KR102406388B1 - A method and an apparatus for master key management based on sharing algorithms for block chain transactions - Google Patents

Abstract

An operating method of a user terminal providing a transaction management service through a block chain network according to an embodiment of the present invention includes: receiving query information including user identification information transmitted from a service providing apparatus; registering a master key of a user wallet account used for the transaction management service in the user terminal based on response information input from the user terminal in response to the query information; generating a plurality of secret keys capable of restoring the master key by using a number of secret keys greater than or equal to a threshold according to distributed sharing secret key processing corresponding to the master key; encrypting a first secret key or a second secret key among the plurality of secret keys with a service providing device key issued by the service providing device; and selectively applying a preset cryptographic algorithm and cryptographic element among the plurality of secret keys, delivering the second group of encrypted secret keys to the service providing device, and transferring the encrypted secret keys of the third group to a key management server and distributing and managing the secret key by delivering it to

Description

Distributed sharing algorithm-based encryption key management method for block chain transaction and terminal device processing the same

The present invention relates to a key management method and a terminal device for processing the same. More specifically, the present invention relates to a distributed sharing algorithm-based encryption key management method for block chain transactions and a terminal device for processing the same.

In general, blockchain uses a peer-to-peer (P2P) network as one of the distributed databases. Distributed database is a technology that allows multiple users to share a large-scale database by physically distributing data. Blockchain creates a peer-to-peer network of cryptocurrency users connected to the Internet.

Through this, transaction details (blocks) of virtual currency are stored in the user's computer. Among them, transaction details that match the data of the majority of users are verified as normal ledgers and stored in blocks. If errors such as omissions are found in a specific user's ledger, it is corrected by duplicating the normal ledger and replacing it.

When a block containing new transaction details is created, the process of appending it to the back of the previous block is repeated. The name blockchain also means that transaction details (blocks) are linked. When trading, each user's transaction history is compared. Through this, the authenticity of transaction details can be identified, preventing data forgery. The security stability of the blockchain increases as more users share data. In addition to Bitcoin, blockchain is being used for various online services such as cloud computing services.

Asset information such as cryptocurrency formed by such block chain technology is irreversibly stored by the data of a majority of users, thus ensuring asset transparency and reliability.

However, only one encryption key for blockchain asset transactions is assigned to each wallet account, and the encryption key is a key used for each transaction. There is this.

In addition, if there is a service server that brokers asset information transactions, unintentional damage to encryption key data may occur due to hacking in the input/output process of the service server, service interruption, or natural disaster, etc. If not, there is a problem in that the entire cryptocurrency asset of the wallet account has no choice but to be treated as a loss.

To solve this problem, methods of backing up encryption key data locally or through an external cloud as a separate method have been proposed. Security maintenance and encryption key restoration stability are not significantly improved.

The present invention has been devised to solve the above problems, and it distributes and manages encryption key data used in block chain-based cryptocurrency transactions in a plurality of devices based on a distributed sharing algorithm, and when the encryption key is lost or damaged Provides a distributed sharing algorithm-based encryption key management method for block chain transactions that can safely and quickly restore encryption keys quickly and easily using distributed managed encryption key data without leakage of personal information, and a terminal device that processes the same It is intended to

In a method for operating a user terminal that provides a transaction management service through a block chain network according to an embodiment of the present invention for solving the above problems, the query information including the user identification information transmitted from the service providing device is received. to do; registering a master key of a user wallet account used for the transaction management service in the user terminal based on response information input from the user terminal in response to the query information; generating a plurality of secret keys capable of restoring the master key by using a number of secret keys greater than or equal to a threshold according to distributed sharing secret key processing corresponding to the master key; encrypting a first secret key or a second secret key among the plurality of secret keys with a service providing device key issued by the service providing device; and selectively applying a preset cryptographic algorithm and cryptographic element among the plurality of secret keys, delivering the second group of encrypted secret keys to the service providing device, and transferring the encrypted secret keys of the third group to a key management server and distributing and managing the secret key by delivering it to

A user terminal device that provides a transaction management service through a block chain network according to an embodiment of the present invention for solving the above problems receives query information including user identification information transmitted from the service providing device, a master key information management unit for registering a master key of a user wallet account used for the transaction management service in the user terminal based on response information input from the user terminal in response to the query information; and according to the distributed sharing secret key processing corresponding to the master key, a plurality of secret keys capable of restoring the master key by using a number of secret keys greater than or equal to a threshold value are generated, and a first secret key or a first secret key among the plurality of secret keys 2 The secret key is encrypted with the service providing device key issued by the service providing device, and a preset encryption algorithm and encryption element among the plurality of secret keys are selectively applied to provide the service with the encrypted second group of secret keys and a secret key data management unit that transmits to the device and distributes and manages the secret key by transferring the encrypted third group secret keys to the key management server.

In addition, the method according to an embodiment of the present invention for solving the above problems may be implemented as a computer program stored in a computer-readable recording medium to execute the method in a computer.

According to an embodiment of the present invention, encryption key data used for block chain-based cryptocurrency transactions are distributed and managed in a plurality of devices based on a distributed sharing algorithm, and without separate personal information leakage when the encryption key is lost or data is damaged, It is possible to provide a method for managing an encryption key based on a distributed sharing algorithm for a block chain transaction that enables a secure restoration of an encryption key quickly and easily using distributed managed encryption key data, and a terminal device for processing the same.

1 is a conceptual diagram schematically illustrating an entire system of the present invention.
2 is a block diagram illustrating in more detail an apparatus for providing a service and a terminal apparatus according to an embodiment of the present invention.
3 is a block diagram illustrating in more detail a distributed sharing-based encryption key processing unit according to an embodiment of the present invention.
4 is a flowchart illustrating a distributed sharing algorithm-based encryption key management method according to an embodiment of the present invention.
5 is a diagram for explaining distributed encryption key data according to an embodiment of the present invention.
6 is a flowchart illustrating a master key restoration process according to an embodiment of the present invention.
7 is a flowchart illustrating a distributed sharing algorithm-based encryption key management method according to another embodiment of the present invention.
8 is a diagram for explaining distributed encryption key data according to another embodiment of the present invention.
9 to 13 are flowcharts for explaining a key recovery process according to another embodiment of the present invention.

The following is merely illustrative of the principles of the invention. Therefore, those skilled in the art will be able to devise various devices that, although not explicitly described or shown herein, embody the principles of the present invention and are included within the spirit and scope of the present invention. Further, it is to be understood that all conditional terms and examples listed herein are, in principle, expressly intended solely for the purpose of enabling the concept of the present invention to be understood, and not limited to the specifically enumerated embodiments and states as such. should be

Moreover, it is to be understood that all detailed description reciting the principles, aspects, and embodiments of the invention, as well as specific embodiments, are intended to cover structural and functional equivalents of such matters. It should also be understood that such equivalents include not only currently known equivalents, but also equivalents developed in the future, i.e., all devices invented to perform the same function, regardless of structure.

Thus, for example, the block diagrams herein are to be understood as representing conceptual views of illustrative circuitry embodying the principles of the invention. Similarly, all flowcharts, state transition diagrams, pseudo code, etc. may be tangibly embodied on computer-readable media and be understood to represent various processes performed by a computer or processor, whether or not a computer or processor is explicitly shown. should be

In addition, the clear use of terms presented as processor, control, or similar concepts should not be construed as exclusively referring to hardware having the ability to execute software, and without limitation, digital signal processor (DSP) hardware, ROM for storing software. It should be understood to implicitly include (ROM), RAM (RAM) and non-volatile memory. Other common hardware may also be included.

The above objects, features and advantages will become more apparent through the following detailed description in relation to the accompanying drawings, and accordingly, those of ordinary skill in the art to which the present invention pertains can easily implement the technical idea of the present invention. There will be. In addition, in the description of the present invention, if it is determined that a detailed description of a known technology related to the present invention may unnecessarily obscure the gist of the present invention, the detailed description thereof will be omitted.

