KR102208142B1 - Method and system for issuing and using device certificate based on distributed code - Google Patents

Abstract

Provided is a method for device security which improves the memory space efficiency of a device. The method for device security comprises the steps of: generating a certificate signing request (CSR) based on information received from a device by a relay PC; transmitting the CSR to a certificate authority (CA) server by the relay PC; in response to the CSR, issuing a certificate of the device and transmitting the issued certificate to the relay PC by the CA server; determining location information in the certificate of at least one component by searching for at least one of the components in the certificate by the relay PC; transmitting the location information and the certificate to the device; storing the certificate and the location information by the device; and verifying the integrity of the certificated based on the location information by the device.

Description

How to issue and use a device certificate based on distributed code, and a system for it {METHOD AND SYSTEM FOR ISSUING AND USING DEVICE CERTIFICATE BASED ON DISTRIBUTED CODE}

The present invention relates to device security, and more particularly, to a method of issuing and using a device certificate to prevent duplication, forgery, and tampering of a device, and a system therefor.

The Internet of Things (IoT) is a system connected to the Internet to collect, control, and manage information by mounting sensors and processors on things (eg, devices). The devices that make up the Internet of Things have a very simple sensing function and have a variety of shapes and characteristics, from devices that perform serial communication at the level of SPI (Serial Peripheral Interface) to devices with various sensing functions and high-performance computing capabilities such as smartphones. Have.

In such IoT, it is a very important technology issue to prevent malfunctions or unintended functions due to devices that perform malicious roles. Device authentication and identification are indispensable for enhancing device security in the IoT. A representative embodiment for authentication and identification of an IoT device is a method of using a certificate.

A method and system for distributing a code for issuing and using a device certificate can be provided.

The technical problem to be achieved by this embodiment is not limited to the technical problem as described above, and other technical problems may be inferred from the following embodiments.

A method for security of a device, comprising: generating a CSR (Certificate Signing Request) based on information received from the device by a relay PC, and transmitting the CSR to a CA (Certificate Authority) server by the relay PC, Issuing a certificate of the device in response to the CSR in the CA server and transferring the issued certificate to the relay PC, the relay PC searching for at least one of the components in the certificate, the at least one Determining location information in the certificate of a component, transferring the location information and the certificate to the device, storing the certificate and the location information by the device, and the device being based on the location information Thus, it may include the step of verifying the integrity of the certificate.

The location information includes a memory relative address in the certificate in which the at least one component is recorded, and the verifying the integrity of the certificate includes direct access to an area of the memory based on the memory relative address. It may include the step of reading at least one of the components for verifying.

At least one of the components is owner information of the certificate, and verifying the integrity of the certificate may further include comparing the owner information and identification information of the device.

A device including a memory for storing a certificate, a CA server for issuing the certificate, and a relay for generating a CSR (Certificate Signing Request) based on information received from the device and transmitting the CSR to the CA server Including a PC, wherein the CA server issues the certificate in response to the CSR and delivers the issued certificate to the relay PC, and the relay PC is the location information in which the owner information of the certificate is recorded in the certificate. And the certificate to the device, and the device directly accesses an area of the first memory in the device based on the location information to read the owner information, and the read owner information and identification information of the device The integrity of the certificate is verified by comparing and the location information may include a memory relative address in the certificate in which the owner information is recorded.

The relay PC includes a second memory, and the second memory includes a CSR generation unit in which a software code for generating the CSR is recorded, and a software code for searching for owner information of the certificate from the certificate. It may include a search unit.

By distributing and managing codes for issuing and using device certificates, the efficiency of the memory space of the device can be improved.

1 illustrates a device using a certificate, according to an embodiment.
2 is a diagram illustrating a method of issuing a device certificate and verifying the integrity of the certificate for device security, according to an embodiment.
Fig. 3 shows a system for using a certificate, according to an embodiment.
4 illustrates components (items) in a certificate read from a memory in a device, according to an embodiment.

In the following, some embodiments will be described clearly and in detail with reference to the accompanying drawings so that those with ordinary knowledge in the technical field to which the present invention pertains (hereinafter, ordinary technicians) can easily implement the present invention. will be.

