KR20140020339A - Method for authentication using user apparatus, digital system, user apparatus, and authentication system thereof - Google Patents

Abstract

Disclosed are a self authentication method using a user apparatus, a digital system for the same and an authentication system. The self authentication method using the user apparatus includes: a step in which a digital system performs communication with the user apparatus for self authentication; a step in which the digital system receives apparatus authentication information generated by the user apparatus through the communication, and transmits a check signal including the apparatus authentication information to an authentication system; and a step of performing an authentication checking procedure in which the transmitted check signal is authenticated by the authentication system. Only when the authentication check procedure succeeds, an authentication request outputted to the authentication system or a service system connected to the authentication system from a data processing apparatus or the digital system succeeds. The apparatus authentication information includes an apparatus one-time information generated by the user apparatus on the basis of a server generation key delivered to the user apparatus through the digital system by being generated by the authentication system.

Description

Identity for authentication using user apparatus, digital system, and authentication system

The present invention relates to a user authentication method using a user device, a digital system and an authentication system therefor, and more particularly, a user who wants to use various services (eg, financial transactions such as login, payment or transfer, certificate issuance, etc.). When a user needs to perform identity authentication (also referred to as user authentication), the present invention relates to a personal authentication method having a simple and very excellent security and a system using a user device and a digital system (eg, a mobile terminal).

In particular, the server may generate a server generation key and authenticate a device (eg, a digital system or a data processing device) that has requested an authentication using one-time information generated by the digital system or the user device based on the generated server generation key. The present invention relates to an authentication method having excellent security and a system therefor.

Conventional technology related to identity authentication has traditionally used identity and password authentication. However, such a conventional authentication method has a problem that it is difficult to perform a normal authentication function when an ID and a password are leaked. To complement this, various authentication schemes have appeared.

For example, there are authentication of the mobile phone itself, authentication by a user using an authorized certificate, authentication using an OTP, authentication of an i-PIN (Internet Personal Identification Number), or authentication using a credit card.

Authorized certificate authentication is an authentication protocol with a relatively high security level, but it is not easy to carry the authorized certificate stably and there are disadvantages such as complicated authentication process. In addition, the public certificate has also recently been leaked in large quantities, thus posing a problem of safety.

The i-PIN is a method of authenticating the user by using a virtual identification number used on the Internet. The user must know a new identification number in advance, and it is difficult to perform a normal authentication function once an exposure is performed as in an ID password method There are constraints.

In addition, the authentication of the mobile phone itself is problematic in that it is susceptible to smsing and the like by a method of authenticating occupation of the mobile phone by using the authentication number.

Also, since all of these conventional technologies are a method of inputting a password (certificate password, I-PIN password) or an authentication number, if a password or an authentication number is exposed to another person, the authentication of the user is inevitable. There is a high risk of exposure to hacking.

In addition, in the case of authentication using the OTP, the user can authenticate only when the user has the OTP client (OTP token). Also, the user is required to generate the OTP through the OTP client, There is a presence.

Accordingly, a technical idea that can provide a highly secure personal authentication protocol while maintaining convenience compared with conventional authentication technologies is required along with a payment protocol.

In addition, online crime becomes more intelligent and frequent as online financial transactions become more active, so the need for 2-channel authentication is increasing. Technological thinking is required to enable users to easily perform authentication while enabling 2-channel authentication.

In this case, the authentication request and the authentication action to be performed by a legitimate user can be separated so that the authentication request and the authentication request are authenticated, so that the information necessary for authentication can be easily exposed to the other person. A technical idea that allows the use of the service without requiring the service is required.

In order to use conventional one-time information (e.g., OTP), a client (e.g., OTP token) and an authentication side (e.g., OTP authentication server) , And time information). Especially, in order to generate one-time information through the time synchronization method which is widely used recently, time synchronization between the client and the authentication side is very important. In order to synchronize the time, the client side must be able to confirm the time. However, according to the technical idea of the present invention, the user device (e.g., a smart card or the like) may not have a timer. Even if a timer is provided in a user device or a digital system, it may be difficult to substantially synchronize the time with the timer of the user device and the authentication side (e.g., authentication system).

Korean Patent Application Publication No. 10-2013-0029983 "Method, apparatus and recording medium for authentication processing using local area communication"

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and it is an object of the present invention to provide a digital system and a user device which are highly likely to be carried by a user. In addition, the present invention provides a two-channel personal authentication, a long-term personal authentication, or a technical idea enabling a third party to easily perform a personal authentication for allowing a legitimate user to provide a service.

In addition, since authentication can be performed using one-time information (e.g., OTP), it is necessary to have a separate one-time information generating device (e.g., OTP client) for generating one-time information It is to provide a technical idea that can carry out the simple and secure self-certification without.

In addition, the generation of the one-time information can be performed through a digital system or a user device (e.g., a smart card or the like) carried by the user, so that the risk that authentication due to illegal copying of the digital system or the user device can be performed And to provide technological ideas that can be significantly lowered.

In addition, the digital system transmits an acknowledgment signal including the one-time information only when the digital system communicates with the user equipment, thereby providing a higher level of security.

Also, even when the payment card is used for authentication of the user, the settlement financial information (for example, the card number, the expiration date, the CVC, etc.) may not be circulated on the network and even if the outflow of information occurs due to an attack, It is to provide a technical idea about the authentication method which can provide high security by reducing the risk of leakage of financial information.

In addition, it does not require a process of providing the user with the one-time information while inputting the one-time information, thereby providing the user with the technical idea of authentication of the user, which is robust against attacks through key logging .

In addition, the digital system or the user device may generate authentication information including one-time information by using a server generation key (for example, various keys such as a random number value and a time value) generated at the authentication side (eg, authentication system). It is to provide a highly secure authentication method. In particular, it is to provide a technical idea that the server generation key can be used even when the authentication information is generated by a user device that cannot directly communicate with the authentication side.

In addition, when the user device generates authentication information, the user device uses the server generation key received from the server and the identification information of the digital system received from the digital system or the terminal one-time information generated by the digital system. By generating a, by using the authentication information generated by the user device to provide a technical idea that can be authenticated to the digital system as well as the user device at a time.

The present invention also provides a technical idea that allows a digital system and / or a user device to be used for an authentication operation to be predetermined and perform authentication of the user only through the digital system and / or the user device.

In addition, the authentication is successful only if the digital system to be used for the authentication and the user device paired with the digital system are set in advance, and communication (for example, contact or contactless) is performed between the paired devices. It is to provide a technical idea that can provide a significant security synergy effect.

In accordance with one aspect of the present invention, there is provided a user authentication method using a user device, in which a digital system communicates with a predetermined user device for authentication, wherein the digital system generates device authentication information through the communication. And receiving an acknowledgment signal including the device authentication information to an authentication system, and performing an authentication confirmation procedure in which the transmitted confirmation signal is authenticated by the authentication system. To be successful, an authentication request outputted from a predetermined data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system is successfully processed, and the device authentication information is generated by the authentication system and is transmitted through the digital system. A document delivered to the user device And device one-time information generated by the user device based on a burr generation key.

The device one-time information is based on the first device one-time information generated by the user device based on the server generation key or the terminal identification information of the digital system transferred to the user device through the server generation key and the communication. The second device is one-time information generated by the user device, and the device authentication information may further include terminal identification information of the digital system or terminal one-time information generated by the digital system.

In the user authentication method using the user device, the authentication activity request information output by the authentication system that has received the authentication request including the identification information of the digital system output from the data processing apparatus is the data processing apparatus or the digital system. The digital system may perform the communication with the user device when the authentication activity request information is displayed.

The user authentication method using the user device may further include receiving, by the digital system, authentication activity request information output from the data processing apparatus receiving the identification information of the digital system, and when the authentication activity request information is received, The digital system may perform the communication with the user device.

In addition, the device authentication is generated by the authentication system server one-time information corresponding to the device one-time information, the server one-time information is generated based on the server generation key, and the generated server one-time information received The authentication confirmation procedure may be successful when the device corresponds to the one-time information included in the information, or the authentication confirmation procedure may be successful when the device one-time information is decrypted and the decryption result corresponds to the server generation key. .

If the device authentication information further includes terminal identification information of the digital system or terminal one-time information generated by the digital system, the terminal identification information of the digital system is further authenticated by the authentication system or the terminal one-time information. If is further authenticated, it may be characterized in that the authentication confirmation procedure is successful.

The authentication method using the user device may further include receiving, by the digital system, device identification information of the user device through the communication, and transmitting the confirmation signal to the authentication system. And including the device identification information in the confirmation signal, and transmitting the device identification information to the authentication system, and the authentication confirmation procedure is successful only when the device identification information is authenticated by the authentication system.

The user device may be a payment IC card, and the device identification information included in the confirmation signal may be identification information of the user device irrelevant to payment financial information of the payment IC card.

The transmitting of the confirmation signal to the authentication system includes the step of the digital system further including the terminal identification information of the digital system in the confirmation signal, and the terminal identification information must be further authenticated by the authentication system. The authentication confirmation procedure may be characterized in that successful.

The user authentication method using the user device may further include determining, by the digital system, whether the user device is a preset pair so as to correspond to the digital system. It may be characterized in that the transmission to the authentication system.

The digital system may be included in the confirmation signal and transmitted to the authentication system without displaying the device authentication information.