Hereinafter, a preferred embodiment according to the present invention will be described in detail with reference to the accompanying drawings.

1 is a diagram schematically illustrating an entire system according to an embodiment of the present invention.

First, as shown in FIG. 1, the block chain network system 1000 according to an embodiment of the present invention may be composed of a block chain mesh network formed by one or more node terminals connected by wire or wirelessly through a network. have. And, among the node terminals, a service providing apparatus 100 that provides a transaction service based on a block chain network according to an embodiment of the present invention and an encryption key management service based on a distributed sharing algorithm, and one receiving a service according to service registration The above user terminal 200 may be included.

In addition, each node terminal including the service providing apparatus 100 and one or more user terminals 200 may be connected to a block chain network through an input/output device and exchange data. To this end, each node terminal includes a mobile device such as a mobile phone, a smart phone, a PDA, a tablet computer, and a laptop computer, a computing device such as a personal computer, a tablet computer, and a netbook, or an electronic product such as a television, a smart television, or a security device for gate control. and various electronic systems.

In addition, each node terminal including the service providing apparatus 100 and one or more user terminals 200 may include a communication module for accessing the block chain network. The blockchain network may be implemented as a wired network, such as, for example, a local area network (LAN), a wide area network (WAN), or a value added network (VAN). In addition, the block chain network is a mobile radio communication network, satellite communication network, Bluetooth (Bluetooth), Wibro (Wireless Broadband Internet), HSDPA (High Speed Downlink Packet Access), Wi-Fi (Wi-Fi), LTE (Long Term) Evolution) can be implemented in all kinds of wireless networks. If necessary, the block chain network may be a network in which wired and wireless are mixed.

In addition, each node terminal including the service providing apparatus 100 and one or more user terminals 200 may register account information according to its own node access to transaction book data shared through a network in a cloud manner. And, when a transaction of encrypted information for generating a block chain is required, each trader terminal may propagate the transaction information to be recorded in the transaction book data to each trader terminal.

And, according to the mutual verification process corresponding thereto, for example, when approval from node terminals of a certain ratio or more is processed, the transaction book data is updated and the information is shared, so that the transaction of encryption information for creating a block chain is performed can be processed.

Here, the transaction ledger data is a block chain ( block chain) data can be linked.

Accordingly, verification of forgery or falsification of the transaction book data can be easily processed according to the verification of the hash value of the block chain. To this end, each trader terminal may provide computing power for performing calculation and verification processing for calculating the hash value of the next block, and may obtain a corresponding reward.

The security stability of such a block chain can be formed by the system participation of data-sharing sharers. Accordingly, transaction information blocks including details of sharing between each sharer terminal connected to the block chain network and encryption information issuance/transaction details for creating a block chain can be sequentially stored, and for preventing forgery Transaction verification (proof-of-work) processing for sequentially block-chaining hash values can be performed distributedly in each trader terminal.

For such transaction verification processing, various distributed consensus algorithms may be used, and representative examples thereof include Proof-of-Work (PoW), Proof-of-Stake (PoS), and the like. Proof-of-Work (PoW, Proof-of-Work) is exemplified as a method of suppressing fraud by proving that resources (ex. computing power, etc.) To enable proof in proportion to the stake, PoS provides a process to control the probability of creating a block in proportion to the stake of the token each node has.

And, according to an embodiment of the present invention, the service providing apparatus 100 is a node terminal participating in a block chain network for asset transaction of cryptocurrency, or receives and processes data from one or more node terminals connected to the block chain network It may be a device that provides the service data to the user terminal 200 .

The service providing apparatus 100 processes a transaction process using a block chain wallet account corresponding to the user terminal 200 based on the user identification information and encryption key information of the user terminal 200 registered in advance, and processes The result information may be provided to the user terminal 200 .

In addition, the user terminal 200 may provide a payment or confirmation service of cryptocurrency to the wallet account of the user terminal 200 by processing cryptocurrency transaction information performed through a block chain through transaction information processing. .

In addition, the user terminal 200 may monitor transaction block information corresponding to a cryptocurrency transaction by interworking with the service providing device 100 , and may identify abnormal transaction information based on the monitored information, and corresponding A service process for processing an appropriate asset theft prevention process may be executed, and execution result information may be provided to the user terminal 200 .

Accordingly, the service providing apparatus 100 and the user terminal 200 interworking therewith according to an embodiment of the present invention can provide a secure restoration process according to the loss of the encryption key through a distributed management service of the encryption key. Furthermore, it not only detects the occurrence of abnormal block chain transactions due to an attacker's hacking attempt in advance, but also promptly prevents theft through transfer to the safe asset wallet account before the block approval by consensus is completed and returns it to the user. By doing so, it is possible to provide a secure blockchain-based asset transaction service that can be returned through follow-up measures even if a transaction block is generated due to an attacker's takeover.

In particular, the service providing apparatus 100 performs a distributed sharing-based encryption key management service based on the encryption key distribution data received from the user terminal 200, and distributed management of encryption key data of a block chain wallet account according to the management service. And, the recovery process according to the request of the user terminal 200 can be performed without separately reading personal information.

To this end, the user terminal 200 according to an embodiment of the present invention obtains distributed data of encryption key data managed from the service providing apparatus 100, and in response to the obtained distributed data, to the user terminal 200 By performing the master encryption key restoration process using hash data of the user personalization information input in advance, the encryption key can be restored, which will be described in more detail later.

Here, the service functions of the service providing apparatus 100 and the user terminal 200 according to an embodiment of the present invention may be implemented in one service device, but one or more function sets of each component such as a service agent It can be modularized and implemented as a software development kit (SDK), and the SDK is installed on various software platforms on which the SDK can be installed, so that each modular service function can be implemented by the function of each block chain node terminal.

In addition, the configuration and operations of the user terminal 200 and the service providing apparatus 100 according to an embodiment of the present invention will be described in more detail with reference to the following drawings.

2 is a block diagram illustrating in more detail a user terminal and a service providing apparatus according to an embodiment of the present invention.

Referring to FIG. 2 , the user terminal 200 according to an embodiment of the present invention includes a user information registration unit 210 , a transaction information processing unit 220 , a monitoring interface unit 230 , and a distributed sharing-based encryption key processing unit 270 . The service providing device 100 includes an encryption key distributed data management unit 139 for providing an encryption key management service interlocked with the distributed sharing-based encryption key processing unit 270, and identifies, stores and It may include an identification unit 131, a storage unit 132, and a transmission unit 133 for transmitting information to the monitoring interface unit 230, and at least one for collecting necessary information according to the characteristics of each block chain network. Monitoring information collection units (134, 135, 136, 137, 138) may be selectively included.

The user information registration unit 210 acquires, stores and manages user information of the user terminal 200 for providing a transaction service and an encryption key management service according to an embodiment of the present invention.

Here, the user information includes at least one of user identification information of the user terminal 200, node information, device-specific information, use block chain network information, user authentication information, transaction authentication information, and user personalization information corresponding to the encryption key. can

Here, the user identification information may include identification information pre-registered in the service providing device 100 for service use, and in response to the user identification information, the device-specific information, use block chain network information, identity authentication information, At least one of the user personalization information corresponding to the transaction authentication information and the encryption key may be matched and stored and managed. In addition, the user information may be obtained through a question-and-answer method and used as authentication information. To this end, the user terminal 200 may transmit input information on the user information related query information provided by the service providing apparatus 100 to the service providing apparatus 100 . The user terminal 200 may manage response information matching preset user information-related query information and check whether the user's input information corresponds to the response information.

The device-specific information may be a unique value that can uniquely identify the user terminal 200 , for example, a UDID value allocated during the manufacturing of the terminal, etc. may be exemplified. The node information may include node identification information for identifying a user node on a block chain network, and network address information may be exemplified.

In addition, the information of the blockchain network used can be used to determine the provision of appropriate transaction services, account and block takeover prevention, and notification processing according to the type and characteristics of the blockchain.

