KR20100084064A - Payment system and method using ip address identification - Google Patents

Payment system and method using ip address identification

Info

Publication number: KR20100084064A
Authority: KR (South Korea)
Prior art keywords: authentication, user, subscriber, payment, terminal
Application number: KR1020090003489A
Other languages: Korean (ko)
Inventor: 정태우
Original Assignee: 정태우

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/388 Payment protocols; Details thereof using mutual authentication without cards, e.g. challenge-response
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/02 Banking, e.g. interest calculation or account maintenance

Abstract

PURPOSE: A settlement, payment and banking system for wired/wireless networks and mobile communication networks, using the IP address as the unique identifier of a user through identification of the IP address, together with a method therefor and the implementation of additional application services, is provided. User authentication information is used for settlement, payment and Internet banking through IP address based user authentication that is independent of the type of terminal, so that a more reliable system can be constructed. CONSTITUTION: An IP (Internet Protocol) authentication decision unit (F-8) decides whether the IP address allocated to a user terminal (F-1) is valid, and performs an authentication procedure on the user information. The authentication result for the subscriber and the user is transferred to an authentication management unit (F-7), which registers the result in an authentication database. When a user requests settlement, payment or banking for electronic commerce, Internet banking and the like, the authentication management unit acts as a proxy for the processing of PB (Payment and Banking).

Description

Implementation and method of payment, payment and banking system and additional application service in wired / wireless network and mobile communication system using IP address as user's unique identifier through authentication of IP address and its method {Payment System and Method Using IP Address Identification}

FIG. 1 is a relationship diagram between the OSI reference model and the TCP/IP protocol.

FIG. 2 is a structural cross section of a packet and a header in the TCP/IP protocol.

FIG. 3 is a block diagram of an Internet access service through an Internet service provider.

FIG. 4 is a block diagram of a wired and wireless integrated service through an Internet service provider.

FIG. 5 is a diagram illustrating the IP network configuration of CDMA, GSM, IMT2000 and next generation mobile communication networks using a mobile communication network.

FIG. 6 is a diagram illustrating a wired/wireless connection and authentication procedure through an Internet service provider.

FIG. 7 is a diagram illustrating a wired/wireless connection, authentication and service procedure through an Internet service provider using the web and an access program.

FIG. 8 is a configuration diagram of an IP address authentication based settlement and payment system and additional services.

FIG. 9 is a relationship diagram of a settlement, payment and banking system through IP address authentication.

FIG. 10 is a system configuration diagram of the present invention.

FIG. 11 is a functional block diagram of the present invention.

FIG. 12 is a procedure diagram for packet analysis and processing.

FIG. 13 is a detailed diagram of the IP authentication server function configuration in a wired and wireless network.

FIG. 14 is a detailed diagram of the IP authentication and server function configuration for a mobile phone terminal using a mobile communication network.

FIG. 15 is a payment settlement and banking processing flow chart.

FIG. 16 is a flow chart and procedure for Internet service authentication and security monitoring via IP authentication.

FIG. 17 is a flowchart illustrating a procedure for authenticating a user connected to a subscriber network.

FIG. 18 is a flowchart illustrating the user connection determination unit.

FIG. 19 is a flowchart for registering IP address based subscriber authentication information.

FIG. 20 is a flowchart for distribution of the subscriber station agent.

FIG. 21 is a flowchart of generating and registering subscriber and user information in the terminal agent.

FIG. 22 is a flowchart illustrating processing in the payment and settlement system using authentication information.

FIG. 23 is a flowchart illustrating the implementation of an additional service through IP address authentication.

An object of the present invention is to satisfy the various functional and security requirements of Internet based payment, Internet banking and paid additional services through authentication of subscribers and users, using the IP address as a unique identifier. This removes the complexity of system configuration and construction caused by the various payment and settlement methods and by the different authentication methods and identifiers used by each operator, and secures safety in the operator's backbone network. The invention uses the assigned IP address together with the subscriber and user authentication information and functions of IPv4 and IPv6 based networks and of 3rd and 4th generation mobile communication networks including IMT2000, and derives from them various IP address based services, paid additional services and application services. The purpose of the invention is thereby to construct and use a safer and more convenient Internet service user environment.

FIG. 1 illustrates the relationship between the OSI reference model and the TCP/IP protocol. The present invention describes procedures and methods for implementing a settlement, payment and banking system and additional application services through IP address based user authentication, using the address information and header information of the IP layer of the TCP/IP protocol, which corresponds to the network layer of the OSI reference model. FIG. 2 is a structural cross section of a packet and its header in the TCP/IP protocol and shows the configuration of the user data and the header. To aid understanding of the present invention, current subscriber authentication and its detailed procedures are described with reference to the Internet access service configuration diagram of FIG. 3. In FIG. 3, a subscriber's access request, made from a user terminal (wired/wireless TM (Terminal) 51) through a subscriber access device (hereinafter SAN (Subscriber Access Network) 53), is typically authenticated by a billing authentication server (hereinafter AAA (Authentication, Authorization and Accounting) server) and then connected to the Internet through a router (hereinafter RT (Router) 42). The AAA system performs roaming authentication, access authorization and billing for users, dynamic allocation of home agents (HAs), and functions as a key distribution center (KDC).

FIG. 6 shows a wired/wireless connection and authentication procedure through an Internet service provider, and FIG. 7 shows a wired/wireless connection, authentication and service procedure through an Internet service provider using the web and an access program. FIG. 6 shows a simple procedure such as MAC address authentication. When the user terminal 51 requests a network search while the terminal is activated (S100), the subscriber access network 53 responds to the request (S101). The user terminal 51 transmits the subscriber's access information (S110) while making an authentication request to the subscriber access network 53. When the transmitted subscriber access information has been authenticated by the authentication server 55 and the authentication result is returned to the subscriber access network 53 (S112), the subscriber access information is received (S120) and a network connection request (S130) is made. The subscriber access network 53 receives the connection request (S131) and the network connection (S132) is established.

In FIG. 6, subscriber authentication information such as the MAC address of the subscriber station 51 is stored in the authentication server 55 and queried when the subscriber connects, so that authentication is managed there. In this case authentication is performed on the terminal's NIU (Network Interface Unit); when the NIU is changed or replaced, the authentication information must be changed continuously, and log records cannot be managed or authenticated.

FIG. 7 shows the procedure for authenticating with a subscriber ID and password that ISPs (Internet Service Providers) currently apply. When the TM 51 has passed through S100, S101 and S110, the SAN 53 requests authentication from the authentication front (hereinafter AF (Authentication Front) 58) for subscriber authentication in the SAN 53. The AF 58 requests authentication information from the TM 51, and the subscriber enters a predetermined subscriber authentication ID and password. The AF 58 may be configured as a TCP/IP service integrated authentication method using an HTTP proxy, and may also perform authentication by transmitting an authentication request code in encrypted form. Authentication methods are applied in various ways depending on the type of terminal and its functional constraints. The authentication request information received from the TM 51 during the authentication request (S111), the authentication information request and the authentication result processing (S113, S114) is queried to the AAA server 55, which verifies the authentication information. After the subscriber's billing information and additional service request information have been confirmed from the authentication result (S116), secondary subscriber convenience services such as additional services can be performed at the time of the network connection request (S130).

Currently, various authentication methods are provided depending on the service terminal and the service provider. Consequently, in order to integrate authentication information processing and procedures, to interwork with intelligent robot systems and home servers for home networks, to secure mobility between service providers, and to ensure mutual compatibility of authentication information in integrated authentication, ubiquitous, IPv6 and Mobile IP environments, there is an emerging need for secure and independent subscriber authentication and for authentication technical requirements in the construction and operation of the service infrastructure.

FIG. 9 illustrates four cases: first, a customer purchases an item through an e-commerce site; second, a customer remits money through the Internet; third, a customer pays and settles through a mobile device using the billing server of a mobile carrier, including a mobile phone; and finally, a customer transfers money to a beneficiary through a mobile device. When the customer B-1 purchases and pays for goods through the e-commerce site, the customer B-1 can select the payment method through B-2. In the case of card payment through the web, the payment request is made using the payment settlement relay server B-2. The payment relay server B-2 then authenticates the customer B-1 through the certificate system B-3; after certification is completed, the procedure is completed by confirming the payment intention with the customer and notifying the e-commerce system of the payment result. If the customer B-1 wants to send money to a beneficiary through Internet banking B-4, the customer requests a remittance from the bank and the Internet banking server B-4 authenticates the customer B-1 through B-3; after authentication, the transaction is made by remitting from the customer's bank account to the recipient's account at bank B-9.

In addition, when the customer makes a payment, settlement or remittance using a mobile terminal, the customer B-1 passes through the wireless network of the mobile communication company B-7 and is authenticated by the mobile server B-5, and then proceeds either to payment through the payment relay server B-2 or to a bank transfer using the Internet banking server B-4. The problem in this case is that every system must establish and operate systems of different standards for payment, settlement and banking depending on which payment or banking method the customer selects. This raises the complexity of the whole system and security problems, and furthermore it cannot fully cope with the development of IPv6 or next generation network technology.

To achieve the above object, the present invention provides: first, a method for extracting and managing the information required for wired/wireless network and mobile communication terminals in the production of a driver agent distributed to and installed on the user terminal, and its distribution method; second, extraction and management of the terminal's fingerprint and of user authentication information through distribution and installation of the driver agent; third, a method of authenticating and processing a plurality of users on the same terminal, and a security method using it; fourth, a method and procedure for classifying, authenticating and servicing packets when a subscriber connects to the network; fifth, a method of registering and managing IP authentication information through the subscriber authentication procedure; sixth, a method of generating and managing authentication keys for user authentication; seventh, management of user IP authentication information and a method of routing authentication information; and eighth, a solution to the above-mentioned problems of the prior art that implements a safer and more convenient system by resolving the payment and banking processing procedures and security methods through IP address authentication.

The present invention provides an integrated authentication method that is independent of the user terminal and of the authentication method, and applies the result of that authentication to settlement, payment and banking. To this end, every terminal used for wired and wireless Internet access, including mobile phone terminals, PDAs and laptops, is authenticated individually in order to improve reliability and security. In addition, the IP address is used as a unique identifier to interwork with a payment and settlement server for payment and settlement in commerce. Furthermore, various additional application services and paid content services are provided and billed through the user-specific authentication, billing and payment methods for payment and settlement to service providers including ISPs (Internet service providers, mobile phone service providers, etc.).

To this end, the present invention includes: a first step in which a network access device distinguishes whether a packet from a subscriber's terminal includes authentication information, by tagging a value in an option field of the packet header; a second step in which the network access device classifies the packets of the subscriber station and determines whether or not to authenticate them; a fourth step of creating and distributing subscriber information using a key; a fifth step of generating and managing IP address based user authentication information using IPv4, IPv6 and an authentication key or encryption key provided by the subscriber or user; and a sixth step of using the authentication information to enable payment for additional services and settlements, including Internet access services.

For the above step-by-step purposes, the invention comprises packet manipulation and classification technology and methods, packet classification processing technology, terminal recognition technology and methods (for systems equipped with a desktop operating system, systems equipped with a mobile operating system, and mobile phones), an IP authentication server and its operating technology, an IP address based payment and settlement server gateway, an authentication server interworking gateway, deployment and installation technology for the terminal driver and authentication information management agent together with the corresponding server operation technology, one-time security encryption key generation and synchronization server technology, billing and settlement service technology for Internet service providers, mobile IP authentication proxy technology for packet-switched-network based IP authentication as required by mobile phones and mobile terminals, user terminal fingerprint extraction and management technology, and multi-user recognition and authentication. In addition, it aims to implement an efficient and convenient user authentication system through subscriber embedded authentication DB technology for security and fast response.

In order to explain the subject matter of the present invention, subscriber and user are first defined and distinguished. A subscriber is an individual or organization that subscribes to a service such as an ISP or a mobile phone service using a cellular network and pays for its use. In the case of users in a home, the subscriber may be A while a 1:1 or 1:M mapping exists between the subscriber and terminals, and the present invention has been devised with all of these cases in mind. In addition, a plurality of users may use the subscriber's terminal depending on the attributes of the terminal, and this case is processed according to the IP authentication policy. Furthermore, in the case of subscription in the name of a company or organization, including the use of a fixed IP address based network, the relationship between the subscriber and the actual terminals may be 1:1, 1:M or M:N, and the present invention has been devised in consideration of these as well. In other words, when the request is not a payment or settlement, the authentication process of the present invention proceeds only through authentication of the terminal's fingerprint; in the case of payment or settlement, user authentication is additionally performed, after which the payment, settlement and banking requests are processed.

As shown in FIG. 9, when the subscriber station TM 71 requests access, the subscriber access network requests authentication of the subscriber access from the AAA (Authentication, Authorization and Accounting) server 75, which allocates an IP address. The AAA server 75 shown in FIG. 9 performs IP address assignment and authentication to allow the subscriber to connect. When a user attempts to access the Internet after authentication by the AAA server 75, the IAS (Identity Authentication Server 100) performs the authentication process using the received IP information together with the assigned subscriber authentication information; FIG. 9 shows this network configuration. The main function of the invention is to provide settlement and payment through real name authentication of the user authenticated by the AAA server, to secure interoperability with the banking services (81, 82, 83), and to interwork with various additional application service systems (VAS 77), thereby building a safe and convenient IP based network environment.

As shown in the system configuration of FIG. 10, the user terminal 1 may be a computer equipped with a desktop or server operating system, a notebook PC using a wireless network, a PDA, or a mobile phone using a mobile communication network. The network access device 4 refers to a wired network based subscriber concentrator, a subscriber concentrator supporting a wireless network, or a packet-switching based network access management device of a mobile phone wireless network. The subscriber authentication server authenticates and manages the subscriber's authentication, billing and access services and is commonly referred to as an AAA (Authentication, Authorization and Accounting) server. AAA servers use RADIUS or DIAMETER and follow the authentication procedure of the respective protocol. The IP authentication service server (IAS 100) contains the functions corresponding to the present invention. In detail it consists of the IP authentication server 100-1, the payment settlement server 100-2, the service server 100-3 and the mobile IP authentication proxy 100-4, each with its own database: the IP authentication DB (D-1), the payment and settlement information DB (D-2), the service profile DB (D-3) and the mobile user IP authentication DB (D-4). First, the IP authentication server 100-1 requests the fingerprint information and the authentication key of the user terminal in order to register the IP address information in the user authentication information. The payment and banking agent server 100-2 maps the user's IP address information to the user's payment and settlement information, and queries the customer's terminal when payment, settlement or banking is requested. Various transactions and payments can then be made by accessing e-commerce (EC 81), the payment and settlement relay server (PG 82), banking (BK 83) and Internet service sites (EBiz 84).

The service server 100-3 processes the various additional application services requested by the subscriber solely by authenticating the IP address. It is the server function responsible for the payment and management of paid content and application services, and controls access and service using the authentication information of the authentication server. The mobile IP authentication proxy 100-4 serves subscribers using a mobile phone wireless network: when a subscriber accesses the Internet from a mobile phone terminal and requests a service of the IP based network, a reliable channel is established between the mobile phone terminal and the backbone network at the time of the subscriber's mobile authentication proxy, and the mobile authentication proxy server then acts on behalf of the terminal in requesting and processing e-commerce payment and Internet banking services. Because approval is finally confirmed through the user's encrypted authentication key, the IP based mobile authentication proxy server function overcomes the complexity and security problems of the system configuration for payment, settlement and banking. FIG. 11 is the representative diagram of the present invention and shows the entire system as a functional configuration: the user terminal unit (F-1), the network connection unit (F-2), the connection distribution and route processing unit (F-3), the agent plug-in distribution management unit (F-4), the agent plug-in service management unit (F-5), the user connection determination unit (F-6), the IP authentication management unit (F-7), the IP authentication determination unit (F-8), the IP authentication processing unit (F-9), the authentication key management unit (F-10), the payment and banking request unit (F-11), the payment and banking processing unit (F-12) and the authentication and billing processing unit (F-13).
In the case of F-1, an agent driver module that manages network devices for IP based authentication is distributed from the server and installed, so that packets can be managed and processed directly at the subscriber terminal; it is also responsible for the secure management of the authorized authentication keys for payment and banking. In addition, if the server transmits an embedded subscriber authentication DB to secure subscriber security and stability, the agent decrypts the embedded subscriber authentication DB, queries the encryption key for access to the authentication server, and extracts and stores the subscriber terminal authentication fingerprint for use. When a terminal connects using a wireless mobile phone network, authentication of the terminal and the actual processing of the service are separated: the subscriber manages authentication, authorization and the authentication key through the terminal, and the actual service is performed through the mobile authentication proxy. When F-1 requests network access, F-2 accepts the subscriber's request and asks F-3 for connection request and route processing. If the network is not an IP mobile network such as a mobile phone network, the terminal's request is received and converted into a packet to request the connection. When the access request is received, F-3 authenticates the connection of F-1; here the subscriber's authentication, authorization and billing are handled. Once authenticated, the router establishes the route. To define the content and procedure of authentication clearly: the term authentication is used in the present invention with two different meanings and procedures. Authentication through the AAA server refers to authentication of the subscriber's network access rights and billing information, and is referred to simply as authentication.

IP authentication, which is the main function of the present invention, refers to the subscriber payment authentication information for a service: it enables payment, settlement and banking processing and additional applications through the mapping between the IP addresses assigned to subscribers and users who have been granted access and the authentication information on the payment and settlement information of those subscribers and users.

The user connection determination unit (F-6) analyzes the user's network connection packet to determine the type of F-1 on the subscriber network and whether the device agent is installed. If installation of the device agent is required on F-1, the connection request is redirected to F-4. F-4 analyzes the environment of the subscriber station to determine whether to deploy and install an appropriate device agent, and analyzes the version code to determine whether the device agent needs updating or initial installation. When an agent plug-in is installed and a connection request is made from F-1, the data is sent either in the payload for use at the application level, or in an option field of the IP header (in the case of IPv4) or an extension header (in the case of IPv6). When F-3 receives a connection request consisting of a packet tagged in the IP header or a packet including such a payload, F-6 requests the subscriber's authentication information from F-1, and F-1 sends it to F-3 through F-2. At this time the subscriber's information is encrypted using a one-time encryption key, and F-6 interprets the request of F-1 from the packet sent to F-3. If the user of F-1 is subscribed to an additional service, the user is directed to that additional service, which may be installed and executed on F-1 or performed in the Internet service provider's backbone network. The subscriber's authentication information is analyzed, managed and directed by F-5. F-8 authenticates the user information, including the IP address and the subscriber, by determining whether the IP assigned to F-1 is valid and can be authenticated. The IP authentication determination unit passes the result of subscriber and user authentication to F-7, which registers and manages it in the authentication database.

When the user requests payment, settlement or banking (hereinafter PB) for e-commerce or Internet banking, F-7 acts as a proxy for PB processing.

FIG. 12 is a simplified diagram of the IP authentication procedure by packet analysis, classification and verification when a subscriber, after access authentication, reaches the Internet through a backbone router. Packets PK 43 are monitored and analyzed by the packet analyzer PRS 44, and the packet classifier PC 45 classifies them using the packet classification database PD 45-1. The classification distinguishes the type of terminal, IP based terminal information (mobile phone subscriber handsets etc.), IP authentication packets, IP non-authentication packets, subscriber terminals that need the agent installed or updated, and abnormal packets. Accepted packets pass through the packet verification process PV 46, where the subscriber authentication request is verified with the IP authentication registration key AS 49 and the IP authentication information is registered with the IP authentication management server AM 48.

FIG. 13 is a functional configuration diagram of IP authentication and payment settlement processing in the wired and wireless network of the present invention. When an access request from the subscriber access terminal 85 arrives through the subscriber access network device 86, the access and charging authority authentication server 55 authenticates it and establishes the path 87 for the access request. The subscriber access terminal 85 stores and manages the authentication information and encryption keys required for payment settlement on the user's terminal, and a driver agent is installed that manages whether the agent is present and whether authentication information is carried in the packet sent at the time of network connection. Alternatively, this may be implemented through an external device. When the user's terminal makes a network connection request through the network device, the driver agent encapsulates the request. The encapsulated packet reaches the backbone network of the Internet service provider through the subscriber access network concentrator and is authenticated by the subscriber billing and authentication device. The authenticated packet then requests a connection to the external network. At this point the authentication information is extracted for IP authentication, and the extracted information is used to look up the subscriber authentication information through the IP authentication gateway (query 92 on the subscriber information). The IP authentication information extraction function also analyzes whether the driver agent in the subscriber access request packet is installed and up to date, and decides whether to block or redirect the packet.
Once the authentication information for IP authentication has been extracted, the authentication decryption key is queried (110) from the authentication key management server 94 to check the key; if the IP authentication key sent by the user is correct, registration is requested from the IP authentication registration function 96. The IP authentication registration function 96 extracts and decodes the various information required for registration through 91, 94 and 55 and generates the IP authentication registration information. The registration information required for IP address authentication may include the fingerprint of the subscriber terminal, the IP address assigned to the subscriber, payment-related information, user identification information, the user authentication key, service subscription information, and subscriber and user profile information. For a subscriber on a mobile phone network, the subscriber and user are confirmed by querying the location management server 95 before the request is passed to the main IP authentication server. The authentication information synchronization function 97 compares and verifies the information requested from the IP authentication registration function and registers it with 130, 140 and 150. 130 holds the IP authentication information: user information, user ID, authentication key (Auth_key), hash key (message digest), billing information (Billing_Info), enhanced encryption key, and so on. 140 is the database that manages the information needed for user payment and settlement, and 150 holds terminal fingerprint version information (Version Control), update management information (Update Management), authentication management information (Authentication Manager), the paid service subscription list (Paid Service List), and various other additional information.
140 is the database that manages the user's payment and settlement information. The authentication information synchronization function shown at 97 synchronizes IP authentication information when the same user or subscriber uses or requests services from multiple Internet service providers and mobile operators, so that services can be linked and monitored seamlessly. The additional application service function shown at 90 lets a subscriber who has applied for a service start it, or be moved to it, before connecting to the Internet, based on authentication of the subscriber's IP address. Various additional application services are possible in this way, for example security services, fault diagnosis, and unmanned security services. 99 is the main IP authentication server function: it verifies each authentication request delivered from the authentication request function, stores it in the subscriber and user database, queries and retrieves it, and performs the actual IP address authentication. The payment, settlement and banking gateway 98 securely encrypts the network connection when a PB (Payment and Banking) request arrives from the external Internet, initializes a secure network, and acts as the gateway that forwards the user's payment and settlement information together with the approval and request information.

FIG. 14 is a functional configuration diagram of IP authentication and payment settlement in the mobile telephone network of the present invention. A device agent must be installed in the mobile device (MD 85) for IP-based authentication and payment settlement. When the mobile device 85 first connects to the service network, the terminal's information is analyzed to determine whether the device agent is installed. The RAN (Radio Access Network) 86 consists of a base station and a base station controller. When the mobile device 85 requests a connection, the base station controller converts the radio data of the mobile communication network into packet data at the R-P IF 86-1. Once the radio data has been fragmented and encapsulated into IP-based packets, the MAP (Mobile Authentication Proxy) 95 assigns a single private or public IP address to the mobile terminal from the IP address pool. After the IP address is assigned, the mobile terminal requests an Internet connection, and from there the procedure is the same as for the wired/wireless network. The main functions of the mobile authentication proxy in connection with packet conversion are: 1) IP address assignment and management; 2) session and authentication management between the mobile terminal and the Internet service network; 3) a virtual subscriber station protocol conversion function that provides compatibility between the presentation languages of the various Internet service networks (WAP, HTML, XML, etc.), so that the various services can be used regardless of the terminal's compatibility.

The payment settlement and banking processing flowchart of FIG. 15 illustrates the processing procedure of a user's IP address-based PB. When P-1 requests a PB from P-2, P-2 uses P-1's IP address to make the PB request to P-3. P-3 requests the user authentication key from the terminal at the requested IP address. The requested user terminal also holds the fingerprint of the user terminal. The terminal fingerprint is a hash code extracted from the user's system information through a message digest, and the extracted hash code is securely encrypted with an encryption key. The fingerprint is checked when the terminal is first booted; if a small number of items in the system information have changed, the fingerprint is updated through a user verification procedure, whereas if the terminal has been replaced it must be updated with a new system fingerprint. When P-1 receives the user authentication key request (PB-3) from P-3, P-1 transmits the authentication key and a tunnel is established between the user and P-3. When P-3 has confirmed the authentication key received from P-1 through P-4, it asks P-1 to confirm the PB. When payment is confirmed by P-1, P-3 requests P-5 to approve the PB. When P-5 approves, P-3 notifies P-2 of the result and the PB ends.

FIG. 16 is a flowchart of the user terminal authentication procedure at an Internet service site through the IP address-based subscriber station and user authentication function. When the user terminal E-1 requests access to the Internet service site E-2, the user terminal can use the function of the present invention for more secure user authentication, for example at a Euro Internet service site or a site requiring high security. The terminal authentication through the terminal fingerprint and the IP address-based authentication function can also be used together with the content copyright protection function of a content service provider or Internet service provider. To this end, when the Internet service site (E-2) receives a terminal access request (EA-1) from the user, E-2 requests authentication (EA-2) from the IP authentication server. On receiving the authentication request, E-3 calls the device agent of the subscriber station to request user connection security monitoring. When the device agent of E-1 reports a normal connection, the IP authentication server E-3 notifies the Internet service site E-2 of the subscriber station and the authentication result. Through this procedure the subscriber's access is approved and the user terminal accesses the target Internet service site; this implements the IP address authentication function for the use of Internet services.

FIG. 17 is a flowchart of the IP authentication request passing through the user terminal unit F-1, the network connection unit F-2 and the connection distribution and route processing unit F-3 shown in FIG. to the user connection determination unit F-6. The subscriber station 200 connects to the subscriber network; the cases are a connection through a general wired Internet network (201), a connection through a wireless Internet network (WLAN 202), and a network connection request (203) through the wireless mobile communication network of a mobile terminal such as a mobile phone. When a user connects through a wired subscriber network, an IP address is assigned and a subscriber authentication process is performed: an ISP network provider uses AAA server authentication, and a mobile operator network authenticates through the HLR (Home Location Register), EIR (Equipment Identity Register), AuC (Authentication Center) and the like (wired/wireless network 263, mobile communication network 264). After subscriber authentication, the IP address authentication process is performed. The present invention could be defined as a sub-function of the AAA server, but it is defined as an independent function so that it does not depend on that system. After user authentication is requested to set up the path to the external network, the packet processor 265 analyzes the subscriber packet and determines whether the device agent is installed. For a subscriber station on the mobile phone network, agent installation is determined through subscriber authentication. The user's request data through the mobile phone network is then encapsulated into a packet 268, receives an IP address assignment 269, and requests authentication of the user's access.
Step 269 is a function of the mobile authentication proxy, whose main functions are session management, IP address management, and acting as translator and interpreter for the Internet presentation languages. If the device agent is not installed, the user access determination unit 300 calls the agent distribution management unit 400.

FIG. 18 checks for change or modification of the terminal by extracting the terminal fingerprint from the packets transmitted by the subscriber station. The fingerprint of the subscriber terminal is produced by extracting the identification codes of the terminal's hardware, computing a hash code from them, and applying the encryption authentication key to the hash code; the authentication information including the terminal fingerprint is kept in the terminal-embedded authentication information DB. By authenticating the terminal fingerprint it is possible to detect modification or replacement of the hardware, request an update, or block the connection. If the fingerprint transmitted by the terminal matches the designated user's terminal, a secure encrypted channel is established between the user terminal and the IP address authentication server, and the user's authentication information is transmitted over it. The user authentication information and the user's profile are then retrieved; the user profile includes the specific additional application services and environment data of each user. Through this, the IP address authentication information is registered.

FIG. 19 illustrates extracting the authentication key from packet data and validating it for IP address authentication of a subscriber or user. In the mobile case, the mobile proxy server function authenticates the subscriber's IP address in the mobile phone or mobile communication network. When authentication is requested at the mobile authentication proxy using the device agent installed in the subscriber's terminal (including a mobile phone) or the stored encrypted authentication key, the authentication key is validated, the subscriber authentication key is decrypted, and the mobile authentication proxy server registers the IP address authentication record.

FIG. 20 examines the packet of a subscriber station's network connection request and determines whether the device agent is installed by comparing the fingerprint codes of the terminal. It analyzes whether the agent needs to be updated or installed and, if necessary, remotely determines the environment of the target terminal and transmits and installs the agent driver.

FIG. 21 illustrates an example of generating a subscriber's authentication code while the agent is installed in the subscriber terminal. After the authentication driver and agent are installed, the agent runs, extracts the terminal information, and generates a hash code from it. A terminal fingerprint is generated by adding the encryption authentication key to the hash code, and the generated fingerprint is stored in the terminal-embedded authentication DB. The embedded authentication DB is multiply encrypted; when errors occur more than the specified number of times it automatically initializes the authentication fingerprint and requests that it be issued again.
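As an added illustration, not code from the patent, the following Python models the terminal fingerprint lifecycle of FIGS. 15, 18 and 21 (hash code from system information, binding to the authentication key, boot-time check that tells a small change from a replaced terminal, automatic re-initialisation after too many errors) and the IP-bound key check of FIGS. 19 and 22. The sample hardware identifiers, the HMAC as the "add the authentication key" step, the per-field tags and the error limit are assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample "system information" the device agent would read from the
# terminal (hypothetical values, not taken from the patent).
SYSTEM_INFO = {
    "cpu_id": "BFEBFBFF000906EA",
    "disk_serial": "S3Z9NB0K123456",
    "mac": "00:11:22:33:44:55",
    "os_build": "19045",
}
AUTH_KEY = b"constructed-subscriber-auth-key"  # would come from the key manager (assumed)
MAX_ERRORS = 3  # error count after which the embedded DB re-initialises (assumed value)


def hash_code(system_info):
    """Message digest over the canonicalised system information (FIG. 21)."""
    canon = "|".join(f"{k}={system_info[k]}" for k in sorted(system_info))
    return hashlib.sha256(canon.encode()).digest()


def fingerprint(auth_key, system_info):
    """Bind the hash code to the authentication key. An HMAC is assumed for the
    'add the encryption authentication key' step, so the value cannot be forged
    by anyone who only knows the hardware identifiers."""
    return hmac.new(auth_key, hash_code(system_info), hashlib.sha256).hexdigest()


def field_tag(auth_key, name, value):
    """Per-field MAC (assumption) so a small change can be told from a new terminal."""
    return hmac.new(auth_key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


class EmbeddedAuthDB:
    """Terminal-embedded authentication DB: fingerprint, field tags, error counter."""

    def __init__(self, auth_key):
        self.auth_key = auth_key
        self._reset()

    def _reset(self):
        self.fingerprint = None
        self.field_tags = {}
        self.errors = 0

    def register(self, system_info):
        """Issue (or re-issue after user verification) the fingerprint for this hardware."""
        self.fingerprint = fingerprint(self.auth_key, system_info)
        self.field_tags = {k: field_tag(self.auth_key, k, v) for k, v in system_info.items()}
        self.errors = 0

    def verify(self, system_info, max_changed=1):
        """Boot-time check (FIG. 15/18). Returns OK, UPDATE_REQUIRED (small change,
        update after user verification), REPLACED (new fingerprint needed),
        REISSUE (error limit exceeded, DB initialised) or UNREGISTERED."""
        if self.fingerprint is None:
            return "UNREGISTERED"
        if hmac.compare_digest(fingerprint(self.auth_key, system_info), self.fingerprint):
            self.errors = 0
            return "OK"
        self.errors += 1
        if self.errors > MAX_ERRORS:
            self._reset()  # automatic initialisation; the agent must request re-issue
            return "REISSUE"
        changed = [k for k in set(system_info) | set(self.field_tags)
                   if k not in system_info or k not in self.field_tags
                   or not hmac.compare_digest(field_tag(self.auth_key, k, system_info[k]),
                                              self.field_tags[k])]
        return "UPDATE_REQUIRED" if len(changed) <= max_changed else "REPLACED"


def authenticate_ip(ip_register, ip, presented_key, presented_fp):
    """Server-side check of FIGS. 19/22: the record registered for the source IP must
    carry the same authentication key and terminal fingerprint the terminal presents."""
    rec = ip_register.get(ip)
    if rec is None:
        return False
    return (hmac.compare_digest(rec["auth_key"], presented_key)
            and hmac.compare_digest(rec["fingerprint"], presented_fp))


if __name__ == "__main__":
    db = EmbeddedAuthDB(AUTH_KEY)
    db.register(SYSTEM_INFO)
    print(db.verify(SYSTEM_INFO))                          # OK
    print(db.verify(dict(SYSTEM_INFO, os_build="19046")))  # UPDATE_REQUIRED
    reg = {"10.0.0.7": {"auth_key": AUTH_KEY, "fingerprint": db.fingerprint}}
    print(authenticate_ip(reg, "10.0.0.7", AUTH_KEY, db.fingerprint))  # True
```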

FIG. 22 is a flowchart of the procedure when a subscriber requests payment, settlement or banking from a terminal over the wired/wireless network or the mobile telephone network. When the payment, settlement or remittance request is received, the IP authentication is looked up. The inquiry of the subscriber authentication information for the requested IP address checks the fingerprint and authentication key of the user terminal sent by the subscriber or user; the subscriber is then asked to approve the payment, and upon confirmation the payment, settlement or banking transaction is processed and the user is notified of the result.

FIG. 23 is a flowchart of the execution sequence of a network- or Internet-based additional application service when a subscriber station connects to the network and is assigned an IP address. The IP address assignment step is omitted for a fixed IP address. The subscriber station transmits the authentication key and the terminal fingerprint to the IP address authentication server. By comparing and authenticating the transmitted fingerprint of the subscriber station, the reliability of the terminal fingerprint authentication information is determined, the additional application service registered in the subscriber profile is looked up, and the service is invoked. The data is encrypted in the authentication DB and transmitted to the subscriber terminal. The embedded subscriber authentication DB, which stores the fingerprint of the subscriber terminal and the authentication key for each user, and the embedded DB for the subscriber's additional application services are managed as separate information but updated as a single DB and transmitted to the subscriber terminal. In the subscriber terminal's embedded DB all records and record fields are variable-length fields and are encrypted, and the records are automatically deleted when the embedded DB is accessed abnormally more than a certain number of times. The embedded DB contains all the information for the subscriber's authentication and payment; it may hold account information such as a real bank account or card, and it manages only the authentication keys that can access the account.

[Key Word Index] The abbreviations used in the claims of the present invention are as follows.

AAA: Authentication, Authorization & Accounting

ADB: Authentication DB

AE: Authentication Info Extractor

AF: Authentication Front Server

AGW: Authentication Gateway

AIS: Authentication Information Synchronizer

AM: Authentication Management

AP: Access Point

AR: IP Auth Register

AS: Authentication and Security Issuing Server

BK: Internet Banking Server

CM: Cipher Module

CN: Core Network

DS: Digital Signature managing Server

EC: Electronic Commerce Server

Ebiz: Electronic Business Server

GW: Gateway

HA: Home Agent

IADB: Subscriber Identity Authentication DataBase

IAS: IP address based Identity Authentication Server

KD: Key decryptor

KM: Key Manager

LMB: Location Management Base

MAP: Mobile Authentication Proxy

MAS: Main Authentication Server

MD: Mobile Devices

MPLS: Multiple Protocol Label Switch

MST: Main Security Tunnel

MT: Mobile Terminal

NAP: network agent Plug

PBGW: Payment and Banking Gateway

PC: Packet Classifier

PD: Packet Classifier Policy Database

PG: Payment Gateway

PK: Packet Capture

PRS: Packet Parser

PP: Personalized profiler

PRS: Packet Based Radio Switch

PV: Packet Verifier

PnBi: Payment and banking Information

R-P IF: Radio to Packet interface

RAN: Radio Access Network

RNC: Radio Network Controller

RS: Radio Station

RT: Router

SAN: Subscriber Access Network

TM: Subscriber Terminal

VAS: Value Added Application Service

VC: Validity Checking

VGW: Virtual Gateway

As described above, user authentication information is used for payment, settlement and Internet banking through IP address-based user authentication that is independent of the type of terminal, so a more secure and reliable system can be built, one that adapts flexibly to IPv4, IPv6 and Mobile IP. In addition, monitoring based on IP authentication makes fundamental countermeasures against illegal hacking and spam possible.

Claims (4)

1. A payment, settlement and banking system in a wired/wireless network and a mobile communication network that uses the IP address as the unique identifier of the user through authentication of the IP address, and the method thereof.
2. An additional application service system in a wired/wireless network and a mobile communication network that uses the IP address as the unique identifier of the user through authentication of the IP address, and the method thereof.
3. A payment, settlement and banking service method in a wired/wireless network and a mobile communication network that uses the IP address as the unique identifier of the user through authentication of the IP address, and the method thereof.
4. An additional application service method in a wired/wireless network and a mobile communication network that uses the IP address as the unique identifier of the user through authentication of the IP address, and the method thereof.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020090003489A KR20100084064A (en) 2009-01-15 2009-01-15 Payment system and method using ip address identification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020090003489A KR20100084064A (en) 2009-01-15 2009-01-15 Payment system and method using ip address identification

Publications (1)

Publication Number Publication Date
KR20100084064A true KR20100084064A (en) 2010-07-23

Family

ID=42643599

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020090003489A KR20100084064A (en) 2009-01-15 2009-01-15 Payment system and method using ip address identification

Country Status (1)

Country Link
KR (1) KR20100084064A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101360792B1 (en) * 2013-04-19 2014-02-11 주식회사 포비커 Purchaser authentication method and server for payment system using celluar phone and credit card electronic payment system using the same
WO2014171693A1 (en) * 2013-04-19 2014-10-23 (주)이포넷 Method and server for payment system authenticating buyer using mobile phone and credit card electronic payment system using same
WO2014171694A1 (en) * 2013-04-19 2014-10-23 (주)이포넷 Method and server for payment system authenticating buyer using mobile phone and credit card electronic payment system using same
KR101675132B1 (en) * 2015-12-24 2016-11-11 김의준 Method for servicing control of remittances payment

Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination