KR101747234B1 - Authentication method using two channels and the system for it - Google Patents

Abstract

A method for authenticating a user according to a service request of a first terminal using a two-channel authentication method, the method comprising the steps of: (a) receiving a service provision request from the first terminal; (b) generating the service identification information according to the service provision request and transmitting the service identification information to the first terminal; (c) a login random number including at least one of the user ID previously stored in the second terminal and the service identification information received from the service providing server through the 2-channel authentication related application activated in the second terminal, Receiving a value request; (d) generating a login random value after confirming at least one of the user ID and the service identification information, and transmitting the random value to the second terminal; (e) receiving, by the service providing server, a login authentication request including at least one of a signature value using the login random value from the second terminal and a certificate issued to the user at the member registration process from the authentication server; And (f) performing verification of the certificate received from the second terminal in cooperation with the authentication server and verification of the signature value, wherein the service providing server performs authentication of the web page information .

Description

[0001] The present invention relates to a two-channel authentication method and system using an identification value and an authentication server,

More particularly, the present invention relates to a two-channel authentication method and system, and more particularly, to a two-channel authentication method and system using a simple authentication method To a two-channel authentication method and system capable of performing two-channel authentication.

[0003] With the development of information and communication technology, various types of servers have existed on a network. In the case where a predetermined client (client) accesses through a predetermined client terminal, the servers authenticate the client, And provides various types of information and / or services according to a predetermined procedure defined in advance by the customer terminal.

As a generalized customer authentication method in the client authentication of a server on the network as described above, there is a method of authenticating a customer through the ID / PW after registering the ID / PW on the server according to the customer registration procedure, In electronic transaction services requiring security, a variety of security programs such as authentication certificates, security cards, virtual keyboards, ARS (Audio Response System) authentication, OTP (One Time Password) and the like are used. Method and the like.

However, among the methods of using the ID / PW, there is a problem in that the user joins through the illegal information and thus the ID / PW is acquired, or even if the ID / PW is a normal ID / PW, Or illegal acquisition of an ID / PW through hacking or phishing of an ID / PW via a sniffing means and / or a spoofing means and / or a key stroke means, And exploitable problems. In addition, the customer also inconveniences the use of the ID / PW every time the service is used, and also inconveniences the management to remember the ID / PW for each site.

Also, the customer authentication method using the public certificate can avoid the hacking using the sniffing means and / or the spoofing means, which illegally access the network by the encryption technology of the public certificate, by avoiding the fraudulent customer authentication by the public certificate issuing procedure However, illegal acquisition of the authorized certificate password through hacking and phishing using the keystroke means can not be prevented as long as server connection and client authentication on the network are performed in a single customer terminal.

Therefore, in recent years, the use of two-channel authentication performed by a server capable of directly or indirectly communicating with a wired terminal and a wireless terminal used by a customer through heterogeneous communication networks is increasing.

An object of the present invention is to solve the above-mentioned problems, and it is an object of the present invention to provide a method and apparatus for generating an identification value based on a pre-registered terminal and a customer ID / PW of a customer using a 2-channel authentication service, A two-channel authentication method and system in which a customer can perform a login with a simple operation (e.g., click, input, QR code scan, etc.) on the terminal.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the invention, unless further departing from the spirit and scope of the invention as defined by the appended claims. It will be possible.

According to another aspect of the present invention, there is provided a method of authenticating a user according to a service request of a first terminal using a two-channel authentication method, the method comprising the steps of: (a) Receiving a service providing request from the service providing server; (b) generating the service identification information according to the service provision request and transmitting the service identification information to the first terminal; (c) a login random number including at least one of the user ID previously stored in the second terminal and the service identification information received from the service providing server through the 2-channel authentication related application activated in the second terminal, Receiving a value request; (d) generating a login random value after confirming at least one of the user ID and the service identification information, and transmitting the random value to the second terminal; (e) receiving, by the service providing server, a login authentication request including at least one of a signature value using the login random value from the second terminal and a certificate issued to the user at the member registration process from the authentication server; And (f) performing verification of the certificate received from the second terminal in cooperation with the authentication server and verification of the signature value, wherein the service providing server performs authentication of the web page information .

The user ID according to an exemplary embodiment of the present invention may be configured such that when the user requests a member registration with the authentication server using the first terminal or the second terminal, And may be identification information allocated to the user.

According to an embodiment of the present invention, the step (a) may include: providing a web page including a button associated with a login request signal from the service providing server to the first terminal; And automatically receiving a service provision request including the user ID previously stored in the first terminal according to a user's input signal for a button associated with the login request signal from the first terminal .

According to an embodiment of the present invention, the step (b) may further comprise: determining a service identification value for identifying a web site provided by the service providing server, a session identification value for a user terminal accessing the service providing server, And generating the service identification information including the service identification information.

In the step (b), the service providing server includes at least one of the user ID and the service identification information received from the first terminal, and requests the authentication server to perform login authentication for the user .

Alternatively, the step (b) according to the embodiment of the present invention may further comprise: deriving information about the second terminal from the user information DB constructed based on the user ID in the authentication server; And requesting the authentication server to execute the 2-channel authentication related application including the service identification information using the information about the second terminal.