1 illustrates a device using a certificate, according to an embodiment.

The device 1000 may include all or part of an electronic device such as a smart phone, a tablet PC, a mobile device such as a wearable device, an IoT device, a computer, or a home appliance. For example, the device 1000 may be a microcontroller (MCU) mounted on an electronic device.

The relay PC 1200 is a computing device for relaying generation and issuance of certificates of an authentication authority. The relay PC 1200 may relay the issuance of the certificate 1020 of the device 1000. According to an embodiment, the relay PC 1200 may be connected to the device 1000 based on a serial communication method.

The CA (Certificate Authority) server 1400 is a server of a certification authority for issuing a certificate 1020 of the device 1000. According to an embodiment, the CA server 1400 may be a server of a certification authority for generating, issuing, and managing certificates for issuing certificates for each device. The CA server 1400 may be connected to the relay PC 1200 based on a communication network. The communication network may include various wired or wireless networks. For example, the communication network is LTE (Long Term Evolution), WIMAX (Worldwide Interoperability for Microwave Access), GSM (Global System for Mobile communications), CDMA (Code Division Multiple Access), Bluetooth, NFC (Near Field Communication), Wi- At least one of various wireless communication protocols such as Fi (Wireless Fidelity), RFID (Radio Frequency Identification), and/or various wired communication such as TCP/IP (Transfer Control Protocol/Internet Protocol), USB (Universal Serial Bus), Firewire, etc. It can support at least one of the protocols.

Referring to FIG. 1, the device 1000 may include a certificate 1020 in which information for proving that the device 1000 is trusted is recorded. According to an embodiment, the certificate 1020 may include a certificate owner's name (CNID), a public key (PUK), a signature (SIG), a validity period of the certificate 1020, and the like.

The manufacturer of the device 1000 (for example, the manufacturer/manager of the device 1000), which is the subject of the signature generation, provides a certificate 1020 including a signature (SIG) signed with his/her private key (PRK) or secret key. can do. The certificate 1020 may be stored in a region of a memory (eg, flash memory) of the device 1000. Since the issuance of the certificate 1020 follows a hierarchical structure, the signature (SIG) may include a signature of an upper certification authority.

The device 1000 may generate a Certificate Signing Request (CSR) for requesting for issuance of a certificate and transmit it to the relay PC 1200. The relay PC 1200 may transmit the received CSR to the CA server 1400, and the CA server 1400 may issue a certificate 1020 in response to the CSR. The issued certificate 1020 may be transferred to the device 1000 through the relay PC 1200 again. The device 1000 may store the certificate 1020.

The device 1000 may verify the integrity of the certificate 1020. The device 1000 may verify the signature (SIG) by inputting a hash value and a public key (PUK) generated by synthesizing and hashing contents recorded in the certificate 1020 into a digital signature verification algorithm. In addition, by comparing the certificate owner information (CNID) parsed from the certificate 1020 with device identification information (HWID) recorded in the device 1000, it is possible to check whether the device 1000 is forged or altered. The identification information (HWID) of the device for comparison is uniquely assigned to distinguish and identify the device 1000 from other devices, for example, when the device 1000 is manufactured, it is uniquely assigned to the corresponding product model by the manufacturer. It may be a serial number (serial number). The device identification information HWID may be previously recorded by the manufacturer of the device 1000 in one area of the memory of the device 1000.

In this embodiment, in the memory of the device 1000, a software code for generating a CSR and components in the certificate 1020 required to verify the integrity of the certificate 1020 (for example, a public key ( A software code for parsing items such as PUK), certificate hash value (HVAL), owner information (CNID) of the certificate 1020, etc.) must be recorded. The software code for parsing the components is, for example, a code that loads the certificate 1020 into memory (eg, RAM), and recognizes an identifier for each of the components of the certificate from the loaded certificate 1020. It may include a code to structure the certificate 1020 based on the recognized identifier.

