KR102492553B1 - Method and System for Digital Signature which unused Password based on FIDO Authentication - Google Patents

Abstract

The present invention relates to a FIDO-based password-free electronic signature method and system, and more particularly, performs user authentication through biometric information authentication according to the FIDO standard to replace password input, and user stored when registering a user in a FIDO server It relates to a FIDO-based password-free digital signature method and system that can encrypt a user's certificate and private key for digital signature through a symmetric key generated based on unique information and store them in a web storage of a web browser.

Description

FIDO-based password-free electronic signature method and system {Method and System for Digital Signature which unused Password based on FIDO Authentication}

The present invention relates to a FIDO-based password-free electronic signature method and system, and more particularly, performs user authentication through biometric information authentication according to the FIDO standard to replace password input, and user stored when registering a user in a FIDO server It relates to a FIDO-based password-free digital signature method and system that can encrypt a user's certificate and private key for digital signature through a symmetric key generated based on unique information and store them in a web storage of a web browser.

In general, FIDO (Fast Identity Online) is a new authentication system that allows authentication to be processed through an irreplaceable yet simple procedure through biometric information such as fingerprint recognition, iris recognition, or face recognition instead of ID and password. is the standard specification of FIDO authentication is basically an authentication scheme used to solve the vulnerability of systems that use IDs and passwords. Security is further enhanced by using biometric information such as iris or face as a password.

On the other hand, a digital signature is an electronic form of data attached to or logically combined with an electronic document, and is used for the purpose of verifying the identity of the signer and indicating the user's approval of the contents of the signed document. The certificate required to perform such electronic signature includes a public key, and the private key paired with the public key is encrypted with a password and stored according to security risks such as use other than the person in case of leakage. However, since certificates and private keys exist in the form of files, it is easy to access the location (NPKI) stored on the hard disk and easy to copy/use, resulting in poor security. As such, public certificates encrypted with passwords are decrypted by password detection attacks such as key logging and used illegally as users use passwords that are easy to remember and convenient to input.

In order to solve this problem, it is possible to not use passwords that are easy to hack, perform user authentication with user's own biometric information, solve the problem of being vulnerable to leakage of certificates, and strengthen the security of encryption keys that perform encryption. A method is needed, but there is no conventional technology for providing such a service.

The present invention performs user authentication through biometric information authentication according to the FIDO standard to replace password input, and to perform digital signature through a symmetric key generated based on user-specific information stored when registering a user in a FIDO server. Its purpose is to provide a FIDO-based password-free electronic signature method and system that can encrypt certificates and private keys and store them in web storage of web browsers.

In order to solve the above problems, the present invention is a FIDO-based password-free electronic signature method performed by a certificate issuing server, a FIDO server, and a user's terminal. A web browser can be executed on the user's terminal, and digital signature Information for performing can be stored in the web storage, and by the FIDO server, a biometric information authentication request is transmitted to the user's terminal according to the user registration request transmitted from the user's terminal, and biometric information authentication in the user's terminal A user registration step of receiving and storing user-specific information generated according to the execution of; The certificate issuing server receives a certificate public key and a certificate issuance request from the user's terminal, generates a certificate including the certificate public key, and transmits the certificate to the user's terminal, and the user's terminal stores the certificate in web storage. Certificate storage step to store in; When the user authentication of the user's terminal is completed by the FIDO server, a first authentication step of transmitting symmetric key derivation information including user-specific information or derived from information including user-specific information to the user's terminal; a key data storage step of storing, by the user's terminal, encryption key data obtained by encrypting the private key of the certificate using the symmetric key derived based on the symmetric key derivation information, in the web storage; a second authentication step of transmitting, by the FIDO server, the symmetric key derivation information to the user's terminal when user authentication of the user's terminal is completed; and the user's terminal decrypts the encryption key data stored in the web storage with the symmetric key derived based on the symmetric key derivation information to derive the private key of the certificate, and uses the certificate and the private key to decrypt the original text data. It provides a FIDO-based password-free digital signature method including; digital signature step of performing a signature.

In one embodiment of the present invention, the user registration step, by the FIDO server, receiving a user registration request from the terminal of the user; Transmitting, by the FIDO server, a biometric information authentication request to a user's terminal; Receiving, by the FIDO server, the user-specific information including the FIDO public key generated from the terminal of the user who performed biometric information authentication according to the biometric information authentication request; and storing, by the FIDO server, the user-specific information including the received FIDO public key in the FIDO server.

In one embodiment of the present invention, the symmetric key derivation information may include a FIDO public key and a user ID generated in the user registration step.

In one embodiment of the present invention, the step of storing the certificate may include generating a certificate public key and a certificate private key by the user's terminal; receiving, by a certificate issuing server, the certificate public key and certificate issuance request from a user's terminal; generating a certificate including the certificate public key by a certificate issuing server and transmitting the certificate to a user's terminal; and storing the certificate in the web storage by the user's terminal.

In one embodiment of the present invention, the first authentication step, by the FIDO server, receiving a user authentication request from the user's terminal; Transmitting, by the FIDO server, a biometric information authentication request to a user's terminal; By the FIDO server, when user authentication is completed according to the biometric information authentication in the user's terminal, transmitting the symmetric key derivation information including the user's FIDO public key to the user's terminal; .

