KR102034970B1 - Method for Providing Non Identification Compatibility Authentication Service - Google Patents

Abstract

According to the method of providing a non-identity compatible authentication service of the present invention, a terminal of a customer having a financial app and a FIDO-linked app is executed through a server provided in a participating agency server and a distributed management center that provide financial services through the financial app. In the method, the non-identifiable compatibility number generated to correspond to the terminal of the customer who wants to use the FIDO service in the server to provide and store the terminal through the participating agency server, the financial service through the financial app Upon authentication using the customer's bio-information, the server receives a transaction text, a transaction text hash value (h), a terminal device ID, an organization code, and a service code from the participating agency server to receive a request for authentication, and the server The time stamp is applied to the transaction text hash value in the transaction server hash value (h ') to which the time stamp is applied. And the authentication request message including a transaction text and a transaction text hash value (h ') applied with a time stamp in the participating institution server, and transmitting the generated authentication request message to the financial app of the terminal. Receives an authentication response including a non-identifiable compatible token, an authentication response message, and an authentication device authentication key ID from the financial app, and stores a result of verifying an electronic signature for the authentication response message, and stores the result from the participating institution server to the server. Request verification for the non-identity compatible number-based non-identity compatible token generated in the FIDO-linked app of the terminal, process the verification for the non-identity compatible number-based non-identity compatible token from the server, and deactivate to the participating agency server. Providing an identification compatible token verification result to transmit a non-identification compatible token verification result response to the financial app of the terminal, In the financial app, the authentication request message is delivered to the FIDO-linked app, and the FIDO-linked app requests the FIDO private key signature for the authentication request message to the authentication device provided in the terminal. Comparing the bio-information stored in the terminal with the bio-information and verifying the sameness; and authenticating the authentication request message with the FIDO private key and passing the authentication response message including the signature value to the FIDO associated app. And extracting the authentication device authentication key ID from the FIDO-linked app and extracting the authentication device authentication key ID with the key to generate a non-identification compatible token, and generating a non-identification-compatible token based on the non-identification compatibility number. And transmitting the identification compatible token, the full certificate, and the authentication device authentication key ID.

Description

Method for Providing Non Identification Compatibility Authentication Service

The present invention is a method of running through a server provided in the participating agency server and the distributed management center to provide a financial service through the financial app to the terminal of the customer having a financial app and FIDO-linked app, the server FIDO The non-identifiable compatibility number generated to correspond to the terminal of the customer who wants to use the service is provided to the terminal through the participating institution server and stored, and the authentication using the bio information of the customer who is provided with the financial service through the financial app When the server receives a transaction text, a transaction text hash value (h), a terminal device ID, an organization code, and a service code from the participating agency server, the server requests a certification message, and the server timestamps the transaction text hash value. Apply and transmit the transaction text hash value (h ') to which the timestamp is applied to the participating institution server, To generate an authentication request message including a timestamp transaction text hash value (h ') and send it to the financial app of the terminal, non-identifiable compatible token from the financial app of the terminal in the participating agency server, authentication response message Receiving an authentication response including an authentication device authentication key ID, storing the result of verifying the electronic signature for the authentication response message, and the non-identity compatible generated in the FIDO-associated app of the terminal from the participating agency server to the server Request verification of a number-based non-identity compatible token, process the verification of the non-identity-compatible number-based non-identity-compatible token at the server, and provide a verification result of the non-identity-compatible token to the participating organization server of the terminal. Sends a non-identified compatible token verification result response to the financial app, and the authentication request message from the financial app of the terminal to the FIDO-linked app. And transmitting the FIDO private key signature for the authentication request message to the authentication device provided in the terminal in the FIDO-linked app and comparing the bio information recognized by the customer in the authentication device with the bio information stored in the terminal. Verifying the identity, and authenticating the authentication request message with the FIDO private key in the authentication device to pass the authentication response message containing the signature value to the FIDO-linked app and the authentication device authentication key ID in the FIDO-linked app. Extract the authentication device authentication key ID with a key to extract the non-identification compatible number, and to generate a non-identification compatible token based on the non-identification compatibility number and the non-identification compatible token, professional, authentication device authentication key ID from the FIDO-linked app to the financial app. It relates to a non-identity compatible authentication service providing method comprising the step of transmitting.

Recently, a variety of ways to authenticate customers on the Internet or mobile have emerged. This authentication method is used in the complex financial transaction process from unlocking the screen or logging in.

Meanwhile, as IDs, passwords, and public certificates used as conventional authentication means are leaked by various types of attacks such as viruses or hacking, authentication technologies using biometric information without fear of loss are increasing. It's a trend.

Fast Identity Online (FIDO) is a standard specification of authentication system that enables authentication through a simple process that is not replaceable by fingerprint recognition, iris recognition, or face recognition instead of ID and password. Through the use of to solve the weaknesses of the existing ID, password system has been improved security.

On the other hand, Republic of Korea Patent Publication No. 10-1611872 (2016.04.12) relates to an authentication method using a FIDO and a certificate, when the user requests a service to the service server through the service terminal, the FIDO authentication server is a user authentication device An authentication method using a FIDO and a certificate for requesting an authentication using the biometric information and transmitting an authentication response to an authentication request to a FIDO authentication server is performed.

However, the security level of each authentication device is different, the higher level of security is required to apply to financial services, etc., and the compatibility between various financial institutions is not properly achieved. New ways of doing things should be sought.

An object of the present invention, in the method of running through a server provided in the participating agency server and the distributed management center to provide a financial service through the financial app to the terminal of the customer having a financial app and FIDO-linked app, the server In the first step to store and provide the non-identification compatible number generated to correspond to the terminal of the customer who wants to use the FIDO service to the terminal through the participating institution server and the customer of the financial service through the financial app In the second step of receiving a transaction text, a transaction text hash value (h), a terminal device ID, an organization code, and a service code from the participating institution server when authentication is performed using the bio-information, and requesting the full text of authentication from the server. Applying a timestamp to the transaction text hash value and transmitting the transaction text hash value h 'to which the time stamp is applied to the participating institution server; A fourth step of generating an authentication request message including a transaction original text and a time stamp applied transaction text (h ') from the participating institution server and transmitting the generated transaction request message to the financial app of the terminal; Receiving the authentication response including the non-identification compatible token, the authentication response message, and the authentication device authentication key ID from the financial app of the fifth step of storing the result of verifying the electronic signature for the authentication response message and at the participating institution server A sixth step of requesting the server to verify the non-identity compatible token based non-identity compatible token generated in the FIDO-linked app of the terminal; and processing the verification of the non-identity compatible number based non-identity compatible token at the server; A non-identified compatible token verification result is provided to the participating agency server, and a non-identified compatible token verification result response is transmitted to the financial app of the terminal. And a fourth step of transmitting the authentication request message from the financial app of the terminal to the FIDO associated app and the FIDO for the authentication request message from the FIDO linked app to the authentication device provided in the terminal. Requesting to sign a private key; and verifying whether the authentication device compares bio information recognized by a customer with bio information stored in the terminal, and digitally signs the authentication request message with a FIDO private key. Pass the authentication response message including the signature value to the FIDO-linked app, extract the authentication device authentication key ID from the FIDO-linked app, extract the authentication device authentication key ID with the key, and identify the non-identification code-based non-identification number. A step of generating an identification compatible token and a non-identification compatible token, professional, and authentication device authentication key ID from the FIDO-linked app to the financial app. To provide a non-identified compatible with the authentication service providing method comprising the step of transmitting to.