The authentication method using the user device includes the steps of requesting, by the digital system or the authentication system, user authentication information corresponding to the user device to a user of the digital system and inputting user authentication information input in response to the request. Or transmitting, by the data processing apparatus, to an authentication system, wherein the authentication confirmation procedure is successful when the user authentication information is further authenticated by the authentication system.

The digital system may not include payment financial information of the user device, wherein the user device is a payment IC card.

In the authentication method using a user device for solving the technical problem, the authentication system transmits a server generation key to a digital system, when the digital system communicates with a predetermined user device, the authentication system is the digital system Receiving an acknowledgment signal from the acknowledgment signal, wherein the acknowledgment signal includes device authentication information generated by the user device; and performing an authentication confirmation procedure in which the authentication system authenticates the device authentication information based on the received confirmation signal. And if the authentication confirmation procedure for authenticating the device authentication information is successful, the authentication system succeeds in an authentication request outputted from a predetermined data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system. Characterized in that the processing device Through viewing the presentation communication on the basis of the user equipment with the server generates a key from the digital transmission system comprises a device-time information generated by the user device.

The device one-time information is based on the first device one-time information generated by the user device based on the server generation key or the terminal identification information of the digital system transferred to the user device through the server generation key and the communication. And second device one-time information generated by the user device, wherein the device authentication information may further include terminal identification information of the digital system or terminal one-time information generated by the digital system.

In the user authentication method using the user device, the authentication system receives the authentication request including identification information of the digital system from the data processing device and the authentication system processes the digital system or the data in response to the reception. And transmitting the authentication activity request information to a device, and after transmitting the authentication activity request information, the authentication system performs the authentication confirmation procedure only when the confirmation signal is received from the digital system. Can be.

The authentication system may be configured to perform an authentication verification procedure for authenticating the device authentication information based on the received confirmation signal. The authentication system may include: server one-time information corresponding to the device one-time information. Generating information based on a generation key and determining whether the generated server one-time information corresponds to the device one-time information included in the received device authentication information, or the authentication system decrypts and decrypts the device one-time information. And determining whether a result corresponds to the server generated key.

When the device authentication information further includes terminal identification information of the digital system or terminal one-time information generated by the digital system, an authentication confirmation for authenticating the device authentication information based on the confirmation signal received by the authentication system. The performing of the procedure may further include the step of authenticating the terminal identification information of the digital system by the authentication system or the step of authenticating the terminal one-time information by the authentication system.

The user authentication method using the user device may further include the step of authenticating whether the digital system and the user device are pairs set to correspond to each other in advance by the authentication system and the pair is established. Only if it is authenticated can it be determined that the authentication confirmation procedure was successful.

The user authentication method using the user device for solving the technical problem is the step of the user device to communicate with the digital system for the authentication, the user device generating the device authentication information, the device generated by the user device Transmitting authentication information to the digital system, transmitting a confirmation signal including the transmitted device authentication information to the authentication system by the digital system, and verifying the authentication that the transmitted confirmation signal is authenticated by the authentication system. And performing a procedure, and the authentication confirmation procedure is successful until an authentication request outputted from a predetermined data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system is successfully processed, and the device authentication is performed. The information is generated by the authentication system It is characterized in that on the basis of the user device the generated server key delivery device to include a one-time information generated by the user device via the digital system.

Generating device authentication information by the user device may include generating, by the user device, first device one-time information based on the server generation key, or received by the user device from the digital system through the server generation key and the communication. Generating the device authentication information by generating second device one-time information based on one terminal identification information, wherein the user device includes the first device one-time information or the second device one-time information. The information may further include terminal identification information of the digital system or terminal one-time information generated by the digital system.

The user authentication method using the user device may be stored in a computer-readable recording medium recording a program.

The digital system for solving the technical problem is a user device communication module for performing communication with the user device for identity authentication of the authentication request, when communication with the user device through the user device communication module, the confirmation signal-the confirmation And a control module for transmitting the signal includes the device authentication information generated by the user device to an authentication system, wherein the authentication confirmation procedure for authenticating the device authentication information included in the confirmation signal by the authentication system is performed. If successful, the authentication request outputted from a predetermined data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system is successfully processed, and the device authentication information is generated by the authentication system. Has been used above through the digital system Based on the server generates a key delivery device characterized in that it comprises a device-time information generated by the user device.

The device one-time information is based on the first device one-time information generated by the user device based on the server generation key or the terminal identification information of the digital system transferred to the user device through the server generation key and the communication. The second device is one-time information generated by the user device, and the device authentication information may further include terminal identification information of the digital system or terminal one-time information generated by the digital system.

The digital system may further include a terminal one-time information generating module for generating the terminal one-time information.

The authentication system for solving the technical problem is a confirmation signal output by the digital system when the digital system communicates with a predetermined user device, the confirmation signal includes the device authentication information generated by the user device- An authentication unit for receiving a communication unit, an authentication unit for generating a predetermined server generation key, and performing an authentication confirmation procedure for authenticating the device authentication information included in the received confirmation signal, and an authentication confirmation in which the device authentication information is authenticated If the procedure is successful, the controller comprises a control unit for successfully processing an authentication request outputted from a predetermined data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system, wherein the device authentication information is included in the authentication unit. Generated by the digital system from the communication through the And device one-time information generated by the user device based on the server generation key delivered to the user device.

The device one-time information is based on the first device one-time information generated by the user device based on the server generation key or the terminal identification information of the digital system transferred to the user device through the server generation key and the communication. The second device is one-time information generated by the user device, and the device authentication information may further include terminal identification information of the digital system or terminal one-time information generated by the digital system.

The user device for solving the technical problem includes a communication means for performing communication with the digital system, the calculation means for generating device authentication information when the communication is performed through the communication means, by the calculation means The generated device authentication information is transmitted to the digital system, and when the confirmation signal including the transmitted device authentication information is transmitted by the digital system to the authentication system, the transmitted confirmation signal is authenticated by the authentication system. A verification procedure is performed, and an authentication request outputted from a predetermined data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system is successfully processed only when the authentication verification procedure is successful. The digital time generated by the authentication system On the basis of the server generates the key passes through the system is characterized in that it comprises a device-time information generated by the operation means.

The computing means generates first device one-time information based on the server generation key, or generates second device one-time information based on the server identification key and terminal identification information received from the digital system through the communication. Generating device authentication information, wherein the computing means includes terminal identification information of the digital system or terminal one-time information generated by the digital system in the device authentication information including the first device one-time information or the second device one-time information. It may be characterized in that it can be optionally further included.

According to the technical idea of the present invention, there is an effect of providing high security and simplicity by performing self-authentication by using two independent objects of a digital system and a user device, both of which are highly likely to be carried by a user and are familiar.

In other words, the authentication request is performed by a data processing apparatus that is separate from the digital system, and the authentication operation is performed through the digital system, It is possible to perform a two-channel authentication, a remote authentication, or a third party authentication by a legitimate user with high security because it can be carried out elsewhere or by another person different from the authentication requestor.

In addition, there is no need for a user to have a device for separate one-time information (e.g., OTP, etc.), and a user device (e.g., IC card, traffic card, electronic ID card, etc.) It is possible to increase both the security and the convenience of the user.

The present invention also provides a highly secure authentication method using a server creation key (for example, a random number value, a server time value, etc.) generated by an authentication side (e.g., an authentication system). In particular, in the case of using the server generated key, the authentication side and the client side should be able to communicate. According to the technical idea of the present invention, communication with the authentication side is performed through a digital system capable of communicating with the authentication side. There is an effect that authentication can be performed using one-time information even by a user device that cannot be performed. That is, it is necessary to carry two authentication tools of digital system and user device that the user generally possesses, so that authentication can be successful, but at least one of the authentication tools (for example, IC card or the like) It is possible to perform authentication using one-time information. Also, even when the user device can not communicate with the authentication side among the authentication tools, the authentication can be performed through the digital system as the remaining authentication tool.

In addition, when the user device generates authentication information including one-time information, the user device includes a server generation key received from the server and identification information of the digital system received from the digital system or terminal one-time information generated by the digital system. By generating authentication information using the authentication information, not only the user device but also the digital system can be authenticated using the authentication information generated by the user device. In addition, the authentication information generated by the user device may be used to simultaneously authenticate not only the user device but also the digital system, so that a digital system relatively vulnerable to attack generates authentication information independently and authenticates the authentication system. As a result, high security can be obtained.

In addition, it does not require the user to input the information while using the one-time information, so that the user is not exposed to the hacking of the key input method such as the key logging as well as the convenience of the user authentication.

In addition, since the digital system to be used for authentication of the user can be preset and specified, it has the effect of having a strong characteristic against attack such as smishing or man in the middle attack. Online crime can be actively blocked.

In addition, since a user device paired with the digital system can be set in advance, the two devices are paired with each other even if they do not have all the paired devices (that is, even if they have a registered digital system and the user device). If the device is not set), it is possible to bring about a significant increase in security by disabling normal authentication.

