KR20010098202A - method for secure for exchanging e-document in the internet - Google Patents

Abstract

Disclosed is a security method for electronic document exchange in an internet to solve a security problem that may occur in an electronic document exchange or an electronic payment when implementing an intranet using a web server. The present invention creates a new pseudo random generator object used as a seed for generating a DSA key pair, generates a 100-byte pseudo random number, obtains a KeyPairGenerator object, and initializes the KeyPairGenerator object with a key size of 512 bits and a seed random number. Generating a keyPair object from a KeyPairGenerator object, obtaining a secret key and a public key of the KeyPair object, and storing them in a file; A signature generation step of transmitting a public key among the keys generated by the DSA key generator to the web server, the client signing the message with the secret key, and then sending the signed message to the web server; And the web server decrypts the received client signature with the previously received public key and authenticates if the decryption value is the same as the registered user.

Description

Secure method for exchanging e-documents on the Internet

The present invention relates to a security method for electronic document exchange in the Internet, and more particularly, to a security method for electronic document exchange in the Internet to solve the security problems that may occur in the exchange of electronic documents or electronic payment when implementing the intranet using a web server It is about.

In general, due to the rapid growth of the Internet, domestic companies are facing crises and opportunities at the same time. The crisis is the fact that competition between companies is intensifying not only domestically but also internationally, so there is no place to sell goods even in the country without international competitiveness, and the opportunity is that if you have international competitiveness, you can do business with consumers all over the world.

The Internet is now the foundation of a distribution system that allows companies located anywhere in the world to trade as if they were buying something from a household in their neighborhood. In this situation, companies need to adapt to the rapidly changing international market environment in order to be internationally competitive, including the need for cost reduction and productivity improvement and increased customer demand for goods and services.

It is problematic for companies to adapt to the current market environment because of their limitations and inconsistencies in making in-house decision-making or serving customers around the world with existing documented communication systems. Therefore, an electronic payment and electronic ordering system that can reduce costs by making faster decisions and serving customers in a wide variety of markets, and promote and sell goods to customers around the world, is the best solution. have. However, the infrastructure for this is urgent to construct, but more importantly, the problem of confidentiality of information and authentication of the settlement agent is solved.

The present invention has been invented to solve the above problems, security of the system, document encryption, to build a web server intranet system to enable the company's basic business and publicity over the Internet for companies that are not built intranet The purpose is to provide an authentication method.

1 is a block diagram showing the disclosure of a public key to a web server as an application example of a security method according to the present invention.

FIG. 2 is a block diagram illustrating an example of applying a security method according to the present invention to obtain a public key and a ciphertext generator of a person who sends a document to a web server and transmit the encrypted document and a symmetric encryption key web server.

3 is a block diagram showing reading of a cipher text transmitted as an application example of a security method according to the present invention.

The present invention for achieving the above object

Create a new pseudo-random generator object used as a seed to generate the DSA key pair, generate a 100-byte pseudo-random number to obtain a KeyPairGenerator object, initialize the KeyPairGenerator object with a 512-bit key size, and a seed random number, and then use a KeyPairGenerator object. A key generation step of obtaining a secret key and a public key of the KeyPair object after storing the KeyPair object in a file;

A signature generation step of transmitting a public key among the keys generated by the DSA key generator to the web server, the client signing the message with the secret key, and then sending the signed message to the web server; And

The web server includes a signature authentication step of decrypting the received client signature with the public key received previously and authenticating if the decryption value is the same as the registered user.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

In the accompanying drawings, Figure 1 is a block diagram for showing the public key of the public to the public as an example of the application of the security method according to the present invention, Figure 2 is an application of the security method according to the present invention. 3 is a block diagram showing a public key and a ciphertext generator of a sender to be sent to a web server and transmitted to an encrypted document and a symmetric cryptographic key web server, and FIG. 3 is a ciphertext transmitted as an application example of a security method according to the present invention. Is a block diagram to show reading.

For corporate business process support system using web, security method should be classified and applied to each component of client / server environment. To this end, we analyze the business according to the security classification of Orange Book and Red Book presented by the US Department of Defense and apply security methods. Doing so can alleviate the anxiety of companies doing business on the Web.

