KR20160111190A - Method for authentication using user apparatus, digital system, and authentication system thereof - Google Patents

Method for authentication using user apparatus, digital system, and authentication system thereof Download PDF

Info

Publication number
KR20160111190A
KR20160111190A KR1020150036027A KR20150036027A KR20160111190A KR 20160111190 A KR20160111190 A KR 20160111190A KR 1020150036027 A KR1020150036027 A KR 1020150036027A KR 20150036027 A KR20150036027 A KR 20150036027A KR 20160111190 A KR20160111190 A KR 20160111190A
Authority
KR
South Korea
Prior art keywords
authentication
information
digital system
user
user device
Prior art date
Application number
KR1020150036027A
Other languages
Korean (ko)
Inventor
김동진
김대진
심충섭
Original Assignee
주식회사 씽크풀
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 씽크풀 filed Critical 주식회사 씽크풀
Priority to KR1020150036027A priority Critical patent/KR20160111190A/en
Publication of KR20160111190A publication Critical patent/KR20160111190A/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A user authentication method using a user device, a digital system therefor, and an authentication system are disclosed. The method of authenticating a user using the user device includes the steps of: receiving a server generation key from an authentication system, the digital system transmitting the server generation key to the user device through communication with the user device, And generating the authentication information on the basis of the server creation key when the communication is performed, wherein the server creation key is a key for authenticating the authentication Includes time information of the system.

Description

Technical Field [0001] The present invention relates to a user authentication method using a user device, a digital system for the same, and an authentication system using the same,

The present invention relates to a user authentication method using a user device, a digital system and an authentication system therefor, and more particularly to a digital authentication system and a user authentication method using a user who wants to use various services (for example, financial transactions such as login, Authentication method and system using the user device and the digital system (e.g., mobile terminal) when the user authentication is to be performed.

In particular, the authentication system generates the server creation key, the generated server creation key is transmitted to the digital system, the user apparatus or the digital system generates the authentication information using the transmitted server creation key, To a secure and simple yet highly secure authentication method and system thereof.

Conventional technology related to identity authentication has traditionally used identity and password authentication. However, such a conventional authentication method has a problem that it is difficult to perform a normal authentication function when an ID and a password are leaked. To complement this, various authentication schemes have appeared.

For example, there are authentication of the mobile phone itself, authentication by a user using an authorized certificate, authentication using an OTP, authentication of an i-PIN (Internet Personal Identification Number), or authentication using a credit card.

Authorized certificate authentication is an authentication protocol with a relatively high security level, but it is not easy to carry the authorized certificate stably and there are disadvantages such as complicated authentication process. In addition, the public certificate has also recently been leaked in large quantities, thus posing a problem of safety.

The i-PIN is a method of authenticating the user by using a virtual identification number used on the Internet. The user must know a new identification number in advance, and it is difficult to perform a normal authentication function once an exposure is performed as in an ID password method There are constraints.

In addition, the authentication of the mobile phone itself is problematic in that it is susceptible to smsing and the like by a method of authenticating occupation of the mobile phone by using the authentication number.

Also, since all of these conventional technologies are a method of inputting a password (certificate password, I-PIN password) or an authentication number, if a password or an authentication number is exposed to another person, the authentication of the user is inevitable. There is a high risk of exposure to hacking.

In addition, in the case of authentication using the OTP, the user can authenticate only when the user has the OTP client (OTP token). Also, the user is required to generate the OTP through the OTP client, There is a presence.

Accordingly, a technical idea that can provide a highly secure personal authentication protocol while maintaining convenience compared with conventional authentication technologies is required along with a payment protocol.

In addition, online crime becomes more intelligent and frequent as online financial transactions become more active, so the need for 2-channel authentication is increasing. Technological thinking is required to enable users to easily perform authentication while enabling 2-channel authentication.

In this case, the authentication request and the authentication action to be performed by a legitimate user can be separated so that the authentication request and the authentication request are authenticated, so that the information necessary for authentication can be easily exposed to the other person. A technical idea that allows the use of the service without requiring the service is required.

In order to use conventional one-time information (e.g., OTP), a client (e.g., OTP token) and an authentication side (e.g., OTP authentication server) , And time information). Especially, in order to generate one-time information through the time synchronization method which is widely used recently, time synchronization between the client and the authentication side is very important. In order to synchronize the time, the client side must be able to confirm the time. However, according to the technical idea of the present invention, the user device (e.g., a smart card or the like) may not have a timer. Even if a timer is provided in a user device or a digital system, it may be difficult to substantially synchronize the time with the timer of the user device and the authentication side (e.g., authentication system).

Korean Patent Application Publication No. 10-2013-0029983 "Method, apparatus and recording medium for authentication processing using local area communication"

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and it is an object of the present invention to provide a digital system and a user device which are highly likely to be carried by a user. In addition, the present invention provides a two-channel personal authentication, a long-term personal authentication, or a technical idea enabling a third party to easily perform a personal authentication for allowing a legitimate user to provide a service.

In addition, since authentication can be performed using one-time information (e.g., OTP), it is necessary to have a separate one-time information generating device (e.g., OTP client) for generating one-time information It is to provide a technical idea that can carry out the simple and secure self-certification without.

In addition, the generation of the one-time information can be performed through a digital system or a user device (e.g., a smart card or the like) carried by the user, so that the risk that authentication due to illegal copying of the digital system or the user device can be performed And to provide technological ideas that can be significantly lowered.

In addition, the digital system transmits an acknowledgment signal including the one-time information only when the digital system communicates with the user equipment, thereby providing a higher level of security.

In addition, it does not require a process of providing the user with the one-time information while inputting the one-time information, thereby providing the user with the technical idea of authentication of the user, which is robust against attacks through key logging .

Further, the digital system or the user apparatus generates authentication information including one-time information using a server generation key (e.g., a random number value, a time value, or OTP) generated in the authentication side This is to provide a high authentication method. The present invention provides a technical idea that can use the server generation key even when one-time information is generated by a user apparatus that can not directly communicate with the authentication side.

In particular, the authentication system may store the terminal identification information or the device identification information itself to authenticate the digital system or the user device, but may be determined based on the terminal identification information or the device identification information without storing the terminal identification information or the device identification information itself It is possible to authenticate the digital system and the user device by storing the predetermined medium specific information (e.g., the terminal identification information and the hash value using the device identification information), and even if the authentication system is attacked, To provide an authentication scheme in which device identification information may not be exposed.

In addition, although the digital system may simply include the server generation key and at least the terminal identification information and / or the device identification information in the authentication information for authentication, the media identification information (e.g., the hash value ), And generates authentication information (e.g., medium specific information and a hash value of the server generation key) based on the generated medium specific information (e.g., the terminal identification information and the hash value of the apparatus identification information) , The server generation key, the device identification information, and / or the terminal identification information may not be exposed even when the authentication information is leaked due to an attack of the network. Also, the authentication system may use the server generated key transmitted by itself and the medium unique information stored therein, without restoring or extracting the server generated key, device identification information, and terminal identification information from the authentication information for the authentication check procedure The authentication verification information can be generated by simply comparing the authentication information received from the digital system with the authentication information received from the digital system, thereby providing an authentication method in which a simple authentication procedure can be performed.

The present invention also provides a technical idea that allows a digital system and / or a user device to be used for an authentication operation to be predetermined and perform authentication of the user only through the digital system and / or the user device.

In addition, a digital system to be used for the authentication operation and a user apparatus that is paired with the digital system are set in advance, and authentication is successful only when communication (for example, contact or non-contact type) So as to provide a technical idea capable of providing a synergistic effect of remarkable security.

In addition, in the case of conducting a financial transaction using a predetermined data processing apparatus or a digital system, account identification information of a predetermined receiving account is included in information for performing authentication of the principal, so that an authentication step and a financial settlement step ), It is possible to provide a technical idea that can fundamentally control the smoothing and the memory hacking that may occur due to the distinction between them.

It is also possible to synchronize the time with an authentication side (e.g., an authentication system) that may occur when the client side (e.g., digital system or user device) generates authentication information using a timer of the user device or digital system (Time information) of a digital system, or a problem caused by arbitrary change.

According to another aspect of the present invention, there is provided a method for authenticating a user, comprising: receiving a server generation key from an authentication system of a digital system; And receiving the authentication information generated by the user device based on the transmitted server generated key, or when the communication is performed, the digital system generates authentication information based on the server generated key , And the server creation key includes time information of the authentication system.

The method for authenticating a user using the user device may further include transmitting the confirmation signal including the authentication information to the authentication system without displaying the authentication information in the digital system.

The method of authenticating a user using the user device further includes performing a time validity checking procedure in which the digital system compares the server generated key with time information of the digital system, The digital system transmits the server creation key to the user device, generates authentication information using the server creation key, or transmits the authentication information generated by the user device or the digital system to valid authentication information Can be processed.

And the server creation key is information protected in the digital system so as to correspond to the user apparatus.

The authentication method using the user device further comprises a step of determining whether the digital system is a preset pair so that the user equipment corresponds to the digital system, And transmits an authentication signal including the authentication signal to the authentication system.

According to another aspect of the present invention, there is provided an authentication method including: receiving a server generation key from an authentication system of a digital system; generating time information to be used as information based on generation of one- Wherein the time information is validating the first time information of the digital system or the second time information of the user apparatus communicating with the digital system, The authentication information generated by the user apparatus based on the second time information that has been verified, or the authentication information based on the first time information whose validity is confirmed, To the user device to generate authentication information, wherein the server creation key And time information of the authentication system.

According to another aspect of the present invention, there is provided an authentication method including the steps of transmitting an authentication system to a digital system of a user with a server creation key, the server creation key including time information of the authentication system, Or authentication information from the user's data processing device, the authentication information being generated by the user device or generated by the digital system when the digital system communicates with a predetermined user device, Wherein the authentication system is operable to perform an authentication procedure to authenticate the received authentication information, and wherein the authentication process is successful from the data processing apparatus or the digital system to the authentication system Or a service time associated with the authentication system It may comprise the step of processing the successful authentication request outputted to the system.

Wherein the authentication information is to be verified by the digital system for time validity, the server generation key is transmitted to the user device to be generated by the user device, generated by the digital system, And the authentication information generated by the digital system is processed as valid authentication information by the digital system.

Wherein the authentication method using the user device further comprises a step of protecting the server generation key so that the authentication system corresponds to the user device and the protected server generation key is transmitted to the digital system can do.

Wherein the authentication method using the user device further includes a step of determining whether the authentication system is a preset pair so that the user device and the digital system correspond to each other, It is possible to make a judgment.

According to another aspect of the present invention, there is provided an authentication method including the steps of transmitting an authentication system to a digital system of a user with a server creation key, the server creation key including time information of the authentication system, Or authentication information from the data processing device of the user when the digital system communicates with a predetermined user device, the authentication information being generated by the user device or generated by the digital system, The method comprising the steps of: performing an authentication procedure to authenticate the authentication information received by the authentication system; and transmitting, from the data processing apparatus or the digital system, The authentication system or the authentication system And the authentication information is transmitted to the digital system or the user device based on first time information of the digital system whose legitimacy has been verified using the server generation key, Or information generated by the user apparatus based on second time information of the user apparatus that has been confirmed as being legitimate.

The above method can be implemented by a computer program installed in the data processing apparatus.

According to an aspect of the present invention, there is provided a digital system comprising a user device communication module for performing communication with a predetermined user device, a communication module for receiving a server generation key from the authentication system, A control module for receiving authentication information generated by the user device based on the server generated key transmitted to and transmitted from the user device or generating authentication information based on the server generated key when the communication is performed And the server creation key includes time information of the authentication system.

The control module transmits an authentication signal including the authentication information to the authentication system without displaying the authentication information received or generated in the digital system.

The control module performs a time validity check procedure for comparing the server generated key with the time information of the digital system and transmits the server generated key to the user device when the time validity is confirmed as a result of the execution, Or the authentication information generated by the user apparatus or the digital system may be treated as legitimate authentication information.

According to an aspect of the present invention, there is provided a digital system including a user equipment communication module for performing communication with a predetermined user device, a communication module for receiving a server generation key including time information of the authentication system from the authentication system, Time information to be used as basic information for generation of one-time information using a server creation key, the time information being information about a first time information of the digital system or a second time information of a user apparatus performing communication with the digital system Wherein the authentication information generated by the user device is received based on the second time information whose validity has been verified through communication with the user device, Time information, and based on the first time information, To receive, or on the basis of the first time information, the validity is confirmed that a control module for generating the authentication information.

According to another aspect of the present invention, there is provided an authentication system for generating a server generation key to be transmitted to a digital system of a user, the server generation key including time information of the authentication system, An authenticating unit for authenticating the authentication information included in the received confirmation signal; an authentication unit for transmitting the server generation key to the digital system; and the authentication information from the digital system, The information being generated by the user device or generated by the digital system and being generated based on the server creation key when the communication device is communicating with the user device of the communication device, From the processing device or the digital system And a control unit for successively processing the authentication request output to the system or the service system connected to the authentication system.

Wherein the authentication information is transmitted to the user device and generated by the user device or generated by the digital system so that the time validity is verified by the digital system, And the generated authentication information is processed as valid authentication information by the digital system.

The authentication unit may further include a step of protecting the server generation key so as to correspond to the user apparatus, and the communication unit transmits the server generation key, which is protected, to the digital system.

The authentication unit determines whether the user apparatus and the digital system are a preset pair so that they correspond to each other, and determines that the authentication check procedure is successful if the pair is a predetermined pair.

According to another aspect of the present invention, there is provided an authentication system for generating a server generation key to be transmitted to a digital system of a user, the server generation key including time information of the authentication system, An authenticating unit for authenticating the authentication information included in the received confirmation signal; an authentication unit for transmitting the server generation key to the digital system; and the authentication information from the digital system, The information being generated by the user device or generated based on the time information generated by the digital system and the validity of which is confirmed, From the data processing apparatus or the digital system And a control unit for successively processing an authentication request output to the authentication system or the service system connected to the authentication system, wherein the authentication information is based on first time information of the digital system whose validity is confirmed using the server generation key And information generated by the digital system or the user device based on second time information of the user device generated or validated by the user device.