Preferably, the authentication server may request the second terminal to execute the 2-channel authentication related app using a push message.

According to an embodiment of the present invention, in the step (c), the service providing server transmits to the service providing server based on the service identification value included in the service identification information in the 2-channel authentication- Communicating with the second terminal upon a connection request; And automatically receiving a login random value request including the user ID previously stored in the second terminal according to a user input signal for a button associated with a login request signal from the 2-channel authentication related app from the service providing server can do.

Alternatively, in the step (c) according to the embodiment of the present invention, the service providing server transmits the service identification information input by the user through the 2-channel authentication related application activated by the second terminal, Communicating with the second terminal requesting access based on the first terminal; And receiving the login random value request including at least one of the user ID and the service identification information previously stored in the second terminal from the second terminal by the service providing server.

Meanwhile, in the step (a) according to an embodiment of the present invention, the step (a) may include: providing a web page including a button associated with a login request signal from the service providing server to the first terminal; And the service providing server may automatically receive a service provision request from the first terminal according to a user's input signal for a button associated with the login request signal.

In this case, the step (b) includes a service identification value for identifying a web site provided by the service providing server and a user identification value for identifying a user terminal accessing the service providing server and performing a login request And generate the service identification information.

In the step (c), the service providing server transmits a service request to the second terminal based on the service identification information inputted by the user through the 2-channel authentication related application activated by the second terminal, Communicating with a second terminal; And receiving the login random value request including at least one of the user ID and the service identification information previously stored in the second terminal from the second terminal by the service providing server.

According to another aspect of the present invention, there is provided a method for authenticating a user according to a service request of a mobile terminal using a two-channel authentication method, the method comprising the steps of: (a) Receiving a service provision request from a browser; (b) the service providing server generates a login random value in response to the service provision request, and transmitting a web page including the generated login random value to the mobile browser of the mobile terminal; (c) The service providing server selects a button for a login request signal outputted to the mobile browser by the user, and transmits a login authentication request including a signature value and a certificate through the 2-channel authentication related application activated by the mobile terminal Receiving; And (d) performing verification of the certificate and verification of the signature value received from the mobile terminal in cooperation with the authentication server by the service providing server, and transmitting, to the mobile browser of the mobile terminal, And providing information.

In the step (c) according to the embodiment of the present invention, the login random value received from the service providing server to the 2-channel authentication related app in the mobile browser and the web site identification of the service providing server accessed from the mobile browser Quot; value ". ≪ / RTI >

According to another aspect of the present invention, there is provided a system for authenticating a user according to a service request of a first terminal using a two-channel authentication method, the system comprising: A service providing server for providing a service to the first terminal through a login authentication procedure with a second terminal according to a service request; And an authentication server that performs a user authentication procedure in association with the service providing server for a login authentication request of the second terminal, which is requested through the activated 2-channel authentication related application of the second terminal, Generates service identification information including a web site identification value and a session identification value or a user identification value according to a service request of the first terminal and transmits the service identification information to the first terminal, Value to the second terminal, and performs a verification process on the certificate and the signature value transmitted when the login authentication is requested from the second terminal.

It is to be understood that both the foregoing general description and the following detailed description of the present invention are exemplary and explanatory and are intended to provide further explanation of the present invention by those skilled in the art. And can be understood and understood.

According to an embodiment of the present invention, an identification value is generated based on a pre-registered terminal and a customer ID / PW of a customer using a 2-channel authentication service, and a simple operation Eg, click, input, QR code scan, etc.), the user's login usability and manageability can be simplified.

In addition, according to the embodiment of the present invention, it is possible to enhance security through asymmetric-based two-channel login and to propose a low-cost two-channel authentication method using a smartphone app.

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention.
1 is a diagram illustrating an example of a configuration of a 2-channel authentication system using an identification value and an authentication server according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating an example of a customer registration procedure for using a two-channel authentication method according to an embodiment of the present invention.
3 is a flowchart illustrating an example of a login process using a 2-channel authentication method according to an embodiment of the present invention.
4 is a flowchart illustrating another example of a login process using a two-channel authentication method according to an embodiment of the present invention.
5 is a flowchart illustrating another example of a login process using a two-channel authentication method according to an embodiment of the present invention.
6 is a flowchart illustrating another example of the login process using the two-channel authentication method according to an embodiment of the present invention.
FIG. 7 is a flowchart illustrating another example of a login process using a two-channel authentication method according to an embodiment of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS The present invention is capable of various modifications and various embodiments, and specific embodiments are illustrated in the drawings and described in detail in the detailed description. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The following detailed description, together with the accompanying drawings, is intended to illustrate exemplary embodiments of the invention and is not intended to represent the only embodiments in which the invention may be practiced. The following detailed description includes specific details in order to provide a thorough understanding of the present invention. However, those skilled in the art will appreciate that the present invention may be practiced without these specific details.

More particularly, the present invention relates to a two-channel authentication method and system, and more particularly, to a two-channel authentication method and system using a simple authentication method To a two-channel authentication method and system capable of performing two-channel authentication.