Electronic document exchange refers to a method of exchanging data with one another through a network in a structured and standardized form that can be processed by a computer, instead of exchanging paper documents in a company or business. Types of security breaches that can occur in such electronic document exchanges include eavesdropping, tampering, forgery, and denial of transmission and reception of documents. In addition, user authentication is required for electronic payment.

Users frequently use the Internet based on TCP / IP for Telnet, FTP, SMTP, and HTTP services. However, TCP / IP was not developed at the time of design in view of the above mentioned risk factors, but only for the purpose of accurately transmitting data to its destination. Therefore, the Internet using TCP / IP is very vulnerable to the risks discussed above.

With the generalization of the Internet, it is frequently used to transmit sensitive information over the network. Due to the security vulnerability of TCP / IP, it is possible for third parties to find out the information of a specific user by using techniques such as IP Sniffing. Therefore, in order to prevent such eavesdropping, the confidentiality of the document should be provided so that the contents of the document cannot be recognized.

Electronic document encryption used to provide such confidentiality generally uses symmetric key cryptographic algorithms such as DES, IDEA, RC4, and the like. This encryption prevents third parties who do not know the encryption key from seeing the document even if they can sniff the network and obtain the cipher text.

Integrity must be provided to prevent illegal electronic document tampering by third parties. This is provided through a technique for generating a message authentication code of an electronic document to be sent and sending it with the electronic document. Representative algorithms for generating message authentication codes include MD5 and SHA-1. Like the encryption algorithm used for confidentiality and the electronic document to be sent, this algorithm generates a message authentication code by hashing the key using a key known to each other. The sender sends the electronic document and the message authentication code together to the receiver.The receiver generates a message authentication code by using the received electronic document and key, similar to the sender, to check whether the message has been tampered with. Compare with In this case, it can be confirmed that there is no modulation during transmission.

The Internet is a virtual space that cannot see each other, so it is very difficult for the client and server to trust each other. Therefore, a mechanism to identify the client is needed to control users accessing the server's information. This is possible through the authentication service. Password schemes for this purpose are most commonly used to primarily block illegal users from most systems. In addition, when you want to exchange important information such as purchase orders or public documents, you must provide mutual authentication services including server authentication as well as user authentication. Such mutual authentication is typical of using an X.509 public key certificate. In order to prevent repudiation of transmission, electronic signatures are used together when sending electronic documents, like stamps or handwritten signatures on paper documents. This digital signature is a security technique that uses a pair of digital signature generation key and digital signature verification key as information that can not be made other than itself. The sender attaches the digital signature generated by the digital signature generation key after creating the electronic document, and the receiver can easily confirm the sender's identity, modification and tampering with the sender's digital signature verification key. The denial of receipt must be resolved in an application layer protocol for sending and receiving electronic documents using digital signature techniques. In other words, it is possible to implement a protocol that can verify whether the receiver has received the electronic document sent by the sender. It should be possible to completely block illegal third-party access, or to grant access to information and systems of different importance. That is, it should be possible to read only or to read and write. Information management is very important in a system used by a large number of users, and destruction of important information is fatal when various services are provided. Therefore, if a system that manages important information is connected to the Internet, an intrusion prevention system should be installed to prevent illegal access or misuse by users.

Not all of the security requirements described above should be applied to electronic document exchange and electronic payment. Depending on the installation environment of the server, the operating system on which it is run, and the features of the language and database engine to be implemented, it may be different.

According to the present invention, the environment for implementing the electronic document exchange and electronic payment system is UNIX operating system, the database engine uses MySql in terms of cost, and the implementation language is PHP3 for server-side database interworking, C ++ and Java for encryption. We used JavaApplet for the client-side encryption engine. In addition, since the electronic documents are exchanged and approved on one web server, the appropriate security method is applied.

The present invention applies the following method to provide confidentiality of the security service. The ZIP algorithm is used to compress electronic documents. Compression has the advantage of making it harder to guess plain text with encrypted results by doing it before encryption and saving transmission time and space. Encrypt the document to be sent using a symmetric encryption key. The encryption key is encrypted with the recipient's public key and sent together. The recipient uses his secret key to find out the encryption key and decrypts the received electronic document. Extract the compressed electronic document.