BRIEF DESCRIPTION OF THE DRAWINGS A brief description of each drawing is provided to more fully understand the drawings recited in the description of the invention.
Figure 1 shows schematic systems for implementing identity authentication using a user device in accordance with an embodiment of the present invention.
2 shows a schematic configuration of a digital system according to an embodiment of the present invention.
3 shows a schematic configuration of an authentication system according to an embodiment of the present invention.
4 shows a schematic data flow of authentication of a user using a user device according to an embodiment of the present invention.
FIG. 5 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
FIG. 6 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
7 to 9 show a schematic data flow when the user device generates one-time information by using the identification information of the digital system.
10 is a diagram illustrating a process of performing an authentication confirmation procedure by an authentication system according to an embodiment of the present invention.
11 is a diagram for explaining a process of transmitting a confirmation signal by a digital system according to one embodiment of the present invention.
12 is a view showing a schematic configuration of a user device according to an embodiment of the present invention.

In order to fully understand the present invention, operational advantages of the present invention, and objects achieved by the practice of the present invention, reference should be made to the accompanying drawings and the accompanying drawings which illustrate preferred embodiments of the present invention.

Also, in this specification, when any one element 'transmits' data to another element, the element may transmit the data directly to the other element, or may be transmitted through at least one other element And may transmit the data to the other component. Conversely, when one element 'directly transmits' data to another element, it means that the data is transmitted to the other element without passing through another element in the element.

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail with reference to the preferred embodiments of the present invention with reference to the accompanying drawings. Like reference symbols in the drawings denote like elements.

Figure 1 shows schematic systems for implementing identity authentication using a user device in accordance with an embodiment of the present invention.

Referring to FIG. 1, a digital system 100, an authentication system 200, and a user device 300 may be provided to implement a user authentication method using a user device according to an embodiment of the present invention. Depending on the implementation, a predetermined data processing apparatus 400 may be further provided. Further, a service system 500 connected to the authentication system 200 and capable of providing a predetermined service to the digital system 100 and / or the data processing apparatus 400 may be further provided.

The digital system 100 can implement the technical idea of the present invention while transmitting and receiving necessary information through the wired / wireless network with the authentication system 200. In addition, the digital system 100 obtains information (eg, device authentication information, device identification information, etc.) necessary for the technical idea of the present invention from the user device 300 by communicating with the user device 300. can do. In addition, the digital system 100 communicates with the user device 300 so as to provide the user device 300 with information necessary for the technical idea of the present invention (eg, a server generated key generated by the authentication system 200). , Terminal identification information, or terminal one-time information generated by the digital system 100).

The digital system 100 may perform contact or non-contact communication with the user device 300. For example, the user device 300 may be implemented as a smart card, an IC card, or a transportation card capable of performing contact or non-contact communication with the digital system 100. In particular, the user device 300 may be a payment IC card (e.g., a credit card, a check card, etc.).

According to another embodiment, the user device 300 has its own identification information as the device owned by the user, and any type of device capable of communicating with the digital system 100 is possible. For example, the user device 300 may be a device capable of proving an identity (e.g., an electronic identification card), a communicable OTP device, or a user's mobile phone separate from the digital system 100.

Hereinafter, for convenience of description, the user device 300 will be described as a payment IC card, but the scope of the present invention is not limited thereto. Although the digital system 100 and the user device 300 perform short-range wireless communication (e.g., NFC communication, blues, etc.), the scope of the present invention is not limited thereto.

The digital system 100 may perform communication (eg, near field communication) with the user device 300. To this end, the user may tag the digital system 100 and the user device 300.

In this specification, tagging refers to the case where the digital system 100 and the user device 300 are located within a certain distance (for example, 10 cm or less when the NFC communication is used) in order to carry out contactless communication such as RFID communication and NFC communication. Or the like). The user can perform tagging by bringing the digital system 100 or the user device 300 into a predetermined distance to the user device 300 or the digital system 100. [

If the user device 300 is a payment card, the user device 300 may be a financial transaction means. The user device 300 may include a predetermined communication device (e.g., an RF antenna, an RF tag, and the like) to perform tagging communication with the digital system 100. [ In addition, the user device 300 may further include a storage device in which information necessary for realizing the technical idea of the present invention can be stored. For example, the user device 300 may be implemented as an IC card having an IC chip or various types of smart cards. Of course, the user device 300 may be an apparatus that can not independently perform financial transactions as described above. Even if the user device 300 is not a financial transaction device, according to the technical idea of the present invention, a user device 300 (e.g., an ID, a mobile phone separate from the digital system 100) Etc.) can be used to easily perform authentication of the user. For example, since the user can easily perform the identity authentication only by the tagging operation of the digital system 100 and the user device 300, the user can input the ID / password, select the authorized certificate, As compared with the conventional complicated authentication process, it is possible to perform the self-authentication with high security, which is much simpler.

In addition, when performing short-range wireless communication through tagging, the user device (for example, an electronic ID card or a payment card, etc. 300) does not need to be taken out of a pocket or a wallet.

Of course, other personal authentication methods (eg, personal authentication using a public certificate) may be further performed before or after the personal authentication according to the technical idea of the present invention for higher security. It goes without saying that higher security can be provided when such dual security authentication is performed.

According to an embodiment of the present disclosure, the user device 300 may generate predetermined authentication information, wherein the authentication information generated by the user device 300 is defined as 'device authentication information.' The device authentication information may include at least one piece of authenticated information to be authenticated. The device authentication information may include at least one-time information (eg, OTP, etc.) generated by the user device, such that the one-time information generated by the user device 300 is defined as device one-time information.

In addition, as will be described later, the device authentication information may further include identification information (hereinafter, terminal identification information) of the digital system 100 as authenticated information. In addition, the device authentication information may further include terminal one-time information generated by the digital system 100 as authenticated information.

Meanwhile, the device one-time information may be one-time information generated based on the server generation key generated by the authentication system 200 and transmitted through the digital system 100. When generating one-time information (eg, the device one-time information), it is natural that identification information of the device (eg, the user device 300) generating the one-time information may be further used.

According to an embodiment of the present disclosure, the device one-time information may be generated not only by the server generation key but also by using terminal identification information of the digital system 100 received from the digital system 100.

According to an embodiment of the present disclosure, the device one-time information may be generated by using the server generation key and the terminal identification information. The generation of the device one-time information by using the server generation key and the terminal identification information means not only the case where the server generation key and the terminal identification information are used as input values of the one-time information generation algorithm, but also the server generation. One value generated using a key and the terminal identification information may be used as an input value of the one-time information generation algorithm.

In some embodiments, the device one-time information may be generated using the server generation key and the terminal one-time information generated by the digital system 100.

When the device one-time information is generated based on the terminal identification information or the terminal one-time information as well as the server generation key, there is an effect that the terminal identification information or the terminal one-time information is authenticated by the authentication system 200. . That is, there is an effect that the digital system 100 is authenticated.

The at least one piece of authenticated information is included in the device authentication information, wherein the at least one piece of authenticated information is encrypted with a separate encryption key, or some of the at least one piece of authenticated information are subject to encryption. It may also mean including the case where the authenticated information is used to generate an encryption key or an encryption key.

Accordingly, the fact that the at least one piece of authenticated information is included in the device authentication information means that the at least one piece of authenticated information included in the device authentication information is obtained by the authentication system 200 (eg, Encryption, encoding, hashing, etc.) may mean that the device authentication information is generated.

The user device 300 may generate the device one-time information and transmit only the device one-time information to the digital system 100 as the device authentication information. Alternatively, device authentication information including the device one-time information and the terminal identification information (or the terminal one-time information) may be transmitted to the digital system 100.

Meanwhile, authentication information to be authenticated by the authentication system 200 may be generated by the digital system 100. Authentication information (hereinafter, terminal authentication information) generated by the digital system 100 may also be generated in a manner similar to the device authentication information described above.

That is, the terminal authentication information may include at least one piece of authenticated information to be authenticated, and the terminal authentication information may include at least one-time information generated by the digital system 100 (hereinafter, terminal one-time information). have.

In addition, as will be described later, the terminal authentication information may further include identification information (hereinafter, referred to as device identification information) of the user device 300 or device one-time information generated by the user device 300 as authenticated information. .

In addition, the terminal one-time information may also be one-time information generated based on the server generation key. According to an embodiment of the present disclosure, the terminal one-time information may be generated using the device identification information (or device one-time information) received from the user device 300 as well as the server generation key. When the terminal one-time information generated as described above is generated based on the device identification information or the device one-time information as well as a server generation key, when the device one-time information is authenticated by the authentication system 200, the device identification information. Alternatively, there is an effect of authenticating the device one-time information. That is, the user device 300 is authenticated.

Hereinafter, the authentication information included in the confirmation signal transmitted by the digital system 100 to the authentication system 200 will be described based on the case where the device authentication information is generated by the user device 300. However, even when the authentication information is the terminal authentication information, the average expert in the technical field of the present invention can easily deduce that the technical idea of the present invention can be easily applied in a similar manner, except that the subject generating the authentication information is different. .

According to an embodiment of the present disclosure, when the user device 300 is a payment card, the card is tagged with the digital system 100, and is supplied with power through electromagnetic induction, thereby providing an IC chip provided in the card. By the device authentication information may be generated. The processor provided in the IC chip may generate the device authentication information when power is supplied through communication with the digital system 100, and allow the digital system 100 to read the generated device authentication information. . Of course, in this case, the digital system 100 may be required to be an authenticated system capable of reading the device authentication information. To this end, it is a matter of course that an authorized software capable of reading the device authentication information may be installed in the digital system 100.

