KR101085848B1 - Member Registration Secure Protocol in ubiquitous computing network - Google Patents

Abstract

The present invention relates to a series of procedures and methods for managing an initial device (hereinafter referred to as a member) by an administrator in a UCN (Ubiquitous Computing Network) environment.

The present invention will be described by dividing the member management in the UCN environment into three forms of registration, deletion, change. First, in the member registration process, a security server (hereafter referred to as a security server for security privacy) is sent a registration request message to a new member, and the member responds and requires administrator authentication to access his secure memory. . Through the administrator authentication process, the secure memory of the member is allowed and the security server generates a master key (hereinafter referred to as master key) through the member's information and the administrator's information and stores it in its own database. Thereafter, when the master key is transmitted to the member to be registered, the member completes the initial registration process of the member by safely storing the master key in its secure memory.

The second deletion process is performed when the registered member needs to be deleted, and can be divided into two ways. One of them is the process of deleting by the administrator. When the administrator accesses the security server and requests the security server to delete the master key, the security server requests the member to delete the master key or initialize the secure memory. After the member completes the master key deletion or initialization, the execution completion message is sent to the security server. The security server finishes by deleting the member's master key from its database and sending the member deletion completion message to the administrator. Another method is to delete a member due to a problem or detachment. This process involves a user accessing a member for service, which must pass through a security server to start the service. The security server goes through the process of sending and receiving messages with the members in the service process, and if the message does not return for a certain time or a pattern that can be judged to be a problem is displayed, it notifies the user or administrator using a log record. Based on this, the administrator requests the security server to delete the problem member and the security server completes the deletion of the problem or the missing member by deleting the member's master key from the database.

 Finally, when changing the master key, the administrator accesses the security server, requests the member to change the master key, and the security server requests the use of the secure memory of the member to be changed. After receiving the secure memory usage response from the member, the security server creates a new master key, updates its database, and sends the new master key to the member. The received member updates its master key with a new master key and informs the security server of the completion message. Finally, the security server completes the change process by sending a member change completion message to the administrator.

UCN, Security, Key Exchange, Member Registration, Device Registration, Registration Protocol, Authentication, Master Key, Master Key

Description

Member Registration Secure Protocol in ubiquitous computing network

The present invention relates to a series of procedures and methods for the administrator to initially manage (register / delete / change) a device (hereinafter referred to as a member) in a UCN (Ubiquitous Computing Network) environment.

In the meantime, many service technologies have been developed in Korea to build UCN environment. In order to use these service technologies, an initial process of registering and authenticating users and devices (hereinafter referred to as members) is essential. It must be done during the registration and authentication process of users and members, and measures such as authentication, confidentiality, integrity, and non-repudiation must be in place, and time stamps and challenge / response to prevent any possible external attacks. In this case, secure communication should be made by using key distribution for encryption communication. In particular, the need for protocols and procedures for registration has emerged so that members can be registered and used securely on a security server (hereafter referred to as Security Server).

In order to securely register and use members, we can consider three aspects of registration. Firstly, the member must be registered with the security server in order to be used in UCN environment. Secondly, the registered member has to be deleted due to problems or moving or discarding. Finally, consider the case where a member in the same position changes.

An object of the present invention is to provide a management method of a member in the UCN environment in order to solve the problems of the prior art as described above. That is, the present invention is to enable a secure communication to meet the requirements and to prepare for an attack that can occur during the registration process with respect to the three aspects of member registration in the above-described UCN environment.

In order to achieve the above object, according to a preferred embodiment of the present invention, in a member management method in a ubiquitous computing network environment, (a1) when a new member is detected in the ubiquitous computing network, the security server detects Requesting registration with the member; (a2) the member receiving a registration request transmitted from the security server and transmitting a registration response message to the security server; (a3) receiving, by the security server, a registration response message sent from the member, and transmitting a registration request and an authentication request message to an administrator terminal; (a4) the administrator terminal receiving and outputting a registration status and an authentication request message, and then transmitting authentication information and registration status information according to a manager's operation to the security server; (a5) the security server receiving information transmitted from the administrator terminal to perform administrator authentication, and if the authentication is successful, determining whether to permit the registration of the member; (a6) if the registration of the member is permitted, transmitting the registration permission information and the secure memory access permission request to the member by the security server; (a7) the member receiving the registration permission information and the secure memory access permission request, granting the secure memory access right to the security server, encrypting the product information and the member public key, and transmitting the encrypted server information to the secure server; (a8) the security server receiving and decrypting the encrypted member public key and the product information, generating and storing a master key, and encrypting the generated master key and transmitting the encrypted master key to the member; And (a9) receiving and decrypting the encrypted master key by the member, storing the encrypted master key in a secure memory, and recovering the secure memory access right of the management server, and transmitting a member registration completion message to the secure server. A member management method in a ubiquitous computing network environment is provided.