In one embodiment of the present invention, the second authentication step, by the FIDO server, receiving a user authentication request from the user's terminal; Transmitting, by the FIDO server, a biometric information authentication request to a user's terminal; Transmitting, by the FIDO server, the symmetric key derivation information including the user's first public key to the user's terminal when user authentication is completed as biometric information authentication is performed in the user's terminal; The digital signature step may include deriving a symmetric key by a user's terminal through biometric information authentication based on the symmetric key derivation information; and decrypting, by the user's terminal, the encryption key data stored in the web storage using the symmetric key. and performing digital signature using the private key of the certificate decrypted from the encryption key data by the user's terminal.

In one embodiment of the present invention, the symmetric key may be derived by the user's terminal based on the symmetric key derivation information after the user's biometric information authentication is performed.

In order to solve the above problems, an embodiment of the present invention is a FIDO-based password-free electronic signature system implemented by a certificate issuing server, a FIDO server, and a user's terminal, in which a web browser is executed in the user's terminal Information for performing the digital signature may be stored in the web storage, the FIDO server transmits a biometric information authentication request to the user's terminal according to the user registration request transmitted from the user's terminal, and the FIDO server transmits the user's Receives and stores user-specific information generated by performing biometric information authentication in the terminal of the user, and the certificate issuing server receives a certificate public key and a certificate issuance request from the user's terminal, and generates a certificate including the certificate public key. Create and transmit to the user's terminal, the user's terminal stores the certificate in web storage, and the FIDO server, when user authentication of the user's terminal is completed, contains user-specific information or from information containing user-specific information The derived symmetric key derivation information is transmitted to the user's terminal, and the user's terminal stores the encryption key data that encrypts the private key of the certificate with the symmetric key derived based on the symmetric key derivation information in the web storage. And, the FIDO server transmits the symmetric key derivation information to the user terminal when user authentication of the user terminal is completed, and the user terminal uses the symmetric key derived based on the symmetric key derivation information to perform encryption stored in the web storage. Provided is a system in which a private key of a certificate is derived by decrypting key data, and a user's terminal performs a digital signature on original data using the certificate and the private key.

According to one embodiment of the present invention, when using a PKI certificate in a user's PC, user authentication is performed using a biometric information authentication method according to the FIDO standard, so that a digital signature can be easily performed without entering a password. can be effective.

According to an embodiment of the present invention, encryption key data obtained by encrypting a certificate and a certificate private key, which are information necessary for performing a digital signature, is stored in a web storage, and digital signature is performed with the certificate and private key stored in the web storage, Since there is no need to possess a certificate and a private key in the user's terminal, it is possible to exert an effect of preventing leakage of personal information due to loss of the terminal.

According to an embodiment of the present invention, by deriving a symmetric key based on symmetric key derivation information derived based on user-specific information stored after user registration in the FIDO server, the security of the encryption key for encrypting data can be strengthened effect can be exerted.

According to an embodiment of the present invention, by performing user authentication using a biometric information authentication method and not using a password, it is possible to prevent personal information leakage accidents due to password hacking such as key logging. .

According to an embodiment of the present invention, by storing and using a certificate and a private key in the web storage of a web browser, it is possible to perform an electronic signature without installing a security program such as Active X in the user's terminal. there is.

1 schematically illustrates the overall system form of a FIDO-based password-free electronic signature method according to an embodiment of the present invention.
Figure 2 schematically shows the steps of the overall process of performing the FIDO-based password-free digital signature method according to an embodiment of the present invention.
3 schematically illustrates a process of performing a user registration step according to an embodiment of the present invention.
4 schematically illustrates a process of performing a certificate storage step according to an embodiment of the present invention.
5 schematically illustrates a process of performing a first authentication step and a key data storage step according to an embodiment of the present invention.
6 schematically illustrates a process of performing a second authentication step and a digital signature step according to an embodiment of the present invention.
7 schematically illustrates a process of performing a first authentication step and a second authentication step according to an embodiment of the present invention.
8 schematically illustrates the internal configuration of a computing device according to an embodiment of the present invention.

Various embodiments are now described with reference to the drawings, wherein like reference numbers are used throughout the drawings to indicate like elements. In this specification, various descriptions are presented to provide an understanding of the present invention. However, it is apparent that these embodiments may be practiced without these specific details. In other instances, well-known structures and devices are presented in block diagram form in order to facilitate describing embodiments.

As used herein, the terms "component", "module", "system", "unit", etc. refer to a computer-related entity, hardware, firmware, software, a combination of software and hardware, or an execution of software. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, a thread of execution, a program, and/or a computer. For example, both an application running on a computing device and a computing device may be components. One or more components may reside within a processor and/or thread of execution, and a component may reside on a computer

It can be localized within, or distributed between two or more computers. Also, these components can execute from various computer readable media having various data structures stored thereon. Components may for example signal with one or more packets of data (e.g. data and/or signals from one component interacting with another component in a local system, distributed system to other systems and data over a network such as the Internet). ) to communicate via local and/or remote processes.