The non-identity compatible authentication service providing method according to the present invention is executed through a server provided in a participating agency server and a distributed management center that provide financial services through the financial app to a terminal of a customer having a financial app and a FIDO-linked app. In the method, the first step to provide and store the non-identification compatible number generated to correspond to the terminal of the customer who wants to use the FIDO service in the server to the terminal through the participating institution server and through the financial app When authenticating using bioinformation of a customer receiving a financial service, the server receives a transaction text, a transaction text hash value (h), a terminal device ID, an organization code, and a service code from the participating agency server to request a certification. In the second step and the server, the time stamp is applied to the transaction text hash value and the time stamp is applied to the transaction text hash value h '. A fourth step of transmitting to the participating institution server and a fourth request for generating an authentication request message including a transaction text and a transaction text hash value (h ') to which a timestamp is applied; Storing the result of verifying the electronic signature for the authentication response message by receiving an authentication response including a non-identifiable compatible token, an authentication response message, and an authentication device authentication key ID from the financial app of the terminal at the participating institution server; The fifth step and the sixth step of requesting verification of the non-identity compatible number-based non-identity compatible token generated in the FIDO associated app of the terminal to the server from the participating agency server and the non-identity compatible number-based non-identification in the server; Process the verification of the identification compatible token and provide the verification result of the non-identification compatible token to the participating agency server to decode the financial app of the terminal. And a seventh step of transmitting a response of the mutually compatible token verification result, wherein the fourth step includes transmitting an authentication request message from the financial app of the terminal to the FIDO associated app and the authentication provided to the terminal in the FIDO associated app. Requesting the FIDO private key signature for the authentication request message to the device; and verifying whether the authentication device compares the bio information recognized from the customer with the bio information stored in the terminal and verifies whether the authentication device is the same. Digitally signing the FIDO private key with the signature to send an authentication response message containing the signature value to the FIDO-linked app and extracting the authentication device authentication key ID from the FIDO-linked app to extract the non-identifiable compatibility number from the authentication device authentication key ID as a key. Steps to create a non-identity compatible token based non-identity compatible token and the non-identification code from the FIDO-linked app to the financial app Including the step of transmitting the token to professional authoring apparatus proof key ID is characterized in that formed.

delete

delete

delete

delete

According to the present invention, a method of being executed through a server provided in a distributed management center in conjunction with a participating institution server providing a financial service through the financial app to a terminal of a customer having a financial app and a FIDO-linked app, the FIDO A first step of generating and storing a non-identification compatible number corresponding to a terminal of a customer who wants to use a service; and a second step of storing and generating the generated non-identification compatible number to the terminal through the participating institution server; When authenticating using the bio-information of a customer who receives a financial service through the financial app, a transaction text, a transaction text hash value (h), a terminal device ID, an institution code, and a service code are received from the participating institution server to provide a certification. The participating agency server applies a timestamp to the third step and the transaction text hash value that is requested, and applies the time stamp to the transaction text hash value (h '). The fourth step of transmitting to the fifth step and the non-identification compatible number-based non-identification compatible token generated from the participating agency server to request verification for the non-identity compatible number-based non-identity compatible token generated in the FIDO associated app of the terminal. And a sixth step of processing the verification, and providing a verification result of the non-identity compatible token to the participating agency server to transmit the verification result of the non-identity compatible token to the financial app of the terminal. Generating the authentication request message including a transaction text and a timestamp applied transaction text hash value (h ') from the participating institution server, and transmitting the authentication request message from the participating institution server to the financial app of the terminal. The step of passing the authentication request message to the FIDO associated app in the financial app of the authentication request message to the authentication device provided in the terminal in the FIDO connected app Requesting the FIDO private key signature for the certificate; and verifying whether the authentication device compares the bio-information recognized by the customer with the bio-information stored in the terminal, and verifies whether the authentication device is the same as the FIDO private key for the authentication request message. Passing an electronic signature to send an authentication response message containing a signature value to the FIDO-linked app and extracting the authentication device authentication key ID from the FIDO-linked app and extracting the non-identification compatible number from the authentication device authentication key ID as a key. Creating a number-based non-identifiable token and sending a non-identifiable token, professional, authentication device authentication key ID from the FIDO-linked app to the financial app, and identifying the non-identifiable token from the financial app to the participating server. Sending an authentication response including a response message, the authentication device authentication key ID, and the authentication response message from the participating agency server. And verifying the digital signature on the message to store the result.

On the other hand, in a method of running through a server provided in a distributed management center in conjunction with a server participating in providing financial services through the financial app to the terminal of the customer with a financial app and FIDO-linked app according to the present invention, A first step of generating and storing a non-identification compatible number corresponding to a terminal of a customer who wants to use a FIDO service, and a second step of providing and generating the generated non-identification compatible number to the terminal through the participating institution server; When authenticating using the bio-information of the customer receiving the financial service through the financial app, the authentication text by receiving the transaction text, transaction text hash value (h), terminal device ID, institution code, service code from the participating institution server The third step to receive the request and the time stamp for the transaction text hash value and includes the transaction text and the transaction text hash value (h ') with the time stamp applied. The fourth step of generating an authentication request message and the fifth step of processing the authentication request message to be provided to the terminal through the participating institution server and the non-identifiable compatibility number based non-identification generated in the FIDO associated app of the terminal from the participating institution server. The sixth step of receiving a request for verification of the compatible token and the verification of the non-identity compatible token based on the non-identification compatible number are processed, and the digital signature verification result and the non-identification compatibility to the financial app of the terminal via the participating agency server. And a seventh step of transmitting a token verification result response, wherein the sixth step includes transmitting an authentication request message from the financial app of the terminal to the FIDO linked app and from the FIDO linked app to the authentication device provided in the terminal. Requesting a FIDO private key signature for the authentication request message; Comparing the stored bio-information and verifying the same or not, and digitally signing the authentication request message with the FIDO private key to pass the authentication response message containing the signature value to the FIDO-linked app and the FIDO-linked app. Extracting the authentication device authentication key ID and extracting the authentication device authentication key ID as a key to generate a non-identification compatible token, and to generate a non-identification compatible token based non-identification compatible token and a non-identification compatible token from the FIDO-linked app to the financial app. And transmitting an authentication response including the authentication device authentication key ID and a non-identification compatible token, an authentication response message, and an authentication device authentication key ID from the financial app to the participating agency server. do.

On the other hand, a method of running through a server provided in a distributed management center in conjunction with a server of a participating institution that provides a financial service through the financial app to the terminal of the customer having two or more financial apps and FIDO-linked app according to the invention In the first step of generating and registering a non-identification compatible number corresponding to the terminal of the customer who wants to use the FIDO service, and providing the generated non-identification compatible number to the terminal through a second participating agency server to store it. And a second step in which an authentication request using a non-identifiable compatibility number registered through the second participating institution is confirmed for the financial service provided through the financial app of the first participating institution, and the transaction text and transaction from the first participating institution server. A third step of receiving the original hash value (h), the terminal device ID, the organization code, and the service code to request a compatibility certification message; and the terminal device ID, the organization code, and the service And the fourth step of checking whether the second participating organization is registered or not, and applying the time stamp to the transaction text hash value (h) and including the transaction text and the transaction text hash value (h ') to which the time stamp is applied. The fifth step of generating an authentication request message and the sixth step of processing the authentication request message to be provided to the terminal through the first participant server and the non-identifiable compatibility generated in the FIDO associated app of the terminal from the first participant server A seventh step of receiving a request for verification of the number-based non-identity-compatible token and an eighth step of processing verification of the non-identity-compatible number-based non-identification-compatible token, wherein the eighth step includes: Verifying and storing the result and verifying the authentication response message electronic signature, storing the result, and verifying the signature verification result through the first participating institution server to the financial app of the first participating institution. Characterized in that it comprises the step of transmitting.