Here, in the above-described step (a6), the security server further transmits a certificate of the security server to the member, and in step (a7), the member receives the security server certificate to determine validity, and then, the security server certificate. Can be configured to grant secure memory access only if is valid.

Further, in the above-described step (a6), the security server further transmits a security server public key to the member, and in step (a7), the member receives the security server public key and receives the received security server public key. And encrypting the product information and the member public key by using, and in the step (a8), the security server may be configured to decrypt the encrypted product information and the member public key by using a private key corresponding to the security server public key. have.

Further, in the above-described step (a8), the security server encrypts the master key using the member public key, and in step (a9), the member encrypts the master key encrypted using the private key corresponding to the member public key. Can be configured to decrypt.

In addition, in the above-described step (a8), the security server may be configured to generate a master key based on at least one or more information of administrator authentication information and member product information.

In order to achieve the above object, according to another preferred embodiment of the present invention, in the member management method in a ubiquitous computing network environment, (b1) the administrator terminal requests authentication information and member deletion according to the operation of the administrator Transmitting to the secure server; (b2) the security server receiving the information transmitted from the administrator terminal to perform administrator authentication, and if the authentication is successful, transmitting a secure memory access right request and a master key deletion request to a member whose deletion has been requested; (b3) the member receives the secure memory access permission request and the master key deletion request, grants the secure memory access right to the secure server, deletes the master key stored in the secure memory, and sends the master key deletion information to the secure server. Transmitting; And (b4) the security server receiving master key deletion information, deleting the stored master key of the member, and transmitting a member deletion completion message to the administrator terminal. A member management method is provided.

In order to achieve the above object, according to another preferred embodiment of the present invention, in a member management method in a ubiquitous computing network environment, (c1) a user terminal sends a service request to a security server according to a user's operation Transmitting; (c2) the security server transmitting a service execution request to a member to perform a service according to a user's request; (c3) The security server determines whether to receive a response message from the member, and if a response message is not received for a predetermined time or more, determines that a problem has occurred in the member, generates / stores problem occurrence information, and then manages it. Transmitting to a terminal; (c4) receiving and outputting problem occurrence information by the administrator terminal, and transmitting authentication information and a member deletion request according to the operation of the administrator to the security server; (c5) the security server receives the information transmitted from the manager terminal to perform administrator authentication, and if the authentication is successful, deletes the master key of the member requested to be deleted and sends a member deletion completion message to the manager terminal; There is provided a member management method in a ubiquitous computing network environment, comprising the steps of:

In order to achieve the above object, according to another preferred embodiment of the present invention, in the member management method in a ubiquitous computing network environment, (d1) the administrator terminal changes the authentication information and master key according to the operation of the administrator Sending a request to a secure server; (d2) the security server receiving information transmitted from the administrator terminal to perform administrator authentication, and if the authentication is successful, transmitting a secure memory access permission request to a member whose master key change is requested; (d3) receiving, by the member, a secure memory access permission request, granting secure memory access right to the secure server, and transmitting the secure memory access right to the secure server; (D4) receiving, by the security server, secure memory access right grant information, changing / stored the stored master key of the member, and transmitting the changed master key to the member; And (d5) receiving and decrypting the modified master key encrypted by the member, changing the master key stored in the secure memory, recovering the secure memory access right of the management server, and then sending a master key change complete message to the secure server. There is provided a member management method in a ubiquitous computing network environment, including transmitting.

In order to achieve the above object, according to another preferred embodiment of the present invention, in a member management method in a ubiquitous computing network environment, (e1) the security server determines whether the master key change period has arrived, and master When the key change period arrives, transmitting a secure memory access right request to a corresponding member; (e3) receiving, by the member, a request for a secure memory access right, granting secure memory access right to the secure server, and transmitting the secure memory access right to the secure server; (E4) receiving, by the security server, secure memory access right grant information, changing / stored the stored master key of the member, and transmitting the changed master key to the member; (e5) The member receives and decrypts the encrypted changed master key, changes the master key stored in the secure memory, recovers the secure memory access right of the management server, and transmits a master key change complete message to the secure server. There is provided a member management method in a ubiquitous computing network environment, comprising the steps of: a.