In addition, the user authentication information and transaction authentication information may include user authentication information (KYC, Know Your Customer) for performing a distributed sharing-based encryption key processing process, and first, it is necessary to create a transaction block or return a transaction block. It can be used as an authentication method in case the user loses the return key from the secure asset wallet account.

In addition, the user personalized information corresponding to the encryption key may be hashed and stored and managed in the user terminal 200, and encryption of the distributed sharing-based encryption key processing unit 270 according to an embodiment of the present invention It can be used for key distribution data generation and restoration process.

The transaction information processing unit 220 may process a registered cryptocurrency asset transaction according to user information registration. Here, the transaction information processing unit may set preferential transaction information, and the preferential transaction is a block chain network that processes registered cryptocurrency asset transactions according to user information registration, when the preferential transaction conditions corresponding to duplicate transactions are preset can operate on

For example, a blockchain network that supports token transactions using Ethereum or ERC-20 can request approval of other transactions corresponding to the same wallet as a priority transaction before the time when the proof-of-work consensus algorithm is completed.

Here, the conditions for the preferential transaction to be pre-processed in response to the existing abnormal transaction block may be different for each block chain network, but a method of allocating a higher transaction fee in general may be exemplified. In this case, it is preferable that the transaction fee of the priority transaction block according to the priority transaction information is higher than the fee of the existing abnormal transaction block by a predetermined ratio or more.

Accordingly, the transaction information processing unit 220, from the wallet account of the user terminal 200 registered with the user information, all or part of the assets for the prevention of theft to the safety management asset wallet account generated by the service providing device 100 To transfer, a preferential transaction block can be created, and the generated block is encrypted and stored and managed by the preferential transaction information setting unit 120 itself, or provided to the user terminal 200 so that it can be used when performing a subsequent hijacking prevention process. can be processed.

The monitoring interface unit 230 monitors transaction information of blocks waiting for approval or agreement completion formed on the block chain network, and matches normal user information (network address, terminal unique identification information, etc.) according to preset user information It is determined whether or not an abnormal transaction block is generated from a terminal node that does not work, and when the abnormal transaction block is generated, the abnormal transaction block information is transmitted to the transaction information processing unit 220 .

Here, the shared data on the block chain network that monitors transaction information may include blocks in the block generation waiting area for performing the consensus process, and the expression is different for each block chain network, but transactions representing blocks in the approval waiting area It may be indicated as status information of names such as pool (POOL), mempool (MEMPOOL), and pending pool (PENDING).

This monitoring interface unit 230 directly monitors the transaction block information in the state of the approval waiting area of each block chain transaction network by itself, or, as shown in FIG. 2 , the service providing apparatus 100 according to the embodiment of the present invention. Distributed monitoring can also be performed through monitoring agents running in .

For example, a blockchain network includes N blockchain networks, such as the first blockchain network, the second blockchain network, ... and the Nth blockchain network, such as the Bitcoin network, Ethereum network, etc. may be composed of In addition, each monitoring agent may be provided for one or more block chains, or one monitoring agent may connect to a plurality of block chain networks to collect monitoring information for each block chain network and deliver it to the monitoring interface unit 230 .

More specifically, the monitoring agent may include an identification unit 131, a storage unit 132, and a transmission unit 133 for identification, storage, and information transmission to the monitoring interface unit 230 of monitoring information, and each It may optionally include one or more monitoring information collecting units 134, 135, 136, 137, and 138 for collecting necessary information according to the characteristics of the block chain network.

Here, one or more information collection units include a block information collection unit 134 that collects transaction block information formed in an approval waiting area state on a block chain network, and a transaction information collection unit 135 that collects transaction request information generated from one or more nodes. , a node information collection unit 136 that collects identification information and related address information of each node that has requested a transaction, a network information collection unit 137 that collects network address information, and one or more automated transactions stored by the block chain It may include at least one of the contract information collecting unit 138 that collects contract information that provides process execution.

The identification unit 131 identifies transaction block information corresponding to the user registration information from the monitoring information collection unit 134 , 135 , 136 , 137 , 138 based on the user registration information received from the monitoring interface unit 130 . and may be stored in the storage unit 132 or transmitted to the monitoring interface unit 230 through the transmission unit 133 .

Accordingly, the monitoring interface unit 230 may monitor whether a preset abnormal transaction occurs in response to the transaction information identified through the monitoring agent.

On the other hand, the encryption key distribution data management unit 139 may receive, store and manage the encryption key distribution data of the wallet account for each block chain network from the user terminal 200, and process to prevent loss or theft of the encryption key of the wallet account By receiving the encryption key distribution data request for the secured asset wallet account, it can be delivered to the user terminal 200 .

Accordingly, the distributed sharing-based encryption key processing unit 270 may pre-register encryption key distribution data corresponding to the encryption key distribution data management unit 139 of the service providing device 100, and the registered encryption key distribution data is The encryption key distribution data management unit 139 may be mapped with user registration information, and may be stored and managed separately based on a plurality of cloud servers physically or logically isolated from each other.

In addition, the distributed sharing-based encryption key processing unit 270 distributes the encryption key using more widely distributed encryption key data by interworking with the service providing device 100 as well as the key management server 300 that provides a separate key management service. It can handle the management and restoration process, which will be described later in more detail with reference to FIG. 3 .

3 is a block diagram illustrating in more detail a distributed sharing-based encryption key processing unit according to an embodiment of the present invention.

Referring to FIG. 3 , the user terminal 200 according to an embodiment of the present invention manages and restores encryption key data according to a distributed sharing method using the service providing apparatus 100 and a separate key management server 300 . can be processed

More specifically, referring to FIG. 3 first, when a user's cryptocurrency wallet account is created, the user terminal 200 configures the encryption key distributed sharing data for distributed sharing of encryption key data for use of the wallet account. and sharing the distributed sharing data of the configured encryption key to the service providing apparatus 100 and the key management server 300, respectively.

Here, as the distributed sharing method, a known SHAMIR distributed secret sharing algorithm may be exemplified. For example, if a participant greater than a threshold value combines a secret key, an encryption key capable of performing encryption key authentication for restoration may be formed, which is user authentication information even if the secret key is damaged or lost in the user terminal 200 . And it enables generation of an encryption key for restoration according to the combination with the distributed encryption key data of the service providing device 100 or the key management server 300 according to the user personalization information.

More specifically, the original encryption key of the user's wallet account may be referred to as a master key, and the master key may be distributed and processed by generating a plurality of secret keys according to a distributed sharing algorithm such as the Shamir algorithm. The plurality of secret keys may be encrypted through a specific cryptographic element and distributed as secret key hash information. The distributed sharing-based encryption key processing unit 270, when the plurality of secret keys or the plurality of secret key hash information of the plurality of secret key hash information of a predetermined threshold or more is collected to be combinable, the distributed sharing algorithm based on the master key can be restored again.

At least a portion of the secret key generated in this way may be stored and managed internally in the user terminal 200 , and at least a portion is transmitted to the service providing device 100 and stored and managed by the encryption key distribution data management unit 139 . may be, and at least a portion may be transferred to the key management server 300 to be stored and managed.

For the detailed system configuration for distributed processing of the encryption key, referring to FIG. 3 , the distributed sharing-based encryption key processing unit 270 according to an embodiment of the present invention includes a user information processing unit 2710 and a master key information management unit 2720. ), an internal secret key data management unit 2730 , a management server secret key data management unit 2740 and a restoration logic processing unit 2750 .

The user information processing unit 2710 stores and manages user information for master key management and restoration according to an embodiment of the present invention. Here, the user information may include user authentication information such as KYC information and user personalization information for restoration of the master key.

The master key information management unit 2720 stores and manages the master key, and in preparation for loss or damage of the master key, the secondary hashed master key hash information based on the hashed data of the user personalization information. can be stored and managed.