Also, the terms "comprises" and/or "comprising" mean that the feature and/or element is present, but excludes the presence or addition of one or more other features, elements and/or groups thereof. It should be understood that it does not.

In addition, terms including ordinal numbers such as first and second may be used to describe various components, but the components are not limited by the terms. These terms are only used for the purpose of distinguishing one component from another. For example, a first element may be termed a second element, and similarly, a second element may be termed a first element, without departing from the scope of the present invention. The terms and/or include any combination of a plurality of related recited items or any of a plurality of related recited items.

In addition, in the embodiments of the present invention, unless otherwise defined, all terms used herein, including technical or scientific terms, are generally understood by those of ordinary skill in the art to which the present invention belongs. has the same meaning as Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the related art, and unless explicitly defined in the embodiments of the present invention, an ideal or excessively formal meaning not be interpreted as

A “user terminal” referred to below may be implemented as a computer or portable terminal capable of accessing a server or other terminals through a network. Here, the computer includes, for example, a laptop, desktop, laptop, etc. equipped with a web browser, and the portable terminal is, for example, a wireless communication device that ensures portability and mobility. , PCS(Personal Communication System), GSM(Global System for Mobile communications), PDC(Personal Digital Cellular), PHS(Personal Handyphone System), PDA(Personal Digital Assistant), IMT(International Mobile Telecommunication)-2000, CDMA(Code Division Multiple Access)-2000, W-CDMA (W-Code Division Multiple Access), Wibro (Wireless Broadband Internet) terminals, and the like. In addition, a "network" is a wired network such as a local area network (LAN), a wide area network (WAN) or a value added network (VAN), a mobile radio communication network, or a satellite It can be implemented in all kinds of wireless networks such as communication networks.

1 schematically illustrates the overall system form of a FIDO-based password-free electronic signature method according to an embodiment of the present invention.

The user terminal of FIG. 1 may correspond to the aforementioned user terminal, and the FIDO server 1000 and the certificate issuing server 2000 correspond to a computing device including one or more processors and one or more memories. 1, the FIDO server 1000 and the certificate issuing server 2000 included in the server system are shown separately, but in another embodiment, the FIDO server 1000 and the certificate issuing server 2000 are integrated server may exist as Preferably, the user's terminal is a laptop, desktop, or laptop equipped with a web browser. The user's terminal may access the FIDO server 1000 and the certificate issuance server 2000 through a web browser program, and perform authentication through biometric information to log in to his or her account.

In the present invention, FIDO (Fast Identity Online) is a new authentication system that allows authentication to be processed through a simple procedure that cannot be replaced through biometric information such as fingerprint recognition, iris recognition, or face recognition instead of ID and password. is the standard specification of The biometric information should be interpreted as information including all biometric information such as fingerprint, iris face recognition, voice, and vein that can be extracted from a living body or behavioral characteristic biometric information such as motion.

In the present invention, the web browser installed in the user's terminal includes all application applications that allow the user to access the website, such as Microsoft's Internet Explorer, Google's Chrome, and Apple's Safari, and is a client, not a server, through the web browser. You can use web storage where you can store data on . Web storage includes local storage capable of semi-permanently storing data in a browser and session storage capable of individually storing data for each session, and the web storage of the present invention includes either local storage or session storage. can be used

The FIDO server 1000 receives a user registration request from the user's terminal, stores user-specific information to perform user registration, and transmits a biometric information authentication request to the user's terminal for which biometric information authentication has been completed. It is possible to transmit symmetric key derivation information derived from information that includes unique information or user-specific information.

The certificate issuing server 2000 may receive a certificate public key and a certificate issuance request from a user's terminal, generate a certificate including the certificate public key, and transmit the generated certificate to the user's terminal.

The user's terminal performs user authentication based on biometric information through the FIDO server 1000, and the user's terminal that has performed the user authentication receives symmetric key derivation information from the FIDO server 1000, and the symmetric key derivation information Based on this, a symmetric key can be derived. In addition, a certificate may be received through a certificate issuance request to the certificate issuance server 2000 and stored in the web storage. The encryption key data that encrypts the private key of the certificate generated in the user's terminal by the derived symmetric key can be stored in web storage, and the encryption key data stored with the derived symmetric key is decrypted to derive the private key of the certificate. It is possible to perform electronic signature on the original data by using the private key.

Hereinafter, operations of the user's terminal and the server system will be described in more detail.

Figure 2 schematically shows the steps of the overall process of performing the FIDO-based password-free digital signature method according to an embodiment of the present invention.

The server system of the present invention can provide a FIDO-based password-free electronic signature method. In general, user authentication is performed through biometric information authentication according to the FIDO standard to replace password input, and user-specific information stored when registering a user in the FIDO server (1000) is used as symmetric key derivation information Through a symmetric key generated Information for digital signature can be encrypted and the user's certificate and private key can be stored in the web storage of the web browser that can be executed in the user's terminal.