As described above, according to the present invention, by defining a secure registration procedure and method of a member in the UCN environment, it is possible to prevent an attack that may occur in the registration process of the member in advance and to perform secure communication.

In addition, the secure server enables encrypted communication with each other by securely exchanging symmetric keys for secure communication with the members. In addition, this symmetric key is composed of information between each other and can be used to distinguish members.

Prior to the description of the preferred embodiment of the present invention, the definitions of terms used below are as follows.

UCN: Ubiquitous Computing Network,

Security Server: Centralized server responsible for device authentication and community formation,

Device member: A local device (hereinafter referred to as `` member '') that is certified within the UCN environment.

MK: Symmetric key-based master key (hereinafter referred to as ‘MK’) shared between security server and device,

Community: Dynamic network area that enables members to communicate with each other.

Community Tokens: Keys needed for community formation and data encryption within communities,

Secure Memory: Secure storage such as memory on a member.

First, a brief look at the functions required in the preferred embodiment according to the present invention in order to achieve the object of the present invention as described above.

First, secure symmetric key exchange between secure server and member should be done to secure communication server, so that this symmetric key can be checked whether it is symmetric key generated by administrator to store in secure memory of member. You will have to go through the administrator certification process.

In addition, the procedure for membership registration will be divided into three categories: registration, deletion, and change. First, in the registration process, a state must be established where the member can trust the security server and the security server can trust the member. Once the state is created, it should be able to encrypt the member information by dividing the symmetric keys that can be encrypted and decrypted by each other for fast encrypted communication based on the trust between the security server and the member.

 Second, the deletion process can be divided into the case where the administrator wants to delete the member and the deletion due to the problem of the member itself. Member deletion by the administrator requires the process of deleting the symmetric key for communication between the security server and the member, and in the deletion process due to the member's problem, the security server confirms the member's departure and the administrator checks this. By deleting the symmetric key of the member of the member, another problem caused by re-access of the deleted member can be prevented.

Lastly, in the change process, if the long-term secret key is used for a long time, the symmetric key of the security server and member can be changed every time. You should be able to update it safely.

Hereinafter, with reference to the accompanying drawings will be described in detail a preferred embodiment of the present invention having the function as described above.

1 is an overall schematic diagram of member management according to a preferred embodiment of the present invention. With reference to FIG. 1, the member management method in the ubiquitous computing network environment according to the present invention will be described.

The present invention relates to a series of procedures and a method for an administrator to initially manage a device (hereinafter referred to as a member) in a ubiquitous computing network (UCN) environment.

The present invention will be described by dividing member management in UCN environment into three types of registration, deletion, and change. First, in the member registration process, a security server (hereafter referred to as a security server for security privacy) is sent a registration request message to a new member, and the member responds and requires administrator authentication to access his secure memory. . Through the administrator authentication process, the secure memory of the member is allowed, and the security server generates a master key (MK) from the member's information and the administrator's information and stores it in its own database. After that, if the master key is sent to the member to be registered, the member completes the initial registration process by safely storing the master key in its secure memory.

The second deletion process is performed when the registered member needs to be deleted, and can be divided into two ways. One of them is the process of deleting by the administrator. When the administrator operates the administrator terminal to access the security server and requests the security server to delete the master key of the member, the security server deletes the master key from the member or initializes the secure memory. You will be asked. After the member completes the deletion or initialization of the master key, the execution completion message is sent to the security server. The security server deletes the member's master key from its database and sends the member deletion completion message to the administrator terminal. It is finished.

Another method is to delete a member when there is a problem with the member or when the member is separated. In this process, when a user operates a user terminal to access a member to receive a specific service, the user must go through a security server to start the corresponding service. The security server performs a process of sending and receiving a message with a member in the service process. If a message does not return for a certain time or a pattern that can be judged to be a problem is seen, the log server is used to log to a user terminal or an administrator terminal. You will be notified of this. Based on this, the administrator requests the security server to delete the problem member and the security server completes the deletion of the problem or the missing member by deleting the member's master key from the database.