In addition, the master key information management unit 2720 matches the response information in response to the query information including the user identification information transmitted from the service providing device 100 to determine whether it is normal or deliver it to the service providing device 100 . can judge The master key information management unit 2720 may register a master key of a user wallet account used for a transaction management service.

In addition, the master key hash information may be mapped with the user identification result information and delivered to the service providing device 100 , and the service providing device 100 uses the user authentication based master key hash information management module 1391 . Through this, the master key hash information may be stored and managed, and the mapped master key hash information may be encrypted again with a service providing device key and transmitted to the master key information management unit 2720 .

Accordingly, the master key information management unit 2720 may store and manage the hash-processed master key hash information based on the user personalization information in an encrypted state with the service providing device key of the service providing device 100 . have.

Accordingly, the master key information management unit 2720 transmits the user identity authentication result information to the service providing device 100 when the master key hash information is required, and receives the corresponding service providing device key to obtain the master key hash information. can be obtained

Here, the master key cannot be restored using only the master key hash information, but the master key hash information can be used for a secret key or secret key hash information request to the key management server 300 using the hash information, which is a hash of the user personalization information. Since it is hash data that is secondary processed by the data, it can be usefully used for accurate user confirmation.

On the other hand, the internal secret key data management unit 2730 groups at least some of the plurality of distributed sharing secret key hash data generated from the master key as a plurality of internal secret keys, and distributed storage and management of the plurality of internal secret keys.

The internal secret key data management unit 2730 selectively applies a preset encryption algorithm and encryption element among a plurality of secret keys, and shares the second group of encrypted secret keys with the service providing device 100, encryption The third group of secret keys may be transferred to the key management server 300 to distribute and manage a plurality of secret keys.

Additionally, the secret keys of the second group may be encrypted using the service providing device key or encrypted user personalization information corresponding to the user identification information as the encryption element. In addition, the secret keys of the third group may be encrypted using a key management server key issued by the key management server or encrypted user personalization information corresponding to the user identification information as the encryption element.

Also, the internal secret key data management unit 2730 may store and manage the first secret key among the plurality of internal secret keys in the user terminal 200 .

Here, the internal secret key data management unit 2730 may store and manage the first secret key by encrypting it based on hash data of the user personalized information. Accordingly, user personalized information may be required to restore the first secret key. According to another embodiment of the present invention, the internal secret key data management unit 2730 may store and manage the first secret key by encrypting it based on the service providing device key.

In addition, the internal secret key data management unit 2730 may deliver the first secret key to the service providing device 100, and the service providing device 100 encrypts the first secret key as a service providing device key. It can also be stored and managed. In this case, when the user authentication result information received from the user terminal 200 is confirmed, the service providing apparatus 100 transmits the first secret key encrypted with the service providing apparatus key to the user terminal 200 through a preset path such as an email. ) can be transmitted. Here, for personal information and security enhancement, the first secret key transmitted through a preset path may be deleted by the service providing apparatus 100 .

Meanwhile, the internal secret key data management unit 2730 may store and manage one or more second secret keys as data that is sequentially double encrypted by the first secret key and the service providing device key of the service providing device 100. have. According to another embodiment of the present invention, the internal secret key data management unit 2730 may store and manage one or more second secret keys as data encrypted by the service providing device key of the service providing device 100 . .

Then, the second secret key is transmitted to the service providing device 100, and by the internal secret key hash information cloud distribution management module 1392 of the service providing device 100, distributed cloud servers physically or logically isolated from each other can be distributed and managed.

As the sequentially double-encrypted data is double-encrypted, for example, the third secret key is double-encrypted data by the second secret key and the service providing device key of the service providing device 100 to the internal secret key data management unit 2730. It can be stored and managed, and the third secret key is transmitted to the service providing device 100 and physically or logically isolated from each other by the internal secret key hash information cloud distribution management module 1392 of the service providing device 100 . It can be distributed and managed on distributed cloud servers. As another example, the third secret key may be stored and managed in the internal secret key data management unit 2730 as data encrypted by the user personalization information hash data, and the third secret key is the service providing apparatus 100 It may be transmitted to and managed in distributed cloud servers physically or logically isolated from each other by the internal secret key hash information cloud distribution management module 1392 of the service providing device 100 .

For such distributed management, the service providing apparatus 100 may further include a mapping index module 1393 . The mapping index module 1393 may store and manage one or more secret keys mapped to the master key hash information, the hash data of the user personalization information, the server information and the index information, and according to the user's authentication information confirmation, the One or more secret keys may be provided to the user terminal 200 .

Here, since the secret key may include a series of second secret keys and the third secret keys that are sequentially double-encrypted from the first secret key as described above, in the user terminal 200, the service providing apparatus 100 ) of the service providing device key, the first secret key, and hash data of the user's personalization information, the second secret key and the third secret key can be normally obtained. According to another embodiment of the present invention, as described above, the secret key includes a series of second secret keys encrypted from the service providing device key and the third secret keys encrypted from user personal information hash data. Therefore, the user terminal 200 can normally obtain the second secret key and the third secret key only when the service providing device key of the service providing device 100 and hash data of the user's personalized information exist.

On the other hand, the management server secret key data management unit 2740 groups at least a portion of a plurality of distributed sharing secret keys or secret key hash data generated from the master key as a plurality of management server secret keys, and a plurality of management server secret keys Distributed storage and management.

Here, the management server secret key may be mapped with the master key hash data and delivered to the key management server 300 , and the key management server 300 includes the master key hash information management unit 301 and the server secret key information management unit 303 . You can register, store and manage management server secret keys through .

In addition, the key management server 300 may issue a management server key according to the registration of the management server secret key to the user terminal 200, and the management server secret key data management unit 2740 transmits the management server secret keys to the management server. By performing encryption processing using a key, security can be improved.

For example, the management server secret key data management unit 2740 may store and manage fourth to [n]th secret keys different from the first to third secret keys as the management server secret key, the second The 4th to [n]th secret keys may be transmitted to the key management server 300 , and may be encrypted using the key management server key or user personal information hash data issued in response thereto.

Accordingly, the restoration logic processing unit 2750, when it is determined that restoration of the master key is necessary, user authentication information obtained through the user information processing unit 2710 and the master key information management unit 2720, user personalization information hash data, and One or more secret keys can be obtained from the service providing device 100 or the key management server 300 by using at least one of the master key hash data, and when the one or more secret keys are obtained in a state that can be combined by more than a threshold , by performing a restoration process according to the distributed sharing algorithm, it is possible to restore the master key.

According to such processing, the secret key data distributed and shared by the user terminal 200, the service providing device 100, and the key management server 300 are hashed data and authentication result information and , it can be safely and easily restored based on each device key.

For example, in order to restore the master key, the user terminal 200 based on a preset first conditional key restoration process, according to the master key restoration request input and user input information, the first included in the user input information Receives second secret key encryption information corresponding to the secret key encryption information from the service providing device 100, and decrypts the first secret key encryption information and the second secret key encryption information using the service providing device key And, the master key can be restored by performing restoration processing based on a distributed sharing algorithm using the decrypted information.

At the same time, the user terminal 200 based on the preset second conditional key restoration process, according to the master key restoration request and user input information, the encryption information and the third secret of the second secret key corresponding to the user identification information Receives encryption information of a key from the service providing device 100, and uses the service providing device key corresponding to the user identification information or the encrypted personalized user information as a decryption factor to encrypt information of the second secret key and The encryption information of the third secret key is decrypted, and the master key can be restored by performing a restoration process based on a distributed sharing algorithm using the decrypted information.

Additionally, the user terminal 200 provides the service with the encryption information of the second secret key corresponding to the preset user authentication information according to the master key restoration request and user input information, based on the preset third conditional key restoration process. Receiving from the device 100 and receiving the encryption information of the fourth secret key encrypted using the key management server key from the key management server 300, to decrypt the service providing device key or the key management server key Decrypts the encryption information of the second secret key and the encryption information of the fourth secret key by using it as a factor, and performs a distributed sharing algorithm-based restoration process using the decrypted information to restore the master key . In this case, the encryption information of the fourth secret key may be received as encryption information of the fourth secret key that is first decrypted by the asymmetric key management server key corresponding to the user authentication information.