On the other hand, a method of running through a server provided in a distributed management center in conjunction with a server of a participating institution that provides a financial service through the financial app to the terminal of the customer having two or more financial apps and FIDO-linked app according to the invention In the present invention, a non-identification compatible number corresponding to a terminal of a customer who wants to use a FIDO service is generated and registered, and the generated non-identification compatibility number is provided to the terminal through an n (n> 0) participating agency server and stored. In the first step and the authentication using the bio-information of the customer receiving the financial service through the financial app of the first participating institution, the transaction text, the transaction text hash value (h) from the first participating agency server, the terminal device Receive the ID, agency code, and service code for the second step of requesting the certification text, and apply the timestamp to the transaction text hash value and apply the time stamp to the transaction text hash value (h ') The third step of processing to be transmitted to the financial app of the first participant through the first participant server and from the first participant server non-identification compatible number based non-identification generated in the FIDO linked app of the terminal A fourth step of receiving a request for verification of the compatible token and a fifth step of processing verification of the non-identification compatible token based on the non-identification compatibility number, and requesting further authentication through the second participating organization of the customer, (1) Receive a transaction text, a transaction text hash value (h), a terminal device ID, an organization code, and a service code from a participating agency server to query the sixth step of requesting a full-text authentication certificate; and query the terminal device ID, organization code, and service code. Step 7 of checking whether the second participating organization is registered and the transaction text hash value (h) are time stamped, and the transaction text and time stamp applied transaction text hash value (h) In the FIDO associated app of the terminal from the ninth step and the first participant server to process the eighth step of generating a compatible authentication request message and a compatible authentication request message to be provided to the terminal through the first participating institution server; A tenth step of receiving a request for verification of the generated non-identity compatible number-based non-identity compatible token, and an eleventh step of processing verification of the non-identity compatibility number-based non-identity compatible token; and the eighth step, Sending a compatibility authentication request message to the financial app of the first participant; and sending a compatibility authentication request message to the FIDO connection app through the financial app of the second participant from the financial app of the first participant; App by the FIDO private key signature for the authentication request message from the app to the authentication device and the bio-information is recognized through the device and the bio-stored in the terminal Comparing the information and the recognized bio-information to verify whether the same and the authentication device to the authentication request message to the authentication request message containing the signature value signed with the FIDO private key and the FIDO-linked app and the FIDO-linked app Extracting the authentication device authentication key ID from the authentication device authentication key ID to extract the non-identification compatible number with the key and the non-identification compatibility number-based non-identification compatible token in the FIDO-linked app, the financial app of the first participating organization And passing the signature value (h´) and the non-identified compatible token to the first participating authority server via the step 11, wherein the eleventh step includes verifying the non-identified compatible token and storing the result and authenticating the response. Verifying the message digital signature and storing the result; and transmitting the signature verification result to the financial app of the first participating institution via the first participating institution server. It characterized by comprising.

According to the present invention, when there are a plurality of non-identifiable interchange numbers registered in the process of performing bio certification for the use of the customer's financial service, by using the authentication result of another financial institution, the security of the bio information authentication process There is an advantage to increase.

In addition, according to the present invention, the non-identification confirmation token generated based on the non-identification compatibility number performs the OTP function for each authentication point generated at the time of delivering the authentication result, thereby having the advantage of preventing the nonrepudiation of authentication.

1 is a diagram illustrating a configuration of a PIDO compatible authentication service providing system according to an exemplary embodiment of the present invention.
2 to 4 are views illustrating a process of generating and storing a non-identity compatible number through FIDO registration according to an embodiment of the present invention.
5 to 6 are diagrams illustrating a FIDO authentication process according to an embodiment of the present invention.
7 to 8 are diagrams illustrating a FIDO authentication process according to another embodiment of the present invention.
9 to 10 are diagrams illustrating a FIDO compatible authentication process according to an embodiment of the present invention.
11 to 14 are diagrams illustrating a FIDO cross authentication process according to an embodiment of the present invention.
15 to 17 illustrate a FIDO login authentication process according to an embodiment of the present invention.

Hereinafter, with reference to the accompanying drawings and description will be described in detail the operating principle of the preferred embodiment of the present invention. However, the drawings and the following description shown below are for the preferred method among various methods for effectively explaining the features of the present invention, the present invention is not limited only to the drawings and description below.

In addition, in the following description of the present invention, if it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted. Terms to be described later are terms defined in consideration of functions in the present invention, which may vary according to intentions or customs of users or operators. Therefore, the definition should be made based on the contents throughout the present invention.

As a result, the technical spirit of the present invention is determined by the claims, and the following examples are one means for efficiently explaining the technical spirit of the present invention to those skilled in the art to which the present invention pertains. It is only.

1 is a diagram showing the configuration of a PIDO compatible authentication service providing system according to an embodiment of the present invention.

In more detail, Figure 1 is to issue and store a non-identifiable compatibility number for a terminal (eg, a smartphone) in which the customer's bio information is stored, when using the terminal 145, the non-identifiable compatibility number is used. For the fido compatible authentication service providing system to enhance the security and safety of the FIDO method for processing a transaction to verify the bio-certification result value of the terminal 145, and to enable compatible authentication between financial institutions that process the transaction As a simple configuration, a person of ordinary skill in the art to which the present invention pertains may refer to and / or modify the drawing 1 to infer various implementation methods for the configuration of a system for providing a PAIDO compatible authentication service. However, the present invention includes all the implementation methods inferred above, and the technical features are only shown by the implementation method shown in FIG. Jing is not limited.

Referring to FIG. 1, the PIDO compatible authentication service providing system interworks with a plurality of participating institution servers, and registers the FIDO through any one participating institution server in the terminal 145 in which the bio information of the customer is stored. Distributed management center for issuing and storing non-identification compatible numbers for), and enabling authentication for customers using financial services based on the non-identification compatible numbers and compatible authentication between participating agency servers that provide financial services. 100 and one or more participating agency servers providing a financial app for providing a financial service to the terminal 145 and registering FIDO with the distributed management center 100 according to a request of the terminal 145 ( 120. 130), and the financial app provided by one or more participating agency servers are installed, FIDO compatible authentication service through the FIDO connection app 150 provided by the distributed management center 100 The customer requesting the lock held can comprise the terminal 145.

In order to use the FIDO compatible authentication service according to the present invention, the terminal 145 of the customer has a financial app provided from at least one participating institution server, and the FIDO linked app 150 provided from the distributed management center 100. ).

In addition, the terminal 145 is provided with a FIDO client for processing a FIDO message and a FIDO authentication device for managing the customer's bio-certification and FIDO authentication key.

The financial app is an app installed in the terminal 145 to provide a financial service through the participating institution server.

The FIDO app 150 stores and manages the message relay and the non-identification compatible number with the financial app and the FIDO client installed on the terminal 145, and generates a non-identification compatible token based on the non-identification compatible number. Can be.

Here, the non-identity compatible number may include an organization code, a service code, an authentication technology code, a registration method code, a random number value, and the like, and include a compatible authentication or cross authentication through a FIDO compatible authentication service according to the present invention. Can be used for authentication relaying and prevention of visibility.

The non-identity compatible token may perform an OTP role with a token generated by using the non-identity compatibility number as a seed.

*

Participating organization server means a financial service provider that holds customer's personal information, financial account, and financial transaction information, and is a server provided in the financial service provider, and may be configured with business servers 125 and 135. In some cases, the FIDO server 140 may be further provided.

Work servers 125 and 135 may be in charge of the FIDO service linkage process with the distributed management center 100.

The FIDO server 140 may be provided in a participating organization that is building a development FIDO service and may process an internal FIDO message.

*

Referring to FIG. 1, in the case of the A participant agency server 120, only the work server 125 is configured, and in this case, the financial app and the distributed management center of the client's terminal 145 are servers provided in the joint FIDO user organization. Message relaying can be handled between 100.

B participant agency server 130 is composed of a work server 135 and the FIDO server 140, in this case, the server provided in the individual FIDO user organizations to issue a non-identifiable compatibility number during the FIDO registration process FIDO In the authentication process, the non-identified compatible token verification may be requested to the distributed management center 100.

Referring to FIG. 1, a channel server 105, a FIDO connection server 110, and a common FIDO server 115 may be configured.

The channel server 105, the distributed management center 100 may perform a professional transmission and reception between the participating agency server (work server) and the FIDO connection server.

The FIDO connection server 110 may perform the FIDO service connection processing inside the distributed management center 100.

The joint FIDO server 115 may perform FIDO message processing inside the distributed management center 100.

Through the FIDO registration process of FIGS. 2 to 3 and the FIDO authentication process of FIGS. 4 to 8, the channel server 105 constituting the distributed management center 100, the FIDO connection server 110, and the common FIDO server ( 115 will be described in more detail.