Meanwhile, the device authentication information includes device one-time information as described above, and the device one-time information may generate one-time information on a server generation key (eg, a random number value) generated by the authentication system 200. It may be information generated as an input value of a predetermined algorithm. The server generation key may be transferred from the authentication system 200 to the user device 300 through the digital system 100. For example, when the digital system 100 and the user device 300 perform an authentication operation for communicating with each other, the digital system 100 transmits the server generation key received from the authentication system 200 to the user device 300, . Then, the user device 300 may generate one-time information by using the received server generation key as an input value (key or seed). Of course, since the user device 300 performs a function of a client for generating one-time information, the identification information of the user device 300 may be further used when generating the device one-time information.

The server generation key may be, but is not limited to, a random number generated by the authentication system 200, and may be any information that the server can specify.

The method of generating the one-time information by the user device 300 using the server creation key may be such that the user device 300 generates one-time information even when the timer for using the time synchronization method is not provided, It is possible to easily judge whether the information is authentic or not. In addition, even when using the user device 300 equipped with the timer, it may be very difficult to synchronize the time of the user device 300 and the authentication system 200 on a user-by-user basis. In addition, the system can cope with various types of online attacks through the digital system 100. Also, it is possible to easily generate the one-time information even if the user device (e.g., IC card 300) possessed by the user is used instead of the OTP client specially designed for generating the one-time information.

Meanwhile, a method of using a server generated key as in the technical spirit of the present invention may be contrasted with a conventional challenge response method. In order to use the conventional challenge response method, a client must be able to communicate with the authentication system 200. do. However, according to the technical idea of the present invention, it is possible to generate the device one-time information in a similar manner to the challenge response method using the user device 300 that can not directly communicate with the authentication system 200. This is because, in order to authenticate through the technical idea of the present invention, the user must perform an authentication operation communicating the digital system 100 and the user device 300, that is, two authentication tools, (200). ≪ / RTI >

The user device 300 can communicate with the digital system 100 and the digital system 100 can communicate with the authentication system 200 according to the technical concept of the present invention, May obtain a server generation key from the authentication system 200 and use it to generate device one-time information. Of course, in addition to the server creation key, the identification information of the user device 300 may be further used as an input value (key or seed) for generating device one-time information. Various one-time information generation algorithms for generating one-time information using a predetermined input value, that is, a fixed value such as the server generated key (e.g., a random number value) and / or a device Therefore, a detailed description thereof will be omitted.

Meanwhile, the user device 300 further generates the device one-time information by using identification information of the digital system 100, that is, terminal identification information (or terminal one-time information previously generated by the digital system 100). You may. To this end, when the digital system 100 performs communication (eg, near field communication) with the user device 300, the digital system 100 may transmit the terminal identification information (or terminal one-time information) to the user device 300. Of course, as described above, the server generation key may also be delivered to the user device 300 through the communication. Then, the user device 300 may generate the device one-time information by using the received server generation key and the terminal identification information (or terminal one-time information) as input values. Of course, since the device one-time information is generated by the user device 300, the identification information of the user device 300 can be further used to generate the device one-time information.

As such, when the terminal identification information (or terminal one-time information) is used when generating the device one-time information, when the device one-time information is authenticated by the authentication system 200, the user device which has generated the device one-time information. Not only 300 is authenticated but also the digital system 100 is authenticated.

In addition, when the user device 300 and the digital system 100 are simultaneously authenticated using the device one-time information, the user device 300 and the digital system 100 generate one-time information. Compared to the case where each one-time information is authenticated by the authentication system 200, higher security can be provided. Because the user device (for example, IC card, 300) that implements the technical idea of the present invention can be much more difficult to forgery through the attack than the digital system (100). In addition, one-time information generated by using a larger number of input values (eg, server generation key, device identification information, and terminal identification information (or terminal one-time information)) is hacked. Since two pieces of one-time information (ie, device one-time information and terminal one-time information) generated using the server generation key and the device identification information are each more difficult than being hacked, higher security is provided. .

Of course, when the user device 300 generates the device one-time information by using the terminal identification information (or the terminal one-time information) of the digital system 100, the authentication system 200 also uses the device one-time information. The terminal identification information (or terminal one-time information) is used for authentication. When the terminal one-time information is used to generate the device one-time information, the digital system 100 may transmit the terminal one-time information to the authentication system 200 by including the terminal one-time information in a confirmation signal separately from the device authentication information. Of course. When the device authentication information is included in the confirmation signal, the terminal one-time information may or may not be generated based on the server generation key.

In addition, the device authentication information may further include at least one piece of authentication information (eg, terminal one-time information or terminal identification information) as well as the device one-time information.

The authentication system 200 may authenticate authentication information included in the authentication information by receiving authentication information (eg, device authentication information) included in the confirmation signal and authenticating the authentication information. The fact that authentication information is authenticated may mean that a device corresponding to the authentication information is authenticated. For example, if the device one-time information is authenticated, at least the user device 300 is authenticated, and if the terminal identification information (or terminal one-time information) is further used when generating the device one-time information, the digital system 100 is further authenticated. It works. In addition, when the terminal authentication information (or terminal one-time information) is included in the device authentication information, the digital system 100, which is a device corresponding to the terminal identification information (or the terminal one-time information), is authenticated.

According to another embodiment, the device one-time information is not generated in a manner similar to the challenge response method, that is, the server-generated key is not simply generated once as an input value of a predetermined one-time information generation algorithm. It may also be information encrypted with a predetermined encryption key (eg, device identification information and / or terminal identification information (or terminal one-time information)). In this case, the authentication system 200 may authenticate the user device 300 by decrypting the device one-time information and determining whether the decrypted result corresponds to the server generation key. At this time, the user device 300 and the authentication system 200 may use a symmetric key or an asymmetric key (e.g., PKI, etc.).

Whether the device one-time information is one-time information generated by using a server generation key as an input value or information obtained by simply encrypting the server generation key with a predetermined encryption key, the server generation key is transmitted to the authentication system 200 as described above. It may be a random number generated by, but is not necessarily limited to. That is, the server creation key suffices to be information (e.g., time information, etc.) that can be confirmed by the authentication system 200 at a certain point in time.

Hereinafter, the user device 300 or the digital system 100 generates one-time information by using the server generation key, and the authentication system 200 also generates one-time information by using the server generation key. 300 or the case of performing authentication on the digital system 100 will be described as an example. However, as described above, the user device 300 or the digital system 100 simply generates a value obtained by encrypting the server generated key as device one time information or terminal one time information, and the authentication system 200 generates the device one time. Of course, authentication may be performed by decrypting the information or the terminal one-time information.

The device authentication information including the device one-time information may be information that can be authenticated by the authentication system 200. To this end, the authentication system 200 may be provided with an authentication unit for authenticating the authentication information included in the device authentication information. The authentication unit may generate one-time information by itself to authenticate the device one-time information, as will be described later. Of course, at this time, the authentication unit may generate the one-time information using the server generation key transmitted to the user device 300 through the digital system 100. [ That is, the user device 300 may operate as an OTP client, for example, and the authentication unit may operate as an OTP server. Hereinafter, the one-time information generated by the authentication system 200 will be defined as 'server one-time information' for convenience of explanation.

In addition, when the terminal authentication information is further included in the device authentication information, the authentication unit may further authenticate the terminal identification information. To this end, the terminal identification information of the digital system 100 may be registered in advance in the authentication unit (or a system (eg, a mobile communication company system) capable of communicating with the authentication unit), and the registered information. And the terminal identification information included in the device authentication information may correspond to the terminal identification information.

As described above, according to the spirit of the present invention, the user device 300 may generate device authentication information, and the generated device authentication information may be authenticated by the authentication system 200.

Also, according to one embodiment, the user device 300 may be a payment card. Then, the device one-time information generated by the user device 300 may generate device one-time information by using the server generation key and the identification information of the user device 300. In this case, payment financial information of the payment card And user information including information (eg, UID, time information or any value) that is not related to information stored on the IC chip of the card (eg, card number, expiration date, CVC code, etc.) as financial information necessary for payment. It can be used as identification information of (300). In this case, since the settlement financial information may not be distributed to the digital system 100 or the authentication system 200, the security can be enhanced. In this case, even though the device one-time information and the device one-time information generation algorithm are leaked, there is no risk that the settlement financial information is leaked through reverse engineering or the like.

1, the digital system 100 can communicate with the authentication system 200 via a wired / wireless network, and can communicate with the user device 300 through a predetermined communication (e.g., a local area wireless communication) May be defined to include any type of data processing device capable of communicating over a network. For example, the digital system 100 may be a data processing device, such as a tablet, a music player, or the like, which is easy for the user to carry around. Of course, the digital system 100 is preferably capable of communicating with the authentication system 200 and / or the data processing apparatus 400 via a network.

In addition, the digital system 100 may generate authentication information that is to be included in the confirmation signal, that is, terminal authentication information. The function of generating the terminal authentication information by the digital system 100 may be implemented by installing predetermined software for implementing the technical idea of the present invention in the digital system 100.

In addition, the terminal one-time information included in the terminal authentication information may also be generated using the server generation key generated by the authentication system 200 as an input value. When the authentication information to be included in the confirmation signal is generated by the user device 300, since the device one-time information is generated using a server generation key, the terminal one-time information may be generated as a separate protocol without using a server generation key. May be generated. That is, the digital system 100 may be provided with a timer, and it may be easier to perform time synchronization with the authentication system 200 relative to the user device 300. Therefore, the terminal one-time information may be one-time information generated by using time information as an input value, such as a time synchronization method.