Figure 2 shows a process of performing a user registration step, a certificate storage step, a first authentication step, a key data storage step, a second authentication step, and a digital signature step by the server system and the user terminal of the present invention. Specifically, as a FIDO-based password-free electronic signature method performed by the certificate issuing server 2000, the FIDO server 1000, and the user's terminal, the user's terminal can run a web browser and perform the digital signature The information for may be stored in the web storage, and by the FIDO server 1000, a biometric information authentication request is transmitted to the user's terminal according to the user registration request transmitted from the user's terminal, and the biometric information in the user's terminal A user registration step of receiving and storing user-specific information generated by performing authentication (S1000); The certificate issuing server 2000 receives a certificate public key and a certificate issuance request from a user's terminal, generates a certificate including the certificate public key, and transmits the certificate to the user's terminal, and by the user's terminal, the certificate Certificate storage step (S2000) of storing in the web storage; When user authentication of the user's terminal is completed by the FIDO server 1000, a first authentication step of transmitting symmetric key derivation information including user-specific information or derived from information including user-specific information to the user's terminal (S3000); A key data storage step (S4000) of storing, by the user's terminal, encryption key data obtained by encrypting the private key of the certificate using the symmetric key derived based on the symmetric key derivation information, in the web storage; A second authentication step (S5000) of transmitting the symmetric key derivation information to the user's terminal when the user authentication of the user's terminal is completed by the FIDO server (1000); and the user's terminal decrypts the encryption key data stored in the web storage with the symmetric key derived based on the symmetric key derivation information to derive the private key of the certificate, and uses the certificate and the private key to decrypt the original text data. It includes; electronic signature step (S6000) of performing a signature.

Specifically, in the user registration step (S1000), the FIDO server 1000 receives a user registration request from the user's terminal and transmits a biometric information authentication request to the user's terminal, and biometric information authentication in the user's terminal Receives and stores user-specific information generated according to the execution. Preferably, the user-specific information includes user information including a user ID and a FIDO public key.

In the certificate storage step (S2000), the certificate issuing server 2000 receives a certificate public key and a certificate issuance request from the user's terminal, and transmits a certificate including the certificate public key to the user's terminal. The terminal of the user who has received the certificate including the certificate public key stores the received certificate in the web storage of the web browser.

In the first authentication step (S3000), when user authentication of the user's terminal is completed by the FIDO server 1000, symmetric key derivation information derived from information containing user-specific information or user-specific information transmitted to the user's terminal. Preferably, the symmetric key derivation information includes a FIDO public key and a user ID.

In the key data storage step (S4000), the user's terminal derives a symmetric key based on the symmetric key derivation information received from the FIDO server 1000 after performing biometric information authentication. Thereafter, the private key of the certificate is encrypted using the derived symmetric key to generate encryption key data, and the generated encryption key data is stored in the web storage.

In the second authentication step (S5000), when user authentication of the user's terminal is completed by the FIDO server 1000, symmetric key derivation information derived from information containing user-specific information or user-specific information transmitted to the user's terminal.

In the digital signature step (S6000), the user's terminal derives a symmetric key based on the symmetric key derivation information received from the FIDO server (1000) after biometric information authentication is performed. Thereafter, the encryption key data stored in the web storage is decrypted by the derived symmetric key to derive the private key of the certificate, and the original data is digitally signed using the certificate and the private key.

In this way, since the user performs user authentication using the biometric information authentication method according to the FIDO standard without using a password, it is possible to easily perform an electronic signature without entering a password.

3 schematically illustrates a process of performing a user registration step according to an embodiment of the present invention.

Specifically, the user registration step (S1000), by the FIDO server (1000), receiving a user registration request from the user's terminal (S100); By the FIDO server (1000), sending a biometric information authentication request to the user's terminal (S110); Receiving, by the FIDO server 1000, the user-specific information including the FIDO public key generated from the terminal of the user who performed the biometric information authentication according to the biometric information authentication request (S140); and storing, by the FIDO server 1000, the user-specific information including the received FIDO public key in the FIDO server 1000 (S150).

In step S100, the user's terminal transmits a user registration request to the FIDO server (1000). That is, the user registration request is received from the user's terminal by the FIDO server (1000).

In step S110, the biometric information authentication request is transmitted to the user terminal by the FIDO server 1000 having received the user registration request.

In step S120, the terminal of the user who has received the biometric information authentication request performs biometric information authentication. Preferably, the biometric information authentication request is performed by determining whether the biometric information of the user pre-stored in the user's terminal matches the biometric information input to the user's terminal. For example, when biometric information pre-stored in the user's terminal to perform biometric information authentication is a fingerprint, biometric information authentication is input to the user's terminal when performing biometric information authentication with the user's fingerprint pre-stored in the user's terminal. Determines whether the user's fingerprint matches. When the input user's fingerprint matches the previously stored user's fingerprint, biometric information authentication is completed.

In step S130, when the biometric information authentication is completed, the user's terminal generates the user's FIDO public key and FIDO private key. Preferably, when biometric information authentication is not completed, the user's terminal does not generate a FIDO public key and a FIDO private key.

In step S140, the user's terminal transmits the user-specific information including the FIDO public key and user ID generated in step S130 to the FIDO server 1000. That is, by the FIDO server 1000, user-specific information including the FIDO public key generated from the terminal of the user who has performed biometric information authentication is received.

In step S150, by the FIDO server 1000, user registration is performed by storing user-specific information including the received FIDO public key in the FIDO server 1000.

In this way, by storing user information in the FIDO server 1000 and registering a user, symmetric key derivation information can be derived based on user-specific information stored in the FIDO server 1000 to derive a symmetric key, Encryption and decryption can be performed, and the security of an encryption key for encrypting data can be enhanced.

4 schematically illustrates a process of performing a certificate storage step according to an embodiment of the present invention.

Specifically, the certificate storage step includes generating a certificate public key and a certificate private key by the user's terminal (S200); Receiving the certificate public key and certificate issuance request from the user's terminal by the certificate issuing server (2000) (S210); generating a certificate including the certificate public key by the certificate issuing server 2000 and transmitting the certificate to the user's terminal (S220 and S230); and storing the certificate in the web storage by the user's terminal (S240).

In step S200, the user's terminal generates a certificate public key and a certificate private key for digital signature.

In step S210, the user's terminal transmits the certificate public key generated in step S200 and the certificate issuance request to the certificate issuing server 2000. That is, by the certificate issuing server 2000, a certificate public key and a certificate issuance request are received from the user's terminal.

In step S220, the certificate issuing server 2000 generates a certificate including a certificate public key and transmits it to the user's terminal. The certificate generated by the certificate issuing server 2000 may further include certificate information such as an issuing subject, an issuing authority, a signature of the issuing authority, and a certificate serial number in addition to the certificate public key.

In step S230, the certificate issuing server 2000 transmits the certificate generated in step S220 to the user's terminal.

In step S240, the user's terminal receives the certificate including the certificate public key transmitted by the certificate issuing server 2000, and stores the received certificate in the web storage.

By storing the issued certificate in the web storage of the web browser running on the user's terminal, the user's terminal can perform the digital signature through the certificate stored in the web storage when the user's terminal wants to perform the digital signature. By not directly storing the certificate in the terminal, it is possible to exert an effect of preventing the risk of leakage of personal information due to the loss of the certificate due to the loss of the user's terminal.

5 schematically illustrates a process of performing a first authentication step and a key data storage step according to an embodiment of the present invention.

Specifically, the first authentication step, by the FIDO server 1000, receiving a user authentication request from the user's terminal (S300)); By the FIDO server (1000), sending a biometric information authentication request to the user's terminal (S310); By the FIDO server 1000, when user authentication is completed according to the biometric information authentication in the user's terminal, transmitting the symmetric key derivation information including the user's FIDO public key to the user's terminal (S350) ; and the key data storage step (S4000) includes: performing biometric information authentication by the user's terminal and deriving the symmetric key based on the symmetric key derivation information (S360); generating, by the user's terminal, encryption key data obtained by encrypting the private key of the certificate using the derived symmetric key (S370); Storing the encryption key data obtained by encrypting the private key of the certificate in a web storage (S380); includes.

In step S300, the user's terminal transmits a user authentication request to the FIDO server (1000). That is, by the FIDO server 1000, a user authentication request is received from the user's terminal.

In step S310, a biometric information authentication request is transmitted to the user terminal by the FIDO server 1000.

In step S320, the user's terminal performs biometric information authentication according to the biometric information authentication request transmitted from the FIDO server 1000, and generates an authentication response for biometric information authentication when the biometric information authentication is completed.

In step S330, the user's terminal transmits the authentication response generated after biometric information authentication in step S320 to the FIDO server 1000.

In step S340, the FIDO server 1000 verifies the authentication response received from the user's terminal to perform user authentication.

In step S350, the FIDO server 1000 transmits symmetric key derivation information to the user terminal when user authentication is completed. Preferably, the symmetric key derivation information includes the FIDO public key and user ID generated in the user registration step.

In step S360, the user's terminal receiving the symmetric key derivation information from the FIDO server 1000 performs biometric information authentication. When the biometric information authentication is completed, the user's terminal derives a symmetric key based on the received symmetric key derivation information.

In step S370, the terminal of the user who derived the symmetric key encrypts the certificate private key using the derived symmetric key to generate encryption key data.

In step S380, the user's terminal stores the encryption key data in which the certificate private key is encrypted by the symmetric key in the web storage.

Preferably, a process in the form of a program that performs these steps can be operated in the web browser of the user's terminal.

Preferably, the key data storage step may be performed only when user authentication is completed in the first authentication step.

In this way, the user's terminal stores the encryption key data that encrypts the certificate and certificate private key, which are information necessary for performing digital signature, in the web storage, so that the user's terminal does not need to possess the certificate and private key, By performing the digital signature with the certificate and private key stored in the web storage, it is possible to exert an effect of preventing leakage of personal information due to loss of the terminal.

6 schematically illustrates a process of performing a second authentication step and a digital signature step according to an embodiment of the present invention.

Specifically, the second authentication step (S5000) includes, by the FIDO server 1000, receiving a user authentication request from the user's terminal (S400); By the FIDO server (1000), sending a biometric information authentication request to the user's terminal (S410); By the FIDO server 1000, when user authentication is completed according to the biometric information authentication in the user's terminal, transmitting the symmetric key derivation information including the user's first public key to the user's terminal (S420 ); wherein the digital signature step comprises: deriving a symmetric key by the user's terminal through biometric authentication based on the symmetric key derivation information (S460); and decrypting, by the user's terminal, the encryption key data stored in the web storage using the symmetric key (S470); and performing digital signature using the private key of the certificate decrypted from the encryption key data by the user's terminal (S480).