According to the technical idea of the present invention, there is an effect of providing high security and simplicity by performing self-authentication by using two independent objects of a digital system and a user device, both of which are highly likely to be carried by a user and are familiar.

In other words, the authentication request is performed by a data processing apparatus that is separate from the digital system, and the authentication operation is performed through the digital system, It is possible to perform a two-channel authentication, a remote authentication, or a third party authentication by a legitimate user with high security because it can be carried out elsewhere or by another person different from the authentication requestor.

In addition, there is no need for a user to have a device for separate one-time information (e.g., OTP, etc.), and a user device (e.g., IC card, traffic card, electronic ID card, etc.) It is possible to increase both the security and the convenience of the user.

The present invention also provides a highly secure authentication method using a server creation key (for example, a random number value, a server time value, etc.) generated by an authentication side (e.g., an authentication system). In particular, in the case of using the server generation key, the authentication side and the client side must be able to communicate with each other. According to the technical idea of the present invention, communication with the authentication side is performed via the digital system capable of performing communication with the authentication side. There is an effect that authentication can be performed also by a user apparatus that can not be performed. That is, it is necessary to carry two authentication tools of digital system and user device that the user generally possesses, so that authentication can be successful, but at least one of the authentication tools (for example, IC card or the like) It is possible to perform authentication using one-time information. Also, even when the user device can not communicate with the authentication side among the authentication tools, authentication can be performed by performing communication through the digital system as the remaining authentication tool.

Further, when the client side (e.g., a digital system or a user apparatus) generates authentication information using a timer (time information) by a user apparatus or a digital system, the time information of the digital system is not used, (Time information) is used, or only when the time information of the digital system matches the time information of the server generation key transmitted from the server side, the client side and the authentication side (e.g., the authentication system) A problem of time synchronization, a problem caused by abuse or arbitrary change of a timer (time information) of a digital system, and the like.

In addition, it does not require the user to input the information while using the one-time information, so that the user is not exposed to the hacking of the key input method such as the key logging as well as the convenience of the user authentication.

In addition, since the digital system to be used for authentication of the user can be preset and specified, it has the effect of having a strong characteristic against attack such as smishing or man in the middle attack. Online crime can be actively blocked.

In particular, the authentication system may store the terminal identification information or the device identification information itself to authenticate the digital system or the user device, but may be determined based on the terminal identification information or the device identification information without the terminal identification information or the device identification information itself (E.g., hash value using device identification information and device identification information). In this case, even if the authentication system attacks, the terminal identification information and / or the device identification information of the user are not exposed There is a safe effect.

Also, in the authentication information for authentication, the digital system may simply include a server creation key and at least device identification information (in addition to the device identification information, information about an object to be authenticated may be included in the authentication information. (For example, account information to be remitted) may be included according to the kind of service (for example, account transfer) to be authenticated. However, the digital system and the user (E.g., a hash value) based on information about each device (e.g., terminal identification information and device identification information), and generates medium specific information (e.g., hash of terminal identification information and device identification information (For example, medium specific information and a hash value of a server generated key) based on the server generated key There is an effect that the server creation key, the device identification information, and / or the terminal identification information may not be exposed even when the authentication information is leaked by an attack of the network. Also, the authentication system may use the server generated key transmitted by itself and the medium unique information stored therein, without restoring or extracting the server generated key, device identification information, and terminal identification information from the authentication information for the authentication check procedure The authentication verification information can be generated and compared with the authentication information simply received from the digital system, the authentication verification procedure can be performed, so that a simple authentication procedure can be performed.

In addition, since a user apparatus constituting a pair (pair) with the digital system can be set in advance, it is possible to set up a pair of apparatuses without having all the apparatuses constituting the pair (that is, The apparatus can not be normally authenticated), thereby remarkably improving the security.

In addition, when the financial transaction is performed using a predetermined data processing apparatus or a digital system, the account identification information of a predetermined receiving account is included in the information for performing authentication of the principal, so that it is possible to fundamentally block the transfer of the account outside the legitimate account, Hacking can be fundamentally blocked.

In addition, in the case of conducting a financial transaction using a predetermined data processing apparatus or a digital system, account identification information of a predetermined receiving account is included in information for performing authentication of the principal, so that an authentication step and a financial settlement step ) Can be prevented by preventing the smashing that may occur. In addition, there is a side effect that the transference account is displayed when the customer conducts the smsing and performs the authentication, thereby enhancing the customer's vigilance.

BRIEF DESCRIPTION OF THE DRAWINGS A brief description of each drawing is provided to more fully understand the drawings recited in the description of the invention.
Figure 1 shows schematic systems for implementing identity authentication using a user device in accordance with an embodiment of the present invention.
2 shows a schematic configuration of a digital system according to an embodiment of the present invention.
3 shows a schematic configuration of an authentication system according to an embodiment of the present invention.
4 shows a schematic data flow of authentication of a user using a user device according to an embodiment of the present invention.
FIG. 5 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
6 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
7 is a diagram for explaining a process of an authentication system performing an authentication procedure according to an embodiment of the present invention.
8 is a diagram for explaining a process in which a digital system transmits an acknowledgment signal according to an embodiment of the present invention.
FIG. 9 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
10 is a diagram for explaining an example in which the authentication method according to the embodiment of the present invention is applied to account transfer (remittance).
11 shows an example of medium identification information that can be stored in an authentication system to implement the technical idea of the present invention.

In order to fully understand the present invention, operational advantages of the present invention, and objects achieved by the practice of the present invention, reference should be made to the accompanying drawings and the accompanying drawings which illustrate preferred embodiments of the present invention.

Also, in this specification, when any one element 'transmits' data to another element, the element may transmit the data directly to the other element, or may be transmitted through at least one other element And may transmit the data to the other component. Conversely, when one element 'directly transmits' data to another element, it means that the data is transmitted to the other element without passing through another element in the element.

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail with reference to the preferred embodiments of the present invention with reference to the accompanying drawings. Like reference symbols in the drawings denote like elements.

Figure 1 shows schematic systems for implementing identity authentication using a user device in accordance with an embodiment of the present invention.

Referring to FIG. 1, a digital system 100, an authentication system 200, and a user device 300 may be provided to implement a user authentication method using a user device according to an embodiment of the present invention. Depending on the implementation, a predetermined data processing apparatus 400 may be further provided. Further, a service system 500 connected to the authentication system 200 and capable of providing a predetermined service to the digital system 100 and / or the data processing apparatus 400 may be further provided.

The digital system 100 can implement the technical idea of the present invention while transmitting and receiving necessary information through the wired / wireless network with the authentication system 200. The digital system 100 may also communicate with the user device 300 to provide information necessary for the technical idea of the present invention from the user device 300 Authentication information to be generated, etc.). In addition, according to an embodiment, the digital system 100 communicates with the user device 300 so that the user device 300 can access information necessary for the technical idea of the present invention (e.g., by the authentication system 200) Generated server creation key, etc.).

The digital system 100 may perform contact or non-contact communication with the user device 300. For example, the user device 300 may be implemented as a smart card, an IC card, or a transportation card capable of performing contact or non-contact communication with the digital system 100. In particular, the user device 300 may be a payment IC card (e.g., a credit card, a check card, etc.). The user device 300 may be a USIM card that may be mounted to the digital system 100 (e.g., a mobile phone).

According to another embodiment, the user device 300 has its own identification information as the device owned by the user, and any type of device capable of communicating with the digital system 100 is possible. For example, various types of digital devices, such as a device capable of proving an identity (e.g., an electronic identification card), a communicatable OTP device, or a user's mobile phone, a wearable device separate from the digital system 100, ).

According to another embodiment, the user device 300 may be a device that stores biometric information (fingerprint, irregularity, etc.) of a user. In this case, the identification information of the user device 300, Not only the identification information of the user device 300 itself but also the digital information in which the biometric information is digitized in a predetermined manner.

Therefore, in the present invention, if the identification information of the user device 300 is information that can identify the user device 300, not only the identification information of the hardware of the user device 300 but also the identification information of the user device 300 may be stored in the user device 300 Which may be unique identification information.

Hereinafter, for convenience of description, the user device 300 will be described as a payment IC card, but the scope of the present invention is not limited thereto. Although the digital system 100 and the user device 300 perform short-range wireless communication (e.g., NFC communication, Bluetooth, etc.), the scope of the present invention is not limited thereto.

The digital system 100 may perform short-range wireless communication with the user device 300. [ To this end, the user may tag the digital system 100 and the user device 300.

In this specification, tagging refers to the case where the digital system 100 and the user device 300 are located within a certain distance (for example, 10 cm or less when the NFC communication is used) in order to carry out contactless communication such as RFID communication and NFC communication. Or the like). The user can perform tagging by bringing the digital system 100 or the user device 300 into a predetermined distance to the user device 300 or the digital system 100. [

If the user device 300 is a payment card, the user device 300 may be a financial transaction means. The user device 300 may include a predetermined communication device (e.g., an RF antenna, an RF tag, and the like) to perform tagging communication with the digital system 100. [ In addition, the user device 300 may further include a storage device in which information necessary for realizing the technical idea of the present invention can be stored. For example, the user device 300 may be implemented as an IC card having an IC chip or various types of smart cards. Of course, the user device 300 may be an apparatus that can not independently perform financial transactions as described above. Even if the user device 300 is not a financial transaction device, according to the technical idea of the present invention, a user device 300 (e.g., an ID, a mobile phone separate from the digital system 100) Etc.) can be used to easily perform authentication of the user. For example, since the user can easily perform the identity authentication only by the tagging operation of the digital system 100 and the user device 300, the user can input the ID / password, select the authorized certificate, As compared with the conventional complicated authentication process, it is possible to perform the self-authentication with high security, which is much simpler.

Of course, another conventional authentication method (for example, authentication using an authorized certificate, etc.) may be performed before or after the authentication of the user according to the technical idea of the present invention is performed for higher security. It goes without saying that higher security can be provided when such dual security authentication is performed.

According to one embodiment, the user device 300 may generate certain one-time information, which is to define the one-time information generated by the user device 300 as 'device one-time information'. The one-time information generated by the digital system 100 is defined as terminal one-time information. The one-time information used to implement the technical idea of the present invention may be device one-time information or terminal one-time information. The device one-time information and the terminal one-time information may be the same or similar to each other only in the generation of one-time information.

For example, when the user device 300 is a payment card, when the card is tagged with the digital system 100, the card is supplied with power through electromagnetic induction, and through the IC chip mounted on the card, One-time information can be generated. The processor included in the IC chip may generate the device one-time information when power is supplied through the communication with the digital system 100, and may enable the digital system 100 to read the generated device one-time information . Of course, at this time, the digital system 100 may be required to be an authorized system capable of reading the device one-time information. For this purpose, authenticated software capable of reading the device one-time information can be installed in the digital system 100.

Meanwhile, the device one-time information may be information generated by using a server generation key generated by the authentication system 200 as an input value of a predetermined algorithm capable of generating one-time information. The server creation key may be communicated from the authentication system 200 to the user device 300 through the digital system 100. For example, when the digital system 100 and the user device 300 perform an authentication operation for communicating with each other, the digital system 100 transmits the server generation key received from the authentication system 200 to the user device 300, . Then, the user device 300 can generate the one-time information using the received server generation key as an input value (key or seed).

The server creation key may be a random number value generated by the authentication system 200 or an OTP. The server creation key may include time information of the authentication system 200. In this case, the user device 300 may generate the one-time information using the random number value or the like.

The method of generating the one-time information by the user device 300 using the server creation key may be such that the user device 300 generates one-time information even when the timer for using the time synchronization method is not provided, It is possible to easily judge whether the information is authentic or not. In addition, even when using the user device 300 equipped with the timer, it may be very difficult to synchronize the time of the user device 300 and the authentication system 200 on a user-by-user basis. Also, it is possible to cope with various types of attacks through the digital system 100, such as a timer operation of the digital system 100. Also, it is possible to easily generate the one-time information even if the user device (e.g., IC card 300) possessed by the user is used instead of the OTP client specially designed for generating the one-time information.

According to the technical idea of the present invention, problems of time synchronization between the user device 300 (or the digital system 100) and the authentication system 200, abuse of the timer (time information) of the digital system, Can be easily solved.

For example, when the digital system 100 or the user device 300 generates one-time information, a server generation key (e.g., time information) transmitted by the authentication system 200 may be used. That is, the digital system 100 and / or the user device 300 does not generate the one-time information based on the time information of the digital system 100 and / or the time information of the user device 300, Only when the time information of the digital system 100 and / or the user device 300 corresponds to the time information of the server generation key of the authentication system 200 .

In order to determine whether the time information of the digital system 100 and / or the user device 300 corresponds to the time information of the server generation key of the authentication system 200, the digital system 100 and / The time information of the user device 300 and the time information of the server generation key of the authentication system 200 should be compared. This process can be defined as a time validation procedure in this specification.

The digital system 100 may include time information of its own time information (or time information of the user device 300 received from the user device 300 with a timer), time information of the digital device 100 The time validity checking procedure is described through the time information of the digital system 100, but the present invention can be easily applied to the time information of the user apparatus 300. That is, It can be easily understood by the average experts in the technical field to which the server belongs) and the server generation key correspond to each other (i.e., within the same or a constant error range). If they do not correspond to each other, that is, if there is no time validity, the digital system 100 may prevent the user device 300 or itself from generating one-time information. Or even if one-time information is generated, the one-time information may not be treated as legitimate information.

For example, when the user device 300 generates one-time information, the digital system 100 may generate the server creation key and / or the server creation key if there is no validity of the time information (hereinafter referred to as 'first time information' And / or may not transmit the first time information to the user device 300. [ Or one time information from the user device 300 in response to the transmission of the server creation key and / or the first time information, or does not transmit the one-time information to the authentication system 200, May not be processed as legitimate authentication information.