2 is a diagram illustrating a process of generating and storing a non-identity compatible number through FIDO registration according to an embodiment of the present invention.

In more detail, Figure 2 is a process of performing the FIDO registration through the participating agency server in the terminal 145 of the customer, the financial app and the FIDO associated app is installed, the terminal 145 to request the FIDO registration through the financial app, The registration full text is requested to the distributed management center through the participating agency server, and the registration full text is generated through the distributed management center 100 and transmitted to the financial app of the terminal 145 through the participating agency server. Those skilled in the art to which the present invention pertains may refer to various embodiments of the process of generating and storing a non-identity compatible number through FIDO registration by referring to and / or modifying the drawing 2, The present invention includes all the implementation methods inferred, and the technical features are not limited only to the implementation method shown in FIG.

Referring to FIG. 2, the process of generating and storing a non-identification compatible number through the FIDO registration shown may be started from a process in which the financial app and the FIDO-linked app 150 are installed on the terminal 145 of the customer ( 200).

After the financial app and the FIDO associated app 150 is installed on the terminal 145, if the financial app is a new subscription customer operated by Participant A, perform a member registration through the financial app, and perform a non-face-to-face real name verification procedure. Perform 205.

The non-face-to-face real name verification procedure may utilize the financial app or a separate non-face-to-face name verification app for the policy of the participating institutions.

When the non-face-to-face real name verification procedure is performed, the financial app of the terminal 145 transmits the real name verification result to the participating institution server 120 to share the real name verification result (210).

Then, the participating agency server 120 generates a registration inquiry query key (for example, a resident registration number hash value) based on the real name verification result (215), and transmits the generated registration registration query key to the distributed management center and shares it ( 220).

Then, when the customer first requests FIDO registration through the financial app of the terminal (225), the financial app transmits the financial app ID, the terminal ID, etc. to the participating institution server 120 and requests the registration full (230).

* Participation agency server 120 requests the full registration to the distributed management center 100 (235), at this time the terminal ID received from the financial app and the organization code stored in the participating agency server, service code, real name verification process The generation method can be transmitted to the distributed management center (100).

Here, the institution code uses a joint code managed by a distributed management center as a participant organization code, and may be configured by a bank, securities, card, insurance, etc. classification criteria.

The service code can be divided into services according to the policy of participating organizations when operating multiple services in participating organizations.

The registration method code is a code for distinguishing the identification method according to the policy of the participating organization. The registration method code may be composed of classification criteria such as general registration, security registration, non-face real name verification registration, and face-to-face registration. Authentication strength code can be given.

The FIDO connection server 110 of the distributed management center 100 provides a registration full request from the participating institution server 120 to the joint FIDO server 115, and the joint FIDO server 115 generates a registration full text (240). ) Transfers to FIDO connection server 110.

The FIDO connection server 110 responds to the registration text to the participating institution server (245), and the participating organization server responds to the registration text to the financial app (250).

3 is a diagram illustrating a process of generating and storing a non-identity compatible number through FIDO registration according to an embodiment of the present invention.

In more detail, in FIG. 3, after the process of FIG. 2, the registration full text is received by the financial app of the terminal 145, and the recognition and identification of the bio information of the customer is performed through the authentication device of the terminal 145. The key pair is generated, the FIDO public key and the registration request message are digitally signed with the authentication device authentication key, and the digital signature value and authentication device authentication key ID are transmitted to the participating agency server through the FIDO-linked app and the financial app to register. As one of ordinary skill in the art to which the present invention pertains, various implementation methods for a process of generating and storing a non-identity compatible number through FIDO registration by referring to and / or modifying the drawing 3 will be inferred. As will be appreciated, the present invention includes all implementation methods inferred, and the technical features are not limited only to the implementation method shown in FIG.

Referring to FIG. 3, if a registration message is received from the participating agency server through the process of FIG. 2 as the financial app of the terminal 145, the financial app may be started from the process of delivering the registration message received through the FIDO-linked app. (300).

When the registration message is delivered, the FIDO connection app 150 generates a one-time key pair for the non-identity compatible number and the authentication device authentication key ID encryption (305), and injects the disposable public key into the registration request message (310).

Then, the FIDO connection app 150 requests the FIDO key pair generation to the authentication device and transmits a registration request message (315).

When the authentication device of the terminal 145 receives a registration request message from the FIDO connection app 150, the authentication device recognizes the bio information of the customer and compares the recognized bio information with the bio information previously stored in the terminal 145 to determine whether the identity is the same. Verify (320).

If the identity is verified, the authentication device generates a key pair (FIDO public key and FIDO private key) and digitally signs the FIDO public key and registration request message with the authentication device authentication key managed by the authentication device (325).

The authentication device transmits an electronic signature value (FIDO public key, registration request message) and authentication device authentication key ID to the financial app via the FIDO-associated app (330).

Here, the authentication device authentication key ID is a unique value for each device including a manufacturer and a device number, and may be used when inquiring a non-identification compatible number.

The financial app requests registration by transmitting a FIDO message including an electronic signature value (FIDO public key, registration request message) and authentication device authentication key ID to the participating institution server (335), and the participating institution server is distributed management center (100). Request for registration by delivering the full FIDO ().

4 is a diagram illustrating a process of generating and storing a non-identity compatible number through FIDO registration according to an embodiment of the present invention.

In more detail, Figure 4 shows that after the FIDO full text is delivered to the distributed management center 100 through the process of Figure 3, registration is requested, the non-identifiable compatibility number is generated in the distributed management center 100 to participate in the server. As shown in the process to transmit to the terminal 145 to be stored, if you have a general knowledge in the technical field to which the present invention belongs, non-identifiable compatibility number through the FIDO registration by referring to and / or modified in Figure 4 It will be possible to infer various implementation methods for the process of generating and storing the present invention, but the present invention includes all the implementation methods inferred, the technical features are not limited only to the implementation method shown in FIG.

Referring to FIG. 4, after the FIDO message is delivered to the distributed management center 100 through the process of FIG. 3 and registered is requested, the authentication apparatus is managed by the common FIDO server 115 of the distributed management center 100. The key may be started from the process of verifying the digital signature value included in the FIDO text with a key (400).

If the digital signature value is verified, the joint FIDO server 115 registers the FIDO information and transmits a registration request message including the disposable public key to the FIDO connection server 110 (405).

Then, the FIDO connection server 110 generates a non-identification compatible number and stores it in association with the authentication device authentication key ID value (410).

Here, the non-identity compatible number is an information system used for additional functions for authentication relaying and security enhancement such as compatibility authentication or cross-certification, and may include an organization code, a service code, an authentication technology code, a registration method code, and a random number value. .

When the non-identification compatible number is generated, the FIDO connection server 110 encrypts the non-identification compatibility number and the authentication device authentication key ID under management with a one-time public key (415), and transmits a registration response including the encrypted data to the participating institution server. (420).

The participating agency server transmits the registration response including the encrypted data to the financial app of the terminal 145 (425), and the financial app transmits the registration response to the FIDO linked app 150 (430).

Thereafter, the FIDO associated app 150 decrypts the data encrypted with the one-time public key (435), stores the non-identifiable compatibility number and authentication device authentication key ID (440), and then transmits the registration result to the financial app (445). ), The FIDO registration process is terminated.

5 to 8 illustrate a process of performing authentication using the FIDO information registered through the process of FIGS. 2 to 4 in a process in which a customer performs a financial service through a financial app of a participating institution server. Particularly, FIGS. 5 to 6 illustrate a process in which authentication is performed when the participating institution server 130 includes the FIDO server 140 itself, and FIGS. 7 to 8 illustrate that the participating institution server 120 performs the FIDO. When the common FIDO server 115 of the distributed management center 100 is used without the server 140 itself, the process of performing authentication is illustrated.

5 is a diagram illustrating a FIDO authentication process according to an embodiment of the present invention.