 Finally, when changing the master key, the administrator accesses the security server through the administrator terminal and requests the member's master key to be changed, and the security server requests the use of the secure memory of the member to be changed. After receiving the secure memory usage response from the member, the security server creates a new master key, updates its database, and sends the new master key to the member. The received member updates its master key with a new master key and informs the security server of the completion message. Finally, the security server completes the change process by sending a member change completion message to the administrator.

1 is an overall schematic diagram of member management according to an exemplary embodiment of the present invention, and FIG. 2 is a system configuration diagram for member management according to an exemplary embodiment of the present invention.

As shown in FIG. 2, the system according to the present invention includes an administrator terminal 100, a user terminal 200, a member 300, a wired / wireless communication network 400, an application service server 500, and a security server 600. can do.

The manager terminal 100 accesses the security server 600 according to the operation of the administrator to register or delete the member 300 or the master key of the member 300 stored in the member 300 and the security server 600. Will change the function.

The user terminal 200 is connected to the security server 600 through a communication path such as the Internet according to the user's operation to control the operation of the member 300 constituting the UCN. The user terminal 200 may be implemented as an information communication device such as a personal computer, a notebook, a mobile phone, and the like configured to perform data communication through a network.

Member 300 is a device for information communication devices such as mobile phones, home appliances, personal computers, and the like, telephones, facsimiles, video recording / playback devices that can participate in the UCN according to the present invention by performing data communication, security server The function may be controlled by the 600 and the application service server 500. The ubiquitous computing network according to the present invention may be configured to include a plurality of members, but the gist of the present invention lies in the management (registration / deletion / change) of members. A preferred embodiment according to the present invention will be described with reference to).

When the member 300 newly enters the ubiquitous computing network according to the present invention, the member 300 receives a registration request transmitted from the security server 600 that detects the new member 300, and responds with security. By storing the master key transmitted from the server 600 in the secure memory (), a series of registration processes are completed.

The master key is a symmetric key for encrypted communication between the security server 600 and the member 300 and at the same time an identification value for identifying the member 300. The symmetric key decryption algorithm is a simple reverse operation of encryption (eg, addition is subtraction, multiplication is division), in which the sender and receiver share a key, so that the key used for encryption and decryption is the same. This is simply a technique for encrypting and decrypting data with a single private key. Since symmetric key-based cryptography is performed by repeating simple bit operations, the amount of data that can be encrypted per unit time is relatively large. Therefore, the symmetric key-based encryption / decryption method is suitable for handling a large amount of data, and the encryption and decryption keys are the same, so that the processing speed is fast and the service can be smoothly performed even in a low resource device. Such a master key is generated and assigned a unique value to each local member, and stored in the database 610 of the security server 600 and the secure memory () of the local member and used for encryption and decryption during data communication. That is, when the master key for the first local member is referred to as the first master key and the master key for the second local member is referred to as the second master key, the first master key and the first key are included in the database 610 of the security server 600. Both master keys are stored, the first master key is stored in the security area of the first local member, and the second master key is stored in the security area of the second local member to be used for authentication and decryption.

The security server 600 performs a function of configuring / managing a ubiquitous computing network, and in more detail, is a centralized server that manages the members 300 participating in the network and forms a community, and the user terminal 200. By receiving a service request transmitted from the application service server 500 to control the function of the member 300.

The application service server 500 performs a function of providing various applications required for driving the member 300 and the security server 600. That is, in the ubiquitous computing network environment, the network basically includes an application service server 500 that controls each member constituting the network to perform a desired service. In order for a user to access the application service server 500 and control a function of the desired member 300, the user must pass through a secure server 600 using the user terminal 200.

With reference to the accompanying Figures 1 and 2 described in detail, the member registration process in the UCN environment can be viewed from three perspectives to greatly register, delete, change, the registration process is a new member 300 by wired and wireless communication (400) Is detected by the security server 600, the security server 600 requests registration to the member 300 and obtains the secure memory access rights of the member 300 by the administrator terminal 100 security server 600 The master key (MK) to be used as a symmetric key in the data communication between the member 300 and stored in the database 610, and transmits the master key to the member 300 is stored in the member's secure memory 320. Thereafter, the security server 600 completes the registration process by transmitting a completion message to the manager terminal 100.

In the deletion process, it can be divided into deletion by an administrator and deletion due to a problem of the member 300. First, the deletion by the administrator can delete the member 300 by deleting each other the master key stored in the security server (600) and the secure memory () of the member 300, the member of the 300 The deletion caused by the problem is that the security server 600 confirms the departure of the member 300, and then the administrator who confirms the master key of the corresponding member of the security server 600 through the administrator terminal 100 in the database 610 You can delete a member by deleting it.