1 is a diagram illustrating an example of a configuration of a 2-channel authentication system using an identification value and an authentication server according to an embodiment of the present invention.

1, a two-channel authentication system 100 according to an exemplary embodiment of the present invention includes a first terminal 110, a second terminal 120, a service providing server 130, and an authentication server 140 .

The first terminal 110 is connected to the service providing server 130 via a wired / wireless communication network and receives various services provided by the service providing server 130. The first terminal 110 accesses the service providing server 130 and performs a login request for using the service, and when the second terminal 120 receives the login approval from the service providing server 130 in accordance with the login authentication, It is a terminal using a page providing service. For example, the service providing server 130 may be a web server on the Internet and the customer's first terminal 110 may be a personal computer connectable to the Internet.

The second terminal 120 is a terminal for inputting and / or extracting or generating customer authentication information to the service providing server 130 connected to the first terminal 110, To the service providing server (130).

Specifically, the second terminal 120 activates the related application in response to the 2-channel authentication-related application execution request transmitted from the authentication server 140 and performs a procedure necessary for the client authentication (or login authentication) with the service providing server 130 . At this time, the second terminal 120 accesses the service providing server 130 through the activated authentication-related app according to the user input signal, transmits and receives the identification information necessary for the customer authentication and the login authentication process with the service providing server 130 And performs the authentication procedure. The first terminal 110 can utilize the service provided by the service providing server 130 according to the authentication result of the second terminal 120.

The second terminal 130 may be a Personal Communication System (PCS), a Global System for Mobile communications (GSM) terminal, a Personal Digital Cellular (PDC), a Personal Handyphone System (PHS) And a mobile communication terminal including a PDA (Personal Digital Assistant) or a Smart Phone.

The service providing server 130 is a device for providing various services to the first terminal 110 according to a request of the first terminal 110. Specifically, the service providing server 130 performs a customer authentication and a login authentication procedure with the second terminal 120 in cooperation with the authentication server 140 when accepting the login request of the first terminal 110. [

Specifically, the service providing server 130 receives an identification value for identifying the corresponding service providing server from the authentication server 140 through the registration procedure for using the two-channel authentication method to the authentication server 140. [ Then, the identification value is transmitted according to the login request of the first terminal 110, the customer identification information including the identification value is received through the authentication related app of the second terminal 120, And provides the corresponding service to the first terminal 110 upon authentication confirmation.

A two-channel authentication method according to an embodiment of the present invention will be described below with reference to FIG. 2 and FIG.

FIG. 2 is a flowchart illustrating an example of a customer registration procedure for using a two-channel authentication method according to an embodiment of the present invention.

2, the user terminal 210 including the first terminal 211 and the second terminal 212 of the customer performs data communication with the authentication server 220 and uses the 2-channel authentication service Membership is performed.

2, the user connects to the authentication server 220 via the service providing server by accessing a web site to be used by using the first terminal 211, And transmits a registration request signal together (S201).

For example, the service providing server can link and provide a member registration page for requesting a user to input user identification information required for member registration on a web site accessed by a user. Here, the 'user identification information' is information for identifying a plurality of users such as a user's name, a telephone number, an e-mail address, a mobile phone number, and other information other than a name can be set as a user option. Preferably, when the second terminal 212 is a mobile terminal such as a smart phone, the authentication server 220 transmits an authentication-related application installation / execution related message (e.g., PUSH message or SMS message) to the second terminal 212 (E.g., mobile phone number) of the second terminal to the option registration information according to the user selection.

Upon receiving the user identification information for the member registration from the first terminal 211, the authentication server 220 checks whether the user is registered through the hash value of the user identification information based on the previously constructed member information DB If the user is an unregistered user, a user ID is generated from the user identification information hash value (S202).

The user ID is information to be generated by the authentication server 220 for user identification, not by information set by the user, and is not necessarily limited to that generated in step S202. As a result of checking whether the user is registered, the user ID can be generated from the user identification information hash value transmitted from the first terminal 211 at a later stage with respect to the unregistered user.

The authentication server 220 generates a registration request number for the unregistered user and transmits the registration request number to the first terminal 211 (S203). The 'registration request number' is a randomly generated number that requests the user to input the identification number to confirm the identity of the user. More specifically, the registration request number is the number of the registration request received by the user through the first terminal 211, To the authentication server 220 through the authentication server 212 to perform the user authentication procedure.

The authentication server 220 transmits a message requesting the installation of the 2-channel authentication-related app (App) to the second terminal 212 by using the identification information of the second terminal such as the mobile phone number received in step S201 (S204).

If the second terminal 212 is a mobile communication terminal, the app install request may be transmitted through a text message such as SMS / MMS. Preferably, the app install request may include a URL of a web page (e.g., Uniform Resource Locator) address. Alternatively, the user can directly search for and install related apps using the app market through the second terminal 212.

The second terminal 212 generates a user key automatically in conjunction with the authentication server 220 while the 2-channel authentication related app is installed and executed according to a user input (S205). At this time, the user key is a key provided by the authentication server 220 to use an asymmetric cryptography-based public key infrastructure (PKI) that combines a public key and a private key. Value and a private key generated from the public key.