In more detail, Figure 5 is a process of requesting a financial service through a financial app after the FIDO registration process is successfully performed through the process of Figures 2 to 4 is stored in the terminal 145, the non-identifiable compatibility number The process of performing authentication using the FIDO information registered in the present invention. Those skilled in the art to which the present invention pertains may refer to and / or modify this drawing to modify the FIDO server 140 by itself. It will be possible to infer various implementation methods for the process of the authentication is performed through the participating institution server 130 provided with, but the present invention is made to include all the implementation methods inferred, shown in Figure 5 The technical features are not limited only by the method.

Referring to FIG. 5, a customer who installs a financial app provided by a participating participant in a terminal 145 may request a financial service through a financial app, and may start from a process of selecting bio certification among authentication means (500). ).

The financial app receives the terminal ID from the FIDO linked app 150 (505), and transmits the terminal ID, the transaction text to the participating institution server 130 to request the full text authentication (510).

Participating organization's work server 135 extracts the hash of the transaction text (h = hash (transaction text)) (515), to the distributed management center 100 the transaction text, transaction text hash value, smartphone device ID, institution Request the non-repudiation message by sending the code, service code (520).

When the non-repudiation message is requested from the participating institution server 130, the FIDO connection server 110 of the distributed management center 100 checks the terminal ID, the institution code, and the service code to confirm registration of the participating institution B (525). In step 530, the time stamp is applied to the transaction text hash value (h '= hash (h, timestamp, nonce)).

In addition, the FIDO connection server 110 transmits a transaction text hash value h ′ to which the time stamp is applied to the participating institution server 130 to respond to a non-repudiation request (535).

The business server 135 of the participating institution server 130 transmits the non-repudiation message to the FIDO server 140 of the participating organization (540), and the FIDO server 140 authenticates the request message including the original text, h´. Create 545.

In addition, the FIDO server 140 transmits the generated authentication request message to the financial app of the terminal 145 via the work server 135 (550).

The financial app transmits an authentication request message to the FIDO-linked app 150 (555), and the FIDO-linked app 150 requests the FIDO private key signature for the authentication request message to the authentication device (560).

6 is a diagram illustrating a FIDO authentication process according to an embodiment of the present invention.

In more detail, FIG. 6 illustrates a process in which authentication is performed when the participating agency server 130 has its own FIDO server 140 following the process of FIG. 5, and in the technical field to which the present invention pertains. Those skilled in the art may infer various implementation methods for a process in which authentication is performed through the participating agency server 130 having its own FIDO server 140 by referring to and / or modifying the drawing. Although there will be, the present invention includes all the implementation methods inferred, and the technical features are not limited only to the implementation method shown in FIG.

Referring to FIG. 6, when the FIDO private key signature is requested for the authentication request message from the FIDO-linked app 150 of the terminal 145 to the authentication apparatus through the process of FIG. 5, the authentication apparatus is connected to the terminal 145. The bio information (fingerprint, iris, vein, etc.) may be recognized and the bio information stored in the terminal 145 may be commenced by comparing the recognized bio information with the recognized bio information (600).

If the identity is verified, the authentication device digitally signs the authentication request message with the FIDO private key (605), and transmits the full text including the electronic signature value to the FIDO associated app 150 (610).

The FIDO association app extracts the authentication device authentication key ID to extract the non-identification compatibility number using the authentication device authentication key ID as a key (615), and generates a non-identification compatible token based on the extracted non-identification compatibility number (620).

When the non-identified compatible token is generated, the FIDO associated app 150 transmits the non-identified compatible token, professional, and authentication device authentication key ID to the financial app (625), and the financial app is non-identified to the participating institution server 130. An authentication response including a token, an authentication request message, and an authentication device authentication key ID is transmitted (630).

Participating organization's work server 135 transmits an authentication response including an unidentified compatible token, an authentication request message, and an authentication device authentication key ID to the FIDO server 140 (635), and the FIDO server 140 sends an authentication request message. The electronic signature is verified and the verification result is stored (640).

Thereafter, the FIDO server 140 transmits the signature verification result to the work server 135 (645), and the work server 135 requests verification of the non-identity compatible token to the distributed management center 100 (650).

After the FIDO associated server 110 of the distributed management center 100 verifies the non-identity compatible token and stores the result (655), it is compatible with the financial app of the terminal 145 via the participating institution server 130. By responding the token verification result (660), the FIDO authentication process for the participant server 130 having its own FIDO server 140 is terminated.

7 is a diagram illustrating a FIDO authentication process according to another embodiment of the present invention.

In more detail, Figure 7 is a process that the FIDO registration process is successfully performed through the process of Figures 2 to 4 after the non-identifiable compatibility number is stored in the terminal 145, the customer requests a financial service through the financial app The process of performing authentication using the FIDO information registered in the present invention. Those skilled in the art to which the present invention pertains may refer to and / or modify the present invention to modify the FIDO server 140 by itself. In the case of the participating institution server 130 using the common FIDO server 115 of the distributed management center without having to be able to infer various implementation methods for the process of the authentication is performed, the present invention is all inferred implementation It is made, including the method, the technical features are not limited only to the implementation method shown in FIG.

Referring to FIG. 7, a customer who installs a financial app provided by a participating organization in a terminal 145 may request a financial service through a financial app and select a bio certification among authentication means (700). ).

The financial app receives the terminal ID from the FIDO connection app 150 (705), and transmits the terminal ID, the transaction text to the participating institution server 120 to request a full text authentication (710).

Participating organization's work server 125 extracts the hash of the transaction text (h = hash (transaction text)) (715), the transaction management text to the distributed management center 100, transaction text hash value, smartphone device ID, institution Code, the service code is transmitted to request the full authentication (720).

The FIDO connection server 110 of the distributed management center 100 checks the registration of the participating participants by querying the terminal ID, the institution code, and the service code (725), and applies a timestamp to the transaction text hash value (h) ´ = hash (h, timestamp, nonce)) (730).

In addition, the FIDO connection server 110 transmits the transaction text hash value h 'to which the time stamp is applied to the joint FIDO server 115 to request the full text of authentication (735).

The joint FIDO server 115 generates an authentication request message including the transaction text, h '(740), and transmits an authentication request message including the transaction text, h' to the FIDO connection server 110 (745).

The FIDO connection server 110 transmits an authentication request message including a transaction original, h ′ to the financial app of the terminal 145 through the participating institution server 120 (750).

Thereafter, the financial app transmits an authentication request message to the FIDO linked app 150 (755), and the FIDO linked app 150 requests the FIDO private key signature for the authentication request message to the authentication device (760).

8 is a diagram illustrating a FIDO authentication process according to another embodiment of the present invention.

More specifically, FIG. 8 is a case where the participating agency server 120 does not have its own FIDO server 140 and uses the common FIDO server 115 of the distributed management center 100 following the process of FIG. 7. As an illustration of a process in which authentication is performed, those skilled in the art to which the present invention pertains may refer to and / or modify this drawing 8 to participate in a server that does not have its own FIDO server 140. In the case of 120, various implementation methods for the process of authentication may be inferred, but the present invention includes all the implementation methods inferred above, and the technical features thereof are only shown in the implementation method shown in FIG. It is not limited.

Referring to FIG. 8, when the FIDO private key signature is requested for the authentication request message from the FIDO-linked app 150 of the terminal 145 to the authentication apparatus through the process of FIG. 5, the authentication apparatus is connected to the terminal 145. Recognizing bioinformation (fingerprint, iris, vein, etc.) and comparing the bioinformation previously stored in the terminal 145 with the recognized bioinformation may be started from the process of verifying whether the same (800).

If the identity is verified, the authentication apparatus digitally signs the authentication request message with the FIDO private key (805), and transmits the full text including the electronic signature value to the FIDO associated app 150 (810).

The FIDO association app extracts the authentication device authentication key ID to extract the non-identification compatibility number using the authentication device authentication key ID as a key (815), and generates a non-identification compatibility token based on the extracted non-identification compatibility number (820).

When the non-identified compatible token is generated, the FIDO associated app 150 transmits the non-identified compatible token, the professional, the authentication device authentication key ID to the financial app (825), and the financial app is distributed and managed through the participating institution server 120. The authentication response including the non-identification compatible token, the authentication request message, and the authentication device authentication key ID is transmitted to the center 100 (830).

The FIDO connection server 110 of the distributed management center 100 verifies the non-identity compatible token and stores the result (835), and transmits an authentication response to the joint FIDO server 115 (840).

The joint FIDO server 115 verifies the authentication response message digital signature and stores the result (845), and passes the signature verification result to the FIDO connection server 110 (850).

Thereafter, the FIDO connection server 110 responds to the verification result by the financial app of the terminal 145 via the participating institution server 120 (855), the participating organization server (FIDO server 140 does not have its own) ( In the case of 120), the FIDO authentication process is terminated.

9 is a diagram illustrating a FIDO compatibility authentication process according to an embodiment of the present invention.

In more detail, Figure 9 shows that the FIDO registration process is successfully performed through the process of Figures 2 to 4 after the non-identification compatible number is stored in the terminal 145, the customer through the financial app of Participant A financial services When the customer is a sensor-on-unregistered customer of the participating participant A in the process of requesting, showing a process of performing authentication by relaying the authentication result value of the participating participant C, which is a sensor-on-registration registrar, the technology to which the present invention pertains. Those skilled in the art may refer to and / or modify this drawing 9 to infer various implementation methods for the process of performing certification according to the use of financial services by an unregistered institution in connection with a sensor-on registrar. However, the present invention includes all the implementation methods inferred, and the technical features are not limited only to the implementation method shown in FIG. .

Referring to FIG. 9, the illustrated embodiment may be started from a process in which a customer requests an account transfer to a participating participant B through a financial app operated by a participating participant A (900).

At this time, the customer can enter the withdrawal account (participating agency A), the transfer amount, the deposit account (participating institution B) through the A financial app.

When a bank transfer request is requested, the A-Financial App requests a list of non-identifiable compatibility numbers stored as the FIDO-linked app 150 (905), and the FIDO-linked App 150 sends the following non-identifiable-compatible number list to the A-Financial App. (910).

Non-identification compatibility number 1 (C participating institution): bank, fingerprint, face-to-face verification

<Institution code (001-100), authentication technology code (100), registration method code (face registration? 04)>

Non-identification compatibility number 2 (D participating organization): Real name verification using securities companies, irises, accredited certificates and security cards

<Institution code 201-299, authentication technology code 104, registration method code (security registration? 02)>

Non-identification compatibility number 3 (E participating organizations): card company, fingerprint, mobile phone simple authentication Real name verification

<Institution code (301-399), authentication technology code (100), registration method code (general registration? 01)>

Non-identification compatibility number 4 (F participating organizations): insurance company, finger vein, non-face-to-face name verification app

<Institution code (401-499), authentication technology code (102), registration method code (non-face name verification? 03)>

* General Registration: Real-time name verification without restriction on SMS, PIN, etc.

* Security registration: Real name verification using two or more of public certificate, non-identification compatible token, security card, and ARS

<Example of non-identifiable compatibility number list>

Thereafter, the A-financial app checks the list of non-identifiable compatibility numbers and then displays the non-identifiable compatibility numbers that match the policies of the participating institutions to the customer and requests the selection of an authentication user organization (915).

For example, if Participant A has a standard for the recognition strength of the registration method code at the time of account transfer (requires the strength of security registration or higher), the non-identification compatibility numbers 1, 2, and 4 can be shown to the customer.

If the customer chooses to use the C participant bio-certification (920), the A-financial app requests the full certification certification to the A-participating institution server (925), wherein the A-financial app is a smartphone received from the FIDO linked app 150 The terminal ID, authentication device authentication key ID, authority code, service code, transaction text is sent to the A participating agency server (120).

Participant A server 120 extracts the hash of the transaction text (h = hash (transaction text)) (930), and requests the full compatibility authentication to the FIDO connection server (935). At this time, the participating A server transfers the smartphone terminal ID, the authentication device authentication key ID, the organization code, the service code, and the hash value (h) to the FIDO connection server 110.

The FIDO connection server 110 checks the registration of the participating C organizations by inquiring the terminal ID, the institution code, and the service code (940), and combines a timestamp with respect to the original transaction hash value (h) (h´ = hash ( h, timestamp, nonce)) (945).

In addition, the FIDO connection server 110 generates a compatibility authentication request message including a time stamp combined transaction text hash value (h ′) (950), and via the A participating agency server 120 to the A financial app. The compatibility authentication request message is transmitted (955).

10 is a diagram illustrating a FIDO compatibility authentication process according to an embodiment of the present invention.

In more detail, FIG. 10 illustrates a Participation Authority server 120 including a compatibility authentication request message including a transaction text hash value h ′ combined with a time stamp in the FIDO connection server 110 through the process of FIG. 9. FIDO compatible authentication process after the process of transmitting to the A financial app via, if the person having ordinary knowledge in the technical field to which the present invention belongs, and with reference to the Figure 10 and / or modified sensor on the registration authority It can be inferred various implementation methods for the process of performing the authentication according to the use of the financial services of the non-registered institution in connection, but the present invention includes all the implementation methods inferred, the implementation method shown in Figure 10 The technical features are not limited only.

Referring to FIG. 10, the illustrated embodiment shows a compatible authentication request message including a transaction text hash value h ′ combined with a time stamp in the FIDO connection server 110 in the process of FIG. 9. After transmitting to the A financial app via the 120, the A financial app may be initiated from the process of delivering a compatibility authentication request message to the FIDO associated app 150 through the C financial app (1000).

The FIDO connection app 150 requests the FIDO private key signature for the authentication request message from the C authentication device (1005), the authentication device recognizes the bio information (fingerprint, iris, etc.) through the device and writes to the terminal 145. The stored bio information and the recognized bio information are compared to verify whether they are the same (1010).

Thereafter, the authentication device signs 1015 the FIDO private key with respect to the authentication request message, and transmits an authentication response message including the signature value to the FIDO associated app 150 (1020).

The FIDO connection app 150 extracts the authentication device authentication key ID to extract the non-identification compatible number using the authentication device authentication key ID as a key (1025), and generates a non-identification compatible token based on the extracted non-identification compatibility number. (1030).

FIDO associated app 150 transmits the signature value and non-identifiable compatible token to A financial app (1035), A financial app is signed value to the FIDO associated server 110 via the A participating agency server 120 (h And (1040).

The FIDO connection server 110 verifies the non-identity compatible token, stores the result, and transmits an authentication response to the joint FIDO server 115 (1045).

The joint FIDO server 115 verifies the authentication response message digital signature (h ') and stores the result (1050), and then transmits the signature verification result to the FIDO connection server 110 (1055).

The FIDO connection server 110 responds to the verification result with the A financial app via the A participating agency server 120, thereby completing the FIDO compatible authentication process according to the present embodiment (1060).

11 is a diagram illustrating a FIDO cross certification process according to an embodiment of the present invention.

In more detail, Figure 11 is a registration customer of Participating Institution B who wants to use financial services after the FIDO registration process is successfully performed through the processes of FIGS. If additional authentication is required for security enhancement in major financial transactions, after authentication of the service user agency (participating agency B), the certification is relayed by relaying the compatibility certification result of the sensor warmer registration agency (participant A). To illustrate the process, those of ordinary skill in the art to which the present invention pertains, various implementation methods for the process of performing additional authentication in conjunction with the sensor on registrar 11 by referring to and / or modified in this drawing 11 It may be inferred, but the present invention includes all the implementation methods inferred above, and the technical features are only limited to the implementation method shown in FIG. Not determined

Referring to FIG. 11, the illustrated embodiment may be started from a process of selecting a bio-certification among authentication means after a customer requests a financial service provided by a B-financial app operated by a participating participant B (1100).

The B financial app receives the smartphone terminal ID from the FIDO linked app (1105), and sends a terminal ID and a transaction text to the server B participating in the request for authentication (1110).

Participant B server extracts the hash of the transaction text (h = hash) (1115), and transmits the transaction text, transaction text hash value, smartphone device ID, institution code, and service code to the FIDO connection server. Request a non-repudiation text (1120).