Finally, the process of changing the master key allows the administrator to change the master key through the manager terminal 100 with respect to problems that may occur due to re-access of the member 300 or long-term secret key. Or to change the master key due to deletion due to a problem of the member 300. The administrator accesses the security server 600 through the administrator terminal 100 so that the administrator can safely update the master key having the security server 600 and the members stored in the database 610 of the security server 600. The master key change procedure is completed in order of resetting the master key of the corresponding member and transmitting and storing the reset master key to the corresponding member 300.

3 is a packet configuration of the present invention, and shows a message packet structure exchanged between a security server and a member for registration, deletion, and change of a member.

Referring to Figure 3 describes the configuration of a packet according to the present invention.

① Type

Size: 2 bits

-Display value: '1': register, '2': delete, '3': change

② Code

Size: 2 bits

-Display value: ‘0’ = Request, ‘1 = Response,‘ 2 = Success, ‘3’ = Failure

③ Identifier

Size: 1 byte

-Display value: Identifier value is determined in Request packet and Identifier value of Response must be equal to that of corresponding Request packet.

④ Total Length

Size: 1 byte

-Display value: The total length of the packet from the Code field to the Data field in bytes.

⑤Flags

Size: 4 bits

-Display values: ‘S’ = start, ‘D’ = data Length included, ‘C’ = Crypto setting, ‘CM’ = Crypto information, ‘KD’ = Kind of Data

⑥ Data Length

Size: 1 byte

Display Value:

# Indicates the data field length in bytes.

# Omitted if the Code field is Success or Failure.

Data Length and Data fields are determined by the Type, Code, and Flags field values.

4 shows a protocol flow upon successful member registration, and FIG. 5 shows a member registration flow chart. 4 and 5, the registration process of a new member will be described with reference to FIGS.

① Registration start request (Registration star Request): When the security server finds a new member (S601) and requests registration to the member (S602). 6 illustrates a packet transmitted from a security server to a member for registration start request.

② Registration start response (Registration star Response): The member receiving the registration request message from the security server transmits a response message to register to the security server (S603). 7 illustrates a packet transmitted from a member to a security server for registration start response.

③ Super User Request: The security server finds a new member and receives a response from the member who wants to register. Then, the security server inquires about the fact that the new member has been found and whether the found member is registered so that the new member can be registered. The registration of the administrator (S604) and the authentication request message is transmitted to the administrator terminal (S605).

④ Super User Response: The administrator sends the authentication information such as his / her ID / password and member's permission to the security server by operating the administrator's terminal to register the member, and the security server authenticates the received administrator. Administrator authentication is performed using the information (S607).

⑤ Super User Auth (Secure area open) Request: When the security server completes the administrator's authentication for new member registration (S606) and the administrator wants to register a new member according to the permission of registration (S608). In addition, the security server requests the administrator to grant a new member the fact that the administrator wants to register the new member and the member's secure area access to store the master key. At this time, the security server's certificate and public key are attached and sent together (S609). 8 illustrates a packet for an administrator registration request (Super User Auth (Secure area open) Request).

⑥ Super User Auth (Secure area open) Response: The new member receives the administrator's registration request and secure memory access permission request message from the security server and uses the received security server certificate / public key. After the verification process, if there is no error, the security memory access authority is granted and the message that the secure memory can be used and the product information such as its serial number and its public key are displayed. Encrypted by using the transmission to the security server (S610). A packet for an administrator registration response (Super User Auth (Secure area open) Response) is illustrated in FIG. 9.

⑦ Master Key Send (MK Send): After receiving the message that the security server can use the secure memory from the new member, the master key (symmetric) based on the administrator's authentication information (ID, password, etc.) PW and the member's product number. After the key is generated / stored, the master key is encrypted using the public key received from the new member and transmitted to the member (S611). In more detail, the master key generation algorithm can be applied in various ways. However, the master key can be mastered through an exclusive OR operation between a member's product number or administrator password and a random random value generated by the security server. It may also be configured to generate a key. 10 illustrates a packet for master key transmission.

⑧ Success: New member who receives the encrypted master key sent from the security server decrypts it using the member's own public key, saves the decrypted master key in the secure memory and retrieves access to the secure memory. And transmits a success message that the member registration is completed (s613). 11 illustrates a packet for transmission of a success message.