In addition, the user terminal 200, based on the preset fourth conditional key restoration process, according to the master key restoration request and user input information, the first secret key encryption information included in the user input information, and the user input information Receives the encryption information of the fourth secret key encrypted with the key management server key corresponding to the user identification information included in the key management server 300, and decrypts the service providing device key or the key management server key It is possible to decrypt the encryption information of the first secret key and the fourth secret key by using it as a factor, and restore the master key by performing a distributed sharing algorithm-based restoration process using the decrypted information. In this case, the encryption information of the fourth secret key may be received as encryption information of the fourth secret key that is first decrypted by the asymmetric key management server key corresponding to the user identification information.

Then, the user terminal 200 based on the preset fifth conditional key restoration process, according to the master key restoration request and user input information, the encryption information of the fourth secret key corresponding to the user identification information and the fifth secret key receiving the encryption information of the key management server, and decrypting the encryption information of the fourth secret key and the encryption information of the fifth secret key by using the encrypted user personalization information or the key management server key as a decryption factor, The master key may be restored by performing restoration processing based on a distributed sharing algorithm using the decrypted information. In this case, the encryption information of the fourth secret key may be received as encryption information of the fourth secret key that is first decrypted by the asymmetric key management server key corresponding to the user identification information.

4 is a flowchart for explaining a distributed sharing algorithm-based encryption key management method according to an embodiment of the present invention, and FIG. 5 is a diagram for explaining distributed encryption key data according to an embodiment of the present invention.

4 and 5, first, the user terminal 200 according to an embodiment of the present invention registers transaction information and terminal information through a set block chain network (S101), and cryptocurrency through the block chain network A wallet account for processing asset transactions is registered (S103).

Then, the user terminal 200 generates user authentication information corresponding to the wallet account (S105), and registers the master key hash information corresponding to the generated user authentication information to the service providing apparatus 100 (S107).

Here, referring to FIG. 5 , the master key hash information may be first encrypted by the user personalization information hash data and registered in the service providing device 100 , and in the service providing device 100 , in the master key hash information registration A corresponding key can be issued. Accordingly, the user terminal 200 may store and manage the master key hash information by encrypting it with the service providing device key.

For example, the user personalized information hash data may be hash data of personalized information including at least one of an email address, birthday information, and name information preset in the user terminal 200 . Accordingly, in order to restore the master key hash information, user personalization information and a service providing device key may be required.

Then, the user terminal 200 generates a plurality of secret keys according to the distributed sharing secret key processing of the master key (S109).

Here, the plurality of secret keys may be composed of hash data distributed from the master key by a distributed sharing algorithm such as the SHAMIR equation. Each of the plurality of secret keys cannot restore the master key, but when the secret keys above a preset threshold are combined, the master key can be restored by a distributed sharing restoration process such as performing the SHAMIR algorithm in reverse.

Then, the user terminal 200 encrypts the first secret key by using the hash data of the user personalized information (S113).

Here, again, referring to FIG. 5 , the first secret key encrypted with the hash value of the user personalization information may be transmitted to the service providing apparatus 100 in case it is lost or damaged.

If the first secret key is requested from the user terminal 200 to the service providing device 100 due to loss or damage, the service providing device 100 encrypts the first secret key with the service providing device key according to user authentication. , may be transmitted through a path such as e-mail, and the transmitted first secret key may be deleted by the service providing apparatus 100 .

Thereafter, the user terminal 200 performs chain encryption processing based on the first secret key and the service providing device key on one or more other second group secret keys, and stores and manages them as an internal secret key (S115).

As shown in FIG. 5, the second group secret keys may be composed of a second secret key hash, a third secret key hash, and the like, and each is combined with a service providing device key to sequentially chain encryption processing from the first secret key. can be Accordingly, since the remaining keys cannot be recovered without the aforementioned first secret key, the security thereof may be improved.

In addition, the service providing device 100 may register mapping and index information of hash information and index information of user authentication information, master key hash information, and personalized user information to the second group secret keys, and the registered second group secret keys are in the cloud. It can be distributed and managed on a server-based basis. For example, as shown in FIG. 5 , the second secret key hash may be distributed and stored as first distributed cloud information, second distributed cloud information, etc. in the first cloud, and the third secret key in the second cloud server The hash may be distributed and stored as the first distributed cloud information, the second distributed cloud information, and the like.

In addition, the user terminal 200 may perform encryption processing for one or more other third group secret keys based on the key management server key, and the encrypted third group secret keys are stored and managed in the key management server 300 . may be (S117), and may be transmitted to the user terminal 200 according to the request of the user terminal (200). Additionally, the user terminal 200 may perform encryption processing for one or more other third group secret keys using a key management server or user personalization information hash, and the encrypted third group secret keys are encrypted by the key management server 300 ) can be stored and managed.

Here, referring to FIG. 5 , the third group secret keys may be composed of data such as a fourth secret key hash and a fifth secret key hash, and the key management server 300 provides user authentication information and master key hash information. It is possible to store and manage third group secret keys by mapping.

6 is a flowchart illustrating a master key restoration process according to an embodiment of the present invention.

Referring to FIG. 6 , the user terminal 200 according to an embodiment of the present invention obtains user identity authentication result information corresponding to the master key restoration request input ( S201 ).

Here, the identity authentication result information may include identity inquiry result information obtained from a preset KYC institution.

Then, the user terminal 200 obtains the user personalized information hash data according to the user input (S203).

Thereafter, the user terminal 200 obtains a service providing device key based on at least one of identity authentication result information or user personalized information hash data (S205).

Then, the user terminal 200 restores the master key hash information by using the obtained service providing device key (S207).

Then, the user terminal 200, based on the master key hash information or the user personalized hash data, obtains a first secret key (S209).

Here, based on the master key hash information or the user personalized hash data authentication, the first secret key is transmitted from the service providing device 100 to a path such as an e-mail, or a user personalization corresponding to the internally stored and managed first secret key It may be obtained by performing a decryption process using hash data.

Then, the user terminal 200 uses the first secret key to sequentially restore the second group secret keys stored internally or delivered from the service providing apparatus 100 (S211).

Also, the user terminal 200 obtains the third group secret keys from the key management server 300 based on the master key hash information and the identity authentication result information (S213).

Then, the user terminal 200 restores the master key by processing a distributed sharing algorithm using at least one of the first secret key, the second group secret key, and the third group secret (S215).

7 is a flowchart for explaining a distributed sharing algorithm-based encryption key management method according to another embodiment of the present invention, and FIG. 8 is a diagram for explaining distributed encryption key data according to another embodiment of the present invention.

7 and 8, first, the user terminal 200 according to an embodiment of the present invention registers transaction information and terminal information through a set block chain network (S301), and cryptocurrency through the block chain network A wallet account for processing asset transactions is registered (S303).

Then, the user terminal 200 generates user authentication information corresponding to the wallet account (S305), and registers master key information corresponding to the generated user authentication information to the service providing apparatus 100 (S307).

The user terminal 200 may receive query information including user identification information transmitted from the service providing apparatus 100 . The user terminal 200 may input response information in response to the query information. The user terminal 200 may register the master key of the user wallet account used for the transaction management service in the user terminal 200 based on the response information.

Here, the user identity authentication information corresponding to the user identification information may be registered in the service providing apparatus 100 . In addition, the master key may be first encrypted by the user personalization information hash data and registered in the service providing device 100, and in the service providing device 100, the service providing device key, which is a key corresponding to the master key hash information registration can be issued

For example, the user personalized information hash data may be hash data of personalized information including at least one of an email address, birthday information, and name information preset in the user terminal 200 . Accordingly, in order to restore the master key, user personalization information and a service providing device key may be required.

Then, the user terminal 200 generates a plurality of secret keys according to the distributed sharing secret key processing of the master key (S309).