For example, when the user device 300 generates one-time information, and the user device 300 determines that the time information (hereinafter referred to as 'second time information') of the user device 300 is based on the basic information of the one- The digital system 100 can confirm the time validity by receiving the second time information through communication with the user device 300. [ Alternatively, the digital system 100 may transmit the server creation key to the user device 300 so that the user device 300 confirms the validity of the second time information. When the digital system 100 confirms the time validity, the server 300 transmits the server generation key to the user device 300, or transmits the second time information whose validity is confirmed again, or a signal indicating that the validity is confirmed, To the device (300). Then, the user device 300 may generate the one-time information based on the server generation key, the second time information for which the validity is confirmed, or the time information to be revalidated from the timer of the user device 300. Preferably, the generation of the one-time information based on the server generation key is efficient in time synchronization with the authentication system 200, but since the time validity has been confirmed, the user device 300 generates second time information confirmed from its timer It may generate one-time information based on the first time information received from the digital system 100. [ When the user device 300 confirms the time validity, it can generate the one-time information based on the received server generation key or its own time information.

For example, when the user device 300 generates one-time information and the user device 300 does not have a timer, the user device 300 transmits the server generation key (digital Time information in which time validity has been confirmed by the system may be included), or may generate one-time information based on the first time information of the digital system 100 whose time validity has been confirmed.

When the digital system 100 generates the one-time information, the digital system 100 does not generate the one-time information if there is no validity of the time information (hereinafter referred to as 'first time information') . Or even if the one-time information is generated based on the server generation key and / or the first time information, an error message may not be output or the one-time information may not be transmitted to the authentication system 200 have. It is preferable to generate the one-time information based on the server generation key in order to synchronize time with the authentication system 200. However, since the time validity has been verified, the digital system 100 has the first time information The one-time information may be generated.

According to another embodiment of the present invention, the authentication system 200 may protect the server creation key so as to correspond to the user device 300. The protection process corresponding to the user device 300 means that only the user device 300 can protect the data in a predetermined manner so that the server generation key can be restored or the time information can be checked based on the server generation key It can mean.

For example, the server creation key may be encrypted to be decrypted by the user device 300. For this, the authentication system 200 and the user device 300 may perform encryption / decryption using a symmetric key or an asymmetric key protocol. The symmetric key or the asymmetric key may be defined based on the identification information of the user device 300 or the identification information of the user device 300 so that the server generation key may be protected to correspond to the user device 300 .

According to an embodiment, the server creation key may be transmitted to the user device 300 using a message authentication code. The authentication system 200 inserts a message authentication code into a server creation key and transmits an encrypted message authentication code corresponding to the user device 300 together with the server creation key, The integrity of the key can be confirmed. Then, the user device 300 can be implemented so that integrity is confirmed to generate one-time information. It is needless to say that predetermined software (for example, an applet) for implementing the technical idea of the present invention may be installed in the user device 300 for this purpose. In addition, various methods may be applied to allow the user device 300 to check the integrity of the message by using the server creation key as a message.

As described above, according to the technical idea of the present invention, by preventing the case where the server generation key transmitted from the authentication system 200 is changed by the digital system 100 (for example, mobile phone) which is relatively vulnerable to attack, As a result, security weakness of user authentication using one-time information (OTP) can be strengthened.

As a result, the method using the server generation key of the present invention can be compared with the conventional challenge response method, and the conventional challenge response method requires the client to be able to communicate with the authentication system 200. However, according to the technical idea of the present invention, it is possible to generate the device one-time information in a similar manner to the challenge response method using the user device 300 that can not directly communicate with the authentication system 200. This is because, in order to authenticate through the technical idea of the present invention, the user must perform an authentication operation communicating the digital system 100 and the user device 300, that is, two authentication tools, (200). ≪ / RTI >

The user device 300 can communicate with the digital system 100 and the digital system 100 can communicate with the authentication system 200 according to the technical concept of the present invention, May obtain a server generation key from the authentication system 200 and use it to generate device one-time information. Of course, in addition to the server creation key, the identification information of the user device 300 may be further used as an input value (key or seed) for generating device one-time information. Various one-time information generation algorithms for generating one-time information using a predetermined input value, that is, a fixed value such as the server generated key (e.g., a random number value) and / or a device Therefore, a detailed description thereof will be omitted.

Then, the authentication system 200 generates the server one-time information using the server generation key, and determines whether the generated server one-time information corresponds to the device one-time information included in the confirmation signal, can do.

According to another embodiment, the one-time information may simply include the server creation key and information about an object to be authenticated. The subject to be authenticated may be user device 300 or digital system 100, depending on the embodiment. Further, information on an additional service authentication object (for example, an account to be remitted) necessary for the service (for example, identification information of an account to be remitted) may be further included depending on the type of the service to be authenticated. Therefore, if the user to be authenticated is the user device 300, the one-time information may simply include identification information of the user device 300, that is, device identification information. If the authentication target is the user device 300 and the digital system 100, the device identification information and the terminal identification information may be included in the authentication information together with the server creation key. According to an embodiment, information on an additional service authentication object (for example, identification information of an account to be remitted) may be included in the server generation key.

In particular, when the authentication method according to the technical idea of the present invention is applied to the account transfer service, which is an object of authentication, identification information of an account to be remitted may be included in the authentication information as information on a service authentication object. It is important to authenticate the account to be remitted, so that the service authentication object can be the service authentication object. Therefore, unauthorized attacks such as a method of replacing the remittance account with an account desired by the attacker can be prevented when the user successfully authenticates after inputting the remittance account for the transfer, such as the conventional memory hacking, You can send money only to the account you want to transfer. It goes without saying that the type of service authentication object that can be included in the authentication information may vary according to the service. Such an example will be described later in Fig.

As a result, the one-time information may simply include the server creation key and information about the authentication object (e.g., device identification information, terminal identification information, and / or additional service authentication objects necessary for the service).

For example, the one-time information may be information including any one of a server generation key and device identification information or terminal identification information, which is identification information of the user device 300. Or the information including the server creation key, the device identification information, and the terminal identification information, which is identification information of the digital system 100. Or the information including the server creation key and the device identification information and / or the terminal identification information and the information about the service authentication object. Of course, this one-time information may be encrypted. When only the server creation key and the device identification information are included in the one-time information, the authentication system 200 may separately acquire the terminal identification information through communication with the digital system 100 and authenticate the terminal identification information based on the previously stored medium identification information have.

In this case, the device one-time information is transmitted to the authentication system 200 through the digital system 100, and the authentication system 200 transmits the server generation key included in the device one-time information to the digital system 100 And determines whether or not the device identification information and / or the terminal identification information previously registered in the authentication system 200 and the device identification information and / or the terminal identification information included in the device one-time information correspond to each other Authentication may be performed. Of course, when the service authentication target is further included in the authentication information, it may be further determined whether the information about the service authentication object stored in advance in the authentication system 200 corresponds to the information about the service authentication object included in the authentication information have.

According to the embodiment, the information about the authentication object (for example, the server generation key, the device identification information, and / or the terminal identification information) itself is not included in the device one-time information but the information The one-time information may be generated in a predetermined manner.

As a result, the device one-time information can be generated based on the basic information, with the information on a predetermined authentication object as basic information.

The fact that the one-time information is generated by the predetermined basic information includes a case where the basic information is included in itself or included (or mixed) in a predetermined manner. According to an embodiment, information in which each of the plurality of pieces of basic information is protected (e.g., encoded, encrypted, and / or hashed) in a predetermined manner is included in the one-time information, (Or mixed) in the manner of the protection processing information, or all of the plurality of basic information may be overlapped (or mixed) in a predetermined manner to include the protection processed information.

In any manner, the authentication side (i.e., the authentication system 200) knows the information corresponding to each of the basic information on which the one-time information is generated and generates the one-time information in a manner corresponding to the manner in which the one- One-time server information that can be authenticated can be specified.

For example, the device identification information and / or the terminal identification information may be registered in the authentication system 200 in advance. In addition, the server creation key is information generated by the authentication system 200, so it may be stored in the authentication system 200 as a matter of course.

As a result, the one-time information may be information generated based on at least one of a server generation key, terminal identification information that is identification information of the digital system 100, or identification information of the user device 300.

In the authentication system 200, terminal identification information and device identification information capable of realizing the technical idea of the present invention may be previously stored in association with each other. That is, the digital system 100 and the user device 300, which can implement the technical idea of the present invention, may be set in advance in a pair. In the authentication system 200, terminal identification information and device identification information may be stored so as to correspond to each other. According to another embodiment, a determination value determined based on the terminal identification information and the device identification information which are pairs of each other, that is, the medium specific information, may be stored.

The media specific information herein may be unique information that is determined based on the media participating in the user's authentication behavior (i.e., communication between the digital system 100 and the user device 300). According to an example, the medium specific information may be a hash value generated through a predetermined hash algorithm using terminal identification information and device identification information as input values. If a hash value is used, it is possible to know whether or not the input values are the same (i.e., whether two media participating in the authentication operation are two predetermined media), based on whether the compared hash values are the same or not. However, It is not possible to restore the input values (i.e., the terminal identification information and the device identification information), and thus there is an effect that it is safe to attack. In this specification, the case where the medium specific information generates input values (i.e., device identification information and terminal identification information) through hashing is described as an example, but a new unique value is generated using one or a plurality of input information Any algorithm that can do this is acceptable. That is, if the input information is the same, the output values are the same, and if not, any algorithm that is different from the output value may be used to generate the medium specific information.

That is, the authentication system 200 may not store the terminal identification information and / or the device identification information itself, but may store the medium specific information. In the former case, the authentication system 200 generates medium specific information based on the terminal identification information and / or device identification information stored for the authentication check procedure, and then, based on the generated medium specific information and the server generation key, One-time information can be generated. In the latter case, the server one-time information can be generated based on the medium specific information and the server generation key stored in advance.

When the authentication information is not stored in the authentication system 200 itself but the medium specific information is stored in the authentication system 200, the authentication system 200 can recognize the terminal identification information or the device identification information even if the authentication system 200 is attacked There is no security effect. Hereinafter, the information related to the media stored in the authentication system 200 and participating in the authentication operation of the user will be defined as medium identification information. Therefore, the medium identification information may be information stored in the terminal identification information and / or the device identification information itself (in advance correspondence), unique information determined based on the terminal identification information and the device identification information, .

Whether the device one-time information is one-time information generated by using a server generation key as an input value, information obtained by simply encrypting the server generation key with a predetermined encryption key, or device identification information and / Whether simply including the information, the server generation key may be a random number value generated by the authentication system 200 as described above, but is not necessarily limited thereto. That is, the server creation key suffices to be information (e.g., time information, etc.) that can be confirmed by the authentication system 200 at a certain point in time. In addition, the server generation key may be information generated one time to prevent reuse. Or an OTP in which the server creation key itself is generated in a predetermined manner.

In addition, one-time information may be generated by the digital system 100. [ Like the device one-time information, the terminal one-time information may be one-time information generated by using a server generation key received from the authentication system 200 as an input value, information obtained by encrypting a server generation key, Information including information and / or device identification information and the server creation key. Or information including the medium specific information and the server generation key as described above, or information generated based on the medium specific information and the server generation key.

The device one-time information may be information that can be authenticated by the authentication system 200. To this end, the authentication system 200 may be provided with an authentication unit for authenticating the device one-time information. The authentication unit may generate one-time information by itself to authenticate the device one-time information, as will be described later. Of course, at this time, the authentication unit may generate the one-time information using the server generation key transmitted to the user device 300 through the digital system 100. [ That is, the user device 300 may operate as an OTP client, for example, and the authentication unit may operate as an OTP server. Hereinafter, the one-time information generated by the authentication system 200 will be defined as 'server one-time information' for convenience of explanation.

As described above, according to the technical idea of the present invention, the user device 300 generates device one-time information, and the created device one-time information can be authenticated by the authentication system 200. Accordingly, when the user device 300 is authenticated using fixed device identification information such as UID (Unique Identification Number) of the card 300 that can be acquired from the user device 300, There is an effect that the risk of forgery and falsification of the identification information can be remarkably lowered.

Also, according to one embodiment, the user device 300 may be a payment card. Then, the device one-time information generated by the user device 300 may be generated by using the server generation key as an input value, and using the settlement financial information of the settlement card, that is, the information stored in the IC chip of the card (E.g., UID, time information, or any value) irrelevant to the information (e.g., card number, validity period, CVC code, etc.). In this case, since the settlement financial information may not be distributed to the digital system 100 or the authentication system 200, the security can be enhanced. In this case, even though the device one-time information and device one-time information generation algorithm are leaked, there is no risk that the settlement financial information is leaked through reverse engineering or the like.

1, the digital system 100 can communicate with the authentication system 200 via a wired / wireless network, and can communicate with the user device 300 through a predetermined communication (e.g., a local area wireless communication) May be defined to include any type of data processing device capable of communicating over a network. For example, the digital system 100 may be a data processing device, such as a tablet, a music player, or the like, which is easy for the user to carry around. Of course, the digital system 100 is preferably capable of communicating with the authentication system 200 and / or the data processing apparatus 400 via a network.

In addition, the digital system 100 may be implemented so as to generate predetermined one-time information in order to implement the technical idea of the present invention. The one-time information generated by the digital system 100 is defined as 'terminal one-time information' in this specification. The function of the digital system 100 to generate the terminal one-time information may be implemented by installing predetermined software in the digital system 100 to implement the technical idea of the present invention.

Also, the terminal one-time information may be generated by using the server generation key generated by the authentication system 200 as an input value. Of course, according to an embodiment, the digital system 100 may include a timer and may be relatively easy to perform time synchronization with the authentication system 200 relative to the user device 300. [ However, as described above, the digital system 100 generates the one-time information by using the server generation key instead of generating the one-time information using the time information of the digital system 100, The time information must correspond to the time information to generate the one-time information.

In any case, the terminal one-time information may also be authenticated by the authentication unit included in the authentication system 200. The authentication unit may generate corresponding one-time server information for authenticating the terminal one-time information.

As a result, according to the technical idea of the present invention, the digital system 100 may include the device one-time information generated by the user device 300 in an acknowledgment signal and transmit it to the authentication system 200, May be included in the confirmation signal and transmitted to the authentication system 200. Of course, according to an embodiment, the device one-time information and the terminal one-time information may be included in the confirmation signal and transmitted to the authentication system 200. [ In any case, the information included in the confirmation signal for authentication is referred to as authentication information in this specification. That is, the authentication information may be the one-time information described above, that is, the device one-time information and / or the terminal one-time information. Then, the authentication unit of the authentication system 200 can authenticate the authentication information in various ways according to the embodiment of the authentication information.