12 shows a new member registration failure procedure. 12 and 5 will be described in detail the failed registration procedure of a new member.

① First, when the security server finds a new member (S601), the member requests a registration (S602). ② The member receiving the registration request message from the security server transmits a response message to register with the security server (S603). ③ The security server finds a new member, and after receiving a response from the member who wants to register, transmits a registration request (S608) and an authentication request message of the administrator (S606) who can register the new member. ④ If you are not an administrator or do not want to register as a manager (S608 N) member registration will fail.

13 shows a member deletion procedure by an administrator.

A member deletion procedure by the administrator will be described in detail with reference to FIGS. 13 and 15.

① After the administrator accesses the security server through the administrator authentication process by operating the administrator terminal (S604) ② When a member is deleted (S630) ③ The security server requests a member to access the secure memory for deleting the member by the administrator ( In step S609, the access right is granted to the security server (S610). The secure server granted access to the secure memory requests to delete or initialize the master key stored in the secure memory of the member (S631).

④ After this member deletes the master key stored in its own secure memory or initializes the secure memory and informs the security server of this fact (S632). ⑤ The server receiving the message deletes the master key of the member stored in the database (S633) and finishes the deletion process by sending a deletion completion message to the administrator terminal.

14 shows a member deletion procedure due to a member error or detachment.

14 and 15 will be described in detail a member deletion procedure due to member abnormality and detachment.

① When accessing a member to receive a service using a specific user user terminal, it goes through a security server to start a service.

② The security server goes through the process of sending and receiving messages with the member in the service process, and if this process does not receive the response of the message sent from the member for a certain time (S703) ③ judged that the member has a problem (S704) This is stored and transmitted to the user terminal and the administrator terminal through an alarm or log record (S704).

④ When the administrator checks the message that a problem has occurred in the member, the administrator accesses the security server using the administrator's terminal (S604). ⑤ Requests to delete the master key of the problem member (S630). By deleting the in the database (S633) it is possible to prevent problems due to the re-access of the member.

⑥ The security server completes the member deletion process by sending a member deletion completion message to the administrator terminal.

16 shows a procedure for changing a member master key.

The procedure for changing the member master key will be described in detail with reference to FIGS. 16 and 5.

As a solution to problems that can be caused by deleting a master key stored in a member on another network, or by using a long-term secret key, the administrator can change the master key.

① The administrator operates the administrator terminal to access the security server (S606) and performs the administrator authentication. ② Requests to change the master key of a specific member (S608).

③ The security server requests the secure memory access permission for changing the master key to the member designated by the administrator (S609), and the member ④ permits access to his secure memory (S610).

⑤ After that, the security server generates a new master key to update the old master key stored in the database (S611), and transmits the new master key to the member (S612).

⑥ The member receiving the new master key from the security server updates the master key stored in his security memory with the received master key, and when the master key change is completed, transmits a success message to the security server (S613).

⑦ The security server completes the master key change procedure of the member by sending a message that the master key change is completed to the administrator terminal.

On the other hand, according to another preferred embodiment of the present invention can be configured so that the master key change as described above can be made automatically according to a certain period without the intervention of the administrator.

Since the master key is used to encrypt and decrypt the token, there is a risk that a third party can take over the community if it is leaked, and thus, a periodic change of the master key is necessary. The problem with the conventional system is that although the master key change process exists, it is difficult for the user to periodically change the master key registered once. The present invention proposes a method in which the master key can be changed periodically without the intervention of an administrator to solve this problem.

The security server generates / stores the expiration date information (L _MK ) of the master key together when generating the master key during the registration process of a specific member, and transmits it to the member to be stored in the member's secure memory.

When the invention is configured to change the master key by judging the validity period of the master key in the security server itself, the security server determines whether the master key of a specific member expires and generates a new master key when the validity period expires. Save and send it to the member so that the master key stored in the member can be changed.

On the other hand, when the invention is configured to change the master key by judging the validity period of the master key in the member itself, the member determines whether the stored master key expires and if the validity period expires, the new master as a security server. After requesting a key, the security server creates / stores a new master key and sends it to the member so that the master key stored in the member can be changed.

Preferred embodiments of the present invention described above are disclosed for purposes of illustration, and those skilled in the art will be able to make various modifications, changes and additions within the spirit and scope of the present invention. Additions should be considered to be within the scope of the following claims.