Because the electronic documents are managed in a database, the sender can see immediately whether they are sent or received and whether the recipient has confirmed the document. To do this, the user ID and password used to log in to the intranet are essentially blocked from disguising an illegal user as an intranet subscriber by generating a message authentication code using the MD5 algorithm, encrypting it with the recipient's public key, and sending it. It also registers the IP address of the logged in client and deletes it when logging off so that only the logged on user's computer can work on the intranet.

Use the encrypted user authentication key for electronic payment. The DSA and hash function MD5 are used for authentication and electronic payment. The approver generates the approval by MD5 and encrypts the generated message with its private key and sends it. The server managing the intranet then decrypts the received message with the sender's public key to indicate whether or not to pay the document and forward the document to the next payer.

By applying a security level to electronic documents, users who are not authorized by the security level cannot access it. To do this, each document is given a security rating. By writing the database interlocking part in PHP3, the system could be infiltrated by PHP's own security flaw. To solve this problem, the following measures were applied.

This is a passive way of not giving another user's account to a web server that provides intranets. This is a method that can be applied in that it is not necessary to give an account because the document can be exchanged using the constructed intranet.

A flaw in PHP3 is that a third party reads the code, exposing the database name and password written in the code. To do this, the program written in PHP3 does not record the database name and password. Instead, the encrypted database name and password are generated and provided only when the transaction occurs and the database transaction is terminated.

Concatenate all the inputs into one string, and replace duplicate spaces between different words in the input with a single space. Convert the input string to an array of bytes (the MessageDigest object only operates on bytes, not characters). Get a MessageDigest object. The algorithm used is MD5. Updates a MessageDigest object with input data. Compute the message digest. Since the value of the message digest is always in the form of a byte array and is not human readable, the BASE64Encoder class in the sun.misc. * Package is used to convert the digest to base64 encoded format. Print a message digest in base64 encoded format. That is, as shown in FIG. 1, the key generation order for the DSA signature algorithm is: 1) Create a new pseudo random generator object and generate a 100-byte pseudo random number. This number is used as a seed to generate the DSA key pair. (2) Obtain a KeyPairGenerator object using SHA1withDSA of Java.Security.KeyPairGenerator. 3. Initialize the KeyPairGenerator object with a key size of 512 bits and a seed random number. Create a KeyPair object from the KeyPairGenerator object. Obtain the private and public keys of the KeyPair object and store them in a file.

Also, as shown in FIG. 2, the DSA signature generation procedure transmits the public key to the web server among the keys generated by the DSA key generator. The client signs the message with its private key. ③ Send the signed message to the web server.

And, as shown in Figure 3, the DSA signature verification procedure ① Web server decrypts the received client signature with the public key previously received. ② If the decrypted value is the same as the registered user, authentication is performed.

Without security issues, sending and receiving electronic documents over the Internet will not be easy due to the potential breach and user authentication issues. Therefore, the present invention has developed an encryption method and a compression method for confidentiality when exchanging electronic documents, and a user authentication key generation and payment method for electronic payment. We also developed a method to perform security with an IP and a specified IP address at login. In addition, by interworking with the database, users can be handled according to the security level of various data. These security measures enable small and medium businesses to build intranets at a convenient and low cost.

As described above, the present invention provides a security, document encryption, and authentication method of the system for the construction of a web server intranet system to enable the company's basic business and publicity through the Internet for companies without an intranet. There is.

Although the preferred embodiments of the present invention have been described in detail with reference to the accompanying drawings, the present invention is not limited thereto and may be improved or modified by those skilled in the art within the scope of the technical idea of the present invention.

Claims (1)

Create a new pseudo-random generator object used as a seed to generate the DSA key pair, generate a 100-byte pseudo-random number to obtain a KeyPairGenerator object, initialize the KeyPairGenerator object with a 512-bit key size, and a seed random number, and then use a KeyPairGenerator object. A key generation step of obtaining a secret key and a public key of the KeyPair object after storing the KeyPair object in a file; A signature generation step of transmitting a public key among the keys generated by the DSA key generator to the web server, the client signing the message with the secret key, and then sending the signed message to the web server; And The web server decrypts the received client signature with the previously received public key, and if the decryption value is the same as the registered user, the security method for electronic document exchange in the internet including a signature authentication step.