Therefore, the memory capacity of the device 1000 must be large enough to accommodate such a software code. However, if the device 1000 is small (for example, an IoT device, an MCU), there is a limit to the capacity of the flash memory, so a method of increasing the memory space efficiency by distributing software codes that occupy a large amount of memory space elsewhere is required. .

2 is a diagram illustrating a method of issuing a device certificate and verifying the integrity of the certificate for device security, according to an embodiment.

In step S2100, the relay PC 1200 receives information for generating a Certificate Signing Request (CSR) from the device 1000, and may generate a CSR based on the received information. For example, the relay PC 1200 receives CSR based on certificate owner information (CNID), public key (PUK), public key algorithm, signature (SIG), signature algorithm, various parameters, etc.) received from the device 1000. Can be created. To this end, a software code for generating a CSR may be recorded in the memory of the relay PC 1200. The software code for generating a CSR may be a code for performing an operation of generating a CSR by recording additional information for issuing a certificate in the received information. In this embodiment, since the software code for generating the CSR is stored in the relay PC 1200 instead of the device 1000, the memory space efficiency of the device 1000 may be improved.

In step S2200, the relay PC 1200 may transmit the generated CSR to the CA server 1400.

In step S2300, the CA server 1400 may issue a certificate corresponding to the CSR in response to the received CSR, and transmit the issued certificate to the relay PC 1200 (S2400).

In step S2500, the relay PC 1200 may determine the location information in the certificate of at least one of the components by searching for at least one of the components in the certificate. For example, the relay PC 1200 may search for the owner information (CNID) of the certificate from the certificate, and determine a location in the certificate where the certificate owner information (CNID) is recorded. The location may be address information (eg, a memory relative address in the certificate) of a memory area in which each component of the certificate is recorded.

The location information may include a memory relative address (or an offset value) in a certificate in which each component of the certificate is recorded. For example, the memory relative address may mean whether the certificate owner information (CNID) is recorded within a number of bytes or from a number of bytes from the start address of a memory area in which the certificate is stored. To this end, the memory of the relay PC 1200 may include a memory in which a software code for searching for at least one of the components in the certificate (for example, certificate owner information (CNID)) and determining location information is recorded. have. Although the description has been made using the certificate owner information (CNID) as an example, components for which location information is determined are not limited thereto. For example, the relay PC 1200 may determine location information in which the signature (SIG) and/or public key (PUK) of the certificate is recorded in addition to the certificate owner information (CNID).

In step S2600, the relay PC 1200 may transmit location information and a certificate to the device 1000.

In operation S2700, the device 1000 may store the certificate and location information received from the relay PC 1200 in a memory in the device. For example, the device 1000 may store the certificate and location information in the flash memory of the device 1000.

In operation S2800, the device 1000 may verify the integrity of the certificate based on the received location information. In order to obtain a component for integrity verification, a memory area of the device 1000 in which a read operation is to be performed may be determined based on location information. In this embodiment, the controller of the device 1000 may determine an address of a memory area in which a read operation is to be performed by adding a memory relative address (or an offset value) to the start position of the memory in which the certificate is recorded. The device 1000 may read necessary components by directly accessing an area of a memory in which components of the certificate are recorded using the location information. For example, the device 1000 is a memory in which the public key (PUK) and/or hash value (HVAL) is recorded without the need to search for the public key (PUK) and/or signature (SIG) in the memory where the certificate is stored. You can directly access the area and read the value recorded in the area. In addition, the device 1000 may directly access an area of the memory in which the certificate owner information (CNID) is recorded without having to search for the certificate owner information (CNID) in the memory in which the certificate is stored and read the value recorded in the corresponding area .

Referring to FIG. 4, the device 1000 may read a component for verifying the integrity of a certificate from a flash memory 4000 composed of 2n pages in the device 1000 based on location information. According to an embodiment, the controller of the device 1000 may access page #2 based on the first location information offset1 and read certificate owner information CNID from page #2. The device 1000 may access page #4 based on the second location information offset2 and read the public key PUK from page #4. The device 1000 may access page #2n-3 based on the third location information offset3 and read the signature SIG from page #2n-3.

