WO2023204411A1 - Method for verifying certificate by using blockchain and system therefor - Google Patents

Info

Publication number
WO2023204411A1
WO2023204411A1 (PCT/KR2023/002102; also cited as KR2023002102W and WO 2023204411 A1)
Authority
WO
WIPO (PCT)
Prior art keywords
certificate
verification
certification authority
smart contract
server
Prior art date
Application number
PCT/KR2023/002102
Other languages
French (fr)
Korean (ko)
Inventor
서광준
박상길
Original Assignee
주식회사 블로코
Priority date
Filing date
Publication date
Priority claimed from KR1020220048471A (KR102479987B1)
Priority claimed from KR1020220048469A (KR102479985B1)
Priority claimed from KR1020220048470A (KR102479986B1)
Application filed by 주식회사 블로코
Publication of WO2023204411A1

Classifications

    • H04L 67/1097: H Electricity / H04 Electric communication technique / H04L Transmission of digital information, e.g. telegraphic communication / H04L 67/00 Network arrangements or protocols for supporting network services or applications / H04L 67/01 Protocols / H04L 67/10 Protocols in which an application is distributed across nodes in the network / H04L 67/1097 ... for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: H04L 9/00 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to a certificate verification method and a system for the same, and specifically to a method and system in which a verification agency server, on receiving a request to verify a certificate, performs the verification by querying a revocation list stored in a blockchain network.
  • a certificate is a digitally signed data structure that binds a public key to the identity of its holder and is presented for authentication when using various services over a network. Certificates are issued under the electronic signature of a trusted certification authority, which thereby vouches for the public key.
  • since a certificate has an expiration date and is a medium whose reliability must be guaranteed, its validity needs to be verified continuously, each time a user presents it.
  • CRL Certificate Revocation List
  • OCSP Online Certificate Status Protocol
  • the present invention is intended to provide an improvement over conventional methods by establishing an environment in which certificate validity verification can be performed efficiently, quickly and in real time.
  • the present invention was made to solve the technical problems discussed above, and also to provide additional technical elements that cannot easily be devised by those skilled in the art.
  • one purpose of the present invention is to provide an environment in which certificate validity can be verified more effectively than by conventional means.
  • another purpose of the present invention is to provide an improved validation environment while maintaining the existing certificate use environment, by inserting only the essential information into the certificate within the framework of the certificate standard.
  • a further purpose of the present invention is to ensure the integrity and stability of certificates by utilizing a highly reliable infrastructure, namely a blockchain network.
  • the method of verifying a certificate using a blockchain may include the steps of: (a) a verification agency server receiving a first user certificate from a verification requester terminal; (b) the verification agency server verifying the validity of the first user certificate itself; and (c) the verification agency server verifying whether the first user certificate has been revoked by checking the first revocation list stored in a first smart contract for certificate management on the blockchain network, the first smart contract for certificate management having been deployed in advance by the first certification authority that issued the first user certificate.
  • the method of verifying a certificate using the blockchain may further include the steps of: the verification agency server obtaining, from the first smart contract, a first CA certificate issued to the first certification authority by a higher level certification authority; the verification agency server verifying the validity of the first CA certificate itself; and the verification agency server verifying whether the first CA certificate has been revoked by querying the second revocation list in the second smart contract for certificate management of the second certification authority that issued the first CA certificate.
  • a certificate verification method may include the steps of: (a) a verification agency server receiving a first user certificate from a verification requester terminal; (b) the verification agency server verifying the validity of the first user certificate itself; (c) the verification agency server obtaining a plurality of higher level certification authority certificates from the first smart contract for certificate management on the blockchain network, the first smart contract having been deployed in advance by the first certification authority that issued the first user certificate; and (d) the verification agency server repeatedly performing, for each of the plurality of higher level certification authority certificates, verification of the certificate itself and verification of whether the certificate has been revoked.
  • the process of verifying whether a certificate has been revoked in step (d) may include: searching for a revocation list in the smart contract identified by the smart contract identifier of the higher level certification authority that issued the certificate to be verified; and inquiring whether the identifier of the certificate to be verified exists in the revocation list found.
  • the smart contract identifier of the higher level certification authority that issued the certificate to be verified may be recorded in the certificate to be verified.
  • a certificate verification method may include the steps of: (a) a verification agency server receiving a first user certificate and a plurality of higher level certification authority certificates from a verification requester terminal; and (b) the verification agency server repeatedly performing, for each of the first user certificate and the plurality of higher level certification authority certificates, verification of the certificate itself and verification of whether the certificate has been revoked.
  • the process of verifying whether a certificate has been revoked in step (b) may include: searching for a revocation list in the smart contract identified by the smart contract identifier of the higher level certification authority that issued the certificate to be verified; and inquiring whether the identifier of the certificate to be verified exists in the revocation list found.
  • step (b) of the certificate verification method may be characterized in that the repetition ends with the self-verification of the certificate issued by the root certification authority.
  • Figure 1 schematically shows a system according to the invention.
  • FIG. 2 is a conceptual diagram for easily understanding the present invention.
  • Figure 3 shows the prerequisites for implementing the present invention, particularly the process in which a certificate is issued by a certification authority and then stored in a smart contract.
  • FIG. 4 shows the detailed structure of the certificate used in the present invention.
  • Figure 5 shows the prerequisites for implementing the present invention, particularly the process in which the revocation list is stored in a smart contract.
  • Figure 6 shows a first embodiment of the present invention.
  • Figure 7 shows a second embodiment of the present invention.
  • Figure 8 shows a third embodiment of the present invention.
  • Figure 9 shows a fourth embodiment of the present invention.
  • FIG. 1 shows a system in which the certificate verification method according to the present invention can be implemented.
  • the certificate verification system necessarily includes a certification authority server 100, which is the issuing entity of the certificate, a verification requester terminal 300 that requests verification of the certificate, and a verification agency server 400 that performs the actual verification. It may further include a blockchain network 50 that all of these components can access. Each component is explained in detail below.
  • the certification authority server 100 can be understood as a server operated by a certification authority, and a certification authority can be defined as an organization on a network that determines security eligibility, certifies public keys used for message encryption and electronic signatures, and manages the public keys it has certified.
  • a certification authority can be viewed as an organization that plays a similar role in issuing certificates upon user requests and providing guarantees for the issued certificates.
  • the certification authority server 100 can perform functions such as generating public key pairs, testing public key parameters, issuing certificates to lower level certification authorities, issuing and checking identifiers (Distinguished Names), verifying and authenticating the identity of a certificate applicant, creating and checking electronic signatures, creating, managing and distributing CRLs, maintaining records of issued certificates, creating and managing system audit records, creating or obtaining timestamps, and revoking certificates.
  • the verification requester terminal 300 may be a terminal of a general user who wants to use a service in a network space, especially a user who wants to use a financial service.
  • the verification requester terminal 300 can provide at least one certificate to the verification agency server 400, and the desired service can be used after verification of the provided certificate or certificates is completed.
  • the verification requester terminal 300 is assumed to be equipped with a central processing unit and memory, and may naturally include communication means for network connection.
  • the verification requester terminal 300 may refer to any device owned or carried by the user, including portable terminals such as smartphones, PDAs and tablet PCs as well as fixed terminals such as desktops.
  • the verification agency server 400 may refer to a server that operates logic to verify whether a certificate is valid.
  • the verification agency server 400 may query the revocation list in the process of verifying whether the certificate is valid, as will be described later.
  • the servers mentioned in this detailed description may preferably be implemented as server computers; any computing device equipped with a central processing unit and memory can be used to implement such a server computer.
  • the central processing unit may also be called a controller, microcontroller, microprocessor, microcomputer, etc., and may be implemented in hardware, firmware, software, or a combination thereof. When implemented in hardware, devices such as the following may be used:
  • ASIC application specific integrated circuit
  • DSP digital signal processor
  • DSPD digital signal processing device
  • PLD programmable logic device
  • FPGA field programmable gate array
  • when implemented in firmware or software, the firmware or software may be configured to include a module, procedure or function that performs the functions or operations described above.
  • memory may be implemented with ROM (Read Only Memory), RAM (Random Access Memory), EPROM (Erasable Programmable Read Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory, SRAM (Static RAM), HDD (Hard Disk Drive), SSD (Solid State Drive), etc.
  • certification authority server or verification authority server may not be implemented with only one server computer, but may also be implemented as a system composed of a plurality of server computers. However, in this case, a more appropriate term would be certification authority system or verification authority system, but in this detailed description, the terms certification authority server and verification authority server will continue to be used for uniformity of terminology.
  • the certification authority server or verification authority server need not be implemented as a physical server computer; it may also be implemented as a cloud server, that is, a server managed and operated by another operating entity.
  • blockchain refers to a distributed data storage technology that connects blocks that record transaction information for a certain period of time in a chain and replicates and stores them on numerous computers simultaneously.
  • the blockchain network 50 links data like a chain and, rather than storing transaction records on a centralized server, makes them public for anyone to view, so that forgery or alteration of the data is prevented from the outset by mutual surveillance of the transaction records; it is a P2P structured data storage method. Data recorded on the blockchain is very difficult to forge or falsify by hacking, so it can be trusted by anyone. Additionally, because the data recorded on the blockchain is distributed and stored on multiple computers, it is also safe from DDoS or ransomware attacks against specific nodes. Furthermore, because a blockchain can be maintained and operated autonomously by equal participants, it is more flexible than the existing server-client structure in which all information was concentrated on a central server.
  • Blockchain technology can be used in various fields such as cryptocurrency, smart contracts, logistics management, document management, identity verification, etc.
  • in the certificate verification method according to the present invention, blockchain technology is used in particular in the form of smart contracts.
  • a smart contract is a function that automatically executes the contents of a contract when certain conditions are met: a digital electronic contract function that allows a desired contract to be concluded peer-to-peer without a third-party guarantee agency in the middle. For example, when a transaction occurs, a block for that transaction is created and broadcast; each node that receives the block appends it to the end of its own copy of the blockchain, executes the transaction stored in the block and applies the result, so that the smart contract databases of all nodes are synchronized.
  • certificate verification is performed on the premise that the certification authority server 100 has stored (recorded) the certificate in a smart contract deployed on the blockchain network.
  • since the nodes of the blockchain network share the smart contract database, the integrity, safety and stability of the certificate can be guaranteed.
  • in this detailed description, saying that arbitrary data (e.g. certificates) is stored in a smart contract means that it is stored in the storage (also referred to by terms such as state DB or ledger) of that smart contract.
  • for example, 'the CA certificate is stored in the smart contract' means 'the data called the CA certificate is stored in the storage of the smart contract that was allocated when the smart contract was deployed on the blockchain network'.
  • FIG. 2 is a diagram for intuitive understanding of the certificate verification method according to the present invention.
  • a user who wants to use a financial service can request verification of the validity of a certificate by providing the certificate to the verification agency, and the verification agency can check whether the certificate is valid by querying the blockchain network to obtain the revocation list. More precisely, the verification agency can use the blockchain network both to query the certificates of the higher level certification authorities and to query the revocation lists.
  • the main feature of the certificate verification method according to the present invention is that the verification agency refers to the revocation list shared on the blockchain network when verifying the validity of the certificate.
  • Figure 3 shows the process by which a user certificate is issued to the verification requester terminal 300 and the related certificates are stored, that is, the user certificate issuance process.
  • the first certification authority server 100 is a server of a relatively lower certification authority
  • the second certification authority server 250 is a server of a relatively higher certification authority. More preferably, the second certification authority server 250 may be a root certification authority server.
  • the second certification authority server 250 can distribute a second smart contract for certificate management on the blockchain network 50 (S301).
  • this step can also be understood as a step in which the second certification authority server 250 prepares in advance a medium that can be shared by multiple nodes, particularly a medium that can store certificates. This can also be applied to all steps in which other certification authority servers distribute smart contracts to the blockchain network 50.
  • after step S301, a step of generating an R certificate (S302) and a step of storing the R certificate in the second smart contract for certificate management (S303) may be performed in that order.
  • Steps S301 to S303 may also be understood as steps in which the root certification authority server prepares to issue a certificate.
  • the term R certificate can refer to a certificate created and issued by a root certification authority, and the term R certificate is used to distinguish it from the CA certificate, which will be described later.
  • the first certification authority server 100 may likewise execute a step (S304) of deploying the first smart contract for certificate management to the blockchain network 50, and then a step (S305) of requesting the second certification authority server 250 to issue a CA certificate may be performed.
  • the first certification authority server 100 provides an identifier that can identify the first smart contract for certificate management, that is, a first smart contract identifier for certificate management, to the second certification authority server 250.
  • identifier may be the address of the smart contract distributed by the certification authority server on the blockchain network.
  • the first smart contract identifier for certificate management could be "0x466BDA20T86GgA9037kxd00792".
  • after step S305, the second certification authority server 250 generates a CA certificate in response to the issuance request, and the first certification authority server 100 receives the CA certificate from the second certification authority server 250 (S306).
  • the CA certificate may include the first smart contract identifier for certificate management that was previously transmitted to the second certification authority server 250 in step S305.
  • the first certification authority server 100 may store the CA certificate in the first smart contract for certificate management (S307).
  • the first certification authority server 100 can record the CA certificate issued to it on the blockchain network 50 so that the CA certificate can be viewed by anyone at any time.
  • when the second certification authority server 250 issues a CA certificate to the first certification authority server 100, which is a subordinate certification authority, it leaves its own smart contract identifier (the second smart contract identifier for certificate management) in the CA certificate, which makes it possible to trace back to the issuer.
  • FIG. 4 shows the structure of the certificate used in the present invention. That is, certificates issued by certification authority servers and certificates stored in smart contracts distributed on a blockchain network may have the structure shown in FIG. 4.
  • following the X.509 layout, the certificate contains the version, the certificate's unique serial number, the signature algorithm identifier (AlgorithmIdentifier), the period of validity (Period of Validity), the issuer and subject names, the subject's public key information (Public Key Information), the optional issuer and subject unique identifiers (Issuer Unique ID, Subject Unique ID), the smart contract identifier of the certification authority that requested issuance (CA Smart Contract Identifier), the smart contract identifier of the issuing certification authority (Issuer CA Smart Contract Identifier), and the issuer's signature (Signature).
  • as necessary, the certificate may additionally contain extension information such as the subject's alternative name (SubjectAltName), policy mappings (PolicyMappings), name constraints (NameConstraints), policy constraints (PolicyConstraints), the issuer's alternative name (IssuerAltName), the issuer key identifier (AuthorityKeyIdentifier), the subject key identifier (SubjectKeyIdentifier), basic constraints (BasicConstraints), or the CRL acquisition location (CRLDistributionPoints).
  • the smart contract identifier of the certification authority that requested issuance (CA Smart Contract Identifier) and the smart contract identifier of the issuing certification authority (Issuer CA Smart Contract Identifier) are the essential additions to the certificate; this information can be recorded in the extensions area provided by the standard certificate format, so the certificate remains a standard-conforming certificate.
  • the verification requester terminal 300 requests the first certification authority server 100 to issue a user certificate (S308), after which a step in which the first certification authority server 100 generates the user certificate (S309) and a step in which the first certification authority server 100 issues the user certificate (S310) may be performed.
  • in the user certificate issued to a general user, the area for the smart contract identifier of the certification authority that requested issuance (CA Smart Contract Identifier) is empty; that is, a CA Smart Contract Identifier is not included in a user certificate.
  • in the embodiment described so far, step S307 stores only the CA certificate issued to the first certification authority server 100 by the second certification authority server 250 in the first smart contract for certificate management.
  • in a modified embodiment, the first certification authority server 100 may hold not only the CA certificate issued to it but also the CA certificates issued by certification authority servers above the second certification authority server 200.
  • that is, the first certification authority server 100 may store in the first smart contract for certificate management not only the certificate issued by the second certification authority server 250 but also all CA certificates issued to lower level certification authorities by the other certification authority servers in its chain.
  • the first certification authority server 100 can obtain these CA certificates by following the smart contract identifiers recorded in the CA certificates: when the second certification authority server 200 is not a root certification authority, the first certification authority server 100 refers to the Issuer CA Smart Contract Identifier in the CA certificate issued by the second certification authority server 200 to obtain the CA certificate issued to the second certification authority by a third certification authority server, then refers to the Issuer CA Smart Contract Identifier in that certificate to obtain the CA certificate issued by a fourth certification authority server, and so on. Multiple CA certificates can thus be obtained by tracing the smart contract identifiers within the CA certificates.
  • as another method for the first certification authority server 100 to obtain the CA certificates issued by higher level certification authority servers, when the first certification authority server 100 receives its CA certificate from the second certification authority server 200 (which is not a root certification authority), it may receive not only the certificate issued by the second certification authority server 200 but also all CA certificates issued by the third and fourth certification authority servers. In other words, from the perspective of the lower level certification authority server, multiple CA certificates can be received from the higher level certification authority server, and the multiple CA certificates received in this way can be stored on the blockchain network.
  • the first certification authority server 100 may therefore be implemented to obtain a plurality of CA certificates and to store the plurality of CA certificates in the first smart contract for certificate management.
  • the first certification authority server 100 is shown as issuing only a user certificate to the verification requester terminal 300.
  • the first certification authority server 100 may also be implemented to deliver CA certificates to the verification requester terminal 300 in addition to the user certificate. That is, the first certification authority server 100 can also deliver, together with the user certificate, the CA certificates issued by higher level certification authority servers, for example the second certification authority server 200 or a third certification authority server, to the verification requester terminal 300.
  • the certificate that the first certification authority server 100 can deliver to the verification requester terminal 300 may even include a certificate issued by the root certification authority server.
  • the first certification authority server 100 may obtain CA certificates issued by higher level certification authority servers in the ways already discussed in the description of the modified embodiment of step S307, so a detailed description is omitted here.
  • FIG. 5 is a diagram illustrating a situation that must be a prerequisite for implementing the certificate verification method according to the present invention, especially a situation in which a list of revoked certificates is recorded in the blockchain network 50.
  • Figure 5 relates to a situation where management of revoked certificates is based on a blockchain network.
  • management of revoked certificates can begin from the step (S501) in which the CA certificate is first revoked.
  • the CA certificate is irreversibly revoked.
  • the CA certificate may be revoked if there are circumstances such as a specific entity posting a false document, providing incorrect information about software operation, or violating other policies.
  • revoked CA certificates generally refer to those that were revoked or canceled for special reasons as above before the expiration of their validity period.
  • the second certification authority server 200 may store the identifier of the revoked CA certificate in the revocation list of the second smart contract for certificate management (S502).
  • the second certification authority server 200 may allocate a separate recording area for the purpose of separately managing the “revocation list” within the second smart contract for certificate management distributed in advance, and in the event that a CA certificate is actually discarded, The identifier of the corresponding CA certificate can be stored in the revocation list.
  • the “revocation list” in the second smart contract for certificate management may be publicly viewable, and depending on the characteristics of the blockchain network, it can be shared and viewed within a very short period of time.
  • the second certification authority server 200 may periodically organize the revocation list of the second smart contract for certificate management, that is, it may periodically delete from the revocation list the identifiers of CA certificates for which a predetermined period (or the validity period) has elapsed (S503).
  • the selection of the deletion target is not a subject of discussion in the description of the present invention, so detailed description is omitted.
  • the identifier of a revoked CA certificate may be recorded in the revocation list for at least the original validity period of the revoked CA certificate. Even though a CA certificate has been revoked, it was a normal CA certificate before revocation and was issued normally by the certification authority, so by keeping its identifier in the revocation list at least until the expiration date originally given to the CA certificate, the entities verifying certificates can query it for as long as the certificate itself could still be presented.
  • when the second certification authority server 200 periodically organizes the revocation list, it may keep the record in the revocation list for a period equal to the original validity period of the revoked CA certificate plus 10% of that validity period, so that other verification subjects are not inconvenienced by an entry that disappears too early.
  • likewise, when a user certificate is revoked, the first certification authority server 100 can store the identifier of the revoked user certificate in the “revocation list” of the first smart contract for certificate management (S505).
  • the first certification authority server 100 may periodically delete user certificate identifiers recorded in the revocation list (S506).
  • each certification authority server records and updates the revocation list in the blockchain network 50, more precisely in the smart contract, thereby making it possible to check the validity of the certificate.
  • FIG. 6 shows the certificate verification method according to the first embodiment of the present invention in sequence.
  • The first embodiment may begin with a step (S601) in which the verification requester terminal 300 provides the first user certificate to the verification agency server 400.
  • This step corresponds to the verification requester terminal 300 requesting verification of the validity of the first user certificate in order to use a specific service (such as a financial service) on the network.
  • The verification agency server 400 verifies the validity of the first user certificate itself (S602); this step can be understood as checking the items that can be confirmed from the certificate alone, such as the validity period and the electronic signature of the first user certificate. If a problem with the certificate itself is found at this stage, the verification agency server 400 immediately returns a failure result to the verification requester terminal 300.
  • Next, the verification agency server 400 checks whether the first user certificate is a revoked certificate. This means that the verification agency server 400 uses the blockchain network 50, more precisely searches for the first revocation list in the first smart contract for certificate management deployed in the blockchain network 50 by the first certification authority (the certification authority that issued the first user certificate) (S603), and queries whether the identifier of the first user certificate exists in the first revocation list (S604). If the identifier of the first user certificate is found, the certificate is judged abnormal; if it is not found, the certificate is judged normal.
  • The first user certificate may contain the smart contract identifier of the certification authority that issued it, which is the identifier of the first smart contract for certificate management of the first certification authority, and the verification agency server 400 can search for and query the first revocation list by referring to this identifier. Meanwhile, in step S604, if the identifier of the first user certificate exists in the first revocation list, the verification agency server 400 may return a verification failure result to the verification requester terminal 300.
  • Next, the verification agency server 400 can obtain the first CA certificate stored in the first smart contract for certificate management (S605) and verify the items that can be confirmed from the certificate itself, such as the validity period and electronic signature of the first CA certificate (S606). If there is a problem with the certificate's own validity, the verification agency server 400 may return a failure result to the verification requester terminal 300, that is, a result indicating that verification failed because the certificate is not valid.
  • Next, the second revocation list is searched for (S607) in the smart contract of the higher-level certification authority, that is, the second smart contract of the second certification authority that issued the first CA certificate, and whether the first CA certificate has been revoked can be checked by querying whether the identifier of the first CA certificate exists there (S608).
  • The verification agency server 400 can find the second smart contract and the second revocation list because the smart contract identifier (address) of the second certification authority, that is, the certification authority that issued the first CA certificate, is recorded within the first CA certificate. If it is confirmed in step S608 that the identifier of the first CA certificate exists in the revocation list, the verification agency server 400 may return a failure result to the verification requester terminal 300.
  • The verification agency server 400 may deliver the result to the verification requester terminal 300 after the revocation list search for the first CA certificate is completed (S609).
  • This step may exist separately from the step described above of verifying the validity of the certificate itself and from the step in which the verification agency server 400 returns a failure result to the verification requester terminal 300 during the revocation list query, or in some cases step S609 may be omitted.
  • The embodiment shown in FIG. 6 has been described with self-validation and revocation list lookup performed only for the first user certificate and the first CA certificate.
  • However, the cycle of validating the certificate itself and querying the revocation list is not limited to these two certificates and may be repeated for further levels of the chain. That is, in the first embodiment, the verification agency server 400 verifies validity all the way up to the root certificate by recursively finding the smart contract of the authority that issued each certificate and checking whether each certificate identifier exists in that revocation list, and this can be regarded as a major feature.
  • Figure 7 sequentially shows the certificate verification method according to the second embodiment of the present invention.
  • The second embodiment is characterized in that the verification agency server 400 acquires a plurality of certificates from the first smart contract for certificate management and recursively verifies the validity of each certificate. That is, the second embodiment is premised on, and characterized by, the fact that the higher-level certification authority certificates are stored in the first smart contract for certificate management.
  • Steps S701 to S704 of the second embodiment are substantially the same as steps S601 to S604 of the first embodiment.
  • In step S705, the verification agency server 400 obtains a plurality of higher-level certification authority certificates from the first smart contract for certificate management deployed in the blockchain network, that is, the smart contract previously created by the first certification authority server 100.
  • The first certification authority server can acquire or collect a plurality of higher-level certification authority certificates and store them in the first smart contract for certificate management. Since this was briefly explained earlier, a detailed explanation is omitted here.
  • After step S705, the verification agency server 400 can repeatedly perform, for each certificate, verification of the certificate itself (S706), a search for the revocation list in the smart contract of the higher-level certification authority, and a check of whether the identifier of that certificate exists in the revocation list (S707, S708). The repetition is carried out up to the stage of verifying the validity of the R certificate issued by the root certification authority server.
  • Finally, the verification agency server 400 can notify the verification requester terminal 300 of the verification result (S709).
  • In the first smart contract for certificate management, certificates issued by a second certification authority server, a third certification authority server and so on, which exist at levels above the first certification authority, may be stored, and the verification agency server 400 can verify the validity of all certificates by looking up the smart contract identifier of the issuer (higher-level certification authority) recorded in each certificate and the revocation list stored there.
  • In the second embodiment, the verification agency server 400 obtains all certificates subject to verification at once, which has the effect of enabling faster certificate validity verification.
  • In particular, the verification agency server 400 can search the smart contract identifier and revocation list of the issuer recorded in each certificate in parallel, so faster validation is possible compared with the first embodiment.
  • Figure 8 shows the certificate verification method according to the third embodiment of the present invention in sequence.
  • The third embodiment is characterized in that the verification requester terminal 300 provides a plurality of certificates to the verification agency server 400 from the beginning.
  • The third embodiment begins with a step (S801) in which the verification requester terminal 300 provides the first user certificate and the certificates of higher-level certification authorities (CA certificate, R certificate) to the verification agency server 400. That is, in this embodiment it is assumed that the verification requester terminal 300 stores and possesses not only the first user certificate but also the certificates issued by higher-level certification authority servers.
  • After step S801, the verification agency server 400 verifies the validity of each certificate itself (S802) and searches for and queries the revocation list in the higher-level certification authority's smart contract (S803, S804), after which the step of delivering the verification result (S805) may proceed.
  • Steps S802 to S804 may be performed individually and repeatedly for all certificates provided by the verification requester terminal 300, up to the stage of verifying the validity of the R certificate issued by the root certification authority server.
  • The third embodiment is largely similar to the second embodiment, the only difference being the step in which the verification requester terminal 300 provides the certificates to the verification agency server 400.
  • FIG. 9 is similar to FIG. 8, but differs from the embodiment of FIG. 8 in that the validation step of the certificates themselves (S902) is executed for the plurality of certificates at once, and only the revocation list search (S903) and revocation list query (S904) steps are performed repeatedly.
  • In this case, the verification agency server 400 can first perform only the certificate self-verification (S902), including the validity period and electronic signature, for all certificates provided by the verification requester terminal 300, and through this step can check whether any specific certificate has a problem.
  • Then the verification agency server 400 searches for the revocation list in the smart contract of the higher-level certification authority (S903) and queries the revocation list (S904) to check whether a specific certificate is a revoked certificate.
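As an added example that is not part of the patent or the applicant's code, the following Python models, in memory, the revocation-list handling of FIG. 5 (recording a revoked identifier and pruning it only after the original validity period plus 10%) together with the verification logic of FIG. 6 (recursive walk up the issuer chain to the root) and FIG. 9 (self-check of all provided certificates first, then the revocation lookups). Everything in it is an assumption made for illustration: the blockchain network is a dict keyed by contract address, a certificate carries only the fields the steps rely on, the issuer's contract address is stored directly in the certificate as the text describes, and the electronic-signature check is a stand-in flag rather than a real X.509 verification.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Cert:
    """Only the fields the verification steps rely on (constructed model)."""
    cert_id: str
    not_before: int
    not_after: int
    issuer_contract: Optional[str]  # address of the issuing CA's smart contract; None for the root
    signature_ok: bool = True       # stand-in for a real signature check (assumption)


@dataclass
class Contract:
    """One CA's certificate-management smart contract (constructed model)."""
    ca_cert: Optional[Cert]  # the CA's own certificate, obtainable from the contract (S605)
    revoked: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # id -> (not_before, not_after)

    def revoke(self, cert: Cert) -> None:
        """S502/S505: record the identifier of a revoked certificate in the revocation list."""
        self.revoked[cert.cert_id] = (cert.not_before, cert.not_after)

    def prune(self, now: int, grace: float = 0.10) -> List[str]:
        """S503/S506: drop an entry only after its original expiry plus 10% of its validity period."""
        dropped = []
        for cert_id, (nb, na) in list(self.revoked.items()):
            if now > na + grace * (na - nb):
                del self.revoked[cert_id]
                dropped.append(cert_id)
        return dropped


class Verifier:
    """Verification agency server logic for FIG. 6 (recursive) and FIG. 9 (batch)."""

    def __init__(self, chain: Dict[str, Contract], now: int):
        self.chain = chain  # address -> Contract, standing in for the blockchain network 50
        self.now = now

    def self_check(self, cert: Cert) -> bool:
        # S602/S606/S902: validity period and electronic signature of the certificate itself
        return cert.signature_ok and cert.not_before <= self.now <= cert.not_after

    def is_revoked(self, cert: Cert) -> bool:
        # S603/S604: locate the issuer's contract via the address in the certificate, look up the id
        return cert.cert_id in self.chain[cert.issuer_contract].revoked

    def verify_recursive(self, user_cert: Cert) -> Tuple[str, str]:
        """First embodiment: walk issuer contracts upward until the root certificate passes."""
        cert = user_cert
        while True:
            if not self.self_check(cert):
                return ("fail", "self-check:" + cert.cert_id)
            if cert.issuer_contract is None:  # reached the root (R) certificate
                return ("ok", cert.cert_id)
            if self.is_revoked(cert):
                return ("fail", "revoked:" + cert.cert_id)
            cert = self.chain[cert.issuer_contract].ca_cert  # S605: next certificate up the chain

    def verify_batch(self, certs: List[Cert]) -> Tuple[str, str]:
        """Fourth embodiment: self-check every provided certificate first, then revocation lookups."""
        for cert in certs:
            if not self.self_check(cert):
                return ("fail", "self-check:" + cert.cert_id)
        for cert in certs:
            if cert.issuer_contract is not None and self.is_revoked(cert):
                return ("fail", "revoked:" + cert.cert_id)
        return ("ok", "all")


def build_demo() -> Tuple[Dict[str, Contract], Cert, List[Cert]]:
    """Constructed sample chain: user cert U <- CA1 (contract C1) <- CA2 (C2) <- root (CR)."""
    root = Cert("R", 0, 10_000, None)
    a2 = Cert("A2", 0, 8_000, "CR")
    a1 = Cert("A1", 1_000, 2_000, "C2")
    user = Cert("U", 1_200, 1_900, "C1")
    chain = {"CR": Contract(root), "C2": Contract(a2), "C1": Contract(a1)}
    return chain, user, [user, a1, a2, root]


def demo() -> dict:
    chain, user, all_certs = build_demo()
    v = Verifier(chain, now=1_500)
    results = {"clean": v.verify_recursive(user), "batch": v.verify_batch(all_certs)}
    chain["C2"].revoke(chain["C1"].ca_cert)  # the second CA revokes CA1's certificate (S502)
    results["after_revoke"] = v.verify_recursive(user)
    results["pruned_early"] = chain["C2"].prune(now=2_050)  # before 2000 + 10% of 1000: kept
    results["pruned_late"] = chain["C2"].prune(now=2_101)   # past the retention window: dropped
    return results


if __name__ == "__main__":
    print(demo())
```

The retention rule in `prune` is what makes the revocation of CA1's certificate still discoverable to a verifier who checks shortly after that certificate's nominal expiry; a second verifier hitting the chain between 2000 and 2100 still sees the entry, while a cleanup run after that window removes it.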

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention relates to a method for verifying a certificate and a system therefor and, more specifically, to a method and system that enables a verification authority server to verify a certificate by querying a revocation list stored in a blockchain network when a verification request for the certificate is received. According to the present invention, it is possible to provide an environment capable of efficiently verifying a certificate in real time, and to store and verify a certificate without an additional change since an existing certificate format is substantially utilized as is.

Description

Certificate verification method and system using blockchain
The present invention relates to a certificate verification method and a system therefor, and specifically to a method and system that allow a verification agency server to perform verification by querying a revocation list stored in a blockchain network when a verification request for a certificate is received.
A certificate refers to the electronic signature required for authentication when using various services over a network. Such a certificate is created by being electronically signed by a trusted certification authority (Certificate Authority) and is used by the certification authority to notarize a public key.
Meanwhile, a certificate has a validity period and is a medium whose reliability must be guaranteed, so its validity needs to be verified continuously whenever a user uses it.
Currently, CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) exist as means of checking the validity of a certificate. However, a CRL is time-consuming because the list must be downloaded every time, and in the case of OCSP, validation becomes difficult when a large number of inquiry requests arrive from many websites, and a certain cost is incurred each time validation is performed.
The present invention seeks to present an improvement over conventional means from the viewpoint of building an environment in which certificate validation can be performed efficiently and quickly in real time. In addition, the present invention was made not only to solve the technical problems discussed above but also to provide additional technical elements that a person of ordinary skill in the art could not easily invent.
For reference, the present invention received support from the following national research and development project.
[Project unique number] 1711152919
[Project number] 2021-0-00590-002
[Ministry] Ministry of Science and ICT
[Project management (specialized) organization] Institute of Information & Communications Technology Planning & Evaluation
[Research program name] Blockchain technology development for the data economy (R&D)
[Research project name] Development of finality guarantee technology for efficient block-level transaction confirmation across large-scale nodes
[Contribution rate] 1/1
[Project performing organization] Hanyang University Industry-University Cooperation Foundation
[Research period] 2022.01.01 ~ 2022.12.31
An object of the present invention is to provide an environment in which the validity of a certificate can be verified more effectively than with conventional means.
Another object of the present invention is to provide an improved validation environment while keeping the existing certificate usage environment unchanged, by inserting only the essential information into the certificate without departing from the framework of the certificate standard.
A further object of the present invention is to guarantee the integrity and stability of certificates by utilizing the highly reliable infrastructure of a blockchain network.
Meanwhile, the technical problems addressed by the present invention are not limited to those mentioned above, and other technical problems not mentioned will be clearly understood by a person skilled in the art from the description below.
To solve the above problems, a method of verifying a certificate using a blockchain according to the present invention may include: (a) a verification agency server receiving a first user certificate from a verification requester terminal; (b) the verification agency server verifying the validity of the first user certificate itself; and (c) the verification agency server verifying whether the first user certificate has been revoked by querying a first revocation list stored in a first smart contract for certificate management on a blockchain network, the first smart contract for certificate management having been deployed in advance by the first certification authority that issued the first user certificate.
The method of verifying a certificate using a blockchain may further include: the verification agency server obtaining, from the first smart contract, a first CA certificate that the first certification authority received from a higher-level certification authority; the verification agency server verifying the validity of the first CA certificate itself; and the verification agency server verifying whether the first CA certificate has been revoked by querying a second revocation list from a second smart contract for certificate management of the second certification authority that issued the first CA certificate.
A certificate verification method according to another embodiment of the present invention includes: (a) a verification agency server receiving a first user certificate from a verification requester terminal; (b) the verification agency server verifying the validity of the first user certificate itself; (c) the verification agency server obtaining a plurality of higher-level certification authority certificates stored in a first smart contract for certificate management on a blockchain network, the first smart contract for certificate management having been deployed in advance by the first certification authority that issued the first user certificate; and (d) the verification agency server repeatedly performing certificate self-verification and revocation verification for each of the plurality of higher-level certification authority certificates.
In the certificate verification method, the process of verifying revocation in step (d) may include: searching for a revocation list in the smart contract by referring to the smart contract identifier of the higher-level certification authority that issued the certificate to be verified; and querying whether the identifier of the certificate to be verified exists in the found revocation list.
In the certificate verification method, the smart contract identifier of the higher-level certification authority that issued the certificate to be verified may be recorded in the certificate to be verified.
A certificate verification method according to yet another embodiment of the present invention includes: (a) a verification agency server receiving a first user certificate and a plurality of higher-level certification authority certificates from a verification requester terminal; and (b) the verification agency server repeatedly performing certificate self-verification and revocation verification for each of the first user certificate and the plurality of higher-level certification authority certificates.
In the certificate verification method, the process of verifying revocation in step (b) may include: searching for a revocation list in the smart contract by referring to the smart contract identifier of the higher-level certification authority that issued the certificate to be verified; and querying whether the identifier of the certificate to be verified exists in the found revocation list.
In the certificate verification method, step (b) may be characterized in that the repetition ends at the step of self-verifying the certificate issued by the root certification authority.
According to the present invention, an environment is provided in which certificates can be verified in real time and efficiently.
In addition, according to the present invention, because the existing certificate format is used substantially as is, certificates can be stored and verified without additional changes.
Meanwhile, the effects of the present invention are not limited to those mentioned above, and other technical effects not mentioned will be clearly understood by a person skilled in the art from the description below.
FIG. 1 schematically shows a system according to the present invention.
FIG. 2 is a conceptual diagram for easy understanding of the present invention.
FIG. 3 shows a situation that is a premise for implementing the present invention, in particular the process in which a certificate issued by a certification authority is stored in a smart contract.
FIG. 4 shows the detailed structure of the certificate used in the present invention.
FIG. 5 shows a situation that is a premise for implementing the present invention, in particular the process in which a revocation list is stored in a smart contract.
FIG. 6 shows a first embodiment of the present invention.
FIG. 7 shows a second embodiment of the present invention.
FIG. 8 shows a third embodiment of the present invention.
FIG. 9 shows a fourth embodiment of the present invention.
Details of the objects and technical configuration of the present invention and the resulting effects will be understood more clearly from the following detailed description based on the drawings attached to the specification. Embodiments according to the present invention are described in detail with reference to the attached drawings.
The embodiments disclosed in this specification should not be construed or used as limiting the scope of the present invention. It will be obvious to a person skilled in the art that the description, including the embodiments, has various applications. Accordingly, any embodiments described in the detailed description are illustrative, intended to explain the present invention better, and the scope of the present invention is not intended to be limited to those embodiments.
The functional blocks shown in the drawings and described below are only examples of possible implementations. Other functional blocks may be used in other implementations without departing from the spirit and scope of the detailed description. Also, although one or more functional blocks of the present invention are shown as individual blocks, one or more of them may be a combination of various hardware and software components that perform the same function.
Also, the expression that something includes certain components is an “open” expression that merely indicates the presence of those components and should not be understood as excluding additional components.
Furthermore, when a component is said to be “connected” or “coupled” to another component, it should be understood that it may be directly connected or coupled to the other component, but another component may also exist in between.
FIG. 1 shows a system in which the certificate verification method according to the present invention can be implemented. Referring to the drawing, the certificate verification system may first include a certification authority server 100, which is the issuer of certificates, and necessarily includes a verification requester terminal 300 that requests verification of a certificate and a verification agency server 400 that performs the actual verification. A blockchain network 50 accessible to all of these components may further be included. Each component is described in detail below.
The certification authority server 100 can be understood as a server operated by a certification authority, and a certification authority can be defined as an organization on a network that determines security eligibility, issues public keys for message encryption, and manages the issued public keys. In other words, a certification authority can be seen as an organization that issues certificates at a user's request and plays a role similar to vouching for the certificates it has issued.
Meanwhile, the certification authority server 100 can perform several functions, for example generating a public key pair, testing public key parameters, issuing certificates to lower-level certification authorities, checking identifiers (Distinguished Names), verifying and authenticating the identity of a certificate applicant, generating and checking electronic signatures, generating, managing and distributing CRLs, maintaining records of issued certificates, generating and managing system audit records, generating or obtaining timestamps, and revoking certificates.
The verification requester terminal 300 may be the terminal of a general user who wishes to use a service in the network space, in particular a user who wishes to use a financial service. The verification requester terminal 300 can provide at least one certificate to the verification agency server 400, and once verification of the provided certificate or certificates is complete, the user may be able to use the desired service. The verification requester terminal 300 is assumed to have a central processing unit and memory, and may naturally include communication means for network access. The verification requester terminal 300 may also refer to any device that a user owns or carries, including portable terminals such as smartphones, PDAs and tablet PCs as well as fixed terminals such as desktops.
The verification agency server 400 may refer to a server on which logic for verifying whether a certificate is valid operates. As will be described later, the verification agency server 400 can query a revocation list in the course of verifying whether a certificate is valid.
For reference, the servers mentioned in this detailed description, for example the certification authority server (100) and the verification authority server (400), may preferably be implemented as server computers, and any computing device equipped with a central processing unit and memory may be used to implement such a server computer. The central processing unit may also be called a controller, microcontroller, microprocessor, microcomputer, and so on. The central processing unit may be implemented by hardware, firmware, software, or a combination thereof; when implemented in hardware it may be an ASIC (application specific integrated circuit), DSP (digital signal processor), DSPD (digital signal processing device), PLD (programmable logic device), FPGA (field programmable gate array) or the like, and when implemented in firmware or software, the firmware or software may be configured to include modules, procedures or functions that perform the functions or operations described above. The memory may be implemented as ROM (Read Only Memory), RAM (Random Access Memory), EPROM (Erasable Programmable Read Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory, SRAM (Static RAM), HDD (Hard Disk Drive), SSD (Solid State Drive) or the like.
The certification authority server or verification authority server need not be implemented as a single server computer; it may also be implemented as one system composed of a plurality of server computers. In that case a more appropriate term would be certification authority system or verification authority system, but for uniformity of terminology this detailed description continues to use the terms certification authority server and verification authority server.
On the other hand, the certification authority server or verification authority server need not take the form of a server computer at all; it may also be implemented as a cloud server, that is, a cloud server managed and operated by another operating entity.
Lastly, a blockchain is a distributed data storage technology in which blocks recording the transaction information of a certain period are linked in a chain and replicated and stored simultaneously on a large number of computers. By linking data in this chain-like manner and making the transaction records open for anyone to inspect rather than keeping them on a centralized server, the blockchain network (50) is a P2P data storage mechanism in which forgery or tampering of data is prevented from the outset, that is, in which participants monitor each other's transaction records. Data recorded on a blockchain is very difficult to forge or tamper with by hacking, so it can be trusted by anyone; and because data recorded on a blockchain is stored in distributed form on many computers, it is also safe from DDoS attacks, ransomware attacks and the like against a particular node. Furthermore, because a blockchain can be maintained and operated autonomously by equal participants, it is more flexible than the conventional server-client structure in which all information is concentrated on a central server.
Blockchain technology can be used in various fields such as cryptocurrency, smart contracts, logistics management, document management and identity verification; in relation to the certificate verification method according to the present invention, it is worth noting in particular that blockchain technology can be used for smart contracts. A smart contract is a function that automatically executes the terms of a contract when certain conditions are met, and a digital electronic contract function that allows the desired contract to be concluded peer-to-peer without a third-party guarantor in the middle. For example, when an arbitrary transaction occurs, a block for that transaction is created and broadcast; each node that receives the block appends it to the end of its own blockchain and applies the transactions stored in the block to synchronize its own smart contract database. As will be described later, in the present invention certificate verification is performed on the premise that the certification authority server (100) has stored (recorded) certificates in a smart contract it deployed on the blockchain network; by having the nodes of the blockchain network share the smart contract database in this way, the integrity, safety and stability of the certificates can be guaranteed.
For reference, this detailed description uses the expression that arbitrary data (e.g. a certificate) is stored "in a smart contract"; this means that the data is stored in the storage (also referred to by terms such as state DB or ledger) that is naturally allocated to the smart contract when it is deployed on the blockchain network. For example, "the CA certificate is stored in the smart contract" is understood to mean "the data called the CA certificate is stored in the storage of the smart contract that was allocated when the smart contract was deployed on the blockchain network".
FIG. 2 is a diagram for an intuitive understanding of the certificate verification method according to the present invention. Referring to the drawing, a user who wishes to use a financial service can provide a certificate to the verification authority and request verification of the validity of the certificate, and the verification authority can query the blockchain network to obtain the material with which the validity of the certificate can be verified, the so-called revocation list, and thereby check whether the certificate is valid. More precisely, the verification authority can use the blockchain network to look up the certificates of the higher-level certification authorities and to look up the revocation list.
Thus, the main feature of the certificate verification method according to the present invention is that when the verification authority verifies the validity of a certificate, it refers to a revocation list shared on the blockchain network.
Implementing the certificate verification method shown in FIG. 2 requires several prerequisite conditions, which are examined in detail below with reference to the drawings.
First, FIG. 3 shows the process by which the verification requester terminal (300) is issued a user certificate and stores it, in other words the user certificate issuance process. For reference, in the drawing the first certification authority server (100) is the server of a relatively lower-level certification authority, and the second certification authority server (250) is the server of a relatively higher-level certification authority. More preferably, the second certification authority server (250) may be a root certification authority server.
Referring to the drawing, the second certification authority server (250) first deploys a second smart contract for certificate management on the blockchain network (50) (S301). Conceptually, this step can also be understood as the second certification authority server (250) preparing in advance a medium that many nodes can share, specifically a medium in which certificates can be stored. The same applies to every step in which other certification authority servers deploy smart contracts on the blockchain network (50).
After step S301, a step of generating an R certificate (S302) and a step of storing the R certificate in the second smart contract for certificate management (S303) may be performed in that order. Steps S301 to S303 may also be understood as the steps in which the root certification authority server, preferably, prepares to issue certificates. For reference, the term R certificate may denote a certificate generated and issued by a root certification authority; the term is used to distinguish it from the CA certificate described later.
After step S303, the first certification authority server (100) may also execute a step (S304) of deploying a first smart contract for certificate management on the blockchain network (50), after which a step (S305) may be executed in which the first certification authority server (100) requests the second certification authority server (250) to issue a CA certificate. In this step the first certification authority server (100) may also pass to the second certification authority server (250) an identifier by which the first smart contract for certificate management can be identified, that is, a first smart contract identifier for certificate management. Identifiers for identifying a particular smart contract may take various forms; preferably, the identifier may be the address of the smart contract that the certification authority server deployed on the blockchain network. Alternatively, a text string composed of random letters and/or digits may be used as an identifier for the smart contract. Purely as an example, the first smart contract identifier for certificate management might be "0x466BDA20T86GgA9037k…d00792".
After step S305, the second certification authority server (250) generates a CA certificate in response to the issuance request, and the first certification authority server (100) is issued that CA certificate by the second certification authority server (250) (S306). At this point the CA certificate may contain the first smart contract identifier for certificate management that was passed to the second certification authority server (250) in step S305.
After step S306, the first certification authority server (100) may store the CA certificate in the first smart contract for certificate management (S307). In other words, by recording the CA certificate issued to it on the blockchain network (50), the first certification authority server (100) puts the CA certificate in a state where anyone can look it up at any time.
Meanwhile, the CA certificate issued in step S306 may further contain an identifier for identifying the second smart contract for certificate management that the second certification authority server (250) deployed on the blockchain network beforehand, that is, a second smart contract identifier for certificate management. When the second certification authority server (250) issues a CA certificate to the first certification authority server (100), a subordinate certification authority, it leaves its own smart contract identifier (the second smart contract identifier for certificate management) in the CA certificate, which makes tracing possible.
For reference, FIG. 4 shows the structure of the certificate used in the present invention. That is, the certificates issued by certification authority servers and the certificates stored in the smart contracts deployed on the blockchain network may have the structure shown in FIG. 4. Referring to the drawing, a certificate may contain information such as a version (Version), a unique certificate serial number (AlgorithmIdentifier), a validity period (Period of Validity), subject information (Subject), the subject's public key information (Public Key Information), an issuer name (Issuer Unique ID), a subject name (Subject Unique ID), the smart contract identifier of the certification authority that requested issuance (CA Smart Contract Identifier), the smart contract identifier of the issuing certification authority (Issuer CA Smart Contract Identifier), and an issuer signature (Signature).
In addition, the certificate may optionally contain further information such as an alternative subject name (SubjectAltName), policy information (PolicyMappings), name constraints (NameConstraints), policy constraints (PolicyConstraints), an alternative issuer name (IssuerAltName), an issuer key identifier (AuthorityKeyIdentifier), a subject key identifier (SubjectKeyIdentifier), basic constraints (BasicConstraints), and CRL distribution points (CRLDistributionPoints).
What is noteworthy in the certificate structure according to the present invention is that the smart contract identifier of the certification authority that requested issuance (CA Smart Contract Identifier) and the smart contract identifier of the issuing certification authority (Issuer CA Smart Contract Identifier) are necessarily included in the certificate, and that this information can be recorded in the extensions area provided by the standard certificate format.
Referring again to FIG. 3, after step S307 a step in which the verification requester terminal (300) requests the first certification authority server (100) to issue a user certificate (S308), a step in which the first certification authority server (100) generates the user certificate (S309), and a step in which the first certification authority server (100) issues the user certificate (S310) may be executed. The point to note here is that in a user certificate issued to the verification requester terminal (300), that is, to an ordinary user terminal, the field for the smart contract identifier of the certification authority that requested issuance (CA Smart Contract Identifier) is empty. In other words, unlike a CA certificate that a subordinate certification authority server is issued by a superior certification authority server, a user certificate issued to an ordinary user does not contain a CA Smart Contract Identifier.
The process by which the verification requester terminal (300) is issued a user certificate has been described above with reference to FIG. 3.
In connection with the user certificate issuance process described above, step S307 by default stores in the first smart contract for certificate management only the CA certificate that the first certification authority server (100) was issued by the second certification authority server (250). In a modified embodiment of the user certificate issuance process, however, in step S307 the first certification authority server (100) may store not only the CA certificate issued to it but also the CA certificates issued by certification authority servers above the second certification authority server (200). For example, assuming that further certification authority servers exist between the first certification authority server (100) and the second certification authority server (250), the first certification authority server (100) may store in the first smart contract for certificate management not only the certificate issued by the second certification authority server (250) but also all the CA certificates that those other certification authority servers issued to their subordinate certification authorities.
In this case, the first certification authority server (100) may obtain the certificates issued by the superior certification authority servers in various ways. For example, the first certification authority server (100) may refer to the smart contract identifier of the issuing certification authority (Issuer CA Smart Contract Identifier) in the CA certificate it was issued by the second certification authority server (200; not a root certification authority) to obtain the CA certificate that the second certification authority server (200) was issued by a third certification authority server, then refer to the Issuer CA Smart Contract Identifier in that CA certificate to obtain the CA certificate issued by a fourth certification authority server, and so on; by repeatedly following the smart contract identifiers in the superior CA certificates, it can obtain a plurality of CA certificates.
As another way for the first certification authority server (100) to obtain the CA certificates issued by superior certification authority servers, the first certification authority server (100) may, when it receives its CA certificate from the second certification authority server (200; not a root certification authority), receive not only the certificate issued by the second certification authority server (200) but also all the CA certificates issued by the third and fourth certification authority servers. That is, from the standpoint of a subordinate certification authority server, a plurality of CA certificates can be received from the certification authority server immediately above it, and the plurality of CA certificates so received can be stored on the blockchain network.
In addition, the first certification authority server (100) may be implemented to obtain a plurality of CA certificates and to store the plurality of CA certificates in the first smart contract for certificate management.
Likewise, regarding step S310, FIG. 3 shows the first certification authority server (100) issuing only a user certificate to the verification requester terminal (300), but depending on the implementation the first certification authority server (100) may additionally deliver a plurality of CA certificates to the verification requester terminal (300). That is, the first certification authority server (100) may also deliver to the verification requester terminal (300) the CA certificates issued by the superior certification authority servers, for example the second certification authority server (200) or the third certification authority servers. The certificates that the first certification authority server (100) can deliver to the verification requester terminal (300) may even include the certificate issued by the root certification authority server.
The ways in which the first certification authority server (100) obtains the CA certificates issued by superior certification authority servers may vary; since they were discussed above in the description of the modified embodiment of S307, a detailed description is omitted here.
Meanwhile, FIG. 5 is a diagram for explaining a situation that must be in place before the certificate verification method according to the present invention can be implemented, specifically the situation in which a list of revoked certificates is recorded on the blockchain network (50).
Certificates that are no longer valid are revoked, and a list of revoked certificates needs to be maintained so that they are no longer used for authentication. FIG. 5 concerns a situation in which revoked certificates are managed on the basis of a blockchain network.
Referring to the drawing, the management of revoked certificates may begin with the step in which a CA certificate is revoked (S501). For example, when it is found that a certification authority (CA) issued a CA certificate improperly, or when the private key is judged to have been compromised, the CA certificate is irreversibly revoked. A CA certificate may also be revoked when a particular entity has published a falsified document, has conveyed incorrect information about the behaviour of software, or has otherwise violated policy. For reference, revoked CA certificates generally means certificates that were terminated or cancelled for such special reasons before their validity period expired.
After step S501, the second certification authority server (200; not a root certification authority) may store the identifier of the revoked CA certificate in the revocation list of the second smart contract for certificate management (S502). The second certification authority server (200) may set aside a separate record area within the previously deployed second smart contract for certificate management for the purpose of maintaining a "revocation list", and whenever a CA certificate is actually revoked it may store the identifier of that CA certificate in the revocation list. Naturally, the "revocation list" in the second smart contract for certificate management may be open to public query and inspection, and owing to the nature of the blockchain network it can be shared and queried within a very short time.
Meanwhile, the second certification authority server (200) may periodically clean up the revocation list of the second smart contract for certificate management; in other words, it may periodically delete from the revocation list the identifiers of CA certificates whose predetermined period (or validity period) has passed (S503). For reference, how entries are selected for deletion is not a subject of discussion in the description of the present invention, so a detailed description is omitted.
As another point worth noting, the identifier of a revoked CA certificate may be kept in the revocation list for at least the original validity period of the revoked CA certificate. Even if a given CA certificate has been revoked, it was a normal CA certificate before revocation and so will have been used for normal issuance by the certification authority; by keeping it recorded in the revocation list at least until the validity period originally assigned to that CA certificate ends, the entities that verify certificates are enabled to look it up. If necessary, when the second certification authority server (200) periodically cleans up the revocation list, it may keep the record in the revocation list for the original validity period of the revoked CA certificate plus 10% of that validity period, thereby avoiding inconvenience to other verifying entities.
Meanwhile, from the standpoint of the first certification authority server (100) as well, after a user certificate is revoked (S504) the identifier of the revoked user certificate may be stored in the "revocation list" of the first smart contract for certificate management (S505). In the same way, the first certification authority server (100) may periodically delete the user certificate identifiers recorded in the revocation list (S506).
In this way, each certification authority server records and updates a revocation list on the blockchain network (50), more precisely in a smart contract, thereby making it possible to check the validity of certificates.
The prerequisite conditions needed for the certificate verification method according to the present invention have been examined above with reference to FIGS. 3 to 5.
FIG. 6 shows, in sequence, the certificate verification method according to the first embodiment of the present invention. Referring to the drawing, the first embodiment may begin with the step in which the verification requester terminal (300) provides a first user certificate to the verification authority server (400) (S601). This step corresponds to the verification requester terminal (300) requesting verification of the validity of the first user certificate in order to use a particular service (a financial service) over the network.
After step S601, the verification authority server (400) verifies the validity of the first user certificate itself (S602); this can also be understood as the step of verifying the items that can be checked from the certificate alone, such as the validity period and the digital signature of the first user certificate. If in this step the certificate itself is judged to be defective, the verification authority server (400) immediately returns a failure result to the verification requester terminal (300).
On the other hand, if step S602 finds no problem with the certificate itself, the verification agency server 400 checks whether the first user certificate has been revoked. It does this by searching the blockchain network 50, more precisely the first revocation list in the first smart contract for certificate management that the first certification authority (the authority that issued the first user certificate) has deployed on the blockchain network 50 (S603), and by querying whether the identifier of the first user certificate exists in the first revocation list (S604). If the query finds the identifier of the first user certificate, the certificate is judged abnormal; if it does not, the certificate is judged normal. The first user certificate may contain the smart contract identifier of the certification authority that issued it, which is precisely the identifier of the first certification authority's first smart contract for certificate management, and the verification agency server 400 can locate and query the first revocation list by referring to it. If, at step S604, the identifier of the first user certificate is found in the first revocation list, the verification agency server 400 may return a verification failure result to the verification requester terminal 300.
After step S604, the verification agency server 400 can obtain the first CA certificate stored in the first smart contract for certificate management (S605) and verify the items that can be confirmed from that certificate alone, such as the validity period and electronic signature of the first CA certificate (S606). If the certificate's own validity is defective, the verification agency server 400 may return a failure result to the verification requester terminal 300, that is, a result indicating that verification failed because the certificate is not valid.
After the validity of the first CA certificate itself has been verified, the second revocation list is searched (S607) in the smart contract of the upper certification authority, that is, the second smart contract of the second certification authority that issued the first CA certificate, and whether the first CA certificate has been revoked is determined by checking whether its identifier exists in that list (S608). The verification agency server 400 is able to locate the second smart contract and the second revocation list because the smart contract identifier (address) of the second certification authority, i.e. the authority that issued the first CA certificate, is recorded in the first CA certificate. If step S608 confirms that the identifier of the first CA certificate exists in the revocation list, the verification agency server 400 may return a failure result to the verification requester terminal 300.
Meanwhile, after the revocation list query for the first CA certificate is complete, the verification agency server 400 may deliver the result to the verification requester terminal 300 (S609). This step may exist separately from the steps described above in which the verification agency server 400 returns a failure result to the verification requester terminal 300 during certificate self-validation or the revocation list query, and in some cases step S609 may be omitted.
For reference, the embodiment shown in FIG. 6 has been described as performing self-validation and revocation list queries only for the first user certificate and the first CA certificate, but the validation cycle of self-validation of a certificate followed by a revocation list query can be repeated as many times as there are certificates. That is, the main feature of the first embodiment is that the verification agency server 400 recursively locates the smart contract of each certificate's issuing authority and checks whether each certificate identifier exists in that revocation list, thereby verifying validity all the way up to the root certificate.
FIG. 7 shows, in sequence, the certificate verification method according to the second embodiment of the present invention. Compared with the first embodiment, the second embodiment is characterized in that the verification agency server 400 obtains a plurality of certificates from the first smart contract for certificate management and recursively verifies the validity of each of them. In other words, the second embodiment presupposes, and is characterized by, the storage of the upper certification authority certificates in the first smart contract for certificate management.
Specifically, steps S701 to S704 of the second embodiment are substantially the same as steps S601 to S604 of the first embodiment.
In step S705, the verification agency server 400 obtains a plurality of upper certification authority certificates from the first smart contract for certificate management deployed on the blockchain network, that is, the smart contract created in advance by the first certification authority server 100. The first certification authority server can obtain or collect the plurality of upper certification authority certificates and store them in the first smart contract for certificate management; as this was briefly described earlier, a detailed explanation is omitted here.
After step S705, the verification agency server 400 may repeatedly perform a step of verifying each certificate itself (S706) and steps of searching the revocation list in the upper certification authority's smart contract and querying whether the identifier of each certificate exists in that revocation list (S707, S708). The repetition continues up to the step of verifying the validity of the R certificate issued by the root certification authority server.
Finally, if a revoked certificate is found during the revocation list query step, the verification agency server 400 may notify the verification requester terminal 300 of the verification result (S709).
With regard to steps S707 and S708, for example, the first smart contract for certificate management may store certificates (CA certificates, an R certificate) issued by a second certification authority server, a third certification authority server and so on, which sit above the first certification authority, and the verification agency server 400 can verify the validity of all of these certificates by referring to the issuer's (upper certification authority's) smart contract identifier recorded in each certificate and querying the revocation list stored in that smart contract.
In a certificate verification method such as the second embodiment, the verification agency server 400 holds all of the certificates subject to verification at once, which allows certificate validity to be verified faster. In particular, because the verification agency server 400 can look up the issuer's smart contract identifier recorded in each certificate and query the corresponding revocation lists in parallel, faster validation than in the first embodiment is possible.
FIG. 8 shows, in sequence, the certificate verification method according to the third embodiment of the present invention. Compared with the preceding embodiments, the third embodiment is characterized in that the verification requester terminal 300 provides a plurality of certificates to the verification agency server 400 from the outset.
Specifically, the third embodiment begins with a step (S801) in which the verification requester terminal 300 provides the first user certificate together with the certificates of the upper certification authorities (CA certificates, an R certificate) to the verification agency server 400. That is, this embodiment presupposes that the verification requester terminal 300 stores not only the first user certificate but also the certificates issued by the upper certification authority servers.
After step S801, the verification agency server 400 verifies the validity of each certificate itself (S802), searches for and queries the revocation list in the upper certification authority's smart contract (S803, S804), and delivers the verification result (S805).
Steps S802 to S804 may be performed individually and repeatedly for all of the certificates received from the verification requester terminal 300, up to the step of verifying the validity of the R certificate issued by the root certification authority server. The third embodiment is thus largely similar to the second, differing only in the step in which the verification requester terminal 300 provides the certificates to the verification agency server 400.
FIG. 9 is similar to FIG. 8, but differs from the embodiment of FIG. 8 in that the self-validation step (S902) is executed for all of the certificates at once, after which only the revocation list search (S903) and revocation list query (S904) steps are repeated.
That is, in the embodiment of FIG. 9, the verification agency server 400 may first perform only the self-validation of each certificate (S902), covering the validity period and electronic signature, for all of the certificates received from the verification requester terminal 300, and this step confirms whether any particular certificate is defective.
Then, if self-validation finds no problem in any of the certificates, the verification agency server 400 searches the revocation list in the upper certification authority's smart contract (S903) and queries it (S904) to confirm whether a given certificate has been revoked.
The certificate verification method using a blockchain network, and the system for it, have been described above. The present invention is not limited to the specific embodiments and applications described above; various modifications can be made by those of ordinary skill in the art without departing from the gist of the invention as claimed, and such modifications should not be understood as separate from the technical idea or scope of the present invention.

Claims (8)

  1. A method of verifying a certificate using a blockchain, the method comprising:
    (a) receiving, by a verification agency server, a first user certificate from a verification requester terminal;
    (b) verifying, by the verification agency server, the validity of the first user certificate itself; and
    (c) verifying, by the verification agency server, whether the first user certificate has been revoked by querying a first revocation list stored in a first smart contract for certificate management on a blockchain network, the first smart contract for certificate management having been deployed in advance by a first certification authority that issued the first user certificate.
  2. The method of claim 1, further comprising:
    obtaining, by the verification agency server, from the first smart contract a first CA certificate that the first certification authority received from an upper certification authority;
    verifying, by the verification agency server, the validity of the first CA certificate itself; and
    verifying, by the verification agency server, whether the first CA certificate has been revoked by querying a second revocation list in a second smart contract for certificate management of a second certification authority that issued the first CA certificate.
  3. A method of verifying a certificate, the method comprising:
    (a) receiving, by a verification agency server, a first user certificate from a verification requester terminal;
    (b) verifying, by the verification agency server, the validity of the first user certificate itself;
    (c) obtaining, by the verification agency server, a plurality of upper certification authority certificates stored in a first smart contract for certificate management on a blockchain network, the first smart contract for certificate management having been deployed in advance by a first certification authority that issued the first user certificate; and
    (d) repeatedly performing, by the verification agency server, for each of the plurality of upper certification authority certificates, self-validation of the certificate and verification of whether the certificate has been revoked.
  4. The method of claim 3, wherein the verification of whether a certificate has been revoked in step (d) comprises:
    searching for a revocation list in the smart contract of the upper certification authority that issued the certificate under verification, by referring to that smart contract's identifier; and
    querying whether the identifier of the certificate under verification exists in the revocation list so found.
  5. The method of claim 4, wherein the smart contract identifier of the upper certification authority that issued the certificate under verification is recorded in the certificate under verification.
  6. A method of verifying a certificate, the method comprising:
    (a) receiving, by a verification agency server, a first user certificate and a plurality of upper certification authority certificates from a verification requester terminal; and
    (b) repeatedly performing, by the verification agency server, for each of the first user certificate and the plurality of upper certification authority certificates, self-validation of the certificate and verification of whether the certificate has been revoked.
  7. The method of claim 6, wherein the verification of whether a certificate has been revoked in step (b) comprises:
    searching for a revocation list in the smart contract of the upper certification authority that issued the certificate under verification, by referring to that smart contract's identifier; and
    querying whether the identifier of the certificate under verification exists in the revocation list so found.
  8. The method of claim 7, wherein the repetition in step (b) ends at the step of self-validation of the certificate issued by the root certification authority.
PCT/KR2023/002102 2022-04-19 2023-02-14 Method for verifying certificate by using blockchain and system therefor WO2023204411A1 (en)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
KR1020220048471A KR102479987B1 (en) 2022-04-19 2022-04-19 Certificate verification method and system therefor in an environment in which a plurality of higher-level certification authority certificates are obtained from the verification requester terminal
KR1020220048469A KR102479985B1 (en) 2022-04-19 2022-04-19 Certificate verification method using blockchain and system for the same
KR1020220048470A KR102479986B1 (en) 2022-04-19 2022-04-19 Certificate verification method and system therefor in an environment in which a plurality of higher-level certification authority certificates have been obtained from a blockchain network

Publications (1)

Publication Number Publication Date
WO2023204411A1 true WO2023204411A1 (en) 2023-10-26

Family

ID=88420218

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2023/002102 WO2023204411A1 (en) 2022-04-19 2023-02-14 Method for verifying certificate by using blockchain and system therefor

Country Status (1)

Country Link
WO (1) WO2023204411A1 (en)

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20190111042A (en) * 2017-07-26 2019-10-01 알리바바 그룹 홀딩 리미티드 Method and apparatus for communication between blockchain nodes, apparatus and electronic device, and Method and apparatus for blockchain based certificate management
KR20180041055A (en) * 2017-09-06 2018-04-23 주식회사 코인플러그 Method for providing certificate service based on smart contract and server using the same
KR20200086402A (en) * 2019-01-08 2020-07-17 주식회사 호윤 Block chain system and method thereof
KR102332226B1 (en) * 2019-11-15 2021-11-29 서강대학교 산학협력단 Blockchain network system being capable of verifying a blockchain ledger and method for verifying a blockchain ledger
KR102479985B1 (en) * 2022-04-19 2022-12-22 주식회사 블로코 Certificate verification method using blockchain and system for the same
KR102479986B1 (en) * 2022-04-19 2022-12-22 주식회사 블로코 Certificate verification method and system therefor in an environment in which a plurality of higher-level certification authority certificates have been obtained from a blockchain network
KR102479987B1 (en) * 2022-04-19 2022-12-22 주식회사 블로코 Certificate verification method and system therefor in an environment in which a plurality of higher-level certification authority certificates are obtained from the verification requester terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MENEZES A J, VAN OORSCHOT P C, VANSTONE S A: "Handbook of Applied Cryptography", 1 January 1997, CRC PRESS , BOCA RATON, FL, US , ISBN: 978-0-8493-8523-0, pages: 39, 572 - 577, XP002423045, 022821 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23791994

Country of ref document: EP

Kind code of ref document: A1