When the second terminal 212 executes the 2-channel authentication related application, the user inputs the registration request number and the member information received in step S203 through the member registration menu function included in the application (S206).

The second terminal 212 transmits a registration request message including at least one of the user identification information required for member registration, the registration request number, the user identification information, the member information, the user public key, And transmits it to the authentication server 220 (S207). Here, the signature value is a value derived by substituting the hash value of the user identification information and the user's private key into a predetermined signature function.

The authentication server 220 performs a signature verification procedure using the user public key transmitted together with the signature value received from the second terminal 212 (S208).

When the signature verification is successful, the authentication server 220 allocates a user ID and a certificate to the user and stores it in association with the user information in the member information DB (S209).

Here, the user ID is generated as identification information generated from the user identification information hash value as described above, preferably by applying a hash function to HMAC (Hash-based Message Authentication Code) with a private key in the authentication server 220 The user ID can be inferred through the user ID or the user ID can not be inferred through the user ID.

When the member registration is completed, the authentication server 220 transmits the user ID and the certificate together with the member registration completion message to the second terminal 212 through the 2-channel authentication related application (S210). At this time, the authentication server 220 can register not only the member registration but also the second terminal 212 that has performed the data communication as a device corresponding to the user.

The second terminal 212 verifies whether the certificate received from the authentication server 220 is a legitimate certificate issued by the authentication server 220 (S211).

If it is confirmed that the second terminal 212 is valid, the second terminal 212 stores the received user ID and the certificate in the memory of the second terminal 212 (S212).

When the user ID and the certificate are stored in the second terminal 212, the authentication server 220 transmits a user ID to the first terminal 211 together with a message indicating that the user's registration is completed (S213). Similarly, the authentication server 220 can perform device registration for the second terminal 212 as well as member registration.

Accordingly, the first terminal 211 also stores the user ID in the internal memory (S214).

In this case, the step of storing the user ID in steps S212 and S214 may include a step of storing the user IDs separately from the user IDs provided by the authentication server 220 of the first terminal 211 and the second terminal 212, Identification information (e.g., an alias composed of a user name and a part of a mobile phone number), and the like.

According to the embodiment of the present invention, when the device registration is completed together with the membership registration of the user for using the identification information and the two-channel authentication method using the authentication server, the user accesses the service providing server using the plurality of registered terminals It is possible to perform the login process of the 2-channel authentication method for using the corresponding service.

According to the embodiment of the present invention, unlike the login according to the existing ID / PW input, a predetermined button click method, an identification value input method or a QR code identification method on a page for login in an authenticated terminal can be used. 3 to Fig. 7.

3 is a flowchart illustrating an example of a login process using a 2-channel authentication method according to an embodiment of the present invention.

3, the first terminal 301 according to the embodiment of the present invention accesses the service providing server 303 and accesses the service providing server 303 to use the online service provided by the service providing server 303. [ The login request signal is transmitted together with the user ID through the web page provided in the server (S301).

At this time, the login process to the web site at the first terminal 301 may use the conventional method of inputting the user ID and PW specified by the user, but in the embodiment of the present invention, It is assumed that the user ID issued by the server 220 is inputted. That is, as the user ID received from the authentication server 220 in the member registration process is stored in the first terminal 211 and the second terminal 212, the user can access the service providing server 303 as illustrated in FIG. (First click) of selecting a specific button on the web site for the login request to the service providing server 303 by calling up the user ID previously stored in the first terminal 301. [

In response to the request of the first terminal 301, the service providing server 303 generates service identification information for identifying the website provided by the service providing server and transmits the service identification information to the first terminal 301 (S302, S303) .

In the present specification, 'service identification information' is information composed of an identification value for identifying a web site and an identification value for distinguishing session information generated according to a user's server connection by a device. In order to use the 2-channel authentication method, the identification value for the website classification can be replaced with an abbreviation of the domain by an identification value issued from the authentication server when the service provider registers the service provider.

Specifically, the service identification information is composed of digits of digits that can be input by the user, and an ID is assigned to each registered website. The identification value of the website can be composed of a combination of alphabets and numbers. For example, when a four-digit code consisting of alphabet and number is set as the service identification information, a total of 36 characters are composed of 26 alphabets and 10 digits, and 3 digits are assigned as the website identification value among the 4 digits codes A total of 46656 IDs can be generated for each web site, and the remaining one-digit codes constituting the service identification information can be allocated as identification information for identifying a session for each user.

In addition, the domain information of the corresponding web site can be used in abbreviated form instead of the web site identification value. For example, when the web site address provided by the service providing server 303 is www.shopping.com and the domain address of the authentication server 304 is cert.com, the authentication server 304 acquires the identification value Instead, you can configure the abbreviated domain information shop110.cert.com. The authentication server can provide abbreviated domains such as shop110.cert.com, and the user only has to memorize and process (input and confirm) shop110.

Referring again to FIG. 3, the service providing server 303 transmits service identification information and user ID information to the authentication server 304 according to a login request of the first terminal 301, and requests login authentication (S304).