Here, the plurality of secret keys may be composed of hash data distributed from the master key by a distributed sharing algorithm such as the SHAMIR equation. Each of the plurality of secret keys cannot restore the master key, but when the secret keys greater than a preset threshold are combined, the master key may be restored by a distributed sharing restoration process such as performing the SHAMIR algorithm in reverse.

Then, the user terminal 200 encrypts the first secret key or the second secret key using the service providing device key (S311).

Additionally, the user terminal 200 uses the secret keys of the second group among the plurality of secret keys as the service providing device key, or encrypted user personal information (user personalization information hash) corresponding to the user identification information, the cryptographic element can be used for encryption. At the same time, the user terminal 200 provides a key management server key that issues a third group of secret keys among the plurality of secret keys from the key management server, or encrypted user personalization information (user personalization) corresponding to the user identification information. information hash) may be used as the encryption element to perform encryption processing. At this time, when the user terminal 200 performs encryption processing using a key management server key among the secret keys of the third group, firstly obtains primary encryption processing information using a key management server key, which is a symmetric key. And, the secondary encryption processing information may be obtained by using a key management server key that is an asymmetric key secondary to the primary encryption processing information. In addition, the user terminal 200 may include at least one secret key encrypted using the encrypted user personal information hash, which is the encrypted user personal information, from among the secret keys of the second group and the secret keys of the third group. .

Here, again referring to FIG. 8 , the second secret hash information that is the second secret key encrypted with the service providing device key may be transmitted to the service providing device 100 in case it is lost or damaged.

If the second secret key is requested from the user terminal 200 to the service providing device 100 due to loss or damage, the service providing device 100 transmits the second secret key hash information mapped according to user authentication to the email and It may be transmitted through the same path, and the transmitted second secret key hash information may be deleted by the service providing apparatus 100 .

Thereafter, the user terminal 200 selectively applies a preset encryption algorithm and encryption element among the plurality of secret keys, and transmits the second group of encrypted secret keys to the service providing device, and the encrypted third group The secret key is transmitted to the key management server to distribute and manage the secret key (S313).

According to an embodiment of the present invention, the user terminal 200 may perform encryption processing using one or more other second secret keys as a service providing device key. In addition, the user terminal 200 may perform encryption processing for one or more other third secret keys by using the user personalized information hash. Through this, the user terminal 200 may store and manage the encrypted second secret key hash or the third secret key hash as the second group secret key and share it with the service providing apparatus 100 . Also, the user terminal 200 may encrypt one or more other fourth secret keys as a key management server key. In addition, the user terminal 200 may perform encryption processing for one or more other fifth secret keys by using the user personalization information hash. Through this, the user terminal 200 may store and manage the encrypted fourth secret key hash or the fifth secret key hash as the third group secret key and share it with the key management server 300 .

As shown in FIG. 8 , the second group secret keys may be composed of an encrypted second secret key hash, a third secret key hash, and the like. In addition, each of the third group secret keys may be composed of an encrypted fourth secret key hash, a fifth secret key hash, and the like. Among them, the security of the third secret key hash and the fifth secret key hash can be improved because encryption is processed using the user personalized information hash.

In addition, the service providing device 100 may register mapping and index information of hash information and index information of user authentication information, master key hash information, and personalized user information to the second group secret keys, and the registered second group secret keys are in the cloud. It can be distributed and managed on a server-based basis. For example, as shown in FIG. 8 , the second secret key hash may be distributed and stored as first distributed cloud information, second distributed cloud information, etc. in the first cloud, and the third secret key in the second cloud server The hash may be distributed and stored as the first distributed cloud information, the second distributed cloud information, and the like.

Additionally, the user terminal 200 may perform encryption processing for one or more other third group secret keys using a key management server or user personalization information hash, and the encrypted third group secret keys are encrypted by the key management server 300 ) can be stored and managed.

Here, referring to FIG. 8 , the third group secret keys may be composed of data such as a fourth secret key hash and a fifth secret key hash, and the key management server 300 provides user authentication information and master key hash information. It is possible to store and manage third group secret keys by mapping.

Additionally, referring to FIG. 8 , the user terminal 200 may extract the personalized user information hash by applying the personalized user information to a hash algorithm based on the user authentication information. The user terminal 200 may obtain a master key based on a hash of user personalized information and generate a plurality of secret keys through distributed sharing secret key processing. Each of the plurality of secret keys may be processed as the [n]th secret key hash through encryption to which a preset cryptographic element is applied, and may be distributed and managed in the service providing apparatus 100 or the key management server 300 .

9 to 13 are flowcharts for explaining a key recovery process according to another embodiment of the present invention.

First, referring to FIG. 9 , according to an embodiment of the present invention, the user terminal 200 acquires user identity authentication result information corresponding to the master key restoration request input (S401).

Here, the identity authentication result information may include identity inquiry result information obtained from a preset KYC institution.

Then, the user terminal 200 obtains a first secret key hash that is the first secret key encryption information included in the user input information (S403).

Accordingly, the user terminal 200 requests the service providing apparatus 100 for a second secret key hash that is second secret key encryption information corresponding to the first secret key hash (S405).

Here, the second secret key hash may be transmitted from the service providing apparatus 100 to the user terminal 200 through a path, such as an email, based on user identity authentication result information.

Thereafter, the user terminal 200 obtains the service providing device key based on the second secret key hash and the identity authentication result from the service providing device 100 (S407).

Next, the user terminal 200 decrypts the first secret key hash and the second secret key hash using the obtained service providing device key to obtain a first secret key and a second secret key (S409) .

Then, the user terminal 200 restores the master key by processing the distributed sharing algorithm using the first secret key and the second secret key (S411).

Referring to FIG. 10 , according to an embodiment of the present invention, the user terminal 200 obtains user identity authentication result information corresponding to a master key restoration request input ( S501 ).

Here, the identity authentication result information may include identity inquiry result information obtained from a preset KYC institution.

Then, the user terminal 200 obtains the user personalized information hash through the user personalized information included in the user input information based on the user identity authentication result information (S503).

Thereafter, the user terminal 200 encrypts the second secret key hash which is the second secret key encryption information encrypted with the service providing device key and the third secret key encrypted with the user personalization information hash based on the identity authentication result information. A third secret key hash, which is information, is obtained from the service providing apparatus 100 (S505).

Next, the user terminal 200 decrypts the second secret key hash by using the service providing device key issued based on the identity authentication result information as a decryption factor and obtains the second secret key (S507).

At the same time, the user terminal 200 decrypts the third secret key hash by using the user personalized information hash as a decryption factor and obtains the third secret key (S509).

Then, the user terminal 200 restores the master key by processing the distributed sharing algorithm using the second secret key and the third secret key (S511).

Referring to FIG. 11 , according to an embodiment of the present invention, the user terminal 200 obtains user identity authentication result information corresponding to the master key restoration request input (S601).

Here, the identity authentication result information may include identity inquiry result information obtained from a preset KYC institution.

Then, the user terminal 200 requests a second secret key hash that is encryption information of the second secret key corresponding to the preset user authentication information (S603).

The second secret key hash may be encrypted with the service providing device key and distributed and managed in the service providing device 100 .

At the same time, the user terminal 200 obtains a fourth secret key hash that is fourth secret key encryption information corresponding to the second secret key hash from the key management server 300 (S605).

At this time, when the fourth secret key hash is first generated, it is primarily encrypted with the symmetric key management server key, and after primary encryption, it is secondarily encrypted with the asymmetric key management server key. The asymmetric key management server key may be utilized as an encryption key used in an RSA algorithm or the like.

Next, the user terminal 200 obtains the second secret key hash from the service providing device 100 and decrypts it with the service providing device key to extract the second secret key (S607).

In addition, the user terminal 200 obtains a first decrypted fourth secret key hash from the key management server 300 using the asymmetric key management server key, and then in the first decrypted fourth secret key hash for the symmetric key management server key as a decryption factor to extract a fourth secret key (S609).