The FIDO connection server 110 checks the registration of the participating participant B by inquiring the terminal ID, the institution code, and the service code (1125), and applies a timestamp to the transaction text hash value (h´ = hash (h, timestamp). , nonce)) (1130).

Then, the FIDO connection server 110 responds (h´) to the non-repudiation professional request to the work server 135 of the participating participant B (1135),

The business server 135 of the B participating organization transmits the non-repudiation message to the FIDO server 140 of the B participating institution (1140).

The FIDO server 140 generates an authentication request message including the transaction text, h '(1145), and transmits the authentication request message to the B financial app via the business server 135 of the B participating organization (1150).

Then, the B financial app delivers an authentication request message to the FIDO associated app 150 (1155).

12 is a diagram illustrating a FIDO cross certification process according to an embodiment of the present invention.

In more detail, Figure 12 illustrates the FIDO cross-certification process after the authentication request message is transmitted from the B financial app to the FIDO-linked app 150 through the process of Figure 11, in the technical field to which the present invention belongs Those skilled in the art will be able to infer various implementation methods for the process of performing additional authentication in connection with the sensor-on registrars by referring to and / or modifying the drawing 12, but the present invention is inferred by all It is made, including the method, the technical features are not limited only to the implementation method shown in FIG.

Referring to FIG. 12, the illustrated embodiment shows an authentication request message from the FIDO linked app 150 to the authentication device after the authentication request message is transmitted from the B financial app to the FIDO linked app 150 through the process of FIG. 11. It may be initiated from the process of requesting a FIDO private key signature for (1200).

The authentication device recognizes the bio information (fingerprint, iris, etc.) through the device and compares the bio information stored in the terminal with the recognized bio information to verify whether it is the same (1205), and the digital signature with the FIDO private key for the authentication request message. In operation 1215, the full text including the signature value is transmitted to the FIDO connection app 150 (1215).

The FIDO associated app 150 extracts the authentication device authentication key ID to extract the non-identification compatible number with the authentication device authentication key ID (1220), and generates a non-identification compatible token based on the non-identification compatibility number (1225). The B financial app transmits a non-identifiable compatible token, professional, and authentication device ID key (1230).

The B financial app transmits an authentication response including a non-identifiable compatible token, an authentication request message, and an authentication device authentication key ID to the FIDO server 140 of the B participating institution via the work server 135 of the B participating agency (1235). ),

The FIDO server 140 verifies the authentication response message electronic signature (transaction text, h '), stores the result (1240), and transmits the signature verification result to the work server 135 (1245).

The work server 135 requests verification of the non-identity compatible token to the FIDO-associated server 110 (1250), verifies the non-identity-compatible token from the FIDO-associated server 110 (1255), and participates in the B participating organization. Through the server, the B financial app responds with the verification result of the non-identity compatible token (1260).

13 is a diagram illustrating a FIDO cross certification process according to an embodiment of the present invention.

In more detail, in FIG. 13, after verifying the non-identifiable compatible token in the FIDO-associated server 110 through the process of FIG. 12, the non-identifiable compatible token verification result is returned to the B financial app via the B participating agency server. Figure FIDO cross-certification process, if those of ordinary skill in the art to which the present invention belongs, various modifications to the process of performing additional authentication in conjunction with the sensor-on registration agencies by referring to and / or modified in Figure 13 Although the implementation method may be inferred, the present invention includes all the implementation methods inferred above, and the technical features are not limited only to the implementation method shown in FIG.

Referring to FIG. 13, the illustrated embodiment verifies the non-identifiable compatible token in the FIDO-associated server 110 through the process of FIG. 12 to verify the non-identifiable compatible token verification result with the B financial app via the B participating agency server. After the response, the B financial app may be started from the process of requesting a list of non-identifiable compatibility numbers stored in the FIDO associated app 150 (1300).

FIDO-linked app 150 sends a list of non-identifiable compatible numbers to the B financial app (1305), B financial app checks the list of non-identifiable compatible numbers, and then look up the non-identifiable compatible numbers according to the B Participant Policy Show and request the selection of the authentication user (1310).

Subsequently, if the customer chooses to use the A participant bio-certification, B financial app is a smartphone terminal ID, authentication device authentication key ID, institution code, service code, transaction text received from the FIDO associated app 150 as the B participant server Send the request for a compatible certification full text (1315).

B participating agency server extracts the hash of the transaction text (h = hash (transaction text)) (1320), the FIDO connection server 110 to the smartphone terminal ID, authentication device authentication key ID, institution code, service code, hash The value (h) is transmitted to request a compatible certification message (1325).

The FIDO connection server 110 checks whether the A participating organization is registered by inquiring a terminal ID, an institution code, and a service code (1330), and combines a timestamp with respect to the original transaction hash value (h´ = hash (h, timestamp, nonce)) (1335).

Thereafter, the FIDO connection server 110 generates a compatibility authentication request message including h ′ (1340), and transmits a compatibility authentication request message to the B financial app via the B participating agency server (1345).

The B financial app transmits a compatibility authentication request message to the A financial app (1350), and the A financial app transmits a compatibility authentication request message to the FIDO-linked app 150 (1355).

14 is a diagram illustrating a FIDO cross certification process according to an embodiment of the present invention.

In more detail, Figure 14 illustrates the FIDO cross-certification process after a compatibility authentication request message is transmitted from the A-Financial App to the FIDO-linked app 150 through the process of Figure 13, in the technical field to which the present invention belongs. Those skilled in the art may refer to and / or modify this drawing 14 to infer various implementation methods for the process of performing additional authentication in connection with the sensor-on registrars. It is made, including the implementation method, the technical features are not limited only to the implementation method shown in FIG.

Referring to FIG. 14, the illustrated embodiment is a certification authentication request from the FIDO linked app 150 after the compatibility authentication request message is transmitted from the A financial app to the FIDO linked app 150 through the process of FIG. 13. It may be initiated from the process of requesting a FIDO private key signature for the request message (1400).

The authentication apparatus recognizes bio information (fingerprint, iris, etc.) through the device and verifies whether the bio information (fingerprint, iris, etc.) is identical by comparing the bio information stored in the terminal with the recognized bio information (1405).

The authentication device signs the authentication request message with the FIDO private key (1410) and delivers an authentication response message including the signature value to the FIDO associated app (1415).

FIDO associated app 150 extracts the authentication device authentication key ID to extract the non-identification compatible number with the authentication device authentication key ID (1420), after generating a non-identification compatible number based non-identification compatible token (1425), The B financial app delivers the signature value (h´) and the non-identifiable compatible token (1430).

The B financial app delivers the signature value and the non-identifiable compatible token to the FIDO associated server 110 via the B participating agency server 130 (1435), and the FIDO associated server 110 verifies the non-identifiable compatible token result. After storing, the authentication response is transmitted to the common FIDO server 115 (1440).

The joint FIDO server 115 verifies the authentication response message digital signature (h '), stores the result (1445), and transmits the signature verification result to the FIDO connection server 110 (1450).

Thereafter, the FIDO connection server 110 responds to the verification result with the B financial app via the B participating agency server 130 (1455), and the FIDO cross authentication process according to the embodiment of the present invention is completed.

15 is a diagram illustrating a FIDO login authentication process according to an embodiment of the present invention.

In more detail, Figure 15 shows that after the FIDO registration process is successfully performed through the processes of Figures 2 to 4, and the non-identification compatibility number is stored in the terminal 145, the account information for the non-financial company that is not registered bio information is generated. And an authentication process for logging in, a person having ordinary knowledge in the technical field to which the present invention belongs, FIDO login authentication process for a non-financial company with no bioinformation by referring to and / or modifying this drawing 15. Various implementation methods may be inferred, but the present invention includes all the implementation methods inferred above, and the technical features are not limited to the implementation method illustrated in FIG.

Referring to FIG. 15, the illustrated embodiment may be started from a process of requesting a login (first login request) to the D-distributor app after the customer registers the bio information with the participating participant A (1500).

When the D distributor app requests a list of non-identifiable compatibility numbers to the FIDO associated app 150 (1505), the FIDO associated app 150 transmits a list of non-identified compatible numbers to the D distributor company (1510). At this time, check whether there is a non-identification compatible number generated when registering A participating organization.