For example, it is possible to generate server one-time information corresponding to the device one-time information and / or server one-time information corresponding to the terminal one-time information, and if the device one-time information and / It can be judged to have succeeded. Of course, the authentication of the user device 300 by the device identification information as described below, the authentication of the digital system 100 by the terminal identification information, and / or the authentication of the digital system 100 and the user device 300, A pair authentication may be performed to authenticate whether or not the authentication is successful.

The confirmation signal may be defined as including a series of information or signals including information necessary for the authentication procedure performed by the authentication system 200. [ The acknowledgment signal does not necessarily mean one data set (or contiguous packet data), but may be temporally or physically separated information or signal. That is, the digital system 100 may output the confirmation signal to the authentication system 200 a plurality of times.

Of course, when the authentication information includes both the device one-time information and the terminal one-time information, and both are authenticated by the authentication system 200, the authentication using the device identification information or the terminal identification information may be optionally omitted.

In any case, according to the technical idea of the present invention, the digital system 100 can include the authentication information in the confirmation signal and transmit it to the authentication system 200, and the authentication information included in the confirmation signal is transmitted to the authentication system 200 ). ≪ / RTI >

Meanwhile, the digital system 100 can generate the terminal one-time information only when the digital system 100 communicates with the user apparatus 300. According to an embodiment, the digital system 100 may generate the one-time information in advance in response to the receipt of the authentication action request information or by a predetermined request of the user in advance, and when the communication is performed, Side system 200 to the settlement-side system 200. The settlement- In any case, the digital system 100 can transmit the confirmation signal to the authentication system 200 only when the digital system 100 and the user device 300 are in communication. Therefore, even if it is described that the authentication method according to the technical idea of the present invention includes a step in which the digital system and the user apparatus communicate with each other and the user apparatus generates the terminal one-time information, It should not be interpreted as a description specifying the sequence to be generated, and may be interpreted as including the case where the communication is performed after generation of the terminal one-time information.

As a result, even if the digital system 100 is attacked by hacking or the like, the terminal's one-time information may not be generated unless the user has the user device 300. Or even if the terminal's one-time information is generated, the confirmation signal may not be transmitted, so that the authentication of the user is not successful.

When the terminal's one-time information is generated based on the server generation key, the terminal's one-time information may include at least one of the server generation key received from the authentication system 200, And may be information generated by further inputting a value {key or seed}. Herein, the identification information of the user device 300 may be fixed identification information (e.g., UID) of the user device 300. Of course, in this case, the key may also be registered in the authentication system 200. Therefore, as long as communication with the user device 300 is not performed, the terminal's one-time information may not be generated, and even if the confirmation signal including the terminal's one-time information is transmitted to the authentication system 200, It may not be authenticated by the authentication system 200.

In addition, the terminal one-time information generated by the digital system 100 may be generated based on information (e.g., terminal identification information, time information, an arbitrary value, etc.) irrelevant to the payment financial information. That is, as described in the device one-time information, the terminal's one-time information may be information that is irrelevant to the settlement financial information or information generated from irrelevant information. Therefore, there is no risk that the settlement financial information will be leaked even if leakage occurs in the terminal one-time information and terminal one-time information generation algorithm.

In addition, since the confirmation signal transmitted to the authentication system 200 by the digital system 100 may include only information (e.g., device identification information, terminal identification information, etc.) independent of the settlement financial information, The security of the authentication method according to the technical idea of the invention can be enhanced.

The device one-time information generated by the user device 300 may also be generated by the user device 300 only when the digital system 100 and the user device 300 communicate with each other. For example, when the user device 300 is a smart card such as a payment card or an electronic ID card, the smart card is not provided with power independently, so that communication with the digital system 100 must be performed to generate the device one- Of course. Also, even when the user device 300 is powered on and can generate device one-time information by itself, the user device 300 may be configured to generate the device one-time information only when communication with the digital system 100 is performed . And the server generation key generated by the authentication system 200 through the communication may be transmitted to the user device 300. [ Of course, in this case, software or an applet for implementing the technical idea of the present invention may also be installed in the user device 300.

In addition, the user device 300 may generate the device one-time information only when communication with the digital system 100 set in advance is performed. It is needless to say that information about the digital system 100 forming a pair with the user device 300 may be registered in the user device 300 in advance.

In any case, the confirmation signal transmitted by the digital system 100 to the authentication system 200 may include authentication information including the device one-time information and / or the terminal one-time information, It is preferable that the system 100 and the user apparatus 300 can be output from the digital system 100 to the authentication system 200 only when communication is performed. Therefore, even if either of the device one-time information or the terminal one-time information is included in the authentication information, there is an effect that the user is authenticated that another device (that is, the digital system 100 or the user device 300) .

The device one-time information generated by the user device 300 or the terminal one-time information generated by the digital system 100 may be displayed by the digital system 100. Then, the user can enter the displayed one-time information into the digital system 100 or input it into the predetermined data processing apparatus 400 used by the user. However, in such a case, there may be a problem that is vulnerable to key logging. Therefore, according to the technical idea of the present invention, the device one-time information or the terminal one-time information may not be displayed in the digital system 100 but may be transmitted directly to the authentication system 200. [

The authentication system 200 may perform an authentication procedure for authenticating the authentication information included in the confirmation signal.

The authentication procedure includes a one-time information authentication procedure for authenticating terminal one-time information generated by the digital system 100 and / or device one-time information generated by the user apparatus 300. [ Whereby the legitimacy of the digital system 100 and / or the user device 300 can be authenticated. Meanwhile, the one-time information authentication procedure may be more strictly called the software (i.e., software for generating the terminal one-time information) installed in the digital system 100 and / or the one-time information generating device (E.g., an IC chip of a smart card, etc.) or software (e.g., software installed in the user device 300 that is a separate mobile phone and generating device one-time information, an applet installed on a smart card, etc.) .

Software installed in the digital system 100 or the user device 300 may be installed only in the digital system 100 or the user device 300 authenticated as a legitimate user's device. In this case, if the validity of the software is authenticated, the digital system 100 is also automatically authenticated.

However, since the software may be leaked or the software may be forged or falsified by attack, the authentication procedure according to the technical idea of the present invention may be performed by authenticating the hardware of the digital system 100 and / And may further include procedures. The authentication procedure of the digital system 100 and / or the hardware of the user device 300 may be performed by the authentication system 200 using the terminal identification information of the digital system 100 and / It may be a procedure of confirming the identification information and judging whether the terminal identification information and / or the device identification information is successful according to whether it corresponds to the information registered in advance in the authentication system 200.

As a result, when the hardware authentication procedure is additionally performed, the security of the authentication method according to the technical idea of the present invention can be further enhanced. Even if the user possessing the digital system 100 does not have the user device 300 registered in the authentication system 200 or holds the user device 300, If the digital system 100 registered in advance in the terminal 200 is not possessed, the authentication of the user is prevented from being successful.

The procedure for authenticating the device identification information according to an embodiment may be performed by the digital system 100. [ Or the procedure for authenticating the terminal identification information may be performed by the user device 300. [ That is, in the digital system 100, the identification information of the user apparatus 300 that can be used for the authentication operation is stored in advance, or the digital system 100 (which can be used for the authentication operation in advance) The digital system 100 or the user device 300 may determine whether the device communicating with the digital device 100 is a device registered in advance by the authentication system 200, There is an effect similar to that the identification information and / or the terminal identification information is authenticated. However, since the digital system 100 and / or the user device 300 may be at a greater risk of being falsified than the authentication system 200, the authentication system 200 may use the device identification information and / Or it may be desirable that the terminal identification information be authenticated.

The authentication procedure performed by the authentication system 200 may further include a pair authentication procedure for authenticating whether the digital system 100 and the user device 300 are a pair. That is, the digital system 100 and the user device 300 may be paired in advance. Only when the two devices forming the pair perform the communication, the authentication system 200 determines that authentication is successful . In this manner, the two devices used in the authentication operation for confirming the authentication request by the user (that is, the communication between the digital system 100 and the user device 300) must be a pair so that the authentication confirmation procedure can be succeeded. In this case, if the digital system 100 and the user device 300 are both registered by the authentication system 200, even if they are not paired with each other, the authentication confirmation process may not be successfully processed, It is possible to have a synergistic effect. Whether the two devices used in the authentication operation (digital system 100 and user device 300) are a pair may be authenticated by the authentication system 200, but may also be authenticated by the digital system 100 . That is, the digital system 100 can communicate with the digital system 100 only when it communicates with the user device 300, which is set to pair with the digital system 100 in advance. To this end, the digital system 100 may have previously stored information (e.g., device identification information) about the user device 300 that is paired with the digital system 100 in advance.

Meanwhile, the authentication request may be transmitted to the authentication system 200 before the authentication signal is transmitted to the authentication system 200. For example, the authentication request may be an authentication request transmitted from the predetermined data processing apparatus 400 to the authentication system 200. The data processing apparatus 400 is a device which is separate from the digital system 100 and used by a user of the digital system 100 and is connected to the authentication system 200 to request authentication, Mobile terminal, set-top box, IPTV, and the like. For example, a user may input identification information (e.g., a telephone number) of his or her digital system 100 through the data processing apparatus 400 to perform an authentication request.

Further, the data processing apparatus 400 may be implemented in various embodiments according to the types of services provided after the authentication according to the technical idea of the present invention succeeds. For example, if the service is a payment service, the data processing device 400 may be an agent terminal requesting payment for settlement. If the service is a service for opening a door, the data processing device 400 may be a device installed at a door. Various embodiments of the data processing apparatus 400 may be possible depending on the type of service.

According to an embodiment, the data processing apparatus 400 or the digital system 100 may make an authentication request to a predetermined service system 500. The service system 500 may transmit a predetermined service (for example, a request for authentication) to the authentication requesting device (for example, the data processing device 400 or the digital system 100) upon successful authentication of the user according to the technical idea of the present invention. Login, financial transaction, confirmation of specific information, issuance of a certificate, purchase of goods or services, payment, opening and closing of a door, etc.). A user may access the service system 500 through the data processing apparatus 400 or the digital system 100 and the service system 500 may be connected to the service system 500 in order to perform the service provided by the service system 500. [ And may request the data processing apparatus 400 or the digital system 100 to authenticate the user. In this case, the service system 500 allows the data processing apparatus 400 or the digital system 100 to access the authentication system 200 (for example, a web page or a UI provided by the authentication system 200) The data processing apparatus 400 or the digital system 100 may be controlled to receive the authentication from the authentication system 200 through the data processing apparatus 400 or the digital system 100 have. The data processing apparatus 400 or the digital system 100 may transmit the authentication request to the authentication system 200 by inputting information necessary for the authentication request (for example, identification information of the digital system 100) As shown in FIG.

Of course, in some implementations, the service system 500 may receive an authentication request from the data processing apparatus 400 or the digital system 100 and send the received authentication request to the authentication system 200 . That is, the service system 500 may mediate the authentication process according to the technical idea of the present invention. The fact that the data processing apparatus 400 or the digital system 100 transmits predetermined information or signals to the authentication system 200 is transmitted to the authentication system 200 through the service system 500 And the like. Of course, even when the authentication system 200 transmits predetermined information or signals to the data processing apparatus 400 or the digital system 100, the authentication system 200 may include the case of being transmitted through the service system 500 . ≪ / RTI >

Although the authentication system 200 and the service system 500 are implemented as separate physical devices in FIG. 1, the authentication system 200 may be included in the service system 500 . In other words, since the predetermined software that implements the function of the authentication system 200 is installed in the service system 500, the authentication according to the technical idea of the present invention may be performed.

According to one embodiment, the authentication of the user according to the technical idea of the present invention may be performed for settlement. In this case, the data processing apparatus 400 may be a predetermined merchant terminal (a POS device installed in a store, a mobile merchant terminal, or the like). In this case, the user or the merchant can transmit the authentication request to the authentication system 200 by inputting identification information (e.g., telephone number) of the digital system 100 of the user to the merchant terminal. In some cases, the user may notify identification information of his or her digital system 100 to a merchant site to perform payment at a remote site. Then, the merchant may transmit the authentication request to the authentication system 200 by inputting the identification information using the data processing apparatus 400, that is, a computer used at the merchant, or an affiliate terminal. If the authentication is successful by the authentication system 200, the payment requested by the data processing apparatus 400 may be finally approved. At this time, the service system 500 may be a predetermined card company system (or a financial institution system that performs card settlement). In addition, the authentication request and the payment request need not necessarily be performed separately. That is, the authentication request according to the embodiment of the present invention may be performed simultaneously with a predetermined service request (for example, payment, etc.). In this case, identification information of the digital system 100 for the authentication request Of course. Such an example will be described in detail later with reference to FIGS. 4 and 5. FIG.

According to another embodiment, the authentication request may be output by the digital system 100 and transmitted to the authentication system 200 together with the acknowledgment signal or separately from the acknowledgment signal. Such an example will be described with reference to FIG.

When the authentication request is received and an acknowledgment signal is received from the digital system 100, the authentication system 200 performs an authentication check procedure as described above based on the received acknowledgment signal. If the authentication is successful, Can successfully process the authentication of the data processing apparatus 400 or the digital system 100. That is, the received authentication request can be successfully processed. The service system 500 may then provide the data processing device 400 or a predetermined service requested by the digital system 100. Needless to say, another authentication of the user (for example, authentication using the authorized certificate, etc.) may be required after the authentication of the user according to the technical idea of the present invention succeeds.

In addition, the authentication procedure may further include authenticating user authentication information (e.g., PIN) of the user device 300. For example, when the user device 300 is a payment IC card, a password (i.e., a PIN number) set by the user may be preset in the user device 300. The user authentication information of the user device 300 may also be registered in the authentication system 200 in advance. Then, the authentication system 200 receives the user authentication information from the digital system 100 or the data processing apparatus 400, and if the received user authentication information corresponds to previously registered information, To be successful. Of course, the authentication of the user authentication information may be performed by the digital system 100 that communicates with the user device 300. In this case, the user authentication information of the user device 300 may be registered in the digital system 100 in advance.