The authentication server 304 transmits a message for requesting execution of the 2-channel authentication related application to the second terminal (e.g., the second terminal) using the second terminal identification information (e.g., mobile phone number) of the previously registered user, 302 (S305). At this time, preferably, the execution request message of the 2-channel authentication related application can be transmitted in the form of a PUSH message, and the service identification information received from the service providing server 303 together with the PUSH message can be transmitted.

Accordingly, the user executes the authentication-related app through the PUSH message received in the second terminal 302 (S306), and transmits a login random value request signal including the user ID and the service identification information through the executed authentication- To the providing server 303 (S307).

At this time, in step S307, the user transmits the user ID previously stored in the second terminal 302 through the operation (second click) by the user to select a specific button preset on the application, To the service providing server 303 together with the request for providing the login random value.

The service providing server 303 confirms the user ID and service identification information transmitted from the second terminal 302 in step S308 and transmits a response message including the login random value to the second terminal 302 in step S309, .

The authentication related app of the second terminal 302 generates a signature value using the login random value transmitted from the service providing server 303 and transmits the generated signature value and the certificate provided by the authentication server in the user registration process To the service providing server 303 and requests login authentication (S310).

Here, the signature value for the login authentication request is a value obtained by substituting the hash value and the user private key concatenated with the user identification information and the login random value into the hash function.

The service providing server 303 performs a verification procedure for checking whether the certificate is issued to the user by the authentication server 304 in cooperation with the authentication server 304 at step S311, A verification procedure using the user's private key is also performed on the received signature value (S312).

Upon completion of the certificate verification and the signature verification, the two-channel authentication is legitimately performed through the second terminal 302, the login of the first terminal 301 is approved and a web page for use of the corresponding service is provided ).

In the two-channel authentication method according to an embodiment of the present invention described above with reference to FIG. 3, the authentication server issues an identification ID for each web site, and a second terminal And the user confirms the PUSH message transmitted to the second terminal, thereby enabling the second terminal to access the corresponding service providing server through the execution of the authentication-related application and the application, and perform user authentication and service authentication Thus, the user can omit the process of inputting the user identification information or the service identification information separately in the first terminal and the second terminal.

4 is a flowchart illustrating another example of a login process using a two-channel authentication method according to an embodiment of the present invention.

Referring to FIG. 4, the first terminal 401 according to the embodiment of the present invention transmits a user ID (ID) to a service providing server 403 through a web page provided by the service providing server 403, (S401).

Likewise, the login process to the corresponding website in the first terminal 401 uses a method in which the user inputs the user ID and the PW, or when the user sets the ID / PW in the storage state while inputting the ID / PW in the initial login, It is possible to omit the process of inputting the ID / PW each time the user logs in and to transmit the user identification information such as ID / PW stored in the first terminal 401 to the service providing server 403 through a click operation (first click) of a specific button .

In response to the request of the first terminal 401, the service providing server 403 generates service identification information for identifying a web site provided by the service providing server and transmits the generated service identification information to the first terminal 401 (S402 and S403) .

The user who confirmed the service identification information through the first terminal 401 activates the 2-channel authentication related app through the second terminal 402 (S404).

When the user inputs the service identification information transmitted to the first terminal 401 through the application activated on the second terminal 402, the service providing server 403 (Step S405 and step S406).

At this time, the 2-channel authentication-related app recognizes the domain information of the website included in the service identification information, and can perform a login request while attempting to access the corresponding site.

The service providing server 403 confirms the user ID and the service identification information transmitted from the second terminal 402 in step S407 and transmits a response message including the login random value to the second terminal 402 in step S408, .

The authentication related app of the second terminal 402 generates a signature value by applying the hash value and the user private key processed by the service provision server 403 to the hash function so as to concatenate the login random value and the user identification information, The generated signature value and the certificate provided in advance from the authentication server 404 are transmitted to the service providing server 403 and the login authentication is requested (S409).

The service providing server 403 performs a verification procedure for checking whether the certificate is issued to the user in cooperation with the authentication server 404 in step S410 and checks whether the certificate is issued from the second terminal 402 The verification of the received signature is also performed (S411).

Upon completion of the certificate verification and the signature verification, it is judged that the 2-channel authentication is legitimately performed through the second terminal 402. Accordingly, the first terminal 401 approves the login to the corresponding website, (S412).

In the login process of the 2-channel authentication method according to another embodiment of the present invention illustrated in FIG. 4, the user directly inputs the registration request number transmitted to the first terminal through the authentication-related application of the second terminal, Transmission method. 3, the user can perform a single click step for a login request on the first terminal 401 and a single information input for directly inputting the service identification information on the second terminal 402 The two-channel authentication method can be used.

In the two-channel authentication process using the service identification information input method of the user, the service authentication server transmits a PUSH for authentication-related application execution to the second terminal according to the login request of the first terminal, The process of transmitting a message can be omitted.