In addition, the terminal one-time information may also be generated using the identification information of the user device 300, that is, the device identification information (or device one-time information) as an input value. That is, the terminal one-time information may be generated based on the server generation key received from the authentication system 200 and the device identification information (or device one-time information). Of course, the terminal identification information of the digital system 100 may be further used. In this case, of course, similar effects to the case where the user device 300 uses the terminal identification information when generating the device one-time information may be obtained. In addition, as described above, not only the terminal one-time information but also device identification information (or device one-time information) may be further included in the terminal authentication information as the authenticated information.

In any case, the terminal authentication information may also be authenticated by an authentication unit provided in the authentication system 200. When the terminal authentication information is authenticated by the authentication unit, the device authentication information is also similar to that of the authentication, so a detailed description thereof will be omitted.

As a result, according to the spirit of the present invention, the digital system 100 may include the device authentication information generated by the user device 300 in the confirmation signal and transmit it to the authentication system 200, the terminal authentication information May be included in the confirmation signal and transmitted to the authentication system 200. Of course, in some embodiments, both the device authentication information and the terminal authentication information may be included in the confirmation signal and transmitted to the authentication system 200.

If the confirmation signal includes both the device authentication information and the terminal authentication information, the device one-time information (or the terminal one-time information) may be a server generation key (or server generation key and terminal identification information) as described above. The terminal one-time information (or the device one-time information) may be one-time information generated without using the server generation key.

For example, the confirmation signal may include the device authentication information and the terminal authentication information, and the device one-time information included in the device authentication information may include a server generation key and the terminal identification information transmitted through the digital system 100. (Or terminal one-time information) may be information generated. In this case, the terminal one-time information may be one-time information generated without using the server generation key.

Then, the authentication unit of the authentication system 200 may generate server one-time information corresponding to the device one-time information and / or server one-time information corresponding to the terminal one-time information, and the device one-time information and / or the terminal one-time information. If it is certified, it can be judged that the authentication verification procedure was successful. Of course, if other authentication information is further included in the authentication information, the authentication information may be further authenticated.

In addition, pair authentication for authenticating whether the digital system 100 and the user device 300 are pairs as described below may be further performed, and it may be determined that the authentication verification procedure is successful only after such authentications are further performed. have.

The confirmation signal may be defined as including a series of information or signals including information necessary for the authentication procedure performed by the authentication system 200. [ The confirmation signal may mean only device authentication information or terminal authentication information, but does not necessarily mean one data set (or continuous packet data), but may also be information or signals separated in time or physically. That is, the digital system 100 may output the confirmation signal to the authentication system 200 a plurality of times.

Of course, when both the device authentication information and / or the terminal authentication information is authenticated by the authentication system 200, the authentication using the device identification information or the terminal identification information may be selectively omitted (i.e., the authentication information described above). The device identification information or the terminal identification information may not be included). In some embodiments, authentication may be performed using terminal identification information corresponding to the device authentication information or device identification information corresponding to the terminal authentication information.

In any case, according to the spirit of the present invention, the digital system 100 may include the device authentication information and / or the terminal authentication information in the confirmation signal and transmit it to the authentication system 200, and the authentication included in the confirmation signal. Information may be authenticated by the authentication system 200.

Meanwhile, the digital system 100 may generate the terminal authentication information only by communicating with the user device 300. According to an embodiment, the digital system 100 generates the terminal authentication information automatically in response to the reception of the authentication activity request information or by a predetermined request of the user, and when the communication is performed, the terminal authentication information. May be included in the confirmation signal and transmitted to the authentication system 200.

Therefore, even if the self-identification method according to the technical concept of the present invention includes the step of performing communication between the digital system and the user device and generating the terminal authentication information, the terminal authentication information must be generated after the communication. It should not be interpreted as a description to specify, but may be interpreted to include a case where the communication is performed after the generation of the terminal authentication information.

As a result, even if the digital system 100 is attacked by hacking or the like, the terminal authentication information may not be generated unless the user possesses the user device 300. Alternatively, even if the terminal authentication information is generated, the confirmation signal may not be transmitted, and thus identity authentication is not successful.

When the terminal's one-time information is generated based on the server generation key, the terminal's one-time information may include at least one of the server generation key received from the authentication system 200, And may be information generated by further inputting a value {key or seed}. In this case, the identification information of the user device 300 may be fixed identification information (eg, UID, etc.) of the user device 300. Of course, in this case, the identification information may also be registered in the authentication system 200. Therefore, unless communication with the user device 300 is performed, the terminal one-time information to be included in the terminal authentication information may not only be generated, and the authentication signal including the terminal authentication information may include the authentication system 200. Even though it is transmitted to, it may not be authenticated by the authentication system 200.

In addition, the terminal one-time information generated by the digital system 100 may be generated based on information (e.g., terminal identification information, time information, an arbitrary value, etc.) irrelevant to the payment financial information. That is, as described in the device one-time information, the terminal's one-time information may be information that is irrelevant to the settlement financial information or information generated from irrelevant information. Therefore, there is no risk that the settlement financial information will be leaked even if leakage occurs in the terminal one-time information and terminal one-time information generation algorithm.

In addition, the confirmation signal transmitted to the authentication system 200 by the digital system 100 may include only information (eg, device identification information, terminal identification information, etc.) that is not related to the payment financial information. Security of the self-authentication method according to the technical spirit of the invention can be increased.

Device authentication information generated by the user device 300 may also be implemented to be generated by the user device 300 only when the digital system 100 and the user device 300 communicate. For example, when the user device 300 is a smart card such as a payment card or an electronic identity card, since the smart card is not provided with power independently, communication with the digital system 100 may be performed to generate the device authentication information. Of course it can. In addition, even when the user device 300 is provided with power and can generate device authentication information by itself, the user device 300 is configured to generate the device authentication information only by communicating with the digital system 100. Can be. The server generation key {and terminal identification information (or terminal one-time information) generated by the authentication system 200 may be transmitted to the user device 300 through the communication. Of course, in this case, software or an applet for implementing the technical idea of the present invention may also be installed in the user device 300.

In addition, the user device 300 may generate the device authentication information only when communication with the digital system 100 set as a pair is performed in advance. It is needless to say that information about the digital system 100 forming a pair with the user device 300 may be registered in the user device 300 in advance.

In any case, the confirmation signal transmitted by the digital system 100 to the authentication system 200 may include authentication information (eg, device authentication information and / or terminal authentication information), and the confirmation signal may be included in the digital system. Preferably, the user interface 300 and the user device 300 can be output from the digital system 100 to the authentication system 200 only when communication is performed. Therefore, even when only one of the device authentication information or the terminal authentication information is included in the confirmation signal, it is effective to authenticate that the user possesses another device (that is, the digital system 100 or the user device 300). .

The authentication system 200 may perform an authentication procedure for authenticating the authentication information included in the confirmation signal.

The authentication confirmation procedure includes an authentication information authentication procedure for authenticating terminal authentication information generated by the digital system 100 and / or device authentication information generated by the user device 300. Whereby the legitimacy of the digital system 100 and / or the user device 300 can be authenticated.

On the other hand, when the authentication information includes only one-time information (in this case, the one-time information is generated without using the identification information of the device corresponding to the server-generated key or the one-time information generated by the corresponding device), the procedure of authenticating the one-time information is more detailed. Strictly speaking, software installed in the digital system 100 (ie, software for generating the terminal one-time information) and / or device for generating one-time information included in the user device 300 (eg, an IC chip of a smart card, etc.). ) Or software (for example, software installed on the user device 300 which is a separate mobile phone and generating device one-time information, an applet installed on a smart card, etc.).

Software installed in the digital system 100 or the user device 300 may be installed only in the digital system 100 or the user device 300 authenticated as a legitimate user's device. In this case, if the validity of the software is authenticated, the digital system 100 is also automatically authenticated.

However, since the software may be leaked or the software may be forged by an attack, an apparatus (eg, the user device 300 or the digital system 100) generating authentication information in the authentication information according to the technical idea of the present invention. Or identification information of a device corresponding to the device (for example, the digital system 100 or the user device 300) may be further included as the authentication information. Alternatively, identification information of the digital system 100 and / or the user device 300 may be included in the confirmation signal separately from the authentication information. Then, the authentication process may further include a process of authenticating identification information (ie, hardware) of the digital system 100 and / or the user device 300. The authentication confirmation procedure of the hardware of the digital system 100 and / or the user device 300 may be performed by the authentication system 200 and / or the terminal identification information of the digital system 100 and / or the device of the user device 300. The identification information may be checked, and success or failure may be determined by whether the terminal identification information and / or the device identification information correspond to information registered in advance in the authentication system 200.

As a result, when the hardware authentication procedure is additionally performed, the security of the authentication method according to the technical idea of the present invention can be further enhanced. Even if the user possessing the digital system 100 does not have the user device 300 registered in the authentication system 200 or holds the user device 300, If the digital system 100 registered in advance in the terminal 200 is not possessed, the authentication of the user is prevented from being successful.