The D distributor company app requests a compatible certification full text to the FIDO connection server 110 via the D distributor server (1515).

The FIDO connection server 110 generates a compatibility authentication request message (1520) and transmits a compatibility authentication request message to the D distributor company app via the D distributor company (1525).

The D distributor company app transmits a compatibility authentication request message to the A-financial app (1530), and sends a compatibility authentication request message to the FIDO-linked app from the A-financial app (1535).

Then, the FIDO connection app 150 requests the FIDO private key signature for the authentication request message to the authentication device (1540), the authentication device recognizes the bio information (fingerprint, iris, etc.) through the device and the bio-stored in the terminal The information is verified by comparing the information with the recognized bioinformation (1545).

The authentication device signs the compatible authentication request message with the FIDO private key and passes the compatible authentication response message containing the signature value to the FIDO-linked app 150 (1550), and the FIDO-linked app 150 sends the authentication device authentication key ID. The non-identification compatible number is extracted using the authentication device authentication key as a key (1555).

16 is a diagram illustrating a FIDO login authentication process according to an embodiment of the present invention.

More specifically, FIG. 16 extracts the authentication device authentication key ID from the FIDO associated app 150 through the process of FIG. 15 and extracts the non-identification compatibility number using the authentication device authentication key as a key. The authentication process for account creation and login is illustrated. If a person having ordinary knowledge in the technical field to which the present invention belongs, the FIDO login for a non-financial company with no bioinformation is made by referring to and / or modifying this drawing 16. Various implementation methods for the authentication process may be inferred, but the present invention includes all the implementation methods inferred above, and the technical features are not limited to the implementation method shown in FIG.

Referring to FIG. 16, the illustrated embodiment extracts an authentication device authentication key ID from the FIDO associated app 150 through the process of FIG. 15, and extracts a non-identification compatible number using the authentication device authentication key as a key. In step 150, it may be started from the process of transmitting the non-identity compatible number and the authentication response to the A financial app (1600).

Thereafter, the A financial app delivers the non-identifiable compatibility number and authentication response to the A participating institution server (1605), and the A participating institution server queries the bioinformation registration data having the same non-identifiable compatibility number from the DB (1610). If it is confirmed that the customer has already been registered in the A participating institution, the inquiry result and the authentication response are transmitted to the FIDO connection server 110 (1615).

The FIDO connection server 110 transmits the authentication response to the joint FIDO server 115 (1620), the joint FIDO server 115 stores the result by verifying the authentication response message electronic signature (1625), and the FIDO connection server ( In step 1630, the signature verification result is transmitted.

Upon completion of verification, the FIDO connection server 110 requests the real name verification information (name, address, date of birth, etc.) from the A participating institution server (1635), and receives the real name identification information from the A participating institution server (1640). Provide real name identification information (name, address, date of birth, etc.) to the server (1645).

17 is a diagram illustrating a FIDO login authentication process according to an embodiment of the present invention.

In more detail, Figure 17 illustrates the creation of an account for a non-financial company after the process of providing real name identification information (name, address, date of birth, etc.) from the FIDO connection server 110 to the D distributor server through the process of Figure 16. The authentication process for login is illustrated, and a person having ordinary knowledge in the technical field to which the present invention pertains refers to the FIDO login authentication process for a non-financial company in which bio information is not registered by referring to and / or modifying the drawing 17. Various implementation methods may be inferred, but the present invention includes all the implementation methods inferred, and the technical features are not limited to the implementation method shown in FIG.

Referring to FIG. 17, the illustrated embodiment provides real name identification information (name, address, date of birth, etc.) from the FIDO connection server 110 to the D distributor server through the process of FIG. Based on the transmitted real name verification information (name, address, date of birth, etc.) may be started from the process of creating a customer member account (1700).

For example, D-distributor assigns a unique but unidentifiable local ID to the customer only once upon initial login and confirms that the customer agrees to federate the account with Participant A. The local ID can be matched 1: 1, and the customer receives the bio information registration result and authentication success message generated by Participant A based on the real name confirmation information provided when registering the bio information of Participant A. Can be used as information for verification. Thereafter, a separate member registration process for identifying a customer and a distributor member service including electronic payment may be available without a corresponding company login procedure.

The D-distributor server in which the account is created makes a login request to the customer (1705), and the D-distributor app requests a compatible certification message to the FIDO-associated server 110 via the D-distributor server (1710).

The FIDO connection server 110 generates a compatibility authentication request message (1715), and transmits a compatibility authentication request message to the D distributor company app via the D distributor company (1720).

The D distribution app delivers a compatibility authentication request message to the FIDO linked app 150 through the A financial app (1725), and the FIDO linked app 150 requests the FIDO private key signature for the authentication request message to the authentication device ( 1730).

The authentication device recognizes the bio information (fingerprint, iris, etc.) through the device and compares the bio information stored in the terminal with the recognized bio information to verify whether it is the same (1735), and signs a FIDO private key for the compatibility authentication request message. In step 1740, the compatible authentication response message including the signature value is transmitted to the FIDO associated app 150.

The FIDO connection app 150 transmits the signature value to the joint FIDO server 115 via the D distributor company and the FIDO connection server 110 (1745), and the joint FIDO server 115 verifies the signature value (1750). ).

In addition, the joint FIDO server 115 transmits the verification result to the D distributor server via the FIDO connection server 110 (1755), and the D distributor server inquires the distributor Local ID matching the A participating organization bioinformation registration information. Accept the login to the account (1760).

100: distributed management center 105: channel server
110: FIDO connection server 115: common FIDO server
120: A participating agency server 125: Work server (A participating agency)
130: Participating agency B 135: Business server (participant B)
140: FIDO server 145: customer terminal
150: FIDO linked app 155: D distributor company server

Claims (3)

In the method of running through a server provided in the participating agency server and the distributed management center to provide a financial service through the financial app to the terminal of the customer with a financial app and FIDO-linked app,
A first step of providing and storing the non-identification compatible number generated to correspond to the terminal of the customer who wants to use the FIDO service in the server to the terminal through the participating agency server;
When authenticating using bioinformation of a customer who receives a financial service through the financial app, the server receives a transaction text, a transaction text hash value (h), a terminal device ID, an institution code, and a service code from the participating institution server. A second step of receiving a request for full certification;
A third step of applying a time stamp to the transaction text hash value at the server and transmitting the transaction text hash value h 'to which the time stamp is applied to the participating institution server;
A fourth step of generating, at the participating server, an authentication request message including a transaction text and a transaction text hash value (h ') to which a time stamp is applied, and transmitting the authentication request message to the financial app of the terminal;
A fifth storing the result of verifying the electronic signature for the authentication response message by receiving an authentication response including the non-identification compatible token, the authentication response message, and the authentication device authentication key ID from the financial app of the terminal in the participating institution server; step;
A sixth step of requesting, from the participating institution server, the server to verify the non-identity compatible number-based non-identity compatible token generated in the FIDO-associated app of the terminal; And
The server processes the verification of the non-identity compatible number-based non-identity compatible token, and provides a verification result of the non-identity compatible token to the participating agency server to transmit the verification result of the non-identity compatible token to the financial app of the terminal. To include; seventh step;
The fourth step,
Transmitting an authentication request message to the FIDO associated app in the financial app of the terminal;
Requesting the FIDO private key signature for the authentication request message from the FIDO-associated app to the authentication device provided in the terminal;
Comparing the bio information recognized by the customer with the bio information previously stored in the terminal to verify whether the authentication device is the same;
Digitally signing the authentication request message with the FIDO private key in the authentication device to deliver an authentication response message including the signature value to the FIDO-associated app;
Extracting the authentication device authentication key ID from the FIDO-associated app and extracting the authentication device authentication key ID from the non-identification compatible number to generate a non-identification compatibility number based non-identification compatible token;
And transmitting the non-identified compatible token, full text, and authentication device authentication key ID from the FIDO-linked app to the financial app.



delete delete

Images