and the user device, which the user generally possesses anyway, for authentication to succeed, and authentication using one-time information can be performed with at least one of those tools (for example, an IC card). Also, even when the user device cannot communicate with the authentication side, authentication can be performed by communicating through the digital system as the remaining authentication tool.
Further, when the client side (e.g., the digital system or the user device) generates authentication information using a timer (time information) of the user device or the digital system, the time information of the digital system is either not used, the time information of the server generation key being used instead, or is used only when it matches the time information of the server generation key transmitted from the server side. This solves the problem of time synchronization between the client side and the authentication side (e.g., the authentication system), and the problem caused by abuse or arbitrary change of the timer (time information) of the digital system.
In addition, the user is not required to input the one-time information when using it, so the user is not exposed to key-input hacking such as key logging, and user authentication is more convenient.
In addition, since the digital system to be used for user authentication can be preset and specified, the scheme is strongly resistant to attacks such as smishing or man-in-the-middle attacks, and online crime can be actively blocked.
In particular, although the authentication system may store the terminal identification information or the device identification information itself in order to authenticate the digital system or the user device, it may instead store medium specific information determined from that identification information (e.g., a hash value over the terminal identification information and the device identification information) without storing the identification information itself. In this case, even if the authentication system is attacked, the terminal identification information and/or the device identification information of the user are not exposed, which is a safety effect.
Also, the digital system may simply include a server creation key and at least device identification information in the authentication information (in addition to the device identification information, information about the object to be authenticated may be included; for example, for an account transfer service, the account information of the receiving account may be included). However, the digital system may instead generate medium specific information (e.g., a hash value) based on information about each device (e.g., the terminal identification information and the device identification information) and generate the authentication information (for example, a hash value over the medium specific information and the server generation key) from it, so that the server creation key, the device identification information, and/or the terminal identification information are not exposed even if the authentication information is leaked by a network attack. Also, the authentication system can generate authentication verification information from the server generation key it transmitted itself and the medium specific information it stores, without restoring or extracting the server generation key, device identification information, or terminal identification information from the received authentication information, and perform the verification procedure simply by comparing it with the authentication information received from the digital system, so the authentication procedure is simple.
In addition, since the user device that forms a pair with the digital system can be set in advance, an apparatus cannot be authenticated normally unless all the apparatuses constituting the pair are present, which remarkably improves security.
In addition, when a financial transaction is performed using a predetermined data processing apparatus or digital system, the account identification information of the predetermined receiving account is included in the information for personal authentication, so transfers to accounts other than the legitimate account, and the hacking behind them, can be fundamentally blocked.
In addition, when a financial transaction is conducted using a predetermined data processing apparatus or digital system, including the account identification information of the predetermined receiving account in the information for personal authentication prevents the smishing that can occur because the authentication step and the financial settlement step are distinct. In addition, as a side effect, the receiving account is displayed when the customer performs authentication, which heightens the customer's vigilance against smishing.
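As an added illustration (example code written for this page, not taken from the patent or from any implementation of it), the following Python simulation walks through the flow described in the summary and effects sections above: the authentication system issues a server creation key carrying its own time information and protects it so that it corresponds to the user device; the digital system performs the time validity check against its own clock and relays the key to a user device that has no timer; the user device derives the authentication information as a hash over the medium specific information (itself a hash of terminal and device identification) and the server key, bound to the receiving account as in the transfer case; and the authentication system verifies by recomputing from the key it sent and the medium specific information it stores, extracting nothing from the received value. The identifiers, the shared secret and HMAC used as the protection mechanism, SHA-256 as the hash, the one-minute tolerance window, and the single-use treatment of each server key are all assumptions of this example.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed sample values for the simulation (the patent specifies none of these).
TERMINAL_ID = "terminal-id-example"       # identification of the digital system (e.g. mobile terminal)
DEVICE_ID = "device-id-example"           # identification of the user device (e.g. smart card)
DEVICE_SECRET = b"example-shared-secret"  # assumed secret shared by authentication system and user device
TIME_TOLERANCE = 60                       # assumed window (seconds) for the time validity check
SERVER_TIME = 1_700_000_000               # constructed authentication-system clock value


def medium_specific_info(terminal_id: str, device_id: str) -> str:
    """Hash over terminal and device identification; the authentication system
    stores only this value, never the raw identifiers."""
    return hashlib.sha256(f"{terminal_id}|{device_id}".encode()).hexdigest()


def authentication_info(medium_info: str, server_key: str, account_id: str = "") -> str:
    """Authentication information: hash over medium specific information, server
    creation key and, for a transfer, the receiving account identification."""
    return hashlib.sha256(f"{medium_info}|{server_key}|{account_id}".encode()).hexdigest()


def protect_key(server_key: str) -> str:
    """Protection of the server key so that it corresponds to the user device,
    modelled here (an assumption) as an HMAC under the shared secret."""
    return hmac.new(DEVICE_SECRET, server_key.encode(), "sha256").hexdigest()


class AuthenticationSystem:
    def __init__(self) -> None:
        self.registered_pairs: set[str] = set()  # medium specific info of preset pairs
        self.issued_keys: dict[str, int] = {}    # server key -> issue time

    def enroll_pair(self, terminal_id: str, device_id: str) -> None:
        self.registered_pairs.add(medium_specific_info(terminal_id, device_id))

    def create_server_key(self, now: int) -> tuple[str, str]:
        # Server creation key = authentication-system time information + random value.
        key = f"{now}:{secrets.token_hex(8)}"
        self.issued_keys[key] = now
        return key, protect_key(key)

    def verify(self, server_key: str, auth_info: str, account_id: str = "") -> bool:
        # One-time use (assumed): the key must be one this system issued and not yet consumed.
        if self.issued_keys.pop(server_key, None) is None:
            return False
        # Recompute from what the system already holds; nothing is extracted from auth_info.
        return any(hmac.compare_digest(authentication_info(m, server_key, account_id), auth_info)
                   for m in self.registered_pairs)


class UserDevice:
    """User device without a timer: it relies on the time carried in the server key."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id

    def generate(self, terminal_id: str, server_key: str, tag: str, account_id: str = "") -> str | None:
        if not hmac.compare_digest(protect_key(server_key), tag):
            return None  # key was not protected for this device
        return authentication_info(medium_specific_info(terminal_id, self.device_id), server_key, account_id)


class DigitalSystem:
    def __init__(self, terminal_id: str, clock) -> None:
        self.terminal_id = terminal_id
        self.clock = clock  # callable returning the digital system's own time

    def time_is_valid(self, server_key: str) -> bool:
        server_time = int(server_key.split(":", 1)[0])
        return abs(server_time - self.clock()) <= TIME_TOLERANCE

    def confirm(self, device: UserDevice, server_key: str, tag: str, account_id: str = "") -> dict | None:
        # Relay the key only after the time validity check; the auth_info is never displayed.
        if not self.time_is_valid(server_key):
            return None
        auth_info = device.generate(self.terminal_id, server_key, tag, account_id)
        if auth_info is None:
            return None
        return {"server_key": server_key, "auth_info": auth_info, "account_id": account_id}


def run_scenario(clock_skew: int = 0, device_id: str = DEVICE_ID,
                 presented_account: str | None = None, replay: bool = False) -> bool:
    """Complete exchange; returns whether the authentication system accepts it."""
    auth = AuthenticationSystem()
    auth.enroll_pair(TERMINAL_ID, DEVICE_ID)  # the preset pair
    terminal = DigitalSystem(TERMINAL_ID, lambda: SERVER_TIME + clock_skew)
    device = UserDevice(device_id)
    key, tag = auth.create_server_key(SERVER_TIME)
    signal = terminal.confirm(device, key, tag, account_id="account-example-001")
    if signal is None:
        return False
    account = signal["account_id"] if presented_account is None else presented_account
    ok = auth.verify(signal["server_key"], signal["auth_info"], account)
    if replay:  # the same confirmation signal presented a second time
        ok = auth.verify(signal["server_key"], signal["auth_info"], account)
    return ok


if __name__ == "__main__":
    print("legitimate:", run_scenario())
    print("clock skewed 10 min:", run_scenario(clock_skew=600))
    print("unpaired device:", run_scenario(device_id="other-device"))
    print("account changed in transit:", run_scenario(presented_account="account-other"))
    print("replayed signal:", run_scenario(replay=True))
```

The scenarios at the bottom map onto the effects claimed above: a skewed digital-system clock fails the time validity check before the key is ever relayed, a device outside the preset pair produces authentication information that matches no stored medium specific information, a receiving account altered after the user device computed the hash no longer verifies, and a repeated confirmation signal is rejected because the key it references has already been consumed.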
BRIEF DESCRIPTION OF THE DRAWINGS A brief description of each drawing is provided for a fuller understanding of the drawings referred to in the detailed description of the invention.
Figure 1 shows schematic systems for implementing identity authentication using a user device in accordance with an embodiment of the present invention.
FIG. 2 shows a schematic configuration of a digital system according to an embodiment of the present invention.
FIG. 3 shows a schematic configuration of an authentication system according to an embodiment of the present invention.
FIG. 4 shows a schematic data flow of authentication of a user using a user device according to an embodiment of the present invention.
FIG. 5 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
FIG. 6 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
FIG. 7 is a diagram for explaining a process in which an authentication system performs an authentication procedure according to an embodiment of the present invention.
FIG. 8 is a diagram for explaining a process in which a digital system transmits a confirmation signal according to an embodiment of the present invention.
FIG. 9 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
FIG. 10 is a diagram for explaining an example in which the authentication method according to an embodiment of the present invention is applied to account transfer (remittance).
FIG. 11 shows an example of medium specific information that can be stored in an authentication system to implement the technical idea of the present invention.
In order to fully understand the present invention, its operational advantages, and the objects achieved by practicing it, reference should be made to the accompanying drawings, which illustrate preferred embodiments of the present invention, and to the description that accompanies them.
Also, in this specification, when one element 'transmits' data to another element, the element may transmit the data directly to the other element, or may transmit the data to the other element through at least one further element. Conversely, when one element 'directly transmits' data to another element, it means that the data is transmitted to the other element without passing through any other element.
BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail with reference to the preferred embodiments of the present invention with reference to the accompanying drawings. Like reference symbols in the drawings denote like elements.
Figure 1 shows schematic systems for implementing identity authentication using a user device in accordance with an embodiment of the present invention.
Referring to FIG. 1, a
The
The
According to another embodiment, the
According to another embodiment, the
Therefore, in the present invention, if the identification information of the
Hereinafter, for convenience of description, the
The
In this specification, tagging refers to the case where the
If the
Of course, another conventional authentication method (for example, authentication using an authorized certificate) may be performed before or after the authentication of the user according to the technical idea of the present invention, for higher security. It goes without saying that higher security can be provided when such dual authentication is performed.
According to one embodiment, the
For example, when the
Meanwhile, the device one-time information may be information generated by using a server generation key generated by the
The server creation key may be a random number value generated by the
The method of generating the one-time information by the
According to the technical idea of the present invention, problems of time synchronization between the user device 300 (or the digital system 100) and the
For example, when the
In order to determine whether the time information of the
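The time validity check described above can be made concrete with the following Python example. It is an added illustration, not code from the patent, which does not fix a key format or a one-time-information algorithm: it assumes a server generation key laid out as 16 random bytes followed by the authentication system's Unix time as an 8-byte big-endian integer, a 60-second validity window with 30 seconds of tolerated clock skew, and HMAC-SHA256 of the key under a per-device secret as the one-time information. All of these are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

RAND_LEN = 16           # random part of the server generation key (assumed layout)
KEY_LIFETIME_SEC = 60   # how long the digital system treats a key as valid (assumed)
CLOCK_SKEW_SEC = 30     # tolerated forward skew between the two clocks (assumed)


def make_server_key(auth_system_time: int, rand: Optional[bytes] = None) -> bytes:
    """Authentication system side: a random value plus the system's own time.

    The time embedded here, not the clock of the user device or terminal, is the
    basis for the one-time information, so no clock synchronisation is needed.
    """
    rand = os.urandom(RAND_LEN) if rand is None else rand
    if len(rand) != RAND_LEN:
        raise ValueError("random part has wrong length")
    return rand + struct.pack(">Q", auth_system_time)


def key_time(server_key: bytes) -> int:
    """Extract the time information carried inside the server generation key."""
    if len(server_key) != RAND_LEN + 8:
        raise ValueError("malformed server generation key")
    return struct.unpack(">Q", server_key[RAND_LEN:])[0]


def time_valid(server_key: bytes, local_time: int) -> bool:
    """Digital system side: compare the key's time with the local time.

    A replayed key issued long ago fails the lower bound; a key claiming a time
    further in the future than the tolerated skew fails the upper bound.
    """
    t = key_time(server_key)
    return local_time - KEY_LIFETIME_SEC <= t <= local_time + CLOCK_SKEW_SEC


def one_time_info(server_key: bytes, device_secret: bytes) -> bytes:
    """User device side: one-time information derived from the server key.

    HMAC-SHA256 keyed with a per-device secret (an assumed construction); the
    authentication system, which holds the secret registered for the device,
    recomputes the same value to verify.
    """
    return hmac.new(device_secret, server_key, hashlib.sha256).digest()


def digital_system_forward(server_key: bytes, local_time: int,
                           device_secret: bytes) -> Optional[bytes]:
    """Forward the key to the user device only if it passes the time check.

    Returns the one-time information the device produces, or None if the key
    was rejected before reaching the device.
    """
    if not time_valid(server_key, local_time):
        return None
    return one_time_info(server_key, device_secret)


def auth_system_verify(server_key: bytes, device_secret: bytes,
                       received: bytes, local_time: int) -> bool:
    """Authentication system side: repeat the window check, then recompute and
    compare in constant time so a compromised terminal cannot push a stale key."""
    if not time_valid(server_key, local_time):
        return False
    return hmac.compare_digest(one_time_info(server_key, device_secret), received)
```

Because the time information travels inside the key, the user device never consults its own clock; the digital system only compares the embedded time with its local time, and the authentication system repeats the same window check so that a stale key cannot be pushed through by a compromised terminal.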
The
For example, when the
For example, when the
For example, when the
When the
According to another embodiment of the present invention, the
For example, the server creation key may be encrypted to be decrypted by the
According to an embodiment, the server creation key may be transmitted to the
As described above, according to the technical idea of the present invention, by preventing the case where the server generation key transmitted from the
As a result, the method using the server generation key of the present invention can be compared with the conventional challenge response method, and the conventional challenge response method requires the client to be able to communicate with the
The
Then, the
According to another embodiment, the one-time information may simply include the server creation key and information about an object to be authenticated. The subject to be authenticated may be
In particular, when the authentication method according to the technical idea of the present invention is applied to an account transfer service, the identification information of the account to be remitted may be included in the authentication information as the information on the service authentication object, because authenticating the destination account is what matters in that service. Therefore, attacks such as conventional memory hacking, in which the remittance account is replaced with an account desired by the attacker after the user has input the remittance account and successfully authenticated, can be prevented, and money can be sent only to the account the user intends. It goes without saying that the type of service authentication object included in the authentication information may vary according to the service. Such an example will be described later in Fig.
As a result, the one-time information may simply include the server creation key and information about the authentication object (e.g., device identification information, terminal identification information, and / or additional service authentication objects necessary for the service).
For example, the one-time information may be information including any one of a server generation key and device identification information or terminal identification information, which is identification information of the
In this case, the device one-time information is transmitted to the
According to the embodiment, the information about the authentication object (for example, the server generation key, the device identification information, and / or the terminal identification information) itself is not included in the device one-time information but the information The one-time information may be generated in a predetermined manner.
As a result, the device one-time information can be generated based on the basic information, with the information on a predetermined authentication object as basic information.
The statement that the one-time information is generated from predetermined basic information covers both the case in which the basic information is included as it is and the case in which it is included (or mixed in) in a predetermined manner. According to an embodiment, each of the plural pieces of basic information may be protected (e.g., encoded, encrypted, and/or hashed) in a predetermined manner and the protected information included in the one-time information, or the plural pieces of basic information may first be combined (or mixed) in a predetermined manner and the result protected and included.
In any case, the authenticating side (i.e., the authentication system 200) knows the information corresponding to each piece of basic information from which the one-time information was generated, and generates server one-time information in the manner corresponding to that in which the one-time information was generated, so that one-time information which can be authenticated can be specified.
For example, the device identification information and / or the terminal identification information may be registered in the
As a result, the one-time information may be information generated based on at least one of a server generation key, terminal identification information that is identification information of the
In the
The media specific information herein may be unique information that is determined based on the media participating in the user's authentication behavior (i.e., communication between the
That is, the
When the authentication information is not stored in the
Whether the device one-time information is one-time information generated using the server generation key as an input value, information obtained by simply encrypting the server generation key with a predetermined encryption key, or information that simply includes the device identification information and/or the server generation key, the server generation key may be a random number value generated by the
In addition, one-time information may be generated by the
The device one-time information may be information that can be authenticated by the
As described above, according to the technical idea of the present invention, the
Also, according to one embodiment, the
Referring to FIG. 1, the
In addition, the
Also, the terminal one-time information may be generated by using the server generation key generated by the
In any case, the terminal one-time information may also be authenticated by the authentication unit included in the
As a result, according to the technical idea of the present invention, the
For example, the authentication system may generate server one-time information corresponding to the device one-time information and/or server one-time information corresponding to the terminal one-time information, and if the device one-time information and/or the terminal one-time information matches the corresponding server one-time information, the authentication can be judged to have succeeded. Of course, the authentication of the
The confirmation signal may be defined as including a series of information or signals including information necessary for the authentication procedure performed by the
Of course, when the authentication information includes both the device one-time information and the terminal one-time information, and both are authenticated by the
In any case, according to the technical idea of the present invention, the
Meanwhile, the
As a result, even if the
When the terminal's one-time information is generated based on the server generation key, the terminal's one-time information may include at least one of the server generation key received from the
In addition, the terminal one-time information generated by the
In addition, since the confirmation signal transmitted to the
The device one-time information generated by the
In addition, the
In any case, the confirmation signal transmitted by the
The device one-time information generated by the
The
The authentication procedure includes a one-time information authentication procedure for authenticating terminal one-time information generated by the
Software installed in the
However, since the software may be leaked or the software may be forged or falsified by attack, the authentication procedure according to the technical idea of the present invention may be performed by authenticating the hardware of the
As a result, when the hardware authentication procedure is additionally performed, the security of the authentication method according to the technical idea of the present invention can be further enhanced. Even if the user possessing the
The procedure for authenticating the device identification information according to an embodiment may be performed by the
The authentication procedure performed by the
Meanwhile, the authentication request may be transmitted to the
Further, the
According to an embodiment, the
Of course, in some implementations, the
Although the
According to one embodiment, the authentication of the user according to the technical idea of the present invention may be performed for settlement. In this case, the
According to another embodiment, the authentication request may be output by the
When the authentication request is received and an acknowledgment signal is received from the
In addition, the authentication procedure may further include authenticating user authentication information (e.g., PIN) of the
When the authentication operation is performed by the user, the
The terminal identification information may include identification information (e.g., identification information of a USIM, an IMSI, an IMEI, a MAC address) of the digital system 100 (hardware included in the
Meanwhile, the terminal one-time information generated by the
However, according to the embodiment of the present invention, the terminal one-time information or device one-time information may be included in the confirmation signal automatically, without being displayed and then input by the user, which makes the authentication operation convenient for the user. In addition, since there is no step in which the user inputs the terminal one-time information or device one-time information, the risk of leaking that information through key logging or the like is lowered. Of course, in such a case, for non-repudiation the user may still be required to input the user authentication information (e.g., PIN) of the
The
For example, in the case of a payment service, the
Hereinafter, the process of authenticating the user according to the technical idea of the present invention will be described in more detail. Hereinafter, for convenience of explanation, the
FIG. 2 shows a schematic configuration of a digital system according to an embodiment of the present invention.
Referring to FIG. 2, the
Herein, a module may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, each of the above components may refer to a logical unit of predetermined code and the hardware resources for executing that code, and does not necessarily mean physically connected code or a specific kind of hardware, as can be easily deduced by an average expert in the field of the present invention. Thus, each of the above components refers to a combination of hardware and software that performs the functions defined herein, and does not mean a specific physical configuration.
The
The user
The
The
The
Also, the
When the
Alternatively, the
The terminal one-time
Then, the
The
The
If the confirmation signal further includes the device identification information, the
Meanwhile, the
The server creation key may be received together with the authentication action request information and may be received separately before or after the authentication action request information is received by the
Of course, only the signal indicating that the authentication request has been performed in the
The authentication action request information may be displayed on a display device (not shown) included in the
The
Meanwhile, the
Also, the
If the user authentication using the user authentication information is not performed, the digital system may not transmit the confirmation signal to the
Or the
FIG. 3 shows a schematic configuration of an authentication system according to an embodiment of the present invention.
Referring to FIG. 3, an
The configuration of the
Also, the
The
The control unit 331 can control functions and / or resources of other components included in the authentication system 200 (e.g., the
The
The
Also, the
Also, according to an embodiment, as described above, the
Also, as described above, the authentication information may be information that simply includes the medium specific information (or the terminal identification information and/or the device identification information) and the server generation key, or information generated based on the medium specific information and the server generation key. In this case, the
The authentication procedure may include an authentication procedure for authenticating the one-time information included in the authentication information, authentication using the device identification information, authentication using the terminal identification information, and, as described above, at least one of authentication of whether the
When the one-time information includes the device one-time information, the authentication using the device identification information may optionally be omitted from the authentication check procedure. When the one-time information includes the terminal one-time information, the authentication using the terminal identification information may optionally be omitted from the authentication procedure. Of course, even if the one-time information includes the device one-time information or the terminal one-time information, the authentication using the device identification information and/or the authentication using the terminal identification information may still be performed by the
If the
The
The
Then, the
For this, the
When the
Meanwhile, when the terminal identification information is included in the confirmation signal, the
The
When the user authentication information (for example, the PIN information of the payment card, etc.) of the
FIG. 4 shows a schematic data flow of a user authentication method using a user apparatus according to an embodiment of the present invention.
FIG. 4 illustrates an example in which an authentication request is made via the
After confirming the authentication action request information, the user can communicate with the
Of course, the
Then, the
Then, the
As described above, the
FIG. 5 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.
Referring to FIG. 5, the
The
Then, the user can perform the authentication operation in response to this (S220).
According to another embodiment, the
The
The
According to an embodiment, the
Then, the
Meanwhile, the authentication request according to the embodiment of the present invention may be performed by a person other than the user of the
For example, if the authentication requestor, who is an acquaintance of the user, should log in to the user's web account, receive a certificate on behalf of the user, or require payment by a third party, the
Also, in the case of a payment service, when the authentication requester presents the identification information of the user in person or notifies the affiliate shop remotely, the affiliate shop sends an authentication request (that is, a payment request) to the authentication system (200). Of course, at this time, information on the authentication requester (for example, the name of the payment requester, a telephone number, etc.) may further be included, and information on the payment requester may be included in the authentication action request information.
In this case, the
According to another embodiment, an authentication requestor that is not a user inputs identification information of the
The authentication action request information may include information on the merchant, the payment details, and/or information on the payment requester. If the user confirms the authentication action request information and wishes to approve the settlement request corresponding to it, the user can perform the authentication operation as described above. The
The
As a result, according to the technical idea of the present invention, it is possible to provide a solution with high security in which authentication on behalf of a third-party authentication requester is very easy to perform.
In FIGS. 4 and 5, since only the identification information (e.g., telephone number) of the
FIG. 6 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.
Referring to FIG. 6, when the user notifies or inputs the identification information of his/her
For example, when the user notifies the identification information of his / her
According to an embodiment, the
For example, when the technical idea of the present invention is applied to a payment service, when a settlement amount is input to a data processing apparatus (for example, an affiliate terminal 400), the user inputs the
In the case where the authentication action request information is transmitted from the
When the authentication operation is performed by the user (S320), the terminal one-time information generated by the
Then, the
On the other hand, as described above, the case where the authentication information merely includes the server generation key and the medium specific information (or the terminal identification information and/or the device identification information), or where the authentication information is a determination value based on the server generation key and the medium specific information, will be described with reference to FIG.
FIG. 9 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.
Referring to FIG. 9, the
The
The
According to another embodiment, the
According to another embodiment, the
In this case, the
At this time, the server generation key may be transmitted to the
The
The
On the other hand, an example of the case where the authentication information includes additional information about the service authentication object, or where the authentication information is generated based on the information about the service authentication object, may be as shown in FIG.
In a conventional account transfer or remittance, when an authentication request (remittance request) including remittance account information (information capable of identifying the account to be remitted to) is made from the sender's apparatus (a mobile phone, computer, or the like), the sender is authenticated by a system (e.g., a financial institution system or an authentication center associated with the server of the operator performing the money transfer service) using an authorized certificate and/or an OTP. If the authentication succeeds, the remittance processing system (which may be included in the authentication system or implemented separately and connected to it) performs the remittance, as shown in FIG. At this point, malicious code distributed by an attacker and resident in a specific place (for example, memory) of the sender's apparatus may, once the authentication has finished, change the remittance account information sent to the remittance processing system to an account desired by the attacker, and the remittance processing system then transfers the money to the changed account. Because the remittance account information displayed on the sender's apparatus remains as the sender input it, the user may not be able to recognize the change. However, according to the technical idea of the present invention, such an attack can be prevented by incorporating the remittance account information into the authentication information as information on the service authentication object, or by generating the authentication information based on the remittance account information.
FIG. 10 is a diagram for explaining an example in which the authentication method according to an embodiment of the present invention is applied to account transfer (money transfer). In FIG. 10, the case where the remittance processing system is included in the
Referring to FIG. 10, a sender can transmit an authentication request (a transfer request) to the
The
Then, the
The authentication information may be information generated using the remittance account information as basic information. For example, the authentication information may be generated based on the server generation key, the device identification information and/or the terminal identification information, and the remittance account information. In some implementations, only the server generation key and the remittance account information may be used as the basic information of the authentication information. That is, according to the embodiment, the
In any case, the authentication information may be one-time information generated based on the server generation key and the remittance account information.
Such authentication information may be included in the confirmation signal and transmitted to the
Then, the remittance processing system may perform an authentication check procedure for authenticating the authentication information (S770). The apparatus that authenticates the sender according to the embodiment may be a separate apparatus from the remittance processing system. In this case, it is preferable that the authentication information separately includes the information used to authenticate the sender (the server generation key, the terminal identification information and/or the device identification information, or the medium specific information) and the remittance account information (or a determination value based on the remittance account information).
In any case, through the authentication check procedure the remittance processing system can determine whether the account to which it is about to remit corresponds to the remittance account information input by the sender. That is, it can check whether the remittance account information (or determination value) included in the authentication information corresponds to the remittance account information (or determination value) of the account to which it is about to remit, or, when the authentication information itself is a determination value based on the remittance account information, whether the determination value it computes from the account to which it is about to remit corresponds to the authentication information received from the
As described above, according to the technical idea of the present invention, the remittance processing system can perform the authentication confirmation procedure for authenticating the authentication information received from the
Of course, after the remittance is performed, the
FIG. 7 is a diagram for explaining a process in which an authentication system performs an authentication procedure according to an embodiment of the present invention.
Referring to FIG. 7, the
If authentication of the authentication information (one-time information) is successful, it can be determined that the authentication confirmation process has succeeded (S460). If the authentication of the one-time information fails, it can be determined that the authentication confirmation process has failed (S450).
The
Although FIG. 7 shows the authentication of the device identification information, the authentication of the terminal identification information, and the authentication of the pair being performed sequentially, it is needless to say that the order of these authentications can be changed.
For example, if authentication of the one-time information is successful as shown in FIG. 7, the
When the
When the
FIG. 8 is a diagram for explaining a process in which a digital system transmits a confirmation signal according to an embodiment of the present invention.
Referring to FIG. 8, a user may input user authentication information (e.g., a PIN of a payment card) of the
The
In order for the
In any case, if the
Although FIG. 8 shows an example in which the user authentication is performed before the pair authentication, it is needless to say that the pair authentication may be performed first.
In FIG. 8, the user authentication information (e.g., PIN) of the
According to an embodiment, the
FIG. 11 shows an example of medium specific information that can be stored in an authentication system to implement the technical idea of the present invention.
Referring to FIG. 11, the
Further, a plurality of user devices (device identification information b1, b2) may be set as pairs with a specific digital system (terminal identification information B). In this case, the authentication according to the technical idea of the present invention can succeed when B communicates with b1 or when B communicates with b2.
As shown in FIG. 11A, in the
However, as described above, the
For example, the medium specific information corresponding to user 1 may be h1, where h1 may be a determination value (e.g., a hash value) determined from the terminal identification information A and the corresponding device identification information. The medium specific information corresponding to user 2 may be h2 and h3, where h2 is a determination value (e.g., a hash value) determined from the terminal identification information B and the device identification information b1, and h3 is a determination value (e.g., a hash value) determined from the terminal identification information B and the device identification information b2. If the medium specific information is stored in the
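The following Python example, added here and not taken from the patent, ties together the scheme introduced at the start of this section (medium specific information, and verification without recovering the server generation key or the identifiers from the authentication information), the account transfer example of FIG. 10, and the registry of FIG. 11. It assumes SHA-256 over length-prefixed inputs as the determination value, a 16-byte random server generation key, and constructed identifiers (A, a, B, b1, b2), user names and account numbers; the patent specifies none of these.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set


def determination_value(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (assumed construction).

    The length prefix keeps ("AB", "c") and ("A", "Bc") from hashing alike.
    """
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def medium_specific_info(terminal_id: str, device_id: str) -> bytes:
    """h = hash(terminal identification information, device identification information).

    Computed by the digital system after tagging and stored by the authentication
    system at registration, so neither identifier has to travel in the clear.
    """
    return determination_value(terminal_id.encode(), device_id.encode())


def authentication_info(server_key: bytes, medium: bytes, remittance_account: str) -> bytes:
    """Authentication information bound to the server generation key, the medium
    and the account the sender typed. Leaking this value reveals none of its inputs."""
    return determination_value(server_key, medium, remittance_account.encode())


# Registry in the shape of FIG. 11: user -> medium specific information of each
# registered pair. user1 has pair (A, a); user2 has pairs (B, b1) and (B, b2).
# All identifiers and user names are constructed for this example.
REGISTRY: Dict[str, Set[bytes]] = {
    "user1": {medium_specific_info("A", "a")},
    "user2": {medium_specific_info("B", "b1"), medium_specific_info("B", "b2")},
}


class AuthenticationSystem:
    """Issues server generation keys and verifies without reconstructing identifiers."""

    def __init__(self, registry: Dict[str, Set[bytes]]):
        self.registry = registry
        self.issued: Dict[str, bytes] = {}   # outstanding key per user

    def issue_key(self, user: str) -> bytes:
        key = os.urandom(16)                 # random server generation key (assumed size)
        self.issued[user] = key
        return key

    def verify(self, user: str, account_to_remit: str, received_auth_info: bytes) -> bool:
        """Recompute over every registered medium of this user with the account the
        remittance system is actually about to use; a mismatch in any input fails."""
        key = self.issued.pop(user, None)    # each key verifies at most once
        if key is None:
            return False
        ok = False
        for medium in self.registry.get(user, ()):
            expected = authentication_info(key, medium, account_to_remit)
            ok |= hmac.compare_digest(expected, received_auth_info)
        return ok


def remittance_flow(user: str, terminal_id: str, device_id: str,
                    typed_account: str, malware_swaps_to: Optional[str] = None) -> bool:
    """Simulate the flow of FIG. 10: the sender types an account, the terminal and
    the tagged device produce the authentication information, and malware may
    rewrite the account the remittance processing system sees afterwards."""
    auth = AuthenticationSystem(REGISTRY)
    key = auth.issue_key(user)                                    # key sent to the terminal
    medium = medium_specific_info(terminal_id, device_id)          # computed after tagging
    info = authentication_info(key, medium, typed_account)         # carried in the confirmation signal
    account_seen_by_processor = malware_swaps_to or typed_account  # memory hacking happens here
    return auth.verify(user, account_seen_by_processor, info)
```

The registry holds only the h values, so a leak of the table or of a confirmation signal yields neither the terminal nor the device identifier, and the verifier never inverts anything: it recomputes the expected value for each registered pair of the user with the account the remittance system is actually about to use. A pair that was never registered, a device belonging to another user, a replayed key, and an account rewritten in memory after the user typed it all fail the same comparison.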
The authentication method using the user apparatus according to the embodiment of the present invention can be implemented as computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a hard disk, a floppy disk, and an optical data storage device, and also include implementation in the form of a carrier wave (for example, ...). In addition, the computer-readable recording medium may be distributed over network-connected computer systems so that the computer-readable code can be stored and executed in a distributed manner. Functional programs, codes, and code segments for implementing the present invention can be easily inferred by programmers skilled in the art to which the present invention pertains.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.
Claims (21)
Wherein the digital system transmits the server creation key to the user apparatus through communication with the user apparatus and receives the authentication information generated by the user apparatus based on the transmitted server creation key,
When the communication is performed, the digital system generates authentication information based on the server generation key,
The server creation key includes:
And authenticating the user using the user device including the time information of the authentication system.
Wherein the digital system further comprises the step of transmitting an acknowledgment signal including the authentication information to the authentication system without displaying the authentication information in the digital system.
Further comprising performing a time validity checking procedure in which the digital system compares the server generated key with time information of the digital system,
If the time validity is confirmed as a result of performing the time validity checking procedure,
Transmitting the server creation key to the user device,
Generates authentication information using the server creation key,
And a user device that processes the authentication information generated by the user apparatus or the digital system as valid authentication information.
Wherein the digital system is information protected by the user apparatus so as to correspond to the user apparatus.
further comprising the step of the digital system determining whether the user device is a preset pair corresponding to the digital system, and transmitting the acknowledgment signal including the authentication information to the authentication system only if the user device is the preset pair.
the digital system using the received server generation key to confirm the validity of the time information to be used as base information for generating one-time information, that time information being first time information of the digital system or second time information of the user device communicating with the digital system; and the digital system, through communication with the user device, receiving authentication information generated by the user device based on the validated second time information, or transmitting the validated first time information to the user device and receiving authentication information generated by the user device based on it, or generating the authentication information itself based on the validated first time information, wherein the server generation key includes time information of the authentication system.
the authentication system receiving authentication information from the digital system or from a data processing device of the user, the authentication information being generated by the user device, or by the digital system while the digital system is communicating with a predetermined user device, based on the server generation key; the authentication system performing an authentication check procedure on the received authentication information; and, if the authentication check procedure succeeds, processing as successful an authentication request output from the data processing device or the digital system to the authentication system or to a service system connected to the authentication system.
wherein the server generation key is one whose time validity has been verified by the digital system, the authentication information is generated by the user device after the server generation key is transmitted to it or is generated by the digital system, and the authentication information generated by the user device or the digital system is processed by the digital system as valid authentication information.
further comprising the authentication system protecting the server generation key so as to correspond to the user device, and transmitting the protected server generation key to the digital system.
further comprising the authentication system determining whether the user device and the digital system are a preset pair corresponding to each other, and determining that the authentication check procedure is successful only if they are the preset pair.
the authentication system receiving authentication information from the digital system or from a data processing device of the user, the authentication information being generated by the user device, or by the digital system while the digital system is communicating with a predetermined user device, based on time information whose validity has been confirmed; the authentication system performing an authentication check procedure on the received authentication information; and, if the authentication check procedure succeeds, processing as successful an authentication request output from the data processing device or the digital system to the authentication system or to a service system connected to the authentication system, wherein the authentication information is generated by the digital system or the user device based on first time information of the digital system whose validity was confirmed using the server generation key, or is generated by the user device based on second time information of the user device whose validity was confirmed.
a user device communication module for communicating with a predetermined user device; a communication module for receiving a server generation key from an authentication system; and a control module that transmits the server generation key to the user device through the user device communication module and receives the authentication information generated by the user device based on the transmitted server generation key, or that generates the authentication information based on the server generation key when that communication is performed, wherein the server generation key includes time information of the authentication system.
wherein the control module transmits an acknowledgment signal including the authentication information to the authentication system without displaying the received or generated authentication information on the digital system.
wherein the control module performs a time validity checking procedure that compares the server generation key with time information of the digital system and, only if time validity is confirmed, transmits the server generation key to the user device or generates authentication information using the server generation key, and processes the authentication information generated by the user device or by the digital system as valid authentication information.
a user device communication module for communicating with a predetermined user device; a communication module for receiving, from an authentication system, a server generation key including time information of the authentication system; and a control module that uses the received server generation key to confirm the validity of the time information to be used as base information for generating one-time information, that time information being first time information of the digital system or second time information of a user device communicating with the digital system, and that receives, through communication with the user device, authentication information generated by the user device based on the validated second time information, or transmits the validated first time information to the user device and receives authentication information generated by the user device based on it, or generates the authentication information itself based on the validated first time information.
an authentication unit that generates a server generation key to be transmitted to a digital system of the user, the server generation key including time information of the authentication system, and performs an authentication check procedure on authentication information included in an acknowledgment signal received from the digital system or from a data processing device of the user, wherein the authentication information is generated by the user device, or by the digital system while the digital system is communicating with a predetermined user device, based on the server generation key; and a control unit for processing as successful an authentication request output from the data processing device or the digital system to the authentication system or to a service system connected to the authentication system if the authentication check procedure is successful.
wherein the server generation key is one whose time validity has been verified by the digital system, the authentication information is generated by the user device after the server generation key is transmitted to it or is generated by the digital system, and the authentication information generated by the user device or the digital system is processed by the digital system as valid authentication information.
wherein the authentication unit protects the server generation key so as to correspond to the user device and transmits the protected server generation key to the digital system.
wherein the authentication unit determines whether the user device and the digital system are a preset pair corresponding to each other, and judges the authentication check procedure successful only if they are the preset pair.
an authentication unit that generates a server generation key to be transmitted to a digital system of the user, the server generation key including time information of the authentication system, and performs an authentication check procedure on authentication information included in an acknowledgment signal received from the digital system or from a data processing device of the user, wherein the authentication information is generated by the user device, or by the digital system while the digital system is communicating with a predetermined user device, based on time information whose validity has been confirmed; and a control unit for processing as successful an authentication request output from the data processing device or the digital system to the authentication system or to a service system connected to the authentication system if the authentication check procedure is successful, wherein the authentication information is generated by the digital system or the user device based on first time information of the digital system whose validity was confirmed using the server generation key, or is generated by the user device based on second time information of the user device whose validity was confirmed.
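The claims above describe one exchange: the authentication system issues a time-stamped, device-bound server generation key; the digital system checks that key's time against its own clock and confirms the user device is its preset pair; the user device derives one-time authentication information from the key; the digital system forwards that information in an acknowledgment signal without displaying it; the authentication system verifies it and only then treats the pending authentication request as successful. The following is an added worked example of that exchange and is not code from the patent or its applicant. Everything concrete in it is an assumption the claims leave open: HMAC-SHA256 as the protection of the key and as the one-time function, a 60-second validity window at the digital system, a 30-second time step with one adjacent step of skew tolerance at the authentication system, a static pairing table, a pre-registered per-device secret, and one-shot consumption of each issued key. Only the variant in which the user device (not the digital system) generates the authentication information is modelled. The names `AuthenticationSystem`, `DigitalSystem`, `UserDevice` and the scenario data are constructed for illustration.

```python
import hashlib
import hmac
import struct

TOLERANCE = 60  # assumed: maximum |key time - digital system time| accepted as time-valid
STEP = 30       # assumed: time-step granularity of the one-time authentication information


def _mac(secret: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (assumed construction, not the patent's)."""
    h = hmac.new(secret, digestmod=hashlib.sha256)
    for p in parts:
        h.update(struct.pack(">I", len(p)))
        h.update(p)
    return h.digest()


def key_tag(secret: bytes, ds_id: str, key_time: int) -> bytes:
    """Protection of the server generation key: bound to one user device's registered secret."""
    return _mac(secret, b"server-generation-key", ds_id.encode(), struct.pack(">Q", key_time))


def one_time_info(secret: bytes, tag: bytes, t: int) -> bytes:
    """Authentication information: one-time value from the protected key and the generator's time."""
    return _mac(secret, b"authentication-information", tag, struct.pack(">Q", t // STEP))


class UserDevice:
    def __init__(self, ud_id: str, secret: bytes):
        self.ud_id, self.secret = ud_id, secret

    def generate(self, key: dict, now: int):
        # Refuse keys not protected for this device (other device, tampered time, other target).
        if not hmac.compare_digest(key_tag(self.secret, key["ds"], key["time"]), key["tag"]):
            return None
        return one_time_info(self.secret, key["tag"], now)


class DigitalSystem:
    def __init__(self, ds_id: str, paired_device: str):
        self.ds_id, self.paired_device = ds_id, paired_device

    def handle_key(self, key: dict, device: UserDevice, now: int):
        """Time validity check, pairing check, relay to the device, build the acknowledgment.
        Returns the acknowledgment signal or None; the information is never displayed."""
        if key["ds"] != self.ds_id or abs(key["time"] - now) > TOLERANCE:
            return None                      # misdirected or stale key
        if device.ud_id != self.paired_device or device.ud_id != key["ud"]:
            return None                      # not the preset pair for this digital system
        info = device.generate(key, now)     # the user device generates; this side only relays
        return None if info is None else {"ds": self.ds_id, "ud": device.ud_id, "info": info}


class AuthenticationSystem:
    def __init__(self, device_secrets: dict, pairs: set):
        self.device_secrets, self.pairs = device_secrets, pairs
        self.pending = {}                    # ds_id -> issued key awaiting one acknowledgment

    def issue_key(self, ds_id: str, ud_id: str, now: int) -> dict:
        key = {"ds": ds_id, "ud": ud_id, "time": now,
               "tag": key_tag(self.device_secrets[ud_id], ds_id, now)}
        self.pending[ds_id] = key
        return key

    def check(self, ack: dict, now: int) -> bool:
        """Authentication check: recompute the one-time value over the key this side issued.
        Accepts one adjacent time step either side for clock skew (assumed tolerance)."""
        key = self.pending.pop(ack["ds"], None)            # one-shot: a replayed ack finds no key
        if key is None or key["ud"] != ack["ud"] or (ack["ds"], ack["ud"]) not in self.pairs:
            return False
        secret = self.device_secrets[ack["ud"]]
        return any(hmac.compare_digest(one_time_info(secret, key["tag"], now + d * STEP), ack["info"])
                   for d in (-1, 0, 1))


def run_scenarios() -> dict:
    """Constructed scenario data (not from the patent): one digital system paired with device A."""
    secret_a, secret_b = b"registered-secret-of-device-A", b"registered-secret-of-device-B"
    auth = AuthenticationSystem({"A": secret_a, "B": secret_b}, {("DS-1", "A")})
    ds = DigitalSystem("DS-1", paired_device="A")
    dev_a, dev_b = UserDevice("A", secret_a), UserDevice("B", secret_b)
    t, out = 1_700_000_000, {}
    # 1. normal flow: key issued, relayed, acknowledged, verified
    key = auth.issue_key("DS-1", "A", t)
    ack = ds.handle_key(key, dev_a, t + 5)
    out["accepted"] = ack is not None and auth.check(ack, t + 7)
    # 2. replaying the same acknowledgment fails: the key was consumed
    out["replay_rejected"] = not auth.check(ack, t + 8)
    # 3. stale key: the digital system's time validity check fails
    key = auth.issue_key("DS-1", "A", t)
    out["stale_rejected"] = ds.handle_key(key, dev_a, t + TOLERANCE + 1) is None
    # 4. a device that is not the preset pair is refused by the digital system
    key = auth.issue_key("DS-1", "A", t)
    out["unpaired_rejected"] = ds.handle_key(key, dev_b, t) is None
    # 5. a key protected for device B yields nothing on device A
    key = auth.issue_key("DS-1", "B", t)
    out["wrong_device_key_rejected"] = dev_a.generate(key, t) is None
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The two checks the claims single out, time validity at the digital system and pairing at both the digital system and the authentication system, are the ones that matter in practice: without the clock comparison a captured key can be replayed at leisure, and without the pairing check any device within range of the digital system could answer on the user's behalf. The one-shot `pending` table is an added precaution the claims do not mention; it closes the replay of a complete acknowledgment within the skew window.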
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150036027A KR20160111190A (en) | 2015-03-16 | 2015-03-16 | Method for authentication using user apparatus, digital system, and authentication system thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150036027A KR20160111190A (en) | 2015-03-16 | 2015-03-16 | Method for authentication using user apparatus, digital system, and authentication system thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20160111190A true KR20160111190A (en) | 2016-09-26 |
Family
ID=57068390
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150036027A KR20160111190A (en) | 2015-03-16 | 2015-03-16 | Method for authentication using user apparatus, digital system, and authentication system thereof |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20160111190A (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20130029983A (en) | 2011-09-16 | 2013-03-26 | (주)에이티솔루션즈 | Recording medium, method and device for log-in or certification use of near field communication |
2015-03-16 KR KR1020150036027A patent/KR20160111190A/en unknown
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA3017893C (en) | System and method for certificate issuance based on block chain | |
US20130219481A1 (en) | Cyberspace Trusted Identity (CTI) Module | |
JP2018516505A (en) | Authentication in the ubiquitous environment | |
KR20150072955A (en) | Method for payment using card, digital system, and settlment side system thereof | |
KR101467242B1 (en) | Digital system for pair user authentication, authentication system, and providing method thereof | |
KR101498120B1 (en) | Digital certificate system for cloud-computing environment and method thereof | |
KR101574169B1 (en) | Method for authentication using user apparatus, digital system, and authentication system thereof | |
KR102122555B1 (en) | System and Method for Identification Based on Finanace Card Possessed by User | |
KR20160084789A (en) | Method for authentication, digital system, and authentication system thereof | |
KR20140020337A (en) | Method for authentication using user apparatus, digital system, and authentication system thereof | |
KR20200022194A (en) | System and Method for Identification Based on Finanace Card Possessed by User | |
KR20150077379A (en) | Method for authentication using user apparatus, digital system, and authentication system thereof | |
KR20160084786A (en) | Method for authentication using user apparatus, digital system, and authentication system thereof | |
KR101491515B1 (en) | Method for authentication using user apparatus, digital system, and authentication system thereof | |
KR101700833B1 (en) | Card User Authentication System and Authentication Server and Portable Device for the same | |
KR101621265B1 (en) | Method for authentication using user apparatus, digital system, and authentication system thereof | |
KR101603684B1 (en) | Method for authentication using user apparatus, digital system, user apparatus, and authentication system thereof | |
KR20160111190A (en) | Method for authentication using user apparatus, digital system, and authentication system thereof | |
US11960581B2 (en) | Mobile device secret protection system and method | |
KR101682678B1 (en) | Card Transaction System and Encryption/Decryption Server for the same | |
KR20150088571A (en) | Method for authentication using user apparatus, digital system, user apparatus, and authentication system thereof | |
KR20140033189A (en) | Method for authentication using user apparatus, digital system, user apparatus, and authentication system thereof | |
KR20150089569A (en) | Method for authentication using user apparatus, digital system, user apparatus, and authentication system thereof | |
KR20200103615A (en) | System and Method for Identification Based on Finanace Card Possessed by User | |
KR20150075620A (en) | Method for authentication using user apparatus, digital system, and authentication system thereof |