In step S400, the user's terminal transmits a user authentication request to the FIDO server (1000). That is, by the FIDO server 1000, a user authentication request is received from the user's terminal.

In step S410, a biometric information authentication request is transmitted to the user terminal by the FIDO server 1000.

In step S420, the user's terminal performs biometric information authentication according to the biometric information authentication request transmitted from the FIDO server 1000, and generates an authentication response for biometric information authentication when the biometric information authentication is completed.

In step S430, the user's terminal transmits the authentication response generated after biometric information authentication in step S420 to the FIDO server 1000.

In step S440, the FIDO server 1000 verifies the authentication response received from the user's terminal to perform user authentication.

In step S450, the FIDO server 1000 transmits symmetric key derivation information to the user's terminal when user authentication is completed. Preferably, the symmetric key derivation information includes the FIDO public key and user ID generated in the user registration step.

Steps S400 to S450 correspond to the second authentication step.

In step S460, the user's terminal receiving the symmetric key derivation information from the FIDO server 1000 performs biometric information authentication. When the biometric information authentication is completed, the user's terminal derives a symmetric key based on the received symmetric key derivation information.

In step S470, the terminal of the user who derived the symmetric key derives the private key of the certificate by decrypting the encryption key data, which is the private key of the encrypted certificate stored in the web storage, by the derived symmetric key.

In step S480, the user's terminal performs a digital signature on the original text data using the certificate and the private key of the certificate decrypted from the encryption key data.

Steps S460 to S480 correspond to the electronic signature step.

Preferably, a process in the form of a program that performs these steps can be operated in the web browser of the user's terminal.

Preferably, the electronic signature step may be performed only when user authentication is completed in the second authentication step.

In this way, the user's terminal stores the encryption key data that encrypts the certificate and certificate private key, which are information necessary for performing digital signature, in the web storage, so there is no need to download the certificate and private key to the user's terminal, By performing the electronic signature through the web browser, it is possible to exert an effect of preventing leakage of personal information due to loss of the terminal.

7 schematically illustrates a process of performing a first authentication step and a second authentication step according to an embodiment of the present invention.

Specifically, the first authentication step and the second authentication step, by the FIDO server (1000), receiving a user authentication request from the user's terminal (S510); By the FIDO server 1000, generating one-time verification information and transmitting it to the user's terminal (S520); Receiving, by the FIDO server 1000, an authentication response including the one-time verification information encrypted with the user's FIDO private key from the terminal of the user whose biometric information authentication has been performed (S550); Decrypting the authentication response received using the user's FIDO public key stored in the user registration step by the FIDO server (1000) (S560); and performing user authentication by determining whether the decrypted one-time verification information and the one-time verification information generated by the FIDO server 1000 match by the FIDO server 1000 (S570).

In step S510, a user authentication request is received from the user's terminal by the FIDO server (1000) (2000).

In step S520, by the FIDO server 1000 receiving the user authentication request, one-time verification information is generated and the one-time verification information is transmitted to the user's terminal.

In the FIDO server 1000, a random number may be generated as a random value for user authentication and delivered to the user as a challenge. The one-time verification information refers to a randomly generated Challenge Number to perform user authentication once.

In step S530, the user's terminal receiving the one-time verification information from the FIDO server 1000 performs biometric information authentication. Preferably, the biometric information authentication is performed by determining whether the user's biometric information pre-stored in the user's terminal matches the biometric information input to the user's terminal.

In step S540, when the biometric information authentication is completed, the user's terminal encrypts the received one-time verification information using the FIDO private key generated in the user registration step.

In step S550, the user terminal transmits an authentication response including encrypted one-time verification information to the FIDO server 1000. That is, by the FIDO server 1000, an authentication response including one-time verification information encrypted with the user's private key is received from the user's terminal.

In step S560, the FIDO server 1000 receiving the verification response decrypts the encrypted one-time verification information included in the authentication response received by the user's FIDO public key stored in the FIDO server 1000 in the user registration step do The FIDO private key and FIDO public key generated in the user's terminal are asymmetric keys that can be decrypted only with the other key when encryption is performed with each key. That is, when some data is encrypted with a private key, the encrypted data can be decrypted with the public key paired with the private key. Data can be decrypted. Therefore, when the encrypted one-time verification information is decrypted and decryption is completed, it can be authenticated that the one-time verification information is the one-time verification information transmitted through the user's terminal by the user who is currently trying to authenticate.

In step S570, user authentication is performed by determining whether the decrypted one-time verification information and the one-time verification information generated by the FIDO server 1000 match by the FIDO server 1000. If the one-time verification information decrypted in step S560 and the one-time verification information generated by the FIDO server 1000 and transmitted to the user's terminal match, user authentication is completed. If the decrypted one-time verification information and the one-time verification information generated by the FIDO server 1000 do not match, user authentication is not completed.