When the authentication operation is performed by the user, the digital system 100 may output an acknowledgment signal to the authentication system 200, and the acknowledgment signal includes not only the device one-time information and / The device identification information of the device 300 and / or the terminal identification information of the digital system 100 may be further included so that the user device 300 and / or the hardware of the digital system 100 as described above The authentication can be performed as described above.

The terminal identification information may include identification information (e.g., identification information of a USIM, IMSI, IMEI, MAC) of the digital system 100 (hardware included in the digital system 100 Address, etc.). When the terminal identification information is included, the authentication system 200 can determine that the authentication check procedure is successful only when the terminal identification information is registered in advance. Therefore, if the confirmation signal is not received through the digital system 100, which is a pre-registered terminal, even if the confirmation signal is transmitted to the authentication system 200 by a predetermined device, Therefore, there is an effect that a predetermined service may not be provided to the user. That is, it is possible to designate a digital system, thereby blocking unauthorized service requests through other terminals. Further, since an authentication action (payment authentication action) can be performed only through the designated digital system, there is an effect that smearing or manned middle attack can be prevented.

Meanwhile, the terminal one-time information generated by the digital system 100 or the device one-time information generated by the user apparatus 300 is displayed by the digital system 100, and the user inputs the terminal one- , The inputted terminal's one-time information may be included in the confirmation signal.

However, according to the embodiment of the present invention, the terminal may be automatically included in the confirmation signal without displaying the one-time information or device one-time information and inputting by the user, thereby providing convenience of the authentication operation by the user. In addition, since there is no process of inputting terminal one-time information or device one-time information by the user, the risk of leakage of information through key logging or the like may be lowered. Of course, in such a case, the non-repudiation of the user may cause the user to input the user authentication information (e.g., PIN) of the user device 300 and to authenticate the user by the authentication system 200 And ultimately by ensuring that the authentication procedure is successful.

The authentication system 200 includes all systems participating in receiving an authentication request, communicating with the digital system 100 and / or the data processing apparatus 400, or in deciding whether to grant an authentication request Can be defined as meaning. Of course, the authentication system 200 does not mean only one physical device, but may be a system that is organically coupled to a plurality of devices or systems to implement the technical idea of the present invention. For example, the authentication system 200 may receive the authentication request directly from the digital system 100 or the data processing apparatus 400, or may receive the authentication request via the service system 500 as described above have.

For example, in the case of a payment service, the authentication system 200 can directly transmit a settlement request (the settlement request is an authentication request) from the data processing apparatus 400, for example, a user's computer, an affiliate store terminal Or may receive a payment request (authentication request) via the service system (e.g., web server 500 that provides an online marketplace). In this case, the authentication system 200 may be a credit card company system that can settle the settlement request (authentication request) using the previously registered credit card information (the credit card company system in the present invention is not only an independent card company system, (Which means to include all financial institution systems (not shown) that perform card settlement). Also, according to an embodiment, a VAN system, a PG, or the like, which is connected to the card company system through a network and mediates a payment process, may be further included in the authentication system 200. [

Hereinafter, the process of authenticating the user according to the technical idea of the present invention will be described in more detail. Hereinafter, for convenience of explanation, the digital system 100 is implemented as a mobile phone, and the identification information of the digital system 100 is a mobile phone number of the mobile phone. However, The scope of rights is not limited thereto.

2 shows a schematic configuration of a digital system according to an embodiment of the present invention.

Referring to FIG. 2, the digital system 100 includes a control module 110, a user equipment communication module 120, and a communication module 140. When the digital system 100 is implemented to generate terminal one-time information, the digital system 100 may further include a terminal one-time information generation module 130. [

Herein, a module may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, each of the above configurations may refer to a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and may be a code physically connected to one another or a specific type of hardware May be easily deduced to the average expert in the field of the present invention. Thus, each of the above configurations refers to a combination of hardware and software that performs the functions defined herein, and does not mean a specific physical configuration.

The control module 110 may control the other components included in the digital system 100 such as the user device communication module 120, the terminal one-time information generation module 130, and / or the communication module 140 Functions and / or resources.

The user equipment communication module 120 may communicate with the user equipment 300. [ The communication may be contact or non-contact communication as described above. According to an example, the communication may be a contactless short range wireless communication (e.g., NFC communication). When the communication is the NFC communication, the user can be authenticated only by tagging the digital system 100 and the user device 300, so that the convenience of the user can be enhanced. In addition, even when the user device 300 is in a wallet or a pocket, the NFC communication can be performed without removing the user device 300, so that the convenience of authentication can be enhanced. The user equipment communication module 120 may be implemented by, for example, an NFC chip or a module provided in the digital system 100. In addition, it is a matter of course that the embodiment of the user equipment communication module 120 may be varied according to the embodiment of the communication performed by the digital system 100 and the user equipment 300.

The control module 110 may generate or transmit an acknowledgment signal according to the technical idea of the present invention.

The communication module 140 may communicate with the authentication system 200. And may perform communication with the data processing apparatus 400 according to an embodiment.

The control module 110 may communicate with the user device 300 through the user device communication module 120. Also, it may receive device one-time information and / or device identification information from the user device 300 according to an embodiment. Also, the server generation key received from the authentication system 200 through the user device communication module 120 may be transmitted to the user device 300. The transmission of the server creation key may be performed when an authentication operation performed by the user, that is, an operation of communicating the digital system 100 with the user apparatus 300 is performed. Of course, according to an embodiment, the server creation key may be transmitted to the user device 300 separately from the authentication operation. For example, in the case of NFC communication, the user may have to perform a plurality of tagging. The server creation key may be transmitted to the user device 300 through the tagging of any one of a plurality of tagging, and if another tagging is performed, the user may be regarded as having the authentication operation.

Also, the control module 110 may perform the time validity checking procedure as described above. The time information of the authentication system 200) or the first time information of the digital system 100 to the user device 300 before the time validity is confirmed. The user device 300 may generate the device one-time information based on the server generation key or the first time information. Or may control the terminal one-time information generation module 130 to generate terminal one-time information based on the server generation key or the first time information. Or device one-time information or terminal one-time information as legitimate authentication information (that is, displayed on the digital system 100 or transmitted to the authentication system 200).

When the user device 300 is a device equipped with a timer and the user device 300 generates one-time information as described above, the control module 110 determines that the user device 300 has received the second time information And confirm the legitimacy of the second time information based on the server generated key. When the validity of the second time information is confirmed, the server generation key is transmitted, or the second time information whose validity is confirmed is transmitted again to the user device 300, or a signal indicating that the validity of the second time information is merely verified is transmitted to the user device 300 ). Then, the user device 300 can generate the device one-time information based on the server generation key or the second time information.

Alternatively, the control module 110 may transmit the server generation key to the user device 300 to allow the user device 300 to confirm the time validity. If the time validity is confirmed, the control module 110 may generate the server generation key or the second time information To generate device one-time information.

The terminal one-time information generation module 130 may generate terminal one-time information. The terminal one-time information generation module 130 can generate the terminal one-time information based on the server generation key received from the authentication system 200 as described above. In addition, the terminal device may generate the terminal one-time information based on the device identification information of the user device 300 or the terminal identification information.

Then, the control module 110 generates an acknowledgment signal including authentication information including device one-time information and / or terminal one-time information received from the user device 300, and transmits the generated confirmation signal to the communication module 140 To the authentication system 200. The authentication system 200 of FIG.

The control module 110 may further include device identification information of the user device 300 obtained through the user device communication module 120 according to an embodiment. Also, the control module 110 may further include terminal identification information of the digital system 100. Or may include an authentication request in the acknowledgment signal. Alternatively, the confirmation signal may include an authentication signal indicating an authentication result using the user authentication information. It should be understood that the acknowledgment signal is not limited to one information or a continuously transmitted signal, and the acknowledgment signal may be transmitted to the authentication system 200 discontinuously in a plurality of times according to an embodiment.

The authentication system 200 may then perform an authentication procedure based on an acknowledgment signal including the authentication information. If the authentication confirmation process is successful, the authentication system 200 can process the authentication result as a successful authentication for the device (for example, the digital system 100 or the data processing device 400) that has output the authentication request . That is, the digital processing system 100 or the data processing apparatus 400 can successfully process the authentication request. For example, if the authentication confirmation process is successful, the authentication system 200 may transmit an authentication result indicating that the authentication of the user is successful to the data processing apparatus 400, the digital system 100, and / or the service system 500 Lt; / RTI >

If the confirmation signal further includes the device identification information, the authentication system 200 can authenticate the user device 300 based on the device identification information. Also, when the confirmation signal further includes the terminal identification information, the authentication system 200 can determine whether the digital system 100 is a terminal previously registered based on the terminal identification information.

Meanwhile, the communication module 140 may receive predetermined authentication action request information from the authentication system 200 or from the data processing apparatus 400. [ The authentication action request information may include information for requesting a user to perform an authentication operation, that is, to communicate the digital system 100 and the user device 300. [ In addition, the server generation key generated by the authentication system 200 may be received together with the authentication action request information. Also, the communication module 140 may receive a server generation key from the authentication system 200. [

The server creation key may be received together with the authentication action request information and may be received separately before or after the authentication action request information is received by the digital system 100. [ For example, in the digital system 100, predetermined software for implementing the technical idea of the present invention can be installed, and the technical idea of the present invention can be implemented only when the software is executed. In this case, the digital system 100 may automatically perform communication with the predetermined authentication system 200 when the software is executed. In this case, the server generation key may be received in advance. In any case, the digital system 100 may receive the server creation key from the authentication system 200 before the user performs an authentication operation.

Of course, only the signal indicating that the authentication request has been performed in the data processing apparatus 400 or the digital system 100 may be included in the authentication action request information.

The authentication action request information may be displayed on a display device (not shown) included in the digital system 100. The user can confirm the authentication action request information and perform authentication by requesting the digital system 100 and the user device 300 by tagging.

The communication module 140 may receive the authentication action request information from the authentication system 200 or may receive the authentication action request information from the data processing device 400. Such an example will be described later with reference to Figs.

Meanwhile, the control module 110 may determine whether the user device 300 is a device forming a pair with the digital system 100. And transmit the confirmation signal to the authentication system 200 only when the user device 300 is a device forming a pair with the digital system 100. [ Of course, the procedure for authenticating such a pair may be performed by the authentication system 200 as described above.

Also, the control module 110 requests predetermined user authentication information (e.g., PIN) before or after performing communication with the user device 300, and when the user authentication information is transmitted to the user device 300 (e.g., It is possible to generate the terminal one-time information only when it corresponds to the authentication information (for example, PIN information) of the IC card for payment) or transmit the confirmation signal including the device one-time information acquired from the user apparatus 300. [ It is possible to prevent the non-repudiation even if the user does not perform the process of checking the device one-time information or the terminal one-time information and directly inputting the device one-time information to the digital system 100 through the user authentication information.

If the user authentication using the user authentication information is not performed, the digital system may not transmit the confirmation signal to the authentication system 200. For example, the digital system 100 may receive the user authentication information in advance before communicating with the user device 300. Or may receive the user authentication information from the user after the communication is performed. If the user authentication information does not correspond to the information set in the user device 300 in advance, the confirmation signal may not be transmitted. According to an embodiment, the user authentication using the user authentication information may be performed by the digital system 100 after the confirmation signal is transmitted. In this case, the digital system 100 may further transmit a predetermined authentication signal indicating the result of user authentication using the user authentication information to the authentication system 200 after transmitting the confirmation signal. Then, the authentication system 200 receiving the authentication signal may finally determine the success or failure of the authentication confirmation procedure.

Or the digital system 100 transmits the user authentication information received from the user to the authentication system 200 and determines whether the user authentication information corresponds to the user device 300 by the authentication system 200 .

3 shows a schematic configuration of an authentication system according to an embodiment of the present invention.

3, an authentication system 200 according to an exemplary embodiment of the present invention includes a control unit 210, a communication unit 220, and an authentication unit 230. The authentication system 200 may further include a DB 240.

The configuration of the control unit 210, the communication unit 220, the authentication unit 230, and the DB 240 included in the authentication system 200 includes hardware for performing the technical idea of the present invention, And the functional and structural combination of the software. For example, each of the above configurations may refer to a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and may be a code physically connected to one another or a specific type of hardware May be easily deduced to the average expert in the field of the present invention. Thus, each of the above configurations refers to a combination of hardware and software that performs the functions defined herein, and does not mean a specific physical configuration.

Also, the authentication system 200 does not mean any physical device. That is, an average expert in the technical field of the present invention can easily deduce that the authentication system 200 can be implemented by organically combining different physical devices through a network.

The authentication system 200 may be included in the service system 500 or may be implemented in a system separate from the service system 500. In addition, the operating system of the authentication system 200 and the service system 500 may be the same or different.

The control unit 331 can control functions and / or resources of other components included in the authentication system 200 (e.g., the communication unit 220, the authentication unit 230, and the DB 240) .

The communication unit 220 may perform communication with the digital system 100. In particular, the communication unit 220 may receive an acknowledgment signal from the digital system 100. Also, the communication unit 220 may transmit the server generation key to the digital system 100. [

The authentication unit 230 may generate the server generation key as described above. In addition, an authentication confirmation procedure may be performed based on the confirmation signal including the authentication information including the one-time information generated based on the server generation key. The authentication information may include one-time information, and the one-time information may include device one-time information and / or terminal one-time information. For this, the authentication unit 230 may generate server one-time information using the server generation key transmitted to the digital system 100. [ Of course, in addition to the server creation key, an average expert in the technical field of the present invention can generate the server one-time information by using information pre-agreed with the digital system 100 or the user apparatus 300 as an input value. I can reason.

Also, the authentication unit 230 may protect the server generated key to correspond to the user device 300 and transmit the protection key to the digital system 100. Of course, in this case, the user device 300 may generate the device one-time information. If the digital system 100 generates the terminal one-time information, the authentication unit 230 may protect the server generation key so as to correspond to the digital system 100 and transmit the server generation key.