The device 1000 may verify the signature (SIG) of the certificate by generating a hash value for the contents of the certificate, and inputting the generated hash value and the read public key (PUK) into the digital signature verification algorithm. The device 1000 may check whether the device 1000 is forged or altered by comparing the read certificate owner information CNID and the device identification information HWID. In this embodiment, the device 1000 is based on a code for loading a certificate into a memory (eg, RAM), a code for recognizing an identifier for each of the components of the certificate from the loaded certificate, and the recognized identifier. The efficiency of memory usage can be improved because the code that structures the certificate does not need to be written to memory. Additionally, since direct access is possible without the need to load and structure a certificate into a memory, the efficiency of memory use can be further improved.

3 shows a system for device security.

Referring to FIG. 3, the system 3000 may include a device 1000, a relay PC 1200, and a CA server 1400.

For the device 1000, the relay PC 1200, and the CA server 1400, the above description with reference to FIGS. 1 and 2 is the device 1000, the relay PC 1200, and the CA server 1400 of FIG. Since it can also be applied to, detailed description is omitted.

The relay PC 1200 may include a CSR generation unit 1220 and a search unit 1240. The CSR generator 1220 may include software code for an operation of generating a CSR. The search unit 1240 may determine location information of at least one of the components in the certificate by searching for at least one of the components in the certificate received from the CA server 1400. For example, the search unit 1240 may include a software code for an operation of searching for owner information CNID using an identifier in the certificate and determining location information of the owner information CNID. The relay PC 1200 may include a memory for recording the CSR generation unit 1220 and the search unit 1240.

Since software codes (CSR generation unit 1220 and search unit 1240), which occupy a relatively large amount of capacity, are recorded in the relay PC 1200 instead of the device 1000, the memory space efficiency of the device 1000 is increased. Ease of design and expandability of the device 1000 may be improved by using the resulting idle memory. This is more effective when the device 1000 is a small size (eg, IoT device, MCU).

The descriptions are intended to provide exemplary configurations and operations for implementing the present invention. The technical idea of the present invention will include not only the embodiments described above, but also implementations that can be obtained by simply changing or modifying the above embodiments. In addition, the technical idea of the present invention will also include implementations that can be achieved by easily changing or modifying the embodiments described above.

Claims (5)

In the method for security of the device,
Generating, by a relay PC, a Certificate Signing Request (CSR) based on information received from the device;
Transmitting, by the relay PC, the CSR to a Certificate Authority (CA) server;
Issuing a certificate of the device in response to the CSR in the CA server and transmitting the issued certificate to the relay PC;
Determining, by the relay PC, the location information of the at least one component in the certificate by searching for at least one of the components in the certificate;
Transferring the location information and the certificate to the device;
Storing, by the device, the certificate and the location information; And
And verifying, by the device, the integrity of the certificate based on the location information. The method of claim 1,
The location information includes a memory relative address in the certificate in which the at least one component is recorded,
The verifying the integrity of the certificate includes reading at least one of the components for verifying the integrity by directly accessing a region of the memory based on the memory relative address. The method of claim 2,
At least one of the components is information on the owner of the certificate,
The verifying the integrity of the certificate further comprises comparing the owner information and identification information of the device. A device including a memory for storing a certificate;
A CA server for issuing the certificate; And
Including a relay PC for generating a CSR (Certificate Signing Request) based on the information received from the device and transmitting the CSR to the CA server,
The CA server issues the certificate in response to the CSR and delivers the issued certificate to the relay PC,
The relay PC transmits the location information and the certificate in which the owner information of the certificate is recorded in the certificate to the device,
The device directly accesses an area of the first memory in the device based on the location information to read the owner information, and verifies the integrity of the certificate by comparing the read owner information with the identification information of the device. and,
The location information includes a memory relative address in the certificate in which the owner information is recorded. The method of claim 4,
The relay PC includes a second memory,
The second memory,
A CSR generator in which a software code for generating the CSR is recorded; And
And a search unit in which a software code for searching for owner information of the certificate from the certificate is recorded.

Images