KR101737066B1 - User identity authentication method using one time pin and otp, authentication server and otp generator implementing the same - Google Patents

Info

Publication number
KR101737066B1
Authority
KR
South Korea
Prior art keywords
otp
opin
generation
generator
generated
Application number
KR1020150171395A
Other languages
Korean (ko)
Inventor
김연수
안순용
강우진
김근옥
Original Assignee
사단법인 금융결제원 (Korea Financial Telecommunications & Clearings Institute, KFTC)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4012 Verifying personal identification numbers [PIN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key


Abstract

According to one embodiment of the present invention, a user authentication method performed by an authentication server using an OTP comprises: receiving a request to generate an OPIN from a banking server or a user terminal; generating the OPIN with an OPIN generation algorithm on the basis of at least one of an OPIN generation key, the current time, transaction information, and an institution code; transmitting the generated OPIN to the user terminal; receiving an OTP from an OTP generator that verifies the OPIN entered by the user and generates the OTP only if that verification succeeds; and verifying whether the OTP is valid with an OTP verification algorithm on the basis of the OTP and at least one of an OTP generation key, the current time, transaction information, and the institution code. The present invention relates to a user authentication method using a one-time PIN and an OTP, and to an authentication server and an OTP generator performing the method; more specifically, it relates to a technique that improves security by having the OTP generator generate an OTP only after a primary verification has been completed using an OPIN generated by the authentication server.

Description

[0001] The present invention relates to a method of authenticating a user using a one-time PIN and an OTP, and to an authentication server and an OTP generator for performing the method.

Specifically, the present invention relates to a technique for improving security in which the OTP generator generates an OTP only after a first verification has been completed using an OPIN generated by the authentication server.

Along with the growth of electronic commerce, methods of verifying identity in electronic transactions continue to develop. The most basic authentication method is for a user to enter an ID and a password, with the user being authenticated on the basis of that pair.

However, the IDs and passwords of various web sites are frequently stolen by ever-developing hacking techniques. In response, users have been asked to set complicated passwords and to change them periodically. Nevertheless, once an ID and password have leaked, a third party who obtained them can gain an unfair advantage by using another person's ID and password, and the user whose ID and password were hijacked can suffer unexpected damage.

Various authentication schemes have been developed to counter hacking, and the OTP (One Time Password) has come into wide use. An OTP is a one-time password used in a scheme that generates a password with a limited validity period each time authentication is performed and authenticates with that password.

When an OTP is used, security is improved because a different password is used at every authentication. When the OTP generator generates an OTP with an OTP generation algorithm based on time information and an OTP secret key, the user reads the OTP from the OTP generator and enters it on the screen of the web site. The OTP entered by the user is transmitted through the web site to the server that authenticates it, and the authentication server generates an OTP in the same manner as the OTP generator. That is, the authentication server generates an OTP with the same OTP generation algorithm, based on the same time information used by the OTP generator and the OTP secret key, compares the user-entered OTP received through the web site with its self-generated OTP, and completes authentication successfully if they match.

However, even the authentication method using an OTP has a weakness: an attacker (hacker) who manipulates the time information of the OTP generator can obtain the OTP number for a time window of the attacker's choosing. For example, if the OTP generator is a smartphone, the attacker can plant malicious code on the smartphone that manipulates its time information, make the smartphone generate the OTP for the desired time window, and capture it. Later, when that time window actually arrives, the attacker can achieve his or her goal by passing identity verification with the captured OTP.

As described above, because an OTP generator such as a smartphone receives its time information from outside the secure area, there is a security threat that an attacker manipulates that time information. Accordingly, there has been a need for an authentication method that remains secure even when an attacker manipulates the time information.

SUMMARY OF THE INVENTION

The present invention has been made to solve the above problems of the prior art. An object of the present invention is to provide a method of authenticating a user through an OTP that is secure against hacking techniques that tamper with time information.

According to one aspect of the present invention, there is provided a method by which an authentication server authenticates a user using an OTP, the method comprising: receiving an OPIN generation request from a banking server or a user terminal; generating an OPIN through an OPIN generation algorithm based on at least one of an OPIN generation key, the current time, transaction information, and an institution code; transmitting the generated OPIN to the user terminal; receiving a self-generated OTP from an OTP generator that verifies the OPIN entered by the user and generates the OTP only when that verification succeeds; and verifying that the OTP is valid through an OTP verification algorithm based on the OTP and at least one of an OTP generation key, the current time, the transaction information, and the institution code.

Transmitting the generated OPIN to the user terminal may further include displaying the OPIN on the financial transaction screen shown on the user terminal.

The transaction information input to the OPIN generation algorithm or to the OTP generator may include an account number or a transfer amount.

If the OPIN generation key and the OTP generation key are the same, the OPIN generation algorithm and the OTP generation algorithm may be made different.

If the OPIN generation key and the OTP generation key are different, the OPIN generation algorithm and the OTP generation algorithm may be the same.

The OTP verification algorithm may verify the OTP by comparing the OTP received from the OTP generator with an OTP self-generated in the authentication server.

The authentication method of the authentication server may further include terminating the OTP verification, without accepting the OTP, if the time at which the OPIN was generated and the time at which the OTP is received differ by a predetermined time or more.

According to another aspect of the present invention, there is provided an authentication server for authenticating a user using an OTP, comprising: an OPIN generation request receiving unit for receiving an OPIN generation request from a banking server or a user terminal; an OPIN generation unit for generating an OPIN through an OPIN generation algorithm based on at least one of an OPIN generation key, a current time, transaction information, and an institution code; an OPIN transmission unit for transmitting the generated OPIN to the user terminal; an OTP receiving unit for receiving a self-generated OTP from an OTP generator that verifies the OPIN entered by the user and generates the OTP only when that verification succeeds; and an OTP verification unit for verifying whether the OTP is valid through an OTP verification algorithm based on the OTP and at least one of an OTP generation key, a current time, transaction information, and an institution code.

According to another embodiment of the present invention, there is provided a method by which an OTP generator authenticates a user using a smart OTP, comprising: receiving an OPIN entered by a user, or receiving the OPIN from a user terminal or an authentication server; verifying that the OPIN is valid through an OPIN verification algorithm based on the OPIN and at least one of an OPIN generation key, the current time, transaction information, and an institution code; generating an OTP through an OTP generation algorithm based on at least one of an OTP generation key, the current time, transaction information, and the institution code; and displaying the generated OTP on the OTP generator or transmitting it to the user terminal or the authentication server.

Verifying that the OPIN is valid may comprise checking, using the current time information of the OTP generator, whether the OPIN generation time of the authentication server and the current time of the OTP generator differ by a predetermined time or more.

The OPIN verification algorithm may verify the OPIN by comparing the received OPIN with an OPIN self-generated in the OTP generator.

Another embodiment of the present invention is a smart OTP program installed on an OTP generator to perform authentication using an OTP, the smart OTP program comprising: an OPIN verification module that verifies whether an OPIN is valid through an OPIN verification algorithm based on the OPIN and at least one of an OPIN generation key, a current time, transaction information, and an institution code; and an OTP generation module that generates an OTP through an OTP generation algorithm based on at least one of an OTP generation key, a current time, transaction information, and the institution code, and performs OTP generation only when the OPIN is valid.

According to an embodiment of the present invention, because the OTP is generated only after a first verification through the OPIN generated by the authentication server, an attacker who tampers with the current time information of the OTP generator causes the OPIN verification to fail, so no OTP is generated and security is improved.

It should be understood that the effects of the present invention are not limited to the above effects and include all effects that can be deduced from the detailed description of the present invention or the configuration of the invention described in the claims.

FIG. 1 is a general configuration diagram of a user authentication system using an OTP according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating a process of authenticating a user using an OTP according to an exemplary embodiment of the present invention.
FIG. 3 is a block diagram illustrating an internal configuration of an authentication server according to an embodiment of the present invention.
FIG. 4 is a diagram schematically showing the configuration of a smart OTP installed in an OTP generator.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described with reference to the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Throughout the specification, when a part is referred to as being "connected" to another part, this includes not only "directly connected" but also "indirectly connected". Also, when an element is referred to as "comprising" another element, it may include further elements and does not exclude them unless specifically stated otherwise.

In this specification, OTP (One Time Password) refers to the one-time password generated in the authentication process.

The authentication method using an OTP of the present invention can be used in combination with various OTP technologies. That is, the present invention is not limited to any particular OTP scheme and may be combined with schemes such as NFC (Near Field Communication) OTP, USIM (Universal Subscriber Identity Module) OTP, Secure SD (Secure Digital) OTP, and TEE (Trusted Execution Environment) OTP.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a general configuration diagram of a user authentication system using an OTP according to an embodiment of the present invention.

Referring to FIG. 1, the authentication system according to an exemplary embodiment of the present invention may include an OTP generator 100, a user terminal 200, a banking server 300, and an authentication server 400.

The OTP generator 100 according to an embodiment may be a terminal that verifies a one-time PIN (hereinafter referred to as an OPIN) as a pre-verification step before OTP generation, and then generates the OTP. The OTP generator 100 may be provided with a smart OTP that performs OTP generation and management. Hereinafter, the smart OTP refers to a program or application installed on the OTP generator 100 that performs authentication-related functions including OTP generation and management; that is, the smart OTP may also be called a smart OTP program or a smart OTP application.

The user terminal 200 according to one embodiment can be used as a tool with which a user performs electronic financial transactions. That is, a user who wishes to perform an electronic financial transaction can access a financial institution web page through the user terminal 200, or access a financial institution server through a financial institution program or application installed in the user terminal 200, and be provided with financial services.

While the user is provided with the financial service through the user terminal 200, the user must be authenticated, and an OTP may be used in that process. According to one embodiment, the OTP may be used when the user logs in to the financial institution server with his or her ID and matching password, and when the user uses individual services such as account transfers or signing up for financial products. When an OTP is used for user authentication, either the user enters the OTP generated and displayed by the OTP generator 100 into the user terminal 200, and the user terminal 200 transmits the received OTP to the financial institution server or the certification authority server, or the OTP generator 100 generates the OTP and sends it to the financial institution server or the certification authority server without the user separately entering it.

According to one embodiment, the OTP generator 100 and the user terminal 200 may be implemented as separate devices, but according to another embodiment they may be implemented as one integrated terminal. When an integrated terminal performs the functions of both the OTP generator 100 and the user terminal 200, it may have both the smart OTP and the financial institution application installed, and the smart OTP and the financial institution application may also be integrated into a single application.

The banking server 300 according to an exemplary embodiment may be any of the various financial institution servers described above, such as a server managed by a bank, a post office, an insurance company, or a securities company. It processes the financial transaction requested by the user and transmits the result to the user terminal 200. The banking server 300 may also relay information between the user terminal 200 and the authentication server 400.

The authentication server 400 according to an exemplary embodiment may verify that the OTP generated by the OTP generator 100 is a valid OTP. In addition, the authentication server 400 may generate an OPIN that is to be verified before the OTP generator 100 generates the OTP, and may transmit the OPIN toward the OTP generator 100. The configuration related to the OPIN is described later.

That is, the authentication server 400 receives the OTP generated by the OTP generator 100, performs the authentication itself, and transmits the authentication result to the banking server 300; the banking server 300 may then provide the financial service on the basis of that result.

According to one embodiment, the authentication server 400 may operate separately from the banking server 300, but according to another embodiment the authentication-related functions of the authentication server 400 may be implemented as part of the functions of the banking server 300.

A mobile server (not shown) may be provided separately from the banking server 300 and the authentication server 400, and may relay data between the OTP generator 100, the user terminal 200, the banking server 300, and the authentication server 400.

Communication between the OTP generator 100, the user terminal 200, the banking server 300, and the authentication server 400 may take place over a communication network, which may be wired or wireless. For example, the communication network may be implemented as a local area network (LAN), a metropolitan area network (MAN), or a wide area network (WAN). Preferably, the communication network according to an embodiment of the present invention may be the known World Wide Web (WWW) or the like.

FIG. 2 is a flowchart illustrating a process of authenticating a user using an OTP according to an exemplary embodiment of the present invention.

According to an embodiment of the present invention, the OTP generator 100 may perform the verification of the OPIN before generating the OTP, so that the OTP can be generated only when the verification of the OPIN is successfully performed.

The OPIN (One-time Personal Identification Number) is one-time PIN information generated by the authentication server 400 and verified before the OTP generation step. The OPIN changes with every electronic financial transaction of the user. The authentication server 400 can obtain trusted time information through interworking with a time server (not shown) and use it to generate the OPIN.

Referring to FIG. 2, the OTP generator 100, the user terminal 200, the banking server 300, and the authentication server 400 perform authentication using the OTP. Although the OTP generator 100 and the user terminal 200 are separate in the embodiment of FIG. 2, it goes without saying that they may function as one integrated terminal.

When the user wants to receive the electronic financial transaction service through the operation of the user terminal 200, the user terminal 200 can transmit the user authentication request to the banking server 300 (S201). In this case, the user terminal 200 may transmit the identification information of the user such as the ID of the user and the contents of the financial transaction service to be performed to the banking server 300 together.

The banking server 300 receives the authentication request from the user terminal 200, identifies the financial transaction service the user intends to perform, and determines whether authentication through an OTP is required for that service. That is, the banking server 300 can set a security level for each electronic financial transaction service and determine whether the requested transaction is one that must use an OTP. Such a security level may be preset by the user, and the banking server 300 determines accordingly whether to perform authentication via OTP.

If the banking server 300 determines that the user authentication for the financial transaction service requested by the user should be performed through the OTP, the banking server 300 may transmit the request for generating the OPIN to the authentication server 400 (S203).

The authentication server 400, on receiving the OPIN generation request from the banking server 300, may generate the OPIN (S205). According to one embodiment, the authentication server 400 generates the OPIN by inputting the user's OPIN generation key, the current time, the transaction information, the institution code, and the like to the OPIN generation algorithm, as in Equation 1.

[Equation 1]
$\mathrm{OPIN} = f(K, T, I_1, I_2, \dots, I_n)$

Referring to Equation 1, f() is the OPIN generation algorithm, K is the OPIN generation key, T is the current time, and $I_i$ is the i-th item of additional information. That is, the authentication server 400 can generate the OPIN by inputting these variables into the OPIN generation algorithm.

The OPIN generation key may be stored in the authentication server 400 with a different value for each user requesting electronic financial transactions, and the current time may be acquired by the authentication server 400 from an external time server.

According to one embodiment, the OPIN generation process may include an interworking function of a financial transaction. In this case, the authentication server 400 can generate OPIN by additionally inputting the transaction information received from the banking server 300, such as the account number and the transfer amount, to the OPIN generation algorithm when generating the OPIN.

The authentication server 400 can transmit OPIN to the banking server 300 in step S207 and the banking server 300 can transmit the received OPIN to the user terminal 200 in step S209.

According to one embodiment, the user can check the OPIN displayed on the user terminal 200 and input the OPIN to the OTP generator 100. That is, the OTP generator 100 can receive the OPIN from the user (S211). The OPIN can be displayed to the user through the display device existing in the user terminal 200, and the OTP generator 100 can receive the OPIN through the keypad or the touch screen. According to another embodiment, the OTP generator 100 and the user terminal 200 are connected, and the user terminal 200 may transmit the OPIN received from the banking server 300 to the OTP generator 100 without any user's operation.

The OTP generator 100 may perform verification of OPIN received from the user (S213). The OTP generator 100 can verify the OPIN by inputting OPIN, OPIN generation key, current time, transaction information, institution code, and the like received from the user into the OPIN verification algorithm. . According to one embodiment, when the transaction interworking function is performed in the OPIN generation process, the OTP generator 100 may additionally input information such as an account number, a transfer amount, and the like to the OPIN verification algorithm in performing the verification of the OPIN.

According to one embodiment, the OPIN verification algorithm can perform the verification of OPIN through comparison of OPIN generated by the authentication server 400 and input from the user and OPIN generated in the OTP generator 100 .

Unlike the time obtained by the authentication server 400 from the external time server, the current time used by the OTP generator 100 is extracted from the time information in the OTP generator 100 or the time information received from the user terminal 200 , The attacker performing the hacking can modulate the time information of the OTP generator 100 or the user terminal 200. However, when the current time is modulated in the process of performing the OPIN verification, the OPIN verification algorithm performs a problem in the OPIN verification process, so that the verification may not be normally performed and may fail. That is, if the difference between the current time information used by the authentication server 400 and the current time information used by the OTP generator 100 is equal to or more than a certain level, for example, one minute or more, OPIN verification may fail.

If the OPIN verification fails, the OTP generator 100 can output only the error message to the user without generating the OTP, and the user can not obtain the OTP and can not proceed the financial transaction any more.

Conversely, if the OPIN verification is successfully performed, the OTP generator 100 may generate the OTP (S215). OTP generation by the OTP generator 100 can be performed in a manner similar to the OPIN generation of the authentication server 400 described above with reference to Equation (1). That is, the OTP generator 100 can generate the OTP by inputting the OTP generation key, the current time, and various additional information to the OTP generation algorithm. According to an exemplary embodiment, the OTP generator 100 may include an interworking function of the financial transaction in the OTP generation process, and the OTP generator 100 may generate OTP by additionally inputting information directly related to a financial transaction, such as an account number and a transfer amount, can do.

According to one embodiment, the OTP generation key that the OTP generator 100 inputs to the OTP generation algorithm and the OPIN generation key that the authentication server 400 inputs to the OPIN generation algorithm can be configured identically. The OTP generation key and the OPIN generation key may be different for each user performing the financial transaction, but for one user, the OTP generation key and the OPIN generation key may include the same information. In this case, the OTP generation algorithm and the OPIN generation algorithm must be configured with different algorithms.

According to another embodiment, the OTP generation algorithm used by the OTP generator 100 for OTP generation and the OPIN generation algorithm used by the authentication server 400 for OPIN generation may be the same. However, in this case, the OTP generation key input to the OTP generation algorithm and the OPIN generation key input to the OPIN generation algorithm must be set differently for one user.

According to another embodiment, the OTP generation algorithm used by the OTP generator 100 for OTP generation and the OPIN generation algorithm used by the authentication server 400 for generating the OPIN are different, and the OTP generation key and OPIN generation key used for OTP generation The OPIN generation key used may also be different.

According to one embodiment, after generating the OTP, the OTP generator 100 may display the OTP on a display unit such as the display unit of the OTP generator 100, and the user confirms the OTP and inputs the OTP to the user terminal 200 (S217). According to another embodiment, the OTP generator 100 may be connected to the user terminal 200 through a communication network, and may transmit the OTP generated after completing the OTP generation to the user terminal 200 without intervention of the user.

The user terminal 200 transmits the OTP received from the user to the banking server 300 (S219), and the banking server 300 transmits the received OTP to the authentication server 400 (S221). According to an embodiment of the present invention, the user terminal 200 may instead transmit the OTP directly to the authentication server 400.

The authentication server 400 inputs the received OTP together with the user's OTP generation key, the current time, the transaction information, the authority code, and the like to the OTP verification algorithm to check whether the OTP was normally generated (S223). According to one embodiment, when the transaction interworking function was performed in the OTP generation process, the authentication server 400 additionally inputs information such as the account number and the transfer amount to the OTP verification algorithm when performing OTP verification.

According to one embodiment, the OTP verification algorithm verifies the OTP by comparing the OTP generated by the OTP generator 100 and transmitted to the authentication server 400 with an OTP generated by the authentication server 400 itself.

After completing the OTP verification, the authentication server 400 transmits the OTP verification completion information to the banking server 300 (S225). Based on this information, the banking server 300 provides the financial service requested by the user and returns the result only when user authentication using the OTP was performed normally. When authentication using the OTP was not performed normally, the banking server 300 may suspend provision of the requested financial service and transmit a message asking the user to retry authentication using the OTP. In addition, the banking server 300 may block further authentication attempts by a user who fails OTP authentication more than a predetermined number of times.

FIG. 3 is a block diagram illustrating an internal configuration of the authentication server 400 according to an embodiment of the present invention.

Referring to FIG. 3, the authentication server 400 includes an OPIN generation request receiving unit 410, an OPIN generation unit 420, an OPIN transmission unit 430, an OTP receiving unit 440, an OTP verification unit 450, a control unit 460, and a communication unit 470.

The OPIN generation request receiving unit 410 according to an embodiment may receive an OPIN generation request from the user terminal 200 or the banking server 300. Together with the OPIN generation request, the OPIN generation request receiving unit 410 may receive user identification information such as the user's ID and information on the financial transaction service the user wishes to perform. The information on the financial transaction service may include the type of financial transaction service, the account number that is the target of the service, and the amount of the financial transaction.

The OPIN generation unit 420 according to an embodiment may generate an OPIN by inputting an OPIN generation key, the current time, transaction information, an authority code, and the like to the OPIN generation algorithm. In this process, the OPIN generation unit 420 determines the current-time information, which is one input value of the OPIN generation algorithm, from time information received from an external time server or from time information managed by the authentication server 400.

If the financial transaction interlock function is included in the OPIN generation process, the OPIN generation unit 420 may add specific transaction information such as an account number and a transfer amount to the input value input to the OPIN generation algorithm.

The OPIN transmission unit 430 according to an embodiment may transmit the OPIN generated by the OPIN generation unit 420 to the user terminal 200 or the OTP generator 100 through the banking server 300. According to another embodiment, the OPIN transmission unit 430 may transmit the generated OPIN directly to the user terminal 200 or the OTP generator 100 without going through the banking server 300.

The OTP receiving unit 440 according to an embodiment may receive, from the banking server 300, the OTP that the banking server 300 received from the OTP generator 100 or the user terminal 200. According to another embodiment, the OTP receiving unit 440 may receive the OTP directly from the OTP generator 100 or the user terminal 200.

The OTP verification unit 450 according to an exemplary embodiment of the present invention performs an OTP verification process in which the OTP received by the OTP receiving unit 440, the OTP generation key corresponding to the user information of the user performing the financial transaction, the current time, the transaction information, and the like are input to the OTP verification algorithm, and thereby determines whether the OTP was normally generated.

One way for the OTP verification unit 450 to determine whether the OTP received by the OTP receiving unit 440 is based on the OPIN generated by the OPIN generation unit 420 is to compare the generation time or transmission time of the OPIN with the reception time of the OTP. That is, the OTP verification unit 450 takes the time at which the OPIN generation request receiving unit 410 received the OPIN generation request, the time at which the OPIN generation unit 420 generated the OPIN, or the time at which the OPIN transmission unit 430 transmitted the OPIN, and calculates the difference between that time and the time at which the OTP receiving unit 440 received the OTP. If the time difference exceeds a predetermined value, the OTP verification fails.

The OTP verification result of the OTP verification unit 450 may be transmitted to the banking server 300 by an authentication result transmitting unit (not shown) included in the authentication server 400, and the banking server 300 may decide, based on this result, whether to provide the financial service the user requested.

The control unit 460 according to an exemplary embodiment of the present invention controls the data flow among the OPIN generation request receiving unit 410, the OPIN generation unit 420, the OPIN transmission unit 430, the OTP receiving unit 440, the OTP verification unit 450, and the communication unit 470. That is, the control unit 460 according to the present invention controls these units so that each performs its own function.

The communication unit 470 according to one embodiment enables communication between the authentication server 400 and external devices; specifically, it enables the authentication server 400 to communicate with the banking server 300, the user terminal 200, the OTP generator 100, and an external time server.

FIG. 4 is a diagram schematically showing the configuration of the smart OTP 500 installed in the OTP generator 100.

Referring to FIG. 4, the smart OTP 500 may include an OPIN verification module 510, a secret information management module 520, an OTP generation module 530, and a driving module 540. The OPIN verification module 510, the secret information management module 520, the OTP generation module 530, and the driving module 540 are described here as components of the smart OTP 500; however, the OTP generator 100 or the user terminal 200 may include these modules directly, and the modules may perform their respective operations in the OTP generator 100 or the user terminal 200, so the present invention is not limited thereto. These program modules are concepts encompassing routines, subroutines, programs, objects, components, data structures, and the like that perform a particular operation or implement a particular abstract data type, but are not limited thereto.

Each module constituting the smart OTP 500 can run in a security area of the OTP generator 100, and the security area can be a smart card, a USIM, a TEE, or the like.

The OPIN verification module 510 according to an exemplary embodiment performs the function of verifying the OPIN received from the outside. The OPIN is verified by inputting the received OPIN together with the OPIN generation key, the current time, the transaction information, the institution code, and the like to the OPIN verification algorithm. If the transaction interworking function was performed in the OPIN generation process, specific information such as the account number and the transfer amount may be added as input values of the OPIN verification algorithm.

The secret information management module 520 according to one embodiment manages, within the security area, information such as the OPIN generation key used for OPIN verification, the OTP generation key used for OTP generation, and the user's transaction information.

The OTP generation module 530 generates an OTP by inputting the OTP generation key, the current time, and various additional information to the OTP generation algorithm. When the transaction interlock function is performed, the OTP generation module 530 may use specific financial transaction information such as the account number and the transfer amount as input values of the OTP generation algorithm. The OTP generation module 530 receives the OPIN verification result from the OPIN verification module 510 and generates the OTP only when the OPIN verification succeeded.

The driving module 540 according to an embodiment manages the OPIN verification module 510, the secret information management module 520, and the OTP generation module 530 as a whole in the OTP generator 100 or in the user terminal 200 that includes the OTP generation function. The driving module 540 may receive the user's OPIN and pass it to the OPIN verification module 510, pass the verification result of the OPIN verification module 510 to the OTP generation module 530, and manage the user interface of the OTP generator 100 on which the smart OTP 500 runs.

As described above, according to the embodiments of the present invention, the OPIN is generated from the current time information recognized by the authentication server 400, and the OTP generator 100 first verifies the OPIN and only then generates the OTP. Therefore, if an attacker tampers with the current time information used by the OTP generator 100 in the middle, the OPIN is not successfully verified and accordingly no OTP is generated, so the attacker cannot obtain the OTP. In addition, when the transaction interworking function is used, the OPIN and the OTP are generated using the transaction information entered by the user as an input value of the generation algorithm, which further improves security.
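The S215 to S225 sequence described earlier, the time-difference check of the OTP verification unit 450, and the clock-tampering argument in the preceding paragraph can be exercised end to end in a small simulation. The Python below is an added illustration, not the patent's or the assignee's code; the HMAC-SHA256 code derivation, the 30-second time step, the one-step drift tolerance, the 120-second OTP deadline, the institution code, and the key, time and transaction values are all constructed assumptions. Both sides hold the per-user OPIN and OTP generation keys (the embodiment with different keys and different algorithms), and the smart OTP refuses to produce an OTP unless the OPIN verifies against its own clock and the transaction details the user entered.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo parameters; none of these values or choices come from the patent.
TIME_STEP = 30            # seconds per time-counter step
OPIN_SKEW_STEPS = 1       # generator and server tolerate +/- one step of clock drift
OTP_MAX_DELAY = 120       # server fails an OTP received more than 120 s after OPIN generation
INSTITUTION_CODE = "BANK-01"                                   # the description's "authority code"
OPIN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # per-user OPIN generation key
OTP_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # per-user OTP generation key
T0 = 1_700_000_000        # constructed server time (seconds) at which the transaction starts


def code(key: bytes, label: bytes, counter: int, tx: dict) -> str:
    """Six-digit code from HMAC-SHA256 over a domain label, the time counter, the institution
    code and the transaction details (account number and transfer amount: the interworking input)."""
    mac = hmac.new(key, label + struct.pack(">Q", counter), hashlib.sha256)
    mac.update(f"{INSTITUTION_CODE}|{tx['account']}|{tx['amount']}".encode())
    return f"{int.from_bytes(mac.digest()[:8], 'big') % 10**6:06d}"


def matches_in_window(key: bytes, label: bytes, counter: int, tx: dict, received: str) -> bool:
    """Constant-time comparison of `received` against the codes of the neighbouring time steps."""
    return any(hmac.compare_digest(code(key, label, c, tx), received)
               for c in range(counter - OPIN_SKEW_STEPS, counter + OPIN_SKEW_STEPS + 1))


class AuthenticationServer:
    """Authentication server 400: issues the OPIN, later verifies the OTP and its timing."""

    def __init__(self, clock):
        self.clock = clock            # callable returning the server's time in seconds
        self.pending = {}             # user id -> (transaction, OPIN generation time)

    def issue_opin(self, user: str, tx: dict) -> str:
        now = self.clock()
        self.pending[user] = (tx, now)
        return code(OPIN_KEY, b"OPIN", now // TIME_STEP, tx)

    def verify_otp(self, user: str, otp: Optional[str]) -> bool:
        tx, issued_at = self.pending.pop(user)
        now = self.clock()
        if otp is None or now - issued_at > OTP_MAX_DELAY:
            return False              # no OTP, or OPIN-to-OTP gap above the predetermined value
        return matches_in_window(OTP_KEY, b"OTP", now // TIME_STEP, tx, otp)


class SmartOtp:
    """Smart OTP 500 in the generator's secure area: verify the OPIN first, only then make an OTP."""

    def __init__(self, clock):
        self.clock = clock            # the generator's own clock, which may have been skewed

    def verify_opin(self, opin: str, tx: dict) -> bool:
        return matches_in_window(OPIN_KEY, b"OPIN", self.clock() // TIME_STEP, tx, opin)

    def generate_otp(self, opin: str, tx: dict) -> Optional[str]:
        if not self.verify_opin(opin, tx):
            return None               # OPIN check failed: no OTP leaves the secure area
        return code(OTP_KEY, b"OTP", self.clock() // TIME_STEP, tx)


def run_transaction(generator_clock_offset: int, otp_delay: int,
                    tx_entered: Optional[dict] = None):
    """Simulate one transfer. Returns (otp_was_generated, server_accepted_otp)."""
    server_time = [T0]
    server = AuthenticationServer(lambda: server_time[0])
    generator = SmartOtp(lambda: server_time[0] + generator_clock_offset)
    tx_requested = {"account": "110-222-333333", "amount": 50000}   # constructed transaction
    tx_entered = tx_entered or tx_requested                          # what the user keys in

    opin = server.issue_opin("user-1", tx_requested)   # OPIN generated from server time
    otp = generator.generate_otp(opin, tx_entered)     # S215: OTP only after OPIN verifies
    server_time[0] += otp_delay                        # S217-S221: user relays OTP to server
    return otp is not None, server.verify_otp("user-1", otp)   # S223: OTP verification


if __name__ == "__main__":
    print("honest clocks, prompt OTP      ", run_transaction(0, 5))
    print("generator clock skewed by 1 h  ", run_transaction(3600, 5))
    print("OTP arrives 5 min after OPIN   ", run_transaction(0, 300))
    print("amount changed at the generator",
          run_transaction(0, 5, {"account": "110-222-333333", "amount": 5_000_000}))
```

The four scenarios in the main block correspond to the description's claims: with honest clocks the OTP is generated and accepted; a skewed generator clock makes the OPIN fail, so no OTP is ever produced; an OTP presented long after the OPIN was issued is rejected by the server's time-difference check even though it was correctly generated; and a transaction whose amount differs from the one the OPIN was issued for fails OPIN verification, which is the transaction interworking effect.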

The embodiments of the present invention described above can be implemented in the form of program instructions that can be executed through various computer components and recorded on a computer-readable recording medium. The computer-readable recording medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the computer-readable recording medium may be those specially designed and constructed for the present invention or those known to and used by those skilled in the computer software arts. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape, optical recording media such as CD-ROMs and DVDs, magneto-optical media such as floptical disks, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM and flash memory. Examples of program instructions include machine language code such as that generated by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware device may be configured to operate as one or more software modules for performing the processing according to the present invention, and vice versa.

It will be understood by those skilled in the art that the foregoing description of the present invention is for illustrative purposes only, and that various changes and modifications may be made without departing from the spirit or essential characteristics of the present invention. It is therefore to be understood that the above-described embodiments are illustrative in all aspects and not restrictive. For example, each component described as a single entity may be distributed and implemented, and components described as being distributed may also be implemented in a combined form.

The scope of the present invention is defined by the appended claims, and all changes or modifications derived from the meaning and scope of the claims and their equivalents should be construed as being included within the scope of the present invention.

100: OTP generator
200: User terminal
300: Banking server
400: Authentication server
500: Smart OTP

Claims (12)

1. A method for an authentication server to perform authentication using an OTP, the method comprising:
receiving an OPIN generation request from a banking server or a user terminal;
generating an OPIN through an OPIN generation algorithm based on at least one of an OPIN generation key, transaction information, and an authority code, and a current time;
transmitting the generated OPIN to the user terminal;
receiving an OTP generated by an OTP generator from the OTP generator, which performs verification of the OPIN input by a user and generates the OTP only when the verification is successfully completed; and
verifying whether the OTP is valid by comparing an OTP generated by the authentication server based on at least one of an OTP generation key, the transaction information, and the authority code, and the current time, with the OTP generated by the OTP generator.

2. The method according to claim 1,
wherein the transmitting of the generated OPIN to the user terminal further comprises displaying the OPIN on a financial transaction screen displayed on the user terminal.

3. The method according to claim 1,
wherein the transaction information input to the OPIN generation algorithm or to the OTP generator includes an account number or a transfer amount.

4. The method according to claim 1,
wherein, if the OPIN generation key and the OTP generation key are identical, the OPIN generation algorithm and the OTP generation algorithm are different.

5. The method according to claim 1,
wherein, if the OPIN generation key and the OTP generation key are different, the OPIN generation algorithm and the OTP generation algorithm are the same.

6. (Deleted)

7. The method according to claim 1,
further comprising the step of completing OTP generation when the generation time of the OPIN and the reception time of the OTP differ by a predetermined time or more.

8. An authentication server for authenticating a user using an OTP, comprising:
an OPIN generation request receiving unit for receiving an OPIN generation request from a banking server or a user terminal;
an OPIN generation unit for generating an OPIN through an OPIN generation algorithm based on at least one of an OPIN generation key, transaction information, and an authority code, and a current time;
an OPIN transmission unit for transmitting the generated OPIN to the user terminal;
an OTP receiving unit for receiving an OTP generated by an OTP generator from the OTP generator, which performs verification of the OPIN input by a user and generates the OTP only when the verification is successfully completed; and
an OTP verification unit for verifying whether the OTP is valid by comparing an OTP generated by the authentication server based on at least one of an OTP generation key, the transaction information, and the authority code, and the current time, with the OTP generated by the OTP generator.

9. A method for a smart OTP in an OTP generator to perform authentication using an OTP, the method comprising:
receiving an OPIN from a user, or receiving the OPIN from a user terminal or an authentication server;
verifying whether the received OPIN is valid through an OPIN verification algorithm that compares an OPIN generated by the OTP generator based on at least one of an OPIN generation key, transaction information, and an authority code, and a current time, with the received OPIN;
generating an OTP through an OTP generation algorithm based on at least one of an OTP generation key, the transaction information, and the authority code, and the current time, only if the received OPIN is verified as valid; and
displaying the generated OTP through the OTP generator, or transmitting the generated OTP to the user terminal or the authentication server, so that an OTP generated by the authentication server and the OTP generated by the OTP generator can be compared and verified.

10. The method of claim 9,
wherein verifying that the OPIN is valid comprises checking, using the current time information of the OTP generator, whether the OPIN generation time received from the authentication server and the current time of the OTP generator differ by a predetermined time or longer.

11. (Deleted)

12. A smart OTP program installed on an OTP generator and performing authentication using an OTP, the program comprising:
an OPIN verification module for generating an OPIN based on at least one of an OPIN generation key, transaction information, and an authority code, and a current time, and comparing it with an OPIN received from the outside to verify whether the OPIN received from the outside is valid; and
an OTP generation module for generating an OTP through an OTP generation algorithm based on at least one of an OTP generation key, the transaction information, and the authority code, performing the OTP generation only when the OPIN is valid, and transmitting the generated OTP to the outside so that an OTP generated by an authentication server and the OTP transmitted to the outside can be compared,
the smart OTP program being stored on a medium.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150171395A KR101737066B1 (en) 2015-12-03 2015-12-03 User identity authentication method using one time pin and otp, authentication server and otp generator implementing the same

Publications (1)

Publication Number Publication Date
KR101737066B1 true KR101737066B1 (en) 2017-05-18

Family

ID=59048963

Country Status (1)

Country Link
KR (1) KR101737066B1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100814561B1 (en) 2006-08-01 2008-03-17 인포섹(주) One Time Password Authentication Using A Mobile Phone
KR101386363B1 (en) * 2013-11-04 2014-04-29 유한회사 실릭스 One-time passwords generator for generating one-time passwords in trusted execution environment of mobile device and method thereof

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20200031801A (en) * 2018-09-17 2020-03-25 인비즈넷 주식회사 User authentication system and method
WO2020060150A1 (en) * 2018-09-17 2020-03-26 인비즈넷 주식회사 Identity authentication system and method
KR102145766B1 (en) * 2018-09-17 2020-08-19 인비즈넷 주식회사 User authentication system and method

Legal Events

Date Code Title Description
A201 Request for examination