Also, according to an embodiment, as described above, the authentication unit 230 simply decrypts the device one-time information and / or terminal one-time information, and determines whether the decrypted result corresponds to the server generation key, .

Also, as described above, the authentication information may be information that simply includes the medium specific information (or terminal identification information and / or device identification information) and the server generation key, or information that is generated based on the medium unique information and the server generation key . In this case, the authentication unit 230 authenticates the medium specific information (or the terminal identification information and / or device identification information) included in the authentication information based on the medium identification information stored in advance in the authentication system 200, The server generation key included in the authentication information can be authenticated based on the server generation key transmitted to the system 100. Alternatively, the authentication unit 230 may determine whether the digital system 100 or the user device 300 has generated the authentication information based on the medium identification information (e.g., medium specific information) (For example, a hashing algorithm) to generate verification authentication information. In addition, an authentication confirmation procedure may be performed by determining whether the generated authentication information for authentication and the authentication information received from the digital system 100 correspond to each other.

Wherein the authentication procedure includes an authentication procedure for authenticating one-time information included in the authentication information, the authentication using the device identification information, the authentication using the terminal identification information, As described above, at least one of authentication of whether the system 100 and the user device 300 are paired and / or authentication of the user authentication information set in the user device 300 may be selectively included.

When the one-time information includes the device one-time information, authentication using the device identification information may not be selectively included in the authentication confirmation procedure. If the one-time information includes terminal one-time information, The used authentication may optionally not be included in the authentication procedure. Of course, even if the one-time information includes the device one-time information or the one-time information includes terminal one-time information, the authentication using the device identification information and / or the authentication using the terminal identification information may be performed by the authentication unit 230 And in this case, the one-time information is to authenticate a specific device or software that generates the one-time information, whereas the authentication using the device identification information and / or the terminal identification information may be to authenticate the other hardware. Therefore, even if the device one-time information is authenticated by the authentication unit 230, there is a benefit even if the authentication using the device identification information is separately performed. Similarly, even if the terminal one-time information is authenticated by the authentication unit 230, authentication may be performed using the terminal identification information separately.

If the authentication unit 230 has succeeded in the authentication process, the control unit 210 can successfully process the authentication request that is already received or the authentication request included in the confirmation signal. The control unit 210 may send a signal indicating the authentication result to the service system 500 for success processing.

The DB 240 may previously store medium identification information (e.g., terminal identification information, device identification information, medium specific information, etc.) according to the technical idea of the present invention as described above. Also, the server generation key generated by the authentication unit 230 may be temporarily stored. Information on pair formation of the digital system 100 and the user apparatus 300, that is, information on which digital system 100 and which user apparatus 300 are formed in pairs, that is, pair setting information, Can be.

The communication unit 220 may receive an authentication request from the data processing apparatus 400 or the digital system 100. Needless to say, the authentication request may include identification information (e.g., telephone number) of the digital system 100. The identification information of the digital system 100 may be the identification information unique to the hardware of the digital system 100 or may be information different from the identification information of the digital system 100, May be varied according to the embodiment of FIG. Then, the control unit 210 may transmit authentication action request information to the digital system 100 or the data processing apparatus 400 through the communication unit 220. [ The user can confirm the authentication action request information and communicate the digital system 100 and the user device 300. [ Then, the communication unit 220 can receive an acknowledgment signal output from the digital system 100.

Then, the authentication unit 230 may perform the authentication procedure.

For this, the authentication unit 230 may generate server one-time information corresponding to the digital system 100 or the user device 300. [ Of course, it is also possible to generate server one-time information corresponding to the digital system 100 and server one-time information corresponding to the user apparatus 300, respectively. To this end, the authentication unit 230 may provide at least one input value (key or seed) for generating one-time information for each digital system 100 and / or for each user equipment 300, Shared with the digital system 100 and / or each user device 300, or may share the manner (or algorithm) of obtaining the at least one key. Of course, the server creation key may be included in the at least one input value. Of course, a function or algorithm for generating the server one-time information is also the same as the function or algorithm in which the digital system 100 or the user device 300 generates the terminal one-time information or the device 300 one-time information can do.

When the authentication unit 230 generates server one-time information, the authentication unit 230 authenticates the digital system 100 by determining whether the generated server one-time information corresponds to the one-time information included in the confirmation signal An authentication procedure can be performed. It should be noted that there are various embodiments of at least one input value and one-time information generation algorithm for the digital system 100, the user apparatus 300, and the authentication unit 230, respectively, to generate one- The average expert in the field will be able to easily reason.

Meanwhile, when the terminal identification information is included in the confirmation signal, the authentication unit 230 determines whether the terminal identification information corresponds to the information previously registered in the DB 240, It can be judged that the procedure is successful.

The authentication unit 230 determines whether the digital system 100 and the user device 300 form a pair with each other based on information previously registered in the DB 240, The digital system 100 and the user device 300 form a pair to determine that the authentication confirmation procedure is successful.

When the user authentication information (for example, the PIN information of the payment card, etc.) of the user device 300 is received from the digital system 100, the authentication unit 230 transmits the user authentication information to the DB 240) to determine that the authentication check procedure is successful. Or may determine whether the authentication procedure is successful based on the authentication signal received from the digital system 100. [

FIG. 4 shows a schematic data flow of a user authentication method using a user apparatus according to an embodiment of the present invention.

4 illustrates an example in which an authentication request is made via the digital system 100. Referring to FIG. 4, the digital system 100 may send a predetermined authentication request to the authentication system 200 (S100 ). The authentication request may be a request for transmission of a server generation key for requesting generation of an OTP for the user to authenticate itself. The authentication request is received through the communication unit 220 of the authentication system 200 and the control unit 210 may transmit the authentication action request information to the communication module 140 of the digital system 100 ). The authentication action request information may include a server creation key generated by the authentication system 200. The server creation key may be protected information corresponding to the user device 300 or the digital system 100. [ Of course, the server creation key may not be displayed by the digital system 100. In addition, the server generation key may be transmitted to the digital system 100 separately from the authentication action request information.

After confirming the authentication action request information, the user can communicate with the digital system 100 and the user device 300 (S120). The server creation key may be transmitted to the user device 300 through the communication. Then, the user device 300 may generate device one-time information based on the server creation key (S130). In this case, the digital system 100 may acquire the device one-time information, and may further acquire the identification information of the user device 300 according to an embodiment (S140). The digital system 100 may display the acquired device one-time information on the digital system 100. [ The user may then enter or input the one-time information (e.g., OTP) displayed on the digital system 100 into the digital system 100 or into the data processing apparatus 400. [ An acknowledgment signal including the inputted one-time information is transmitted to the authentication system 200, and an authentication confirmation procedure can be performed by the authentication system 200. [ Or an acknowledgment signal including the device one-time information may be automatically transmitted to the authentication system 200.

Of course, the digital system 100 may generate terminal one-time information (S130-1). The terminal one-time information may also be generated based on the server generation key. The control module 110 of the digital system 100 may control the terminal to generate the one-time information only when the communication is performed. In some cases, the terminal may generate the one-time information before the communication is performed (S130-1).

Then, the digital system 100 may transmit at least one of the terminal's one-time information or the device one-time information to the authentication system 200 (S150). Of course, the device identification information or the terminal identification information of the digital system 100 may be further included in the confirmation signal.

Then, the authentication system 200 can perform an authentication procedure based on the confirmation signal (S160). If the authentication verification process is successful, the authentication system 200 may transmit the authentication result, that is, the authentication of the user, to the digital system 100 (S170). Of course, if the digital system 100 accesses a predetermined service system 500 and then transmits the authentication request to the authentication system 200, the authentication system 200 transmits the authentication result to the service system 500 500).

As described above, the authentication system 200 determines whether the device identification information corresponds to previously registered information, whether the terminal identification information corresponds to previously registered information, and / or whether the digital system 100 and / It is of course also possible to determine the success or failure of the authentication procedure based further on whether the user device 300 forms a pair.

FIG. 5 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.

5, the data processing apparatus 400 receives an authentication request by inputting identification information of the digital system 100, and transmits the authentication request to the data processing apparatus 400. [ To the authentication system 200 (S200).

The data processing apparatus 400 may be a computer or the like used by the user of the digital system 100. [ For example, the user can request an authentication online (S200) through a computer or the like, and in response, the authentication system 200 can transmit authentication action request information to the computer (S210-1). The user may perform an authentication operation to confirm the authentication action request information displayed on the computer and to communicate the digital system 100 and the user device 300 in operation S220. According to an embodiment, the authentication system 200 may transmit authentication action request information to the digital system 100 (S210). When the authentication action request information is transmitted to the digital system 100, the server activation key includes a server generation key generated by the authentication system 200 and transmitted to the authentication activity request information, The server creation key can be transmitted to the digital system 100 as described above. According to an embodiment, the authentication system 200 transmits the authentication action request information to the data processing apparatus 400, and the server creation key may be transmitted to the digital system 100.

Then, the user can perform the authentication operation in response to this (S220).

According to another embodiment, the data processing apparatus 400 may be an affiliate terminal. That is, the user may want to perform settlement. In this case, the authentication request may be a payment request. The user can notify the merchant in the off-line store of the identification information of his / her digital system 100 or can input the identification information himself / herself. Alternatively, at a remote location, the user may request the merchant to perform a payment (authentication) request for a predetermined payment through telephone, messaging, or e-mail. Then, an authentication (payment) request may be transmitted to the authentication system 200 by inputting the identification information of the digital system 100 to the merchant terminal (S200). At this time, the authentication action request information may also be transmitted to the merchant terminal and / or the digital system 100 (S200, S200-1). Of course, the server creation key may be transmitted to the digital system 100. In response, the user may communicate an authentication action, i.e., the digital system 100 and the user device 300 (S220). The server creation key may be transmitted to the user device 300 through the communication.

The digital system 100 may then obtain the device one-time information generated by the user device 300 (S230, S240). And may further acquire device identification information of the user device 300 according to an embodiment. Also, the digital system 100 may generate terminal one-time information (S230-1).

The digital system 100 may include at least the terminal one-time information or the device one-time information in the authentication system 200, and may further include the device identification information or the terminal identification information of the digital system 100, (S250).

According to an embodiment, the digital system 100 may acquire only the device identification information without acquiring the device one-time information of the user device 300, or simply acquire the device identification information of the user device 300 . In this case, the digital system 100 preferably generates the terminal one-time information. This is because, according to the technical idea of the present invention, it is preferable that at least one of the user equipment 300 and the terminal one-time information of the digital system 100 is included in the confirmation signal information.

Then, the authentication system 200 may perform an authentication procedure based on the confirmation signal (S260). Then, the authentication result may be transmitted to the digital system 100 (S270). Or may be transmitted to the data processing apparatus 400 (S270-1). Of course, the authentication result may be transmitted to the service system 500.

Meanwhile, the authentication request according to the embodiment of the present invention may be performed by a person other than the user of the digital system 100. For example, an authentication requester other than the user (that is, a person who performs authentication confirmation) such as a family member, a relative or an acquaintance of the user inputs the identification information of the user to the data processing apparatus 400, (200).

For example, if the authentication requestor, who is an acquaintance of the user, should log in to the user's web account, receive a certificate on behalf of the user, or require payment by a third party, the service system 500 There may be cases. In this case, conventionally, it is not easy to inform the authentication requestor of information (for example, login information, authorized certificate password, etc.) for authentication or to implement it. However, according to the technical idea of the present invention, the authentication request and the authentication operation can be performed in a spatially separated state, and since the authentication requestor does not need to perform the authentication operation, there is an effect that the information for authentication is not informed to the other person.

Also, in the case of a payment service, when the authentication requester faces the identification information of the user or remotely notifies the affiliation shop side, the affiliate shop sends an authentication request (that is, a payment request ) To the authentication system (200). Of course, at this time, information on the authentication requester (for example, a name of a payment requester, a telephone number, etc.) may be further included, and information on the payment requester may be included in the authentication action request information.

In this case, the authentication system 200 may transmit the authentication action request information and the server generation key to the digital system 100 of the user, and the authentication operation as described above may be performed by the user. Then, if an authentication confirmation procedure is performed by the authentication system 200 and the authentication confirmation procedure is successful, the authentication (payment) result can be transmitted to the data processing apparatus 400 and the digital system 100.

According to another embodiment, an authentication requestor that is not a user inputs identification information of the digital system 100 to the data processing apparatus (e.g., a computer, a mobile terminal of an authentication requestor, etc.) 400, The franchisee can input the identification information of the digital system 100 to the data processing device (for example, the franchisee terminal 400) when the identification information of the user is presented face to face or remotely. Then, the data processing apparatus 400 may transmit authentication action request information (that is, payment related information including payment details, etc.) to the digital system 100. Of course, in order to achieve this, predetermined software may be installed in the data processing apparatus 400 to implement the technical idea of the present invention.

The authentication action request information may include information on the merchant, payment details, and / or information on the payment requester. If the user confirms the authentication action request information and wishes to settle the settlement request corresponding to the authentication action request information, the user can perform the authentication operation as described above. The digital system 100 may then send an acknowledgment signal as described above to the authentication system 200. At this time, the confirmation signal may further include not only the one-time information on the terminal and / or the one-time information on the terminal but also information necessary for a payment request (for example, information on an affiliate shop, payment details, etc.). That is, the confirmation signal may further include an authentication (settlement) request to be transmitted to the authentication system 200.

The authentication system 200 may then perform an authentication procedure based on the acknowledgment signal. The authentication system 200 can transmit the authentication result to the data processing apparatus 400 and / or the digital system 100. [0050] FIG. Of course, in the case of payment, if the authentication confirmation procedure is successful, the authentication system 200 or the service system 500 determines whether or not the payment is approved and transmits the payment result to the data processing apparatus 400 and / (100).

As a result, according to the technical idea of the present invention, it is possible to provide a solution with high security, which is very easy to perform authentication on behalf of a third party authentication requestor.

4 and 5, since only the identification information (e.g., telephone number) of the digital system 100 is required for the authentication request, the authentication request is easy, The user merely communicates (e.g., tagging) his or her own digital device 100 with his / her own user device 300. As described above, although the authentication request is easy and the authentication is easy, the security can be very high as described above. Also, as shown in FIG. 4 and FIG. 5, the user can easily determine whether the authentication request is allowed even in the two-channel authentication due to the ease of authentication request and the convenience of the payment confirmation operation. Further, Authentication information, login information, authorized certificate password, OTP, etc.) to be authenticated.