Then, the user terminal 200 restores the master key by processing the distributed sharing algorithm using the second secret key and the fourth secret key (S611).

12, according to an embodiment of the present invention, the user terminal 200 obtains user identity authentication result information corresponding to the master key restoration request input (S701).

Here, the identity authentication result information may include identity inquiry result information obtained from a preset KYC institution.

Then, the user terminal 200 obtains a first secret key hash that is the first secret key encryption information included in the user input information (S703).

Next, the user terminal 200 obtains, from the key management server 300, a fourth secret key hash, which is encryption information of the fourth secret key, corresponding to the user identification information included in the user input information (S705).

At this time, when the fourth secret key hash is first generated, it is primarily encrypted with the symmetric key management server key, and after primary encryption, it is secondarily encrypted with the asymmetric key management server key. The asymmetric key management server key may be utilized as an encryption key used in an RSA algorithm or the like.

Here, the key management server 300 transmits the fourth secret key hash, which is primarily decrypted using the asymmetric key management server key, to the user terminal 200 with respect to the fourth secret key hash encrypted twice. send.

Thereafter, the user terminal 200 decrypts the first secret key hash by using the service providing device key issued by the service providing device 100 as a decryption factor, and obtains the first secret key (S707) .

At the same time, the user terminal 200 decrypts the fourth secret key hash by using the symmetric key management server key issued as the symmetric key from the key management server 300 as a decryption factor, and obtains the fourth secret key (S709).

Then, the user terminal 200 restores the master key by processing the distributed sharing algorithm using the first secret key and the fourth secret key (S711).

Referring to FIG. 13 , according to an embodiment of the present invention, the user terminal 200 acquires user identity authentication result information corresponding to the master key restoration request input (S801).

Here, the identity authentication result information may include identity inquiry result information obtained from a preset KYC institution.

Then, the user terminal 200, on the basis of the user identity authentication result information, obtains the user personalized information included in the user input information is encrypted user personalized information hash (S803).

After that, the user terminal 200, based on the user identity authentication result information, the fourth secret key hash that is encryption information of the fourth secret key corresponding to the user identification information, and the fifth secret key encryption information 5 A secret key hash is obtained from the key management server 300 (S805).

At this time, when the fourth secret key hash is first generated, it is primarily encrypted with the symmetric key management server key, and after primary encryption, it is secondarily encrypted with the asymmetric key management server key. The asymmetric key management server key may be utilized as an encryption key used in an RSA algorithm or the like.

Here, the key management server 300 transmits the fourth secret key hash, which is primarily decrypted using the asymmetric key management server key, to the user terminal 200 with respect to the fourth secret key hash encrypted twice. send.

Through this, the user terminal 200 decrypts the fourth secret key hash by using the symmetric key management server key issued as the symmetric key from the key management server 300 as a decryption factor, and obtains the fourth secret key (S807).

At the same time, the user terminal 200 decrypts the fifth secret key hash by using the user personalized information hash as a decryption factor, and obtains a fifth secret key (S809).

Then, the user terminal 200 restores the master key by processing the distributed sharing algorithm using the fourth secret key and the fifth secret key (S811).

Each of the above-described methods of FIGS. 9 to 13 may be selectively processed according to a preset conditional key recovery process in the system.

To this end, the service providing apparatus 100, the user terminal 200, or the key management server 300 stores the condition information, respectively, and restores the key of any one of FIGS. 9 to 13 when it corresponds to a preset condition. It can operate to selectively perform a process.

For example, the first conditional key restoration process of FIG. 9 may be performed when the user has information of the first secret key hash and can be input through the user terminal 200 . In this case, the key restoration process of FIG. 9 may restore the master key without exchanging information with the key management server 300 .

At the same time, the second conditional key restoration process of FIG. 10 is performed when the user has lost the information of the first secret key hash, but it is possible to input response information matching the preset user identification query information through the user terminal 200 can In this case, the key restoration process of FIG. 10 may restore the master key without exchanging information with the key management server 300 .

Additionally, the third conditional key restoration process of FIG. 11 may be performed when the user loses the information of the first secret key hash and the response information matching the user identification query information preset through the user terminal 200 is lost. have. In this case, the service providing apparatus 100 may additionally provide an additional authentication method for confirming authorized electronic information or unique information capable of authenticating a specific user. The additional authentication method may utilize a joint certificate, one time password (OTP), mobile authentication, email authentication, and the like. In this case, in the key restoration process of FIG. 11 , the user terminal 200 may restore the master key through information exchange with the service providing apparatus 100 and the key management server 300 .

In addition, the fourth conditional key restoration process of FIG. 12 may be performed when the user can input information of the first secret key hash through the user terminal 200 but cannot exchange information with the service providing apparatus 100 . In this case, the key restoration process of FIG. 12 may restore the master key through information exchange between the user terminal 200 and the key management server 300 .

In addition, the fifth conditional key restoration process of FIG. 13 may be performed when the user loses information on the first secret key hash and information exchange with the service providing apparatus 100 is impossible. In this case, the user should be able to input response information matching the preset user identification query information through the user terminal 200 . Through this, the key restoration process of FIG. 13 may restore the master key through information exchange between the user terminal 200 and the key management server 300 .

The above-described methods according to an embodiment of the present invention may be produced as a program to be executed in a computer. In addition, the program may be stored in a computer-readable recording medium, and examples of the computer-readable recording medium include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc. have.

The computer-readable recording medium is distributed in a network-connected computer system, so that the computer-readable code can be stored and executed in a distributed manner. In addition, functional programs, codes, and code segments for implementing the method can be easily inferred by programmers in the art to which the present invention pertains.

In addition, although preferred embodiments of the present invention have been illustrated and described above, the present invention is not limited to the specific embodiments described above, and the technical field to which the present invention belongs without departing from the gist of the present invention as claimed in the claims In addition, various modifications may be made by those of ordinary skill in the art, and these modifications should not be individually understood from the technical spirit or prospect of the present invention.

Claims (17)