The procedure for authenticating the device identification information according to an embodiment may be performed by the digital system 100. [ Alternatively, the procedure of authenticating the terminal identification information may be performed by the user device 300. That is, the digital system 100 may store identification information of the user device 300 that may be used for authentication in advance in the digital system 100, or may be used for the authentication in advance in the user device 300. ) May be stored, and the digital system 100 or the user device 300 determines whether the device that communicates with the device is a pre-registered device by the authentication system 200. There is a similar effect to the identification information and / or the terminal identification information is authenticated. However, since the digital system 100 and / or the user device 300 may have a greater risk of forgery than the authentication system 200, for security, the device identification information and / or Alternatively, it may be preferable that the terminal identification information is authenticated.

Of course, the procedure of authenticating the device identification information and / or the terminal identification information may be omitted when the terminal identification information (or device identification information) is used when generating the device one-time information (or the terminal one-time information). It may be. That is, when the device one-time information (or the terminal one-time information) is generated using the terminal identification information (or the device identification information), a procedure for separately authenticating the terminal identification information (or the device identification information) is performed. Even if the device one-time information is authenticated, the terminal identification information is authenticated.

The authentication procedure performed by the authentication system 200 may further include a pair authentication procedure for authenticating whether the digital system 100 and the user device 300 are a pair. That is, the digital system 100 and the user device 300 may be paired in advance. Only when the two devices forming the pair perform the communication, the authentication system 200 determines that authentication is successful . As described above, the authentication confirmation procedure can be successful only when the two devices used in the authentication action (that is, the communication between the digital system 100 and the user device 300) are paired by the user. In this case, if the digital system 100 and the user device 300 are both registered by the authentication system 200, even if they are not paired with each other, the authentication confirmation process may not be successfully processed, It is possible to have a synergistic effect.

Whether the two devices used in the authentication operation (digital system 100 and user device 300) are a pair may be authenticated by the authentication system 200, but may also be authenticated by the digital system 100 . That is, the confirmation signal can be transmitted only when the digital system 100 communicates with the user device 300 that is set to be paired with the digital system 100 in advance. To this end, the digital system 100 may have previously stored information (e.g., device identification information) about the user device 300 that is paired with the digital system 100 in advance. According to an embodiment, information about the digital system 100 set as a pair with the user device 300 may be stored in the user device 300, and the user device 300 pairs the digital system 100 with the user device 300. You can also authenticate the acknowledgment. If authentication is not performed, the device authentication information may not be generated, or predetermined control may be performed not to transmit the device authentication information to the digital system 100.

Meanwhile, the authentication request may be transmitted to the authentication system 200 before the authentication signal is transmitted to the authentication system 200. For example, the authentication request may be an authentication request transmitted from the predetermined data processing apparatus 400 to the authentication system 200. The data processing apparatus 400 is a device which is separate from the digital system 100 and used by a user of the digital system 100 and is connected to the authentication system 200 to request authentication, Mobile terminal, set-top box, IPTV, and the like. For example, a user may input identification information (e.g., a telephone number) of his or her digital system 100 through the data processing apparatus 400 to perform an authentication request.

Further, the data processing apparatus 400 may be implemented in various embodiments according to the types of services provided after the authentication according to the technical idea of the present invention succeeds. For example, if the service is a payment service, the data processing device 400 may be an agent terminal requesting payment for settlement. If the service is a service for opening a door, the data processing device 400 may be a device installed at a door. Various embodiments of the data processing apparatus 400 may be possible depending on the type of service.

According to an embodiment, the data processing apparatus 400 or the digital system 100 may make an authentication request to a predetermined service system 500. The service system 500 may transmit a predetermined service (for example, a request for authentication) to the authentication requesting device (for example, the data processing device 400 or the digital system 100) upon successful authentication of the user according to the technical idea of the present invention. Login, financial transaction, confirmation of specific information, issuance of a certificate, purchase of goods or services, payment, opening and closing of a door, etc.). A user may access the service system 500 through the data processing apparatus 400 or the digital system 100 and the service system 500 may be connected to the service system 500 in order to perform the service provided by the service system 500. [ And may request the data processing apparatus 400 or the digital system 100 to authenticate the user. In this case, the service system 500 allows the data processing apparatus 400 or the digital system 100 to access the authentication system 200 (for example, a web page or a UI provided by the authentication system 200) The data processing apparatus 400 or the digital system 100 may be controlled to receive the authentication from the authentication system 200 through the data processing apparatus 400 or the digital system 100 have. The data processing apparatus 400 or the digital system 100 may transmit the authentication request to the authentication system 200 by inputting information necessary for the authentication request (for example, identification information of the digital system 100) As shown in FIG.

Of course, in some implementations, the service system 500 may receive an authentication request from the data processing apparatus 400 or the digital system 100 and send the received authentication request to the authentication system 200 . That is, the service system 500 may mediate the authentication process according to the technical idea of the present invention. The fact that the data processing apparatus 400 or the digital system 100 transmits predetermined information or signals to the authentication system 200 is transmitted to the authentication system 200 through the service system 500 And the like. Of course, even when the authentication system 200 transmits predetermined information or signals to the data processing apparatus 400 or the digital system 100, the authentication system 200 may include the case of being transmitted through the service system 500 . ≪ / RTI >

Although the authentication system 200 and the service system 500 are implemented as separate physical devices in FIG. 1, the authentication system 200 may be included in the service system 500 . In other words, since the predetermined software that implements the function of the authentication system 200 is installed in the service system 500, the authentication according to the technical idea of the present invention may be performed.

According to one embodiment, the authentication of the user according to the technical idea of the present invention may be performed for settlement. In this case, the data processing apparatus 400 may be a predetermined merchant terminal (a POS device installed in a store, a mobile merchant terminal, or the like). In this case, the user or the merchant can transmit the authentication request to the authentication system 200 by inputting identification information (e.g., telephone number) of the digital system 100 of the user to the merchant terminal. In some cases, the user may notify identification information of his or her digital system 100 to a merchant site to perform payment at a remote site. Then, the merchant may transmit the authentication request to the authentication system 200 by inputting the identification information using the data processing apparatus 400, that is, a computer used at the merchant, or an affiliate terminal. If the authentication is successful by the authentication system 200, the payment requested by the data processing apparatus 400 may be finally approved. At this time, the service system 500 may be a predetermined card company system (or a financial institution system that performs card settlement). In addition, the authentication request and the payment request need not necessarily be performed separately. That is, the authentication request according to the embodiment of the present invention may be performed simultaneously with a predetermined service request (for example, payment, etc.). In this case, identification information of the digital system 100 for the authentication request Of course. Such an example will be described in detail later with reference to FIGS. 4 and 5. FIG.

According to another embodiment, the authentication request may be output by the digital system 100 and transmitted to the authentication system 200 together with the acknowledgment signal or separately from the acknowledgment signal. Such an example will be described with reference to FIG.

When the authentication request is received and an acknowledgment signal is received from the digital system 100, the authentication system 200 performs an authentication check procedure as described above based on the received acknowledgment signal. If the authentication is successful, Can successfully process the authentication of the data processing apparatus 400 or the digital system 100. That is, the received authentication request can be successfully processed. The service system 500 may then provide the data processing device 400 or a predetermined service requested by the digital system 100. Needless to say, another authentication of the user (for example, authentication using the authorized certificate, etc.) may be required after the authentication of the user according to the technical idea of the present invention succeeds.

In addition, the authentication procedure may further include authenticating user authentication information (e.g., PIN) of the user device 300. For example, when the user device 300 is a payment IC card, a password (i.e., a PIN number) set by the user may be preset in the user device 300. The user authentication information of the user device 300 may also be registered in the authentication system 200 in advance. Then, the authentication system 200 receives the user authentication information from the digital system 100 or the data processing apparatus 400, and if the received user authentication information corresponds to previously registered information, To be successful. Of course, the authentication of the user authentication information may be performed by the digital system 100 that communicates with the user device 300. In this case, the user authentication information of the user device 300 may be registered in the digital system 100 in advance.

When the authentication is performed by the user, the digital system 100 may output a confirmation signal to the authentication system 200, and the confirmation signal includes only authentication information (the device one-time information and / or the terminal one-time information). In addition, the device identification information of the user device 300 and / or the terminal identification information of the digital system 100 may be further included, and as a result, the user device 300 and / or the digital system 100 as described above. It is as described above that the authentication of the hardware) can be performed.

The terminal identification information may include identification information (eg, identification information of USIM, IMSI, IMEI, MAC) of hardware of the digital system 100 (eg, hardware (eg, USIM, network device, etc.) included in the digital system 100). Address, etc.). When the terminal identification information is included in the confirmation signal, the authentication system 200 may determine that the authentication confirmation procedure is successful only when the terminal identification information is registered in advance. Therefore, if the confirmation signal is not received through the digital system 100, which is a pre-registered terminal, even if the confirmation signal is transmitted to the authentication system 200 by a predetermined device, Therefore, there is an effect that a predetermined service may not be provided to the user. That is, it is possible to designate a digital system, thereby blocking unauthorized service requests through other terminals. Further, since an authentication action (payment authentication action) can be performed only through the designated digital system, there is an effect that smearing or manned middle attack can be prevented.

Meanwhile, the terminal one-time information generated by the digital system 100 or the device one-time information generated by the user apparatus 300 is displayed by the digital system 100, and the user inputs the terminal one- , The inputted terminal's one-time information may be included in the confirmation signal.