FIG. 6 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.

6, when the user notifies or inputs the identification information of his / her digital system 100, the data processing apparatus 400 receives the identification information (S300) To the digital system 100 (S310). It is needless to say that predetermined software for implementing the technical idea of the present invention may be installed in the data processing apparatus 400.

For example, when the user notifies the identification information of his / her digital system 100 or inputs the payment information to his / her mobile terminal 400 without providing a payment card to the store, the data processing apparatus 400 may transmit the identification information (S300) and transmits the authentication action request information corresponding to the authentication to the digital system 100 (S310). Then, the user can wirelessly communicate the digital system 100 to the data processing apparatus 400 in situ or in the car, and can easily perform settlement. In this case, the settlement financial information of the user device 300 as well as the user device 300 may not be transmitted to the merchant, so that it can be a safe settlement solution.

According to an embodiment, the data processing apparatus 400 and the digital system 100 may perform short-range wireless communication. In this case, the authentication action request information may be transmitted to the digital system 100 by the short distance wireless communication between the data processing apparatus 400 and the digital system 100. At this time, the identification information of the digital system 100 may not need to be input to the data processing apparatus 400.

For example, when the technical idea of the present invention is applied to a payment service, when a settlement amount is input to a data processing apparatus (for example, an affiliate terminal 400), the user inputs the digital system 100 to the data processing apparatus 400 It is possible to perform short-range wireless communication. Then, the authentication operation request information including the payment details including the payment amount (for example, merchant identification information, etc.) may be transmitted to the digital system 100. The user can then remotely communicate the digital system 100 with his / her user device (e.g., the payment IC card 300). With this two short-distance wireless communication, the user can easily make a payment. In this case, the identification information of the digital system 100 of the user is not required to be notified to the merchant, and the settlement financial information of the user device 300 may not be transmitted to the merchant.

In the case where the authentication action request information is transmitted from the data processing apparatus 400 to the digital system 100, in this case, the authentication action request information includes information (payment related information) required for an authentication request (payment request) . When the authentication action request information is received, the digital system 100 can communicate with the authentication system 200 and receive a server creation key (S310-1)

When the authentication operation is performed by the user (S320), the terminal one-time information generated by the digital system 100 and / or the device one-time information generated by the user device 300 and the authentication request (payment request) May be included in the confirmation signal and transmitted to the authentication system 200 (S320, S330, S330-1, S340, S350). Of course, the authentication request (payment request) may be transmitted separately from the acknowledgment signal. That is, the authentication request (payment request) may be output to the authentication system 200 separately before or after the confirmation signal is output to the authentication system 200.

Then, the authentication system 200 can perform an authentication procedure based on the confirmation signal (S360). If the authentication confirmation process is successful, the authentication result may be transmitted to the digital system 100 (S380-1). Of course, the data may be transmitted to the data processing apparatus 400 (S380). Or to a given service system 500.

On the other hand, as described above, when the authentication information includes merely a server generated key and medium specific information (or terminal identification information and / or device identification information), or the authentication information is determined based on the server generated key and medium unique information Value will be described with reference to FIG.

FIG. 9 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.

9, the digital system 100 may perform an authentication request to an authentication system 200 (S600. Of course, as described above, a given data processing apparatus 400 may perform an authentication request , Which will be described in detail above, so that a detailed description thereof will be omitted.

The authentication system 200 may then transmit the server creation key to the digital system 100. In operation S620, the user can communicate with the digital device 100 and the user device 300 through the authentication process. Of course, the server creation key may be transmitted to the digital system 100 after the communication.

The digital system 100 may receive the device identification information of the user device 300 from the user device 300 through the communication (S630). The digital system 100 may then selectively include the device identification information and its terminal identification information. The fact that the terminal identification information may be omitted is that the digital system 100 is connected to the authentication system 200, , The authentication for the digital system 100 may already be performed separately and may also authenticate the user device 300 without limitation to the specific digital system 100 The authentication information including the received server creation key is generated (S640), and the generated authentication information is included in the generated authentication information To the authentication system 200 (S650). Further, as described above, information on a service authentication object may be further included in the authentication information.

According to another embodiment, the digital system 100 receives the device identification information (S630). Specific information that is determined based on at least the received device identification information. That is, in addition to the device identification information, the medium unique information may be selectively generated based on the terminal identification information. In operation S650, the authentication information including the medium unique information and the server creation key is generated in operation S540, and an authentication signal including the generated authentication information may be transmitted to the authentication system 200 in operation S650.

According to another embodiment, the digital system 100 receives the device identification information (S630). Specific information that is determined based on at least the received device identification information. In operation S650, authentication information including the medium unique information and the server generated key is generated (S540), and an authentication signal including the generated authentication information is transmitted to the authentication system 200 (S650).

In this case, the digital system 100 generates the authentication information, and the user device 300 may generate the authentication information as described above.

At this time, the server generation key may be transmitted to the user device 300 via the communication (S620). The terminal identification information may be further transmitted to the user device 300 as needed.

The user device 300 generates authentication information (device one-time information) based on the received server generation key and device identification information, generates authentication information based on the server generation key, device identification information, and terminal identification information, The authentication information can be generated based on the generation key and the medium specific information. The generated authentication information is transmitted to the digital system 100, and the digital system 100 can transmit the confirmation signal including the authentication information to the authentication system 200. [

The authentication system 200 may perform an authentication procedure for authenticating the authentication information included in the received confirmation signal (S660). Then, the authentication result can be transmitted to the digital system 100 (S670).

On the other hand, an example of the case where the authentication information includes additional information about the service authentication object or the authentication information is generated based on the information about the service authentication object may be as shown in FIG.

In the case of a conventional account transfer or remittance, when an authentication request (remittance request) including remittance account information to be remitted (information capable of identifying the remittance account) is performed by the sender's apparatus (mobile phone, computer, or the like) (Such as an authorized certificate and / or OTP) in a system (e.g., a financial institution system or an authentication center associated with a server of a performer performing a money transfer service). (The remittance processing system may be included in the authentication system or separately implemented and connected to the authentication system) that performs the remittance process if the authentication is successful, As shown in FIG. At this time, the malicious attacker resides in a specific place (for example, memory) of the malicious code remitter device distributed by the attacker, and the authentication is terminated, and the remittance processing system changes the remittance account information to the account desired by the attacker To the remittance processing system, and the remittance processing system transfers the remittance to the changed account. At this time, the remittance account information displayed on the remitter device is kept as inputted by the remitter, so that the user may not be able to recognize the remittance account information. However, according to the technical idea of the present invention, such an attack can be prevented by incorporating the remittance account information into the authentication information as information on the service authentication object or generating the authentication information based on the remittance account information.

10 is a diagram for explaining an example in which the authentication method according to an embodiment of the present invention is applied to account transfer (money transfer). In FIG. 10, the case where the remittance processing system is included in the authentication system 200 for illustrative convenience is exemplarily shown. However, the remittance processing system may be provided separately from the authentication system 200 as described above.

Referring to FIG. 10, a sender can transmit an authentication request (a transfer request) to the authentication system 200 using the digital system 100 (S700). Of course, as described above, it is also possible to perform an authentication request (request for remittance) to the data processing apparatus 400 that is separate from the digital system 100. In this case, detailed description will be omitted since it is the same as described above. Also, the sender may input the remittance account information before the authentication request (the remittance request), or may input the remittance account information after the authentication request (the remittance request) (S740). In this case, the remittance account information inputted to the data processing apparatus 400 may be transmitted to the authentication system 200, To the digital system 100 via the Internet. The digital system 100 can receive the remittance account information to generate the authentication information by any route.

The authentication system 200 may transmit the server creation key to the digital system 100 at step S710 and the digital system 100 may communicate with the user device 300 at step S720. The digital system 100 may then receive the device identification information from the user device 300 (S730).

Then, the digital system 100 may generate authentication information (S750).

The authentication information may be information generated using the remittance account information as basic information. For example, the authentication information may be information generated based on a server generation key, device identification information and / or terminal identification information, and remittance account information. In some implementations, only the server generated key and remittance account information may be used as basic information of the authentication information. That is, according to the embodiment, the user device 300 may be excluded from the information about the authentication object, and in this case, the communication S720 may be omitted.

In any case, the authentication information may be one-time information generated based on the server generation key and the remittance account information.

Such authentication information may be included in the confirmation signal and transmitted to the authentication system 200. [

Then, the remittance processing system may perform an authentication check procedure for authenticating the authentication information (S770). In addition, the apparatus for authenticating the sender according to the embodiment may be a separate apparatus from the remittance processing system. In this case, the authentication information may include information (server generation key, terminal identification information and / It is preferable that the apparatus identification information (or medium specific information) and the remittance account information (or the determination value based on the remittance account information) can be separately included.

In any case, the remittance processing system can determine whether the account to be remitted by the remittance accounting system corresponds to the remittance account information inputted by the remitter through the authentication confirmation procedure. That is, when the remittance account information (or the decision value) included in the authentication information corresponds to the remittance account information (or the decision value) to be remitted by itself, or when the authentication information itself is a decision value based on the remittance account information, It is possible to determine whether the authentication information corresponds to the authentication information received from the digital system 100. For example,

As described above, according to the technical idea of the present invention, the remittance processing system can perform the authentication confirmation procedure for authenticating the authentication information received from the digital system 100 before remittance (or at least the remittance account information (or remittance account information (S780). Since the authentication information is one-time information based on the remittance account information, the remittance account information input by the user (that is, the service It is possible to prevent the remittance from being carried out to an account different from the account to be authenticated.

Of course, after the remittance is performed, the authentication system 200 may transmit the remittance result to the digital system 100 (S790).

7 is a diagram for explaining a process of an authentication system performing an authentication procedure according to an embodiment of the present invention.

Referring to FIG. 7, the authentication unit 230 determines whether the authentication information (that is, the terminal's one-time information and / or the device one-time Information) can be obtained (S410). Then, the authentication unit 230 can authenticate the authentication information as described above. For example, after generating server one-time information based on a server generation key transmitted to the digital system 100 (S411), one-time information for determining whether the generated server one-time information and the terminal one-time information and / (S412). Of course, the device one-time information may be generated in a time synchronization manner, and in this case, the server one-time information may be generated using time information, that is, the server generation key as an input value.

If authentication of the authentication information (one-time information) is successful, it can be determined that the authentication confirmation process has succeeded (S460). If the authentication of the one-time information fails, it can be determined that the authentication confirmation process has failed (S450).

The authentication unit 230 may perform only authentication of the one-time information. However, according to an embodiment, authentication of the device identification information (i.e., authentication of the user device 300) (I. E., Authentication of the hardware of the digital system 100), and / or authentication of the pair. In step S460, it is determined that the authentication is successful if all of the certificates are successful.

7, the authentication of the device identification information, the authentication of the terminal identification information, and the authentication of the pair are sequentially performed. However, it is needless to say that the sequence of such authentication can be changed at any time.

For example, if authentication of the one-time information is successful as shown in FIG. 7, the authentication unit 230 may authenticate the user device 300 using the device identification information (S420). If the authentication of the user device 300 is successful, it may determine that the entire authentication procedure has succeeded (S460), and may further perform authentication using the terminal identification information (S430). If the authentication of the user device 300 fails, the authentication unit 230 may determine that the entire authentication procedure has failed (S450).

When the authentication unit 230 further performs the authentication using the terminal identification information at step S430, the authentication unit 230 determines the terminal identification information of the digital system 100 included in the confirmation signal and the terminal identification information of the DB 240, The hardware of the digital system 100 may be authenticated by determining whether the information registered in advance corresponds to the information registered in the digital system 100 (S430). If the hardware of the digital system 100 is successfully authenticated, it may determine that the entire authentication procedure has succeeded (S460), and may further perform authentication of the pair (S430). If the authentication of the hardware of the digital system 100 fails, the authentication unit 230 may determine that the entire authentication procedure has failed (S450).

When the authentication unit 230 further performs the pair authentication (S430), the authentication unit 230 transmits the pair setting information registered in advance in the DB 240, that is, information about the digital system and the user apparatus constituting the pair (Step S440), and confirms whether the digital system 100 and the user device 300 used in the payment confirmation operation are a pair. If the pair authentication is successful, it can be determined that the entire authentication check procedure is successful (S460). Of course, if the pair authentication fails, the authentication unit 230 may determine that the entire authentication verification procedure has failed (S450).

8 is a diagram for explaining a process in which a digital system transmits an acknowledgment signal according to an embodiment of the present invention.

Referring to FIG. 8, a user may input user authentication information (e.g., a PIN of a payment card) of the user device 300 through a predetermined application installed in the digital system 100 to perform an authentication operation (S500). The digital system 100 may communicate with the user device 300 (S510). Then, the digital system 100 can receive the device identification information of the user device 300 through the communication (S520).

The digital system 100 may perform user authentication to determine whether the user authentication information input from the user through the communication with the user device 300 corresponds to the information set in the user device 300 in operation S530. If the user authentication is successful, the digital system 100 generates an acknowledgment signal including the one-time information and transmits the acknowledgment signal to the authentication system 200 (S550). Of course, if the user authentication fails (S530), the digital system 100 can terminate the process (S560). According to an embodiment, the digital system 100 may perform pair authentication (S540). In step S550, the digital system 100 may transmit an acknowledgment signal to the mobile station 100 in order to verify that the pair authentication is successful.

In order for the digital system 100 to perform pair authentication, the device identification information of the user device 300 forming a pair with the digital system 100 may be registered in the digital system 100 in advance. According to an embodiment of the present invention, identification information or terminal identification information of the digital system 100 forming a pair with the user device 300 may be stored in the storage device of the user device 300. In this case, the digital system 100 may perform pair authentication by checking the information stored in the storage device.

In any case, if the digital system 100 and the user device 300 are not paired devices, the digital system 100 does not send the acknowledgment signal to the authentication system 200, (S560).