In the two-channel authentication method illustrated in FIGS. 3 and 4, the user ID information issued to the user by the authentication server in the member registration process is stored in the user terminal (first terminal and second terminal) , The process of inputting the user ID information at the time of the login request of the user is omitted and the pre-stored user ID information is automatically transmitted to the service providing server by selecting a predetermined login request button.

5 is a view for explaining an embodiment using a two-channel authentication method in a case where a user ID is not stored in a user terminal.

5 is a flowchart illustrating another example of a login process using a two-channel authentication method according to an embodiment of the present invention.

5, the first terminal 501 according to the embodiment of the present invention accesses the service providing server 503 and transmits a login request signal through a web page provided by the service providing server 503 (S501 ). At this time, if the user ID assigned by the authentication server to the first terminal 501 is not stored, the first terminal 501 transmits a login request signal to the service providing server 503 as an unregistered user.

In response to the request of the first terminal 501, the service providing server 503 generates service identification information for identifying the website provided by the service providing server and transmits the service identification information to the first terminal 501 (S502 and S503) .

At this time, the generated service identification information may be configured with an identification value for identifying a web site and an identification value for distinguishing an anonymous user (or first terminal) requesting a login. Herein, the identification value for identifying an anonymous user is different from the identification value for distinguishing a session according to the device-specific server connection described above with reference to FIG. 3, Information. Accordingly, the identification value for session identification can be assigned a one-digit code, while the identification value for identifying an anonymous user can be configured to distinguish a plurality of login request users by assigning a three-digit code.

The user who confirmed the service identification information through the first terminal 501 activates the 2-channel authentication related app through the second terminal 502 (S504).

At this time, since the service providing server 503 does not acquire the identification information of the user of the first terminal 501 that has performed the login request, the service providing server 503 transmits the 2-channel authentication related information to the second terminal of the user It is preferable that the user confirms the service identification information transmitted to the first terminal 501 and activates the 2-channel authentication related app at the second terminal 502, rather than transmitting the PUSH message requesting execution of the application .

When the 2-channel authentication related app is executed in the second terminal 502, the service identification information transmitted to the first terminal 501 is input through the corresponding application, and the executed application is registered in the web site Recognizes the domain information and transmits a login random value request signal while attempting connection to the service providing server 503 (S505, S506).

At this time, the second terminal 502 derives the previously stored user ID from the authentication server in the member registration process, and transmits the user ID included in the login random value request signal. That is, even if the first terminal 501 performs the login request as an anonymous user, the service providing server can confirm the identity of the user and whether the user is a legitimate user by transmitting the user ID through the second terminal 502.

The service providing server 503 confirms the user ID and the service identification information transmitted from the second terminal 502 in step S507, generates a login random value in the second terminal 502, and transmits the random number together with the response message in step S508 ).

The authentication related app of the second terminal 502 generates a signature value by applying the login random value, the hash value of the user identification information, and the user private key transmitted from the service providing server 503 to the signature function, In the registration process, the certificate received from the authentication server is transmitted to the service providing server 403 and the login authentication is requested (S509).

The service providing server 503 performs a verification procedure for checking whether the certificate is issued to the user by the authentication server 504 in cooperation with the authentication server 504 in operation S510, A verification procedure for the received signature value is also performed (S511).

Upon completion of the certificate verification and the signature verification, it is judged that the 2-channel authentication is legitimately performed through the second terminal 502, the first terminal 501 approves the login to the corresponding website, (S512).

At this time, since the service providing server 503 has secured the user information for the first terminal 501 corresponding to the second terminal 502 through certificate and signature verification for the second terminal 502, The terminal 501 can transmit a user ID while providing a web page corresponding to the login.

Accordingly, the first terminal 501 stores the user ID transmitted from the service providing server 503, and also stores the simple identification information for replacing the user ID according to the user selection (S513). By storing at least one of the user ID and the simple identification information in the first terminal 501, the login process using the two-channel authentication method according to the above-described method in FIG. 3 or 4 is performed can do.

6 is a flowchart illustrating another example of the login process using the two-channel authentication method according to an embodiment of the present invention.

Referring to FIG. 6, the first terminal 601 according to an embodiment of the present invention accesses a service providing server 603 and requests a web page for using the service (S601).

The service providing server 603 generates a two-dimensional barcode including a login random value and website identification information (or domain information) for the request of the first terminal 601 (S602), and transmits the generated two- To the first terminal 601 (S603). At this time, a QR (Quick Response) code can be used as a two-dimensional bar code.

The QR code is a two-dimensional bar code in a matrix format that displays information in a black and white grid pattern. It is capable of storing vertical and horizontal information and non-numeric character data, thereby overcoming the capacity limitation of a conventional bar code, to be. According to the embodiment of the present invention, the service providing server 603 can provide the identification information of the website to be used by the user and the login random value through the QR code.

The user recognizes the two-dimensional bar code output on the display unit of the first terminal 601 using the second terminal 602 (S604). To this end, it is assumed that the second terminal 602 includes a camera module for barcode recognition and an associated application capable of reading information stored in the barcode.

The second terminal 602 derives the identification information of the website to which the first terminal 601 accesses and the login random value from the recognized two-dimensional bar code (S605).