1 is an overall schematic diagram of member management in accordance with one preferred embodiment of the present invention.

2 is a system configuration diagram for member management according to an embodiment of the present invention.

3 is a packet structure for member registration, deletion, and change according to an embodiment of the present invention.

4 is a new member registration success procedure according to an embodiment of the present invention.

Figure 5 is a flow chart for a new member registration according to an embodiment of the present invention.

Figure 6 is an illustration of a Registration start Request packet of the member registration process according to an embodiment of the present invention.

Figure 7 is an illustration of a Registration start Response packet of the member registration process according to an embodiment of the present invention.

8 is an exemplary diagram of an administrator secure area open (Auth) Request packet of a member registration process according to an embodiment of the present invention.

9 is an exemplary diagram of an administrator secure area open (Auth) Response packet of a member registration process according to an embodiment of the present invention.

10 is an exemplary diagram of a master key Send packet of a member registration process according to an embodiment of the present invention.

11 is an exemplary diagram of a Success packet of a member registration process according to an embodiment of the present invention.

12 is a new member registration failure procedure according to an embodiment of the present invention.

13 is a member deletion procedure by an administrator according to an embodiment of the present invention.

14 is a procedure for deleting a member due to a member abnormality and detachment according to an exemplary embodiment of the present invention.

15 is a flowchart illustrating a member deletion process according to an embodiment of the present invention.

16 is a procedure for changing a member master key according to an embodiment of the present invention.

Explanation of symbols on the main parts of the drawings

100: manager terminal

110: security device program in the administrator terminal

200: general user terminal

210: security device program in the general user terminal

300: new member device

310: Security device program in the new member device

320: Secure memory access right control and physical part of security device program of new member device

400: wired or wireless communication (general communication)

500: service management server for providing services in the UCN environment

600: security server (hereafter referred to as Security Privacy Gateway.)

601: database of the security server

Security server: Communication management server for secure communication in UCN environment

Member: Device Device Superuser: Administrator

Master Key: Master Key (symmetric key for encrypted communication between security server and device member device and identification value for distinguishing members at the same time)

Claims (9)

In the member management method in the ubiquitous computing network environment, (a1) if a new member is detected in the ubiquitous computing network, requesting registration with the detected member by a security server; (a2) the member receiving a registration request transmitted from the security server and transmitting a registration response message to the security server; (a3) receiving, by the security server, a registration response message sent from the member, and transmitting a registration request and an authentication request message to an administrator terminal; (a4) the administrator terminal receiving and outputting a registration status and an authentication request message, and then transmitting authentication information and registration status information according to a manager's operation to the security server; (a5) the security server receiving authentication information and registration information transmitted from the administrator terminal to perform administrator authentication, and if the authentication is successful, determining whether to permit registration of the member; (a6) if the registration of the member is permitted, transmitting the registration permission information and the secure memory access permission request to the member by the security server; (a7) the member receiving the registration permission information and the secure memory access permission request, granting the secure memory access right to the security server, encrypting the product information and the member public key, and transmitting the encrypted server information to the secure server; (a8) receiving and decrypting the encrypted member public key and product information by the security server, generating and storing a master key, encrypting the generated master key and transmitting the encrypted master key to the member; And (a9) receiving and decrypting the encrypted master key by the member, storing the same in a secure memory, and recovering the secure memory access right, and transmitting a member registration completion message to the secure server. Member management method in ubiquitous computing network environment. The method of claim 1, In the step (a6), the security server further transmits a certificate of the security server to the member, In step (a7), the member receives the security server certificate and determines the validity, and then grants secure memory access rights only if the security server certificate is valid, characterized in that the member management method in a ubiquitous computing network environment. The method of claim 1, In step (a6), the security server further transmits a security server public key to the member, In step (a7), the member receives the security server public key, encrypts the product information and the member public key using the received security server public key, In the step (a8), the security server decrypts the encrypted product information and member public key using a private key corresponding to the security server public key, member management method in a ubiquitous computing network environment. The method of claim 1, In the step (a8), the security server encrypts the master key using the member public key, And in the step (a9), the member decrypts the encrypted master key using a private key corresponding to the member public key. The method of claim 1, In the step (a8), the security server generates a master key based on at least one or more information of the administrator authentication information, product information of the member member management method in a ubiquitous computing network environment. delete delete delete delete

Images