In this way, when user authentication is completed in the first and second authentication steps, the FIDO server 1000 transmits symmetric key derivation information to the user's terminal.

In this way, biometric information authentication is performed based on biometric information, and verification responses to one-time verification information are verified by user common information shared only by the user's terminal and the FIDO server (1000) only when biometric information authentication is completed. However, since user authentication is performed only for registered users, the security of user authentication can be strengthened.

8 schematically illustrates the internal configuration of a computing device according to an embodiment of the present invention.

All or some of the components shown in FIG. 1 may include components of a computing device described later.

As shown in FIG. 8 , a computing device 11000 includes at least one processor 11100, a memory 11200, a peripheral interface 11300, an input/output subsystem ( I/O subsystem 11400, a power circuit 11500, and a communication circuit 11600 may be included at least.

The memory 11200 may include, for example, high-speed random access memory, magnetic disk, SRAM, DRAM, ROM, flash memory, or non-volatile memory. there is. The memory 11200 may include a software module, a command set, or other various data necessary for the operation of the computing device 11000 .

In this case, access to the memory 11200 from other components, such as the processor 11100 or the peripheral device interface 11300, may be controlled by the processor 11100. The processor 11100 may be composed of single or multiple processors, and may include GPU and TPU type processors in order to improve calculation processing speed.

Peripheral interface 11300 may couple input and/or output peripherals of computing device 11000 to processor 11100 and memory 11200 . The processor 11100 may execute various functions for the computing device 11000 and process data by executing software modules or command sets stored in the memory 11200 .

Input/output subsystem 11400 can couple various input/output peripherals to peripheral interface 11300. For example, the input/output subsystem 11400 may include a controller for coupling a peripheral device such as a monitor, keyboard, mouse, printer, or touch screen or sensor to the peripheral interface 11300 as needed. According to another aspect, input/output peripherals may be coupled to the peripheral interface 11300 without going through the input/output subsystem 11400.

The power circuit 11500 may supply power to all or some of the terminal's components. For example, power circuit 11500 may include a power management system, one or more power sources such as a battery or alternating current (AC), a charging system, a power failure detection circuit, a power converter or inverter, a power status indicator or power It may contain any other components for creation, management and distribution.

The communication circuit 11600 may enable communication with another computing device using at least one external port.

Alternatively, as described above, the communication circuit 11600 may include an RF circuit and transmit/receive an RF signal, also known as an electromagnetic signal, to enable communication with another computing device.

The embodiment of FIG. 8 is just one example of the computing device 11000, and the computing device 11000 may omit some of the components shown in FIG. 8, further include additional components not shown in FIG. It may have a configuration or arrangement combining two or more components. For example, a computing device for a communication terminal in a mobile environment may further include a touch screen or a sensor in addition to the components shown in FIG. , Bluetooth, NFC, Zigbee, etc.) may include a circuit for RF communication. Components that may be included in the computing device 11000 may be implemented as hardware including one or more signal processing or application-specific integrated circuits, software, or a combination of both hardware and software.

Methods according to embodiments of the present invention may be implemented in the form of program instructions that can be executed through various computing devices and recorded in computer readable media. In particular, the program according to the present embodiment may be composed of a PC-based program or a mobile terminal-specific application. An application to which the present invention is applied may be installed in a user terminal through a file provided by a file distribution system. For example, the file distribution system may include a file transmission unit (not shown) that transmits the file according to a request of a user terminal.

The device described above may be implemented as a hardware component, a software component, and/or a combination of hardware components and software components. For example, devices and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA) , a programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. A processing device may run an operating system (OS) and one or more software applications running on the operating system. A processing device may also access, store, manipulate, process, and generate data in response to execution of software. For convenience of understanding, there are cases in which one processing device is used, but those skilled in the art will understand that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that it can include. For example, a processing device may include a plurality of processors or a processor and a controller. Other processing configurations are also possible, such as parallel processors.

Software may include a computer program, code, instructions, or a combination of one or more of the foregoing, which configures a processing device to operate as desired or processes independently or collectively. You can command the device. Software and/or data may be any tangible machine, component, physical device, virtual equipment, computer storage medium or device, intended to be interpreted by or to provide instructions or data to a processing device. , or may be permanently or temporarily embodied in a transmitted signal wave. Software may be distributed on networked computing devices and stored or executed in a distributed manner. Software and data may be stored on one or more computer readable media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer readable medium. The computer readable medium may include program instructions, data files, data structures, etc. alone or in combination. Program commands recorded on the medium may be specially designed and configured for the embodiment or may be known and usable to those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as flOTPical disks. - Optical media (magneto-OTPical media), and hardware devices specially configured to store and execute program instructions such as ROM, RAM, flash memory, etc. are included. Examples of program instructions include high-level language codes that can be executed by a computer using an interpreter, as well as machine language codes such as those produced by a compiler. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

As described above, although the embodiments have been described with limited examples and drawings, those skilled in the art can make various modifications and variations from the above description. For example, the described techniques may be performed in an order different from the method described, and/or components of the described system, structure, device, circuit, etc. may be combined or combined in a different form than the method described, or other components may be used. Or even if it is replaced or substituted by equivalents, appropriate results can be achieved.