Then, the second terminal 602 executes the pre-set 2-channel authentication related application, and accesses the service providing server 603 according to the website identification information derived in the previous step through the 2-channel authentication related application , And transmits the log-in authentication request together with the derived log-in random value and the certificate stored in the second terminal 602 to the service providing server 603 (S606).

The service providing server 603 checks whether or not the login random value received from the second terminal 502 matches the login random value stored in the two-dimensional barcode provided to the first terminal 601 in the previous step S603, And performs a verification procedure on the certificate received from the second terminal 602 in cooperation with the server 604 (S607).

In step S608, the service providing server 603 performs verification of the signature received from the second terminal 602 upon completion of the certificate verification.

Upon completion of the certificate verification and the signature verification, it is judged that the 2-channel authentication is legitimately performed through the second terminal 602. Accordingly, the first terminal 601 approves the login to the corresponding website, (S609).

According to the embodiment of the present invention illustrated in FIG. 6, various information used in a data communication process between a terminal and a server for two-channel authentication is provided to a user through a two-dimensional barcode, thereby simplifying the authentication process can do. In this embodiment, the user performs a two-channel authentication process by a click operation for requesting a login at the first terminal 601 and an operation for scanning a two-dimensional barcode output to the first terminal 601 using the second terminal 602. [ Can be performed.

As described above, if the first embodiment of the present invention proposes a two-channel authentication method using a browser (e.g., a PC browser) in a fixed terminal and an authentication-related app installed in a mobile terminal as a second terminal, In the above-described embodiment, a two-channel authentication method between a mobile browser of a mobile terminal and an authentication related application is proposed.

FIG. 7 is a flowchart illustrating another example of a login process using a two-channel authentication method according to an embodiment of the present invention. It is assumed that the user's mobile terminal illustrated in FIG. 7 utilizes a browsing technology that can access the general web through a mobile browser, that is, a mobile web technology.

Referring to FIG. 7, the mobile browser 711 of the user mobile terminal 710 according to the embodiment of the present invention accesses the service providing server 720 and requests the service providing server 720 to provide a web page for using the service (S701).

The service providing server 720 generates a login random value for the request of the mobile browser 711 and transmits the web page including the random value to the mobile browser 711 (S702).

When the user clicks the login request button included in the mobile web displayed on the mobile browser 711, the 2-channel authentication related application installed in the mobile terminal 710 is automatically executed (S703).

The mobile browser 711 provides the login random value received from the service providing server 720 to the executed 2-channel authentication related application and the web site address information (domain information) accessed by the mobile browser 711 (S704).

Specifically, according to a signal generated when the user clicks the login button in the mobile browser 711, the mobile browser 711 automatically sets parameter values including the application execution and login random value and domain information to 2 And transmits it to the channel authentication related application 712.

The two-channel authentication related app 712 generates a signature value using the login random value transmitted from the mobile browser 711 (S705).

At this time, the signature value is generated by clicking the login approval button on the executed application, unlike the above-described embodiments. The generated signature value is a value obtained by substituting the hash value and the user private key concatenated with the domain information and the login random value, which are the address information of the web site, into the hash function. This is because the 2-channel authentication method is performed when the user connects to the service providing server in an independent session in the mobile terminal, so that the user identification information can be excluded when generating the signature value.

Next, the authentication related application 712 transmits a login authentication request including the certificate and the signature value provided from the authentication server 730 to the service providing server 720 (S706).

The service providing server 720 performs a verification procedure on the certificate transmitted from the mobile terminal 710 in cooperation with the authentication server 730 in step S707 and performs a signature value verification procedure using the user's private key upon completion of the certificate verification (S708).

When the verification of the certificate and the verification of the signature are completed, the 2-channel authentication is legitimately performed through the 2-channel authentication related application 712 of the mobile terminal 710, and the login And provides a web page for using the service (S709).

Accordingly, the user can perform the web site login using the 2-channel authentication method using the mobile browser of the mobile terminal and the 2-channel authentication related app.

The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments of the present invention are not intended to limit the scope of the present invention but to limit the scope of the present invention. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents thereof should be construed as being included in the scope of the present invention.

Claims (15)