However, according to an exemplary embodiment of the present invention, the terminal may include the one-time information or the device one-time information and may be automatically included in the confirmation signal without input by the user, thereby providing convenience of authentication by the user. The risk of information leakage through key logging can be rather low. Of course, in such a case, the non-repudiation of the user may cause the user to input the user authentication information (e.g., PIN) of the user device 300 and to authenticate the user by the authentication system 200 And ultimately by ensuring that the authentication procedure is successful.

The authentication system 200 includes all systems participating in receiving an authentication request, communicating with the digital system 100 and / or the data processing apparatus 400, or in deciding whether to grant an authentication request Can be defined as meaning. Of course, the authentication system 200 does not mean only one physical device, but may be a system that is organically coupled to a plurality of devices or systems to implement the technical idea of the present invention. For example, the authentication system 200 may receive the authentication request directly from the digital system 100 or the data processing apparatus 400, or may receive the authentication request via the service system 500 as described above have.

For example, in the case of a payment service, the authentication system 200 can directly transmit a settlement request (the settlement request is an authentication request) from the data processing apparatus 400, for example, a user's computer, an affiliate store terminal Or may receive a payment request (authentication request) via the service system (e.g., web server 500 that provides an online marketplace). In this case, the authentication system 200 may be a credit card company system that can settle the settlement request (authentication request) using the previously registered credit card information (the credit card company system in the present invention is not only an independent card company system, (Which means to include all financial institution systems (not shown) that perform card settlement). Also, according to an embodiment, a VAN system, a PG, or the like, which is connected to the card company system through a network and mediates a payment process, may be further included in the authentication system 200. [

Hereinafter, the process of authenticating the user according to the technical idea of the present invention will be described in more detail. Hereinafter, for convenience of description, the digital system 100 is implemented as a mobile phone, and the identification information of the digital system 100 used for the authentication request is a mobile phone number of the mobile phone as an example. Although described, the scope of the present invention is not limited thereto.

2 shows a schematic configuration of a digital system according to an embodiment of the present invention.

Referring to FIG. 2, the digital system 100 includes a control module 110, a user equipment communication module 120, and a communication module 140. When the digital system 100 is implemented to generate terminal authentication information, the digital system 100 may further include a terminal authentication information generation module 130.

Herein, a module may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, each of the above configurations may refer to a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and may be a code physically connected to one another or a specific type of hardware May be easily deduced to the average expert in the field of the present invention. Thus, each of the above configurations refers to a combination of hardware and software that performs the functions defined herein, and does not mean a specific physical configuration.

The control module 110 may include other components (eg, the user device communication module 120, the terminal authentication information generation module 130, and / or the communication module 140) included in the digital system 100. Functions and / or resources can be controlled.

The user equipment communication module 120 may communicate with the user equipment 300. [ The communication may be contact or non-contact communication as described above. According to an example, the communication may be a contactless short range wireless communication (e.g., NFC communication). When the communication is the NFC communication, the user can be authenticated only by tagging the digital system 100 and the user device 300, so that the convenience of the user can be enhanced. In addition, even when the user device 300 is in a wallet or a pocket, the NFC communication can be performed without removing the user device 300, so that the convenience of authentication can be enhanced. The user equipment communication module 120 may be implemented by, for example, an NFC chip or a module provided in the digital system 100. In addition, it is a matter of course that the embodiment of the user equipment communication module 120 may be varied according to the embodiment of the communication performed by the digital system 100 and the user equipment 300.

The control module 110 may generate or transmit an acknowledgment signal according to the technical idea of the present invention.

The communication module 140 may communicate with the authentication system 200. And may perform communication with the data processing apparatus 400 according to an embodiment.

The control module 110 may communicate with the user device 300 through the user device communication module 120. In addition, according to an embodiment, device authentication information and / or device identification information may be received from the user device 300. The server generation key received from the authentication system 200 through the user device communication module 120 and / or the terminal identification information (or terminal one-time information) of the digital system 100 may be transferred to the user device 300. You can also send. The transmission of the server generation key and / or the terminal identification information (or terminal one-time information) is performed when an authentication operation performed by a user, that is, communication between the digital system 100 and the user device 300 is performed. Can be. Of course, in some embodiments, the server generation key and / or the terminal identification information (or terminal one-time information) may be transmitted to the user device 300 separately from the authentication. For example, in the case of NFC communication, the user may have to perform a plurality of tagging. The server creation key may be transmitted to the user device 300 through the tagging of any one of a plurality of tagging, and if another tagging is performed, the user may be regarded as having the authentication operation.

The terminal authentication information generation module 130 may generate terminal authentication information. The terminal authentication information generation module 130 generates the terminal one-time information based on the server generation key (and the device identification information of the user device 300) received from the authentication system 200 as described above, and authenticates the terminal. Can be included in the information. Of course, if the terminal authentication information generation module 130 does not generate authentication information to be included in the confirmation signal, but authentication information to be included in the confirmation signal is generated by the user device 300, the terminal authentication information generation module 130 May simply generate the terminal one-time information to be included in the device authentication information or used for the device one-time information. The terminal authentication information generation module 130 may also generate the terminal one-time information based on the device identification information (or device one-time information) of the user device 300 or the identification information of the digital system 100. have.

In this case, the device identification information may be information irrelevant to payment financial information. For example, when the user device 300 is a payment card, the payment financial information (e.g., a card number) of the payment card may be the device identification information. However, according to the technical idea of the present invention, (For example, UID, etc.) irrelevant to the settlement financial information may be used as the device identification information.

The terminal authentication information generation module 130 may generate terminal authentication information including the generated terminal one-time information, and the terminal authentication information may include identification information of the digital system 100 and / or identification of the user device 300. Information (or device one-time information) may be further included. Of course, when the terminal one-time information is information generated using the device identification information (or device one-time information), the device identification information (or device one-time information) needs to be included in the terminal authentication information separately from the terminal one-time information. May not be present.

Then, the control module 110 generates a confirmation signal including the generated terminal authentication information (and / or device authentication information received from the user device 300), and generates the generated confirmation signal to the communication module 140 The control may be transmitted to the authentication system 200.

Or may include an authentication request in the acknowledgment signal. Alternatively, the confirmation signal may include an authentication signal indicating an authentication result using the user authentication information. It should be understood that the acknowledgment signal is not limited to one information or a continuously transmitted signal, and the acknowledgment signal may be transmitted to the authentication system 200 discontinuously in a plurality of times according to an embodiment.

The authentication system 200 may then perform an authentication procedure based on an acknowledgment signal including the authentication information. If the authentication confirmation process is successful, the authentication system 200 can process the authentication result as a successful authentication for the device (for example, the digital system 100 or the data processing device 400) that has output the authentication request . That is, the digital processing system 100 or the data processing apparatus 400 can successfully process the authentication request. For example, if the authentication confirmation process is successful, the authentication system 200 may transmit an authentication result indicating that the authentication of the user is successful to the data processing apparatus 400, the digital system 100, and / or the service system 500 Lt; / RTI >

When the device identification information is further included in the authentication information (device authentication information and / or terminal authentication information), the authentication system 200 may authenticate the user device 300 based on the device identification information. . In addition, when the terminal identification information is further included in the authentication information, the authentication system 200 may determine whether the digital system 100 is a pre-registered terminal based on the terminal identification information.

According to an embodiment of the present invention, payment financial information of the user device (eg, payment card, 300) may be further included as device identification information. That is, in this case, the user device 300 may be a payment card (ie, an IC card). When payment financial information is further included in the authentication information, the authentication system 200 may authenticate the user device 300 based on the payment financial information. However, even if the authentication information includes the terminal one-time information, if the payment financial information is included, there is a risk that the payment financial information may be leaked and the leaked payment financial information may be abused. Accordingly, when the authentication information further includes payment financial information of the user device 300, the authentication system 200 determines whether the digital system 100 is a pre-registered terminal based on the terminal identification information. It may be desirable to enhance security. Of course, as described above, the device identification information may be selected as identification information of the user device 300 irrelevant to the payment financial information.

Meanwhile, the communication module 140 may receive predetermined authentication action request information from the authentication system 200 or from the data processing apparatus 400. [ The authentication action request information may include information for requesting a user to perform an authentication operation, that is, to communicate the digital system 100 and the user device 300. [ In addition, the server generation key generated by the authentication system 200 may be received together with the authentication action request information.

The server creation key may be received together with the authentication action request information and may be received separately before or after the authentication action request information is received by the digital system 100. [ For example, in the digital system 100, predetermined software for implementing the technical idea of the present invention can be installed, and the technical idea of the present invention can be implemented only when the software is executed. In this case, the digital system 100 may automatically perform communication with the predetermined authentication system 200 when the software is executed. In this case, the server generation key may be received in advance. In any case, the digital system 100 may receive the server creation key from the authentication system 200 before the user performs an authentication operation.

Of course, only the signal indicating that the authentication request has been performed in the data processing apparatus 400 or the digital system 100 may be included in the authentication action request information.

The authentication action request information may be displayed on a display device (not shown) included in the digital system 100. The user can confirm the authentication action request information and perform authentication by requesting the digital system 100 and the user device 300 by tagging.

The communication module 140 may receive the authentication action request information from the authentication system 200 or may receive the authentication action request information from the data processing device 400. Such an example will be described later with reference to Figs.