Although FIG. 8 shows an example in which the user authentication is performed before the pair authentication, it is needless to say that the pair authentication may be performed first.

In FIG. 8, the user authentication information (e.g., PIN) of the user device 300 may be input at any time after the confirmation signal is transmitted to the authentication system 200 before the authentication confirmation process is terminated. That is, after the digital system 100 transmits the confirmation signal to the authentication system 200, the digital system 100 may receive user authentication information of the user device 300 from the user and authenticate the user. In this case, the digital system 100 may further transmit a predetermined authentication signal indicating the result of user authentication to the authentication system 200. Then, the control unit 210 included in the authentication system 200 may determine the success or failure of the authentication confirmation process after confirming the authentication signal.

According to an embodiment, the digital system 100 transmits user authentication information to the authentication system 200, and the authentication of the user authentication information may be performed by the authentication system 200. In this case, the digital system 100 may transmit the user authentication information to the authentication system 200 at any time before the payment request is approved by the authentication system 200. For example, the user authentication information may be included in the confirmation signal, and the user authentication information may be transmitted to the authentication system 200 at any time before or after the transmission of the confirmation signal. Then, the authentication unit 230 included in the authentication system 200 can perform the user authentication using the user authentication information of the user device 300 stored in the DB 240. And, if the user authentication is successful, it may be determined that the authentication confirmation process is finally succeeded.

11 shows an example of medium identification information that can be stored in an authentication system to implement the technical idea of the present invention.

Referring to FIG. 11, the DB 240 of the authentication system 200 may store media unique identification information. The medium unique identification information may be information on which terminal identification information and / or device identification information capable of implementing the technical idea of the present invention are stored as described above. 10A, the identification information of each of the digital system 100 and the user device 300, which is set in a pair in advance, that is, the terminal identification information, The identification information may be stored so as to correspond to each other. For example, a predetermined digital system (terminal identification information A) may be set as a pair with a specific user apparatus (a). In this case, the digital system corresponding to A and the user apparatus corresponding to a can communicate with each other, and the authentication according to the technical idea of the present invention can be succeeded.

Further, a plurality of user devices (device identification information b1, b2) may be set as a pair in a specific digital system (terminal identification information B). At this time, B and b1 communicate with each other, and B and b2 communicate with each other, so that the authentication according to the technical idea of the present invention can be succeeded.

As shown in FIG. 11A, in the authentication system 200, the terminal identification information and the device identification information corresponding thereto can be stored as medium identification information.

However, as described above, the authentication system 200 may store medium specific information in order to increase security. Such an example may be as shown in FIG. 11B. The medium specific information may be stored so as to correspond to user identification information (e.g., name, telephone number, or terminal identification information).

For example, the medium specific information corresponding to the user 1 may be h1, and the medium specific information h1 may be a determination value (e.g., a hash value) determined by the terminal identification information A and the device identification information . In addition, the medium specific information h2 may be h2 and h3, and the medium specific information h2 may be a determination value (e.g., a hash value) determined by the terminal identification information B and the device identification information b1 ). The medium specific information h3 may be a determination value (e.g., a hash value) determined by the terminal identification information B and the device identification information b2. If the medium specific information is stored in the authentication system 200, the terminal identification information and / or the device identification information may not be exposed even if the authentication system 200 is attacked. Also, when the authentication information generated by the user device 300 or the digital system 100 is generated based on the server generation key and the medium specific information as described above, the authentication system 200 may store the previously stored medium unique information It is possible to generate verification authentication information capable of promptly authenticating the authentication information by using the authentication information.

The authentication method using the user apparatus according to the embodiment of the present invention can be implemented as a computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a hard disk, a floppy disk, an optical data storage device, and the like in the form of a carrier wave (for example, . In addition, the computer-readable recording medium may be distributed over network-connected computer systems so that computer readable codes can be stored and executed in a distributed manner. And functional programs, codes, and code segments for implementing the present invention can be easily inferred by programmers skilled in the art to which the present invention pertains.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

Claims (21)

The digital system receiving a server generation key from an authentication system;
Wherein the digital system transmits the server creation key to the user apparatus through communication with the user apparatus and receives the authentication information generated by the user apparatus based on the transmitted server creation key,
When the communication is performed, the digital system generates authentication information based on the server generation key,
The server creation key includes:
And authenticating the user using the user device including the time information of the authentication system.
The authentication method according to claim 1,
Wherein the digital system further comprises the step of transmitting an acknowledgment signal including the authentication information to the authentication system without displaying the authentication information in the digital system.
The authentication method according to claim 1,
Further comprising performing a time validity checking procedure in which the digital system compares the server generated key with time information of the digital system,
If the time validity is confirmed as a result of performing the time validity checking procedure,
Transmitting the server creation key to the user device,
Generates authentication information using the server creation key,
And a user device that processes the authentication information generated by the user apparatus or the digital system as valid authentication information.
The method according to claim 1,
Wherein the digital system is information protected by the user apparatus so as to correspond to the user apparatus.
The authentication method according to claim 1,
Further comprising the step of the digital system determining whether the user equipment is a preset pair to correspond to the digital system,
And transmitting the confirmation signal including the authentication information to the authentication system if the user device is a predetermined pair.
The digital system receiving a server generation key from an authentication system;
Time information to be used as basic information for generation of one-time information by using the server generation key received by the digital system, the time information being information of the first time of the digital system or of the user apparatus performing communication with the digital system Confirming the legitimacy of the second time information;
Wherein the digital system receives the authentication information generated by the user apparatus based on the second time information whose validity has been confirmed through communication with the user apparatus or receives the authentication information generated based on the first time information whose validity is confirmed, Or generating the authentication information by transmitting the first time information whose validity is confirmed to the user device,
The server creation key includes:
And authenticating the user using the user device including the time information of the authentication system.
Transmitting the server generation key to the digital system of the user, the server generation key including the time information of the authentication system;
Wherein the authentication system is configured to generate authentication information from the digital system or from the user's data processing device, the authentication information being generated by the user device or generated by the digital system when the digital system is communicating with a predetermined user device And information generated based on the server creation key;
The authentication system performing an authentication procedure for authenticating the received authentication information; And
And successively processing an authentication request output from the data processing apparatus or the digital system to the authentication system or the service system connected to the authentication system when the authentication confirmation process is successful.
8. The method according to claim 7,
Time validity has to be verified by the digital system,
Wherein the server creation key is transmitted to the user device and generated by the user device,
Generated by the digital system,
Wherein the authentication information generated by the user apparatus or the digital system is processed as valid authentication information by the digital system.
8. The authentication method according to claim 7,
Further comprising the step of protecting the server creation key so that the authentication system corresponds to the user apparatus,
And transmits the protected server generation key to the digital system.
8. The authentication method according to claim 7,
Further comprising the step of determining whether the authentication system is a preset pair so that the user device and the digital system correspond to each other,
And determining that the authentication confirmation process is successful if the authentication result is a predetermined pair.
Transmitting the server generation key to the digital system of the user, the server generation key including the time information of the authentication system;
Wherein the authentication system is configured to generate authentication information from the digital system or from the user's data processing device, the authentication information being generated by the user device or generated by the digital system when the digital system is communicating with a predetermined user device And information generated based on time information for which validity is confirmed;
The authentication system performing an authentication procedure for authenticating the received authentication information; And
And successively processing an authentication request output from the data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system if the authentication confirmation process is successful,
The authentication information includes:
Generated by the digital system or the user apparatus based on first time information of the digital system whose legitimacy is confirmed using the server generation key,
Wherein the first authentication information is information generated by the user device based on second time information of the user device whose validity is confirmed.
A recorded computer program for performing the method according to any one of claims 1 to 11, installed in a data processing apparatus.
In a digital system,
A user device communication module for performing communication with a predetermined user device;
A communication module for receiving a server generation key from an authentication system; And
Transmitting the server generation key to the user device through the user equipment communication module and receiving the authentication information generated by the user device based on the transmitted server generation key,
And a control module for generating authentication information based on the server generation key when the communication is performed,
The server creation key includes:
And authenticating the user using the user apparatus including the time information of the authentication system.
14. The control module according to claim 13,
And transmits an authentication signal including the authentication information to the authentication system without displaying the authentication information received or generated in the digital system.
14. The control module according to claim 13,
A time validity checking procedure for comparing the server generated key with the time information of the digital system is performed,
Transmitting the server creation key to the user device,
Generates authentication information using the server creation key,
And authenticating the user using the user apparatus or the user apparatus that processes the authentication information generated by the digital system as valid authentication information.
In a digital system,
A user device communication module for performing communication with a predetermined user device;
A communication module for receiving a server generation key including time information of the authentication system from an authentication system; And
Time information to be used as basic information for generation of one-time information using the received server generation key, the time information including first time information of the digital system or second time information of a user apparatus communicating with the digital system - Check the legitimacy of -
Receiving authentication information generated by the user device based on the second time information for which validity is confirmed through communication with the user device,
Transmitting the first time information whose validity has been confirmed through communication with the user device, receiving the authentication information generated by the user device based on the first time information,
And a control module for generating authentication information based on the first time information for which the validity is confirmed.
In an authentication system,
A server generation key to be transmitted to a digital system of a user, the server generation key including time information of the authentication system, and generates authentication information included in an acknowledgment signal received from the digital system or the data processing apparatus of the user An authentication unit for performing an authentication check process for authenticating the user;
Wherein the authentication information is transmitted from the digital system to the digital system when the digital system is in communication with a predetermined user device, And generating information based on the server creation key; And
And a control unit for successively processing an authentication request output from the data processing apparatus or the digital system to the authentication system or the service system connected to the authentication system if the authentication confirmation process is successful.
18. The method according to claim 17,
Time validity must be verified by the digital system
Wherein the server creation key is transmitted to the user device and generated by the user device,
Generated by the digital system,
Wherein the authentication information generated by the user apparatus or the digital system is processed by the digital system as valid authentication information.
18. The information processing apparatus according to claim 17,
Further comprising the step of protecting the server generation key to correspond to the user apparatus,
Wherein,
And transmits the protected server generation key to the digital system.
18. The information processing apparatus according to claim 17,
Determines whether the user apparatus and the digital system are a predetermined pair so as to correspond to each other, and judges that the authentication check procedure is successful if it is determined that the pair is a predetermined pair.
In an authentication system,
A server generation key to be transmitted to a digital system of a user, the server generation key including time information of the authentication system, and generates authentication information included in an acknowledgment signal received from the digital system or the data processing apparatus of the user An authentication unit for performing an authentication check process for authenticating the user;
Wherein the authentication information is transmitted from the digital system to the digital system when the digital system is in communication with a predetermined user device, The information being generated based on time information generated and validated; And
And a control unit for successfully processing an authentication request output from the data processing apparatus or the digital system to the authentication system or the service system connected to the authentication system,
The authentication information includes:
Generated by the digital system or the user apparatus based on first time information of the digital system whose legitimacy is confirmed using the server generation key,
Wherein the first authentication information is information generated by the user device based on second time information of the user device whose validity is confirmed.
KR1020150036027A 2015-03-16 2015-03-16 Method for authentication using user apparatus, digital system, and authentication system thereof KR20160111190A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150036027A KR20160111190A (en) 2015-03-16 2015-03-16 Method for authentication using user apparatus, digital system, and authentication system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150036027A KR20160111190A (en) 2015-03-16 2015-03-16 Method for authentication using user apparatus, digital system, and authentication system thereof

Publications (1)

Publication Number Publication Date
KR20160111190A true KR20160111190A (en) 2016-09-26

Family

ID=57068390

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150036027A KR20160111190A (en) 2015-03-16 2015-03-16 Method for authentication using user apparatus, digital system, and authentication system thereof

Country Status (1)

Country Link
KR (1) KR20160111190A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130029983A (en) 2011-09-16 2013-03-26 (주)에이티솔루션즈 Recording medium, method and device for log-in or certification use of near field communication

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130029983A (en) 2011-09-16 2013-03-26 (주)에이티솔루션즈 Recording medium, method and device for log-in or certification use of near field communication

Similar Documents

Publication Publication Date Title
CA3017893C (en) System and method for certificate issuance based on block chain
US20130219481A1 (en) Cyberspace Trusted Identity (CTI) Module
JP2018516505A (en) Authentication in the ubiquitous environment
KR20150072955A (en) Method for payment using card, digital system, and settlment side system thereof
KR101467242B1 (en) Digital system for pair user authentication, authentication system, and providing method thereof
KR101498120B1 (en) Digital certificate system for cloud-computing environment and method thereof
KR101574169B1 (en) Method for authentication using user apparatus, digital system, and authentication system thereof
KR102122555B1 (en) System and Method for Identification Based on Finanace Card Possessed by User
KR20160084789A (en) Method for authentication, digital system, and authentication system thereof
KR20140020337A (en) Method for authentication using user apparatus, digital system, and authentication system thereof
KR20200022194A (en) System and Method for Identification Based on Finanace Card Possessed by User
KR20150077379A (en) Method for authentication using user apparatus, digital system, and authentication system thereof
KR20160084786A (en) Method for authentication using user apparatus, digital system, and authentication system thereof
KR101491515B1 (en) Method for authentication using user apparatus, digital system, and authentication system thereof
KR101700833B1 (en) Card User Authentication System and Authentication Server and Portable Device for the same
KR101621265B1 (en) Method for authentication using user apparatus, digital system, and authentication system thereof
KR101603684B1 (en) Method for authentication using user apparatus, digital system, user apparatus, and authentication system thereof
KR20160111190A (en) Method for authentication using user apparatus, digital system, and authentication system thereof
US11960581B2 (en) Mobile device secret protection system and method
KR101682678B1 (en) Card Transaction System and Encryption/Decryption Server for the same
KR20150088571A (en) Method for authentication using user apparatus, digital system, user apparatus, and authentication system thereof
KR20140033189A (en) Method for authentication using user apparatus, digital system, user apparatus, and authentication system thereof
KR20150089569A (en) Method for authentication using user apparatus, digital system, user apparatus, and authentication system thereof
KR20200103615A (en) System and Method for Identification Based on Finanace Card Possessed by User
KR20150075620A (en) Method for authentication using user apparatus, digital system, and authentication system thereof