A method for authenticating a user according to a service request of a first terminal using a two-channel authentication method,
(a) a service provision server receiving a service provision request from the first terminal;
(b) generating the service identification information according to the service provision request and transmitting the service identification information to the first terminal;
(c) a login random number including at least one of the user ID previously stored in the second terminal and the service identification information received from the service providing server through the 2-channel authentication related application activated in the second terminal, Receiving a value request;
(d) generating a login random value after confirming at least one of the user ID and the service identification information, and transmitting the random value to the second terminal;
(e) receiving, by the service providing server, a login authentication request including at least one of a signature value using the login random value from the second terminal and a certificate issued to the user at the member registration process from the authentication server; And
(f) the service providing server performs verification of the certificate received from the second terminal in cooperation with the authentication server and verification of the signature value, and transmits the web page information corresponding to the login approval to the first terminal Comprising:
The user ID,
When the user requests the member registration with the authentication server using the first terminal or the second terminal, identification information allocated to the user in accordance with a predetermined member registration confirmation and signature verification from the authentication server, And a two-channel authentication method using service identification information. delete The method according to claim 1,
The step (a)
Providing a web page including a button associated with a login request signal from the service providing server to the first terminal; And
Wherein the service providing server automatically receives from the first terminal a service provision request including the user ID previously stored in the first terminal according to a user's input signal for a button associated with the login request signal. 2 - channel authentication method using authentication server and service identification information. The method of claim 3,
The step (b)
And generating the service identification information including a service identification value for identifying a web site provided by the service providing server and a session identification value for a user terminal connected to the service providing server and performing a login request , 2-channel authentication method using authentication server and service identification information. The method according to claim 3 or 4,
The step (b)
Further comprising the step of requesting the authentication server to perform login authentication for the user including at least one of the user ID and the service identification information received from the first terminal by the service providing server, Two - channel authentication method using information. 6. The method of claim 5,
The step (b)
Deriving information about the second terminal from the user information DB constructed based on the user ID in the authentication server; And
Further comprising the step of requesting, by the authentication server, execution of the 2-channel authentication related application including the service identification information using the information related to the second terminal, the authentication server and the 2-channel authentication method using the service identification information . The method according to claim 6,
Wherein the authentication server requests an execution of the 2-channel authentication related application to the second terminal using a push message, the 2-channel authentication method using the authentication server and the service identification information. 5. The method of claim 4,
The step (c)
The service providing server communicating with the second terminal when requesting a connection to the service providing server based on the service identification value included in the service identification information in the 2-channel authentication related application of the second terminal; And
The service providing server automatically receiving a login random value request including the user ID previously stored in the second terminal according to a user input signal for a button associated with a login request signal from the 2-channel authentication related app , 2-channel authentication method using authentication server and service identification information. 5. The method of claim 4,
The step (c)
The service providing server communicating with the second terminal requesting access based on the service identification information input by the user through the 2-channel authentication related application activated by the second terminal by a user input signal; And
And the service providing server receiving a login random value request including at least one of the user ID and the service identification information previously stored in the second terminal from the second terminal, Two-channel authentication method. The method according to claim 1,
The step (a)
Providing a web page including a button associated with a login request signal from the service providing server to the first terminal; And
Wherein the service providing server automatically receives a service provision request from the first terminal according to a user's input signal for a button associated with the login request signal, wherein the authentication server and the two-channel authentication method using the service identification information . 11. The method of claim 10,
The step (b)
Generating a service identification information for identifying a web site provided by the service providing server and a user identification value for identifying a user terminal connected to the service providing server and performing a login request; 2 - channel authentication method using server and service identification information. 11. The method of claim 10,
The step (c)
The service providing server communicating with the second terminal requesting access based on the service identification information input by the user through the 2-channel authentication related application activated by the second terminal by a user input signal; And
And the service providing server receiving a login random value request including at least one of the user ID and the service identification information previously stored in the second terminal from the second terminal, Two-channel authentication method. A method for authenticating a user according to a service request of a mobile terminal using a two-channel authentication method,
(a) a service provision server receiving a service provision request from a mobile browser of the mobile terminal;
(b) generating, by the service providing server, service identification information including a website identification value according to the service provision request and transmitting the service identification information to the mobile browser;
(c) the service providing server includes at least one of a user ID previously stored in the 2-channel authentication-related app through the 2-channel authentication related application activated in the mobile terminal and the service identification information received from the service providing server Receiving a login random value request;
(d) generating a login random value after confirming at least one of the user ID and the service identification information, and transmitting the random value to the 2-channel authentication related app;
(e) receiving, by the service providing server, a login authentication request including at least one of a signature value using the login random value from the 2-channel authentication related app and a certificate issued to the user at the member registration process from the authentication server ; And
(f) the service providing server performs verification of the certificate received from the 2-channel authentication-related app in cooperation with the authentication server and verification of the signature value, and transmits the web page information The method comprising:
The user ID,
When the user requests the member registration with the authentication server using the mobile terminal, the authentication server and the service identification information, which are identification information allocated to the user in accordance with a predetermined member registration verification and signature verification from the authentication server, Two-channel authentication method. delete A system for authenticating a user according to a service request of a first terminal using a two-channel authentication method,
A service providing server for providing a service to the first terminal through a login authentication procedure with a second terminal according to a service request of the first terminal connected through a wire / wireless communication network; And
And an authentication server for performing a user authentication procedure in association with the service providing server for a login authentication request of the second terminal, which is requested through the activated 2-channel authentication related application of the second terminal,
The service providing server includes:
And generates and transmits service identification information including a web site identification value and a session identification value or a service identification information including a user identification value to the first terminal according to a service request of the first terminal, And a signature random number generating unit that generates a random number and transmits the generated random random number to the second terminal, and transmits a random number to the second terminal, Perform verification procedures,
The user ID,
When the user requests the member registration with the authentication server using the first terminal or the second terminal, identification information allocated to the user in accordance with a predetermined member registration confirmation and signature verification from the authentication server, And 2 - channel authentication system using service identification information.

Images