Therefore, other implementations, other embodiments, and equivalents of the claims are within the scope of the following claims.

Claims (8)

As a FIDO-based password-free electronic signature method performed by a certificate issuing server, a FIDO server, and a user's terminal,
A web browser may be executed on the user's terminal, information for performing digital signature may be stored in web storage,
The FIDO server transmits a biometric information authentication request to the user's terminal according to the user registration request transmitted from the user's terminal, and receives and stores the user's unique information generated according to the biometric information authentication in the user's terminal. user registration step;
The certificate issuing server receives a certificate public key and a certificate issuance request from the user's terminal, generates a certificate including the certificate public key, and transmits the certificate to the user's terminal, and the user's terminal stores the certificate in web storage. Certificate storage step to store in;
When the user authentication of the user's terminal is completed by the FIDO server, a first authentication step of transmitting symmetric key derivation information including user-specific information or derived from information including user-specific information to the user's terminal;
a key data storage step of storing, by the user's terminal, encryption key data obtained by encrypting the private key of the certificate using the symmetric key derived based on the symmetric key derivation information, in the web storage;
a second authentication step of transmitting, by the FIDO server, the symmetric key derivation information to the user's terminal when user authentication of the user's terminal is completed; and
The user's terminal decrypts the encryption key data stored in the web storage with the symmetric key derived based on the symmetric key derivation information to derive the private key of the certificate, and obtains a digital signature for the original data using the certificate and the private key. Electronic signature step to perform; FIDO-based password-free electronic signature method comprising a.
The method of claim 1,
In the user registration step,
Receiving a user registration request from a user's terminal by the FIDO server;
Transmitting, by the FIDO server, a biometric information authentication request to a user's terminal;
Receiving, by the FIDO server, the user-specific information including the FIDO public key generated from the terminal of the user who performed biometric information authentication according to the biometric information authentication request; and
Storing, by the FIDO server, the user-specific information including the received FIDO public key in the FIDO server; FIDO-based passwordless electronic signature method comprising the.
The method of claim 1,
The symmetric key derivation information,
FIDO-based passwordless electronic signature method, including the FIDO public key and user ID generated in the user registration step.
The method of claim 1,
The certificate storage step,
generating a certificate public key and a certificate private key by the user's terminal;
receiving, by a certificate issuing server, the certificate public key and certificate issuance request from a user's terminal;
generating a certificate including the certificate public key by a certificate issuing server and transmitting the certificate to a user's terminal; and
By the user's terminal, storing the certificate in the web storage; including, FIDO-based password-free electronic signature method.
The method of claim 1,
In the first authentication step,
Receiving a user authentication request from a user's terminal by the FIDO server;
Transmitting, by the FIDO server, a biometric information authentication request to a user's terminal;
By the FIDO server, when user authentication is completed according to the biometric information authentication in the user's terminal, transmitting the symmetric key derivation information including the user's FIDO public key to the user's terminal; including, FIDO Based password-free digital signature method.
The method of claim 1,
The second authentication step,
Receiving a user authentication request from a user's terminal by the FIDO server;
Transmitting, by the FIDO server, a biometric information authentication request to a user's terminal;
Transmitting, by the FIDO server, the symmetric key derivation information including the user's FIDO public key to the user terminal when user authentication is completed according to the biometric information authentication performed in the user terminal;
The electronic signature step,
deriving, by the user's terminal, a symmetric key through biometric information authentication based on the symmetric key derivation information; and
decrypting, by the user's terminal, the encryption key data stored in the web storage using the symmetric key; and
FIDO-based passwordless electronic signature method comprising: performing a digital signature using the private key of the certificate decrypted from the encryption key data by the user's terminal.
The method of claim 1,
The symmetric key,
FIDO-based password-free electronic signature method derived based on the symmetric key derivation information after performing the user's biometric information authentication by the user's terminal.
As a FIDO-based password-free electronic signature system implemented by a certificate issuing server, a FIDO server, and a user's terminal,
A web browser may be executed on the user's terminal, information for performing digital signature may be stored in web storage,
The FIDO server transmits a biometric information authentication request to the user's terminal according to the user registration request sent from the user's terminal,
The FIDO server receives and stores user-specific information generated by performing biometric information authentication in the user's terminal,
The certificate issuing server receives a certificate public key and a certificate issuance request from the user's terminal, generates a certificate including the certificate public key, and transmits the certificate to the user's terminal;
The user's terminal stores the certificate in web storage,
When the user authentication of the user's terminal is completed, the FIDO server transmits symmetric key derivation information derived from information containing user-specific information or user-specific information to the user's terminal,
The user's terminal stores encryption key data, which encrypts the private key of the certificate, in the web storage using the symmetric key derived based on the symmetric key derivation information;
The FIDO server transmits the symmetric key derivation information to the user terminal when user authentication of the user terminal is completed,
The user's terminal derives the private key of the certificate by decrypting the encryption key data stored in the web storage with the symmetric key derived based on the symmetric key derivation information;
The user's terminal performs a digital signature on the original data by the certificate and the private key, a FIDO-based password-free electronic signature system.

Images