In the operating method of a user terminal that provides a transaction management service through a block chain network,
Receiving query information including user identification information transmitted from the service providing device;
registering a master key of a user wallet account used for the transaction management service in the user terminal based on response information input from the user terminal in response to the query information;
generating a plurality of secret keys capable of restoring the master key by using a number of secret keys greater than or equal to a threshold according to distributed sharing secret key processing corresponding to the master key;
encrypting a first secret key or a second secret key among the plurality of secret keys with a service providing device key issued by the service providing device; and
Among the plurality of secret keys, the first secret key and the second group and the third group of secret keys different from the second secret key are encrypted by selectively applying a preset encryption algorithm and encryption element, respectively, and encryption and transferring the secret keys of the second group to the service providing device, and transferring the encrypted secret keys of the third group to a key management server to distribute and manage the secret key;
The step of registering the master key comprises:
Registering user identity authentication information corresponding to the user identification information and hash data of the master key to the service providing device; further comprising
A method of operating a user terminal that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. The method of claim 1,
The encryption step is
For the secret keys of the second group among the plurality of secret keys, encrypted user personal information corresponding to the service providing device key or the user identification information is used as the encryption element as the encryption key for encryption, and , for the secret keys of the third group, encryption processing using a key management server key issued by the key management server or encrypted user personalization information corresponding to the user identification information as the encryption element as the encryption key for encryption further comprising;
When encryption processing is performed using the key management server key from among the secret keys of the third group, primary encryption processing information is obtained using a symmetric key management server key, and secondary encryption processing information is used in the primary encryption processing information. characterized in that the secondary encryption processing information is obtained by using the asymmetric key management server key,
Among the secret keys of the second group and the secret keys of the third group, at least one secret key that is encrypted using the encrypted user personalization information as a cryptographic key for encryption is included.
A method of operating a user terminal that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 3. The method of claim 2,
Based on a preset first conditional key restoration process, according to the master key restoration request input and user input information, the second secret key encryption information corresponding to the first secret key encryption information included in the user input information is provided as the service Receive from a device, decrypt the first secret key encryption information and the second secret key encryption information using the service providing device key, and perform a distributed sharing algorithm-based restoration process using the decrypted information to perform the Restoring the master key; further comprising
A method of operating a user terminal that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 3. The method of claim 2,
Based on a preset second conditional key restoration process, according to a master key restoration request and user input information, the second secret key encryption information and the third secret key encryption information corresponding to the user identification information are provided to the service providing apparatus and using the service providing device key or the encrypted user personalization information corresponding to the user identification information as a decryption factor that is a cryptographic key for decryption, the encryption information of the second secret key and the third secret Decrypting the encryption information of the key, and performing a distributed sharing algorithm-based restoration process using the decrypted information to restore the master key; further comprising
A method of operating a user terminal that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 3. The method of claim 2,
Receive, from the service providing device, encryption information of a second secret key corresponding to preset user authentication information, according to a master key restoration request and user input information, from the service providing device based on a preset third conditional key restoration process, and manage the key The encryption information of the fourth secret key encrypted using the server key is received from the key management server, and the encryption information of the second secret key and the encryption information of the second secret key by using the service providing device key or the key management server key as a decryption factor Decrypting the encryption information of the fourth secret key, and restoring the master key by performing a distributed sharing algorithm-based restoration process using the decrypted information;
The encryption information of the fourth secret key is first decrypted by the asymmetric key management server key corresponding to the user authentication information, characterized in that it is received by the user terminal
A method of operating a user terminal that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 3. The method of claim 2,
Based on a preset fourth conditional key restoration process, according to the master key restoration request and user input information, the first secret key encryption information included in the user input information corresponds to the user identification information included in the user input information receiving the encryption information of the fourth secret key encrypted with the key management server key from the key management server, and using the service providing device key or the key management server key as a decryption factor, the first secret key encryption information and Decrypting the encryption information of the fourth secret key, and restoring the master key by performing a distributed sharing algorithm-based restoration process using the decrypted information;
The encryption information of the fourth secret key is first decrypted by the asymmetric key management server key corresponding to the user identification information, characterized in that it is received by the user terminal
A method of operating a user terminal that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 3. The method of claim 2,
Based on a preset fifth conditional key restoration process, according to the master key restoration request and user input information, the encryption information of the fourth secret key and the encryption information of the fifth secret key corresponding to the user identification information are transferred to the key management server and decrypts the encryption information of the fourth secret key and the encryption information of the fifth secret key by using the encrypted user personalization information or key management server key as a decryption factor, which is a decryption key for decryption, and the decrypted Restoring the master key by performing restoration processing based on a distributed sharing algorithm using the information;
The encryption information of the fourth secret key is first decrypted by the asymmetric key management server key corresponding to the user identification information, characterized in that it is received by the user terminal
A method of operating a user terminal that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 8. The method according to any one of claims 3 to 7,
The distributed sharing algorithm is a Shamir (SHAMIR) secret key algorithm, characterized in that
A method of operating a user terminal that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. In a user terminal device that provides a transaction management service through a block chain network,
Receive query information including user identification information transmitted from the service providing device, and based on response information input from the user terminal in response to the query information, obtain the master key of the user wallet account used for the transaction management service a master key information management unit for registering with the user terminal; and
According to the distributed sharing secret key processing corresponding to the master key, a plurality of secret keys capable of restoring the master key are generated using a number of secret keys greater than or equal to a threshold, and a first secret key or a second secret key among the plurality of secret keys The secret key is encrypted with the service providing device key issued by the service providing device, and among the plurality of secret keys, the first secret key and the second group and third group of secret keys different from the second secret key, respectively By selectively applying a preset cryptographic algorithm and cryptographic element to encrypt, deliver the encrypted secret keys of the second group to the service providing device, and deliver the encrypted secret keys of the third group to a key management server Including; a secret key data management unit for distributed management of the secret key;
The master key information management unit,
Registering user identity authentication information corresponding to the user identification information and hash data of the master key in the service providing device
A user terminal device that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 10. The method of claim 9,
The secret keys of the second group are encrypted by using the encrypted user personalization information corresponding to the service providing device key or the user identification information as the encryption element that is the encryption key for encryption, and the third group Secret keys, the key management server key issued by the key management server or encrypted user personalization information corresponding to the user identification information is used as the encryption element, which is a cryptographic key for encryption, characterized in that the encryption process is performed,
Among the secret keys of the second group and the secret keys of the third group, at least one secret key that is encrypted by using the encrypted user personalization information as a cryptographic key for encryption is included.
The personalized user information comprises user personalized hash data obtained by hashing at least one of email information, birthday information, and name information obtained according to a user input
A user terminal device that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 11. The method of claim 10,
Based on a preset first conditional key restoration process, according to the master key restoration request input and user input information, the second secret key encryption information corresponding to the first secret key encryption information included in the user input information is provided as the service Receive from a device, decrypt the first secret key encryption information and the second secret key encryption information using the service providing device key, and perform a distributed sharing algorithm-based restoration process using the decrypted information to perform the Restoring the master key, characterized in that
A user terminal device that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 11. The method of claim 10,
Based on a preset second conditional key restoration process, according to a master key restoration request and user input information, the second secret key encryption information and the third secret key encryption information corresponding to the user identification information are provided to the service providing apparatus and using the service providing device key or the encrypted user personalization information corresponding to the user identification information as a decryption factor that is a cryptographic key for decryption, the encryption information of the second secret key and the third secret key Decrypting encryption information of , and restoring the master key by performing a distributed sharing algorithm-based restoration process using the decrypted information
A user terminal device that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 11. The method of claim 10,
Receive, from the service providing device, encryption information of a second secret key corresponding to preset user authentication information, according to a master key restoration request and user input information, from the service providing device based on a preset third conditional key restoration process, and manage the key The encryption information of the fourth secret key encrypted using the server key is received from the key management server, and the encryption information of the second secret key and the encryption information of the second secret key by using the service providing device key or the key management server key as a decryption factor Decrypting the encryption information of the fourth secret key, and restoring the master key by performing a distributed sharing algorithm-based restoration process using the decrypted information,
The encryption information of the fourth secret key is first decrypted by an asymmetric key management server key corresponding to the user authentication information, characterized in that it is received by the user terminal
A user terminal device that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 11. The method of claim 10,
Based on a preset fourth conditional key restoration process, according to the master key restoration request and user input information, the first secret key encryption information included in the user input information corresponds to the user identification information included in the user input information receiving the encryption information of the fourth secret key encrypted with the key management server key from the key management server, and using the service providing device key or the key management server key as a decryption factor, the first secret key encryption information and Decrypting the encryption information of the fourth secret key, and performing a distributed sharing algorithm-based restoration process using the decrypted information to restore the master key,
The encryption information of the fourth secret key, characterized in that the primary decryption process by the asymmetric key management server key corresponding to the user identification information is received by the user terminal
A user terminal device that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 11. The method of claim 10,
Based on a preset fifth conditional key restoration process, according to the master key restoration request and user input information, the encryption information of the fourth secret key and the encryption information of the fifth secret key corresponding to the user identification information are transferred to the key management server and decrypts the encryption information of the fourth secret key and the encryption information of the fifth secret key by using the encrypted user personalization information or key management server key as a decryption factor that is a cryptographic key for decryption, and the decryption It is characterized in that the master key is restored by performing restoration processing based on the distributed sharing algorithm using the obtained information,
The encryption information of the fourth secret key, characterized in that the primary decryption process by the asymmetric key management server key corresponding to the user identification information is received by the user terminal
A user terminal device that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. 16. The method according to any one of claims 11 to 15,
The distributed sharing algorithm is a Shamir (SHAMIR) secret key algorithm, characterized in that
A user terminal device that handles encryption key management based on a distributed sharing algorithm for blockchain transactions. A computer program stored in a computer readable medium in which a program for executing the method according to any one of claims 1 to 7 in a computer is recorded.

Images