Meanwhile, the control module 110 may determine whether the user device 300 is a device forming a pair with the digital system 100. And transmit the confirmation signal to the authentication system 200 only when the user device 300 is a device forming a pair with the digital system 100. [ Of course, the procedure for authenticating such a pair may be performed by the authentication system 200 as described above.

In addition, the control module 110 requests predetermined user authentication information (eg, PIN) before or after performing communication with the user device 300, and the user authentication information is stored in the user device 300 (eg, The terminal authentication information may be generated only when corresponding to the authentication information (for example, PIN information) of the payment IC card, or the confirmation signal including the device authentication information obtained from the user device 300 may be transmitted. It is possible to prevent the non-repudiation even if the user does not perform the process of checking the device one-time information or the terminal one-time information and directly inputting the device one-time information to the digital system 100 through the user authentication information.

If the user authentication using the user authentication information is not performed, the digital system may not transmit the confirmation signal to the authentication system 200. For example, the digital system 100 may receive the user authentication information in advance before communicating with the user device 300. Or may receive the user authentication information from the user after the communication is performed. If the user authentication information does not correspond to the information set in the user device 300 in advance, the confirmation signal may not be transmitted. According to an embodiment, the user authentication using the user authentication information may be performed by the digital system 100 after the confirmation signal is transmitted. In this case, the digital system 100 may further transmit a predetermined authentication signal indicating the result of user authentication using the user authentication information to the authentication system 200 after transmitting the confirmation signal. Then, the authentication system 200 receiving the authentication signal may finally determine the success or failure of the authentication confirmation procedure.

Or the digital system 100 transmits the user authentication information received from the user to the authentication system 200 and determines whether the user authentication information corresponds to the user device 300 by the authentication system 200 .

3 shows a schematic configuration of an authentication system according to an embodiment of the present invention.

3, an authentication system 200 according to an exemplary embodiment of the present invention includes a control unit 210, a communication unit 220, and an authentication unit 230. The authentication system 200 may further include a DB 240.

The configuration of the control unit 210, the communication unit 220, the authentication unit 230, and the DB 240 included in the authentication system 200 includes hardware for performing the technical idea of the present invention, And the functional and structural combination of the software. For example, each of the above configurations may refer to a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and may be a code physically connected to one another or a specific type of hardware May be easily deduced to the average expert in the field of the present invention. Thus, each of the above configurations refers to a combination of hardware and software that performs the functions defined herein, and does not mean a specific physical configuration.

Also, the authentication system 200 does not mean any physical device. That is, an average expert in the technical field of the present invention can easily deduce that the authentication system 200 can be implemented by organically combining different physical devices through a network.

The authentication system 200 may be included in the service system 500 or may be implemented in a system separate from the service system 500. In addition, the operating system of the authentication system 200 and the service system 500 may be the same or different.

The control unit 331 can control functions and / or resources of other components included in the authentication system 200 (e.g., the communication unit 220, the authentication unit 230, and the DB 240) .

The communication unit 220 may perform communication with the digital system 100. In particular, the communication unit 220 may receive an acknowledgment signal from the digital system 100.

The authentication unit 230 may generate the server generation key as described above. In addition, an authentication verification procedure may be performed based on authentication information including one-time information (device one-time information or terminal one-time information) generated based on the server generation key. The one-time information may include device one-time information and / or terminal one-time information. For this, the authentication unit 230 may generate server one-time information using the server generation key transmitted to the digital system 100. [ Of course, the average expert in the technical field of the present invention can easily infer that the server one-time information can be generated by using the information used when generating the device one-time information or the terminal one-time information as an input value. There will be.

Also, according to an embodiment, as described above, the authentication unit 230 simply decrypts the device one-time information and / or terminal one-time information, and determines whether the decrypted result corresponds to the server generation key, .

The device one-time information and / or the terminal one-time information may be information generated by using identification information (or one-time information generated by the corresponding device) of the corresponding device. That is, the device one-time information may be information generated using not only the server generation key but also the terminal identification information (or terminal one-time information). The terminal one-time information may be information generated using not only the server generation key but also the device identification information (or device one-time information).

In this case, the authenticator 230 may generate server one-time information by further using the terminal identification information (device identification information) as well as the server generation key to authenticate the device one-time information (or terminal one-time information). Of course.

Of course, the authentication unit 230 may further authenticate the authenticated information when the authentication information further includes the authentication information other than the one-time information. Accordingly, the authentication confirmation procedure includes an authentication procedure for authenticating the authenticated information, the authentication using the device identification information, the authentication using the terminal identification information, the two devices used by the user for authentication, that is, the digital system ( As described above, at least one of the authentication of whether the pair 100 and the user device 300 are paired and / or the authentication of the user authentication information set in the user device 300 may be further included.

When the device identification information corresponding to the one-time information is included, the authentication confirmation procedure may not selectively include authentication using the corresponding device identification information. Of course, even if the device one-time information is authenticated by the authentication unit 230, the authentication information may include the device identification information as the authentication information separately, and even if the authentication using the device identification information is additionally performed, there is a real advantage. Can be. Similarly, even though the terminal one-time information is authenticated by the authenticator 230, the authentication information may separately include the terminal identification information as the authenticated information, and even if the authentication using the terminal identification information is performed, there may be a profit.

If the authentication unit 230 has succeeded in the authentication process, the control unit 210 can successfully process the authentication request that is already received or the authentication request included in the confirmation signal. The control unit 210 may send a signal indicating the authentication result to the service system 500 for success processing.

As described above, the DB 240 may previously store device identification information of the user device 300 and terminal identification information of the digital system 100 according to the spirit of the present invention. Also, the server generation key generated by the authentication unit 230 may be temporarily stored. Information on pair formation of the digital system 100 and the user apparatus 300, that is, information on which digital system 100 and which user apparatus 300 are formed in pairs, that is, pair setting information, Can be. In addition, user authentication information corresponding to the user device 300 may be stored in advance.

The communication unit 220 may receive an authentication request from the data processing apparatus 400 or the digital system 100. Needless to say, the authentication request may include identification information (e.g., telephone number) of the digital system 100. Then, the control unit 210 may transmit authentication action request information to the digital system 100 or the data processing apparatus 400 through the communication unit 220. [ The user can confirm the authentication action request information and communicate the digital system 100 and the user device 300. [ Then, the communication unit 220 can receive an acknowledgment signal output from the digital system 100.

Then, the authentication unit 230 may perform the authentication procedure.

For this, the authentication unit 230 may generate server one-time information corresponding to the digital system 100 or the user device 300. [ Of course, it is also possible to generate server one-time information corresponding to the digital system 100 and server one-time information corresponding to the user apparatus 300, respectively. To this end, the authentication unit 230 may provide at least one input value (key or seed) for generating one-time information for each digital system 100 and / or for each user equipment 300, Shared with the digital system 100 and / or each user device 300, or may share the manner (or algorithm) of obtaining the at least one key. Of course, the server creation key may be included in the at least one input value. Of course, a function or algorithm for generating the server one-time information is also the same as the function or algorithm in which the digital system 100 or the user device 300 generates the terminal one-time information or the device 300 one-time information can do.

As such, when the authenticator 230 generates the server one-time information, the authenticator 230 may perform an authentication verification procedure by determining whether the generated one-time information corresponds to the one-time information included in the authentication information. It should be noted that there are various embodiments of at least one input value and one-time information generation algorithm for the digital system 100, the user apparatus 300, and the authentication unit 230, respectively, to generate one- The average expert in the field will be able to easily reason.

Meanwhile, when the authentication information includes the terminal identification information, the authentication unit 230 determines whether the terminal identification information corresponds to information registered in advance in the DB 240, and if the result of the determination corresponds, the authentication confirmation You can determine that the procedure was successful.

The authentication unit 230 determines whether the digital system 100 and the user device 300 form a pair with each other based on information previously registered in the DB 240, The digital system 100 and the user device 300 form a pair to determine that the authentication confirmation procedure is successful.

When the user authentication information (for example, the PIN information of the payment card, etc.) of the user device 300 is received from the digital system 100, the authentication unit 230 transmits the user authentication information to the DB 240) to determine that the authentication check procedure is successful. Or may determine whether the authentication procedure is successful based on the authentication signal received from the digital system 100. [

4 to 9 illustrate a data flow of a user authentication method using a user device according to an embodiment of the present invention. 4 to 6 show an embodiment in which only a server generated key is transmitted from the digital system 100 to the user device 300 through an authentication process, and FIGS. 7 to 9 show a user device through the authentication process. An embodiment in the case where the server generation key and the terminal identification information (or the terminal one-time information) are transmitted to 300 is shown.

FIG. 4 shows a schematic data flow of a user authentication method using a user apparatus according to an embodiment of the present invention.

4 illustrates an example in which an authentication request is made via the digital system 100. Referring to FIG. 4, the digital system 100 may send a predetermined authentication request to the authentication system 200 (S100 ). The authentication request is received through the communication unit 220 of the authentication system 200 and the control unit 210 may transmit the authentication action request information to the communication module 140 of the digital system 100 ). The authentication action request information may include a server creation key generated by the authentication system 200. In addition, the server generation key may be transmitted to the digital system 100 separately from the authentication action request information. The authentication activity request information may be displayed on the digital system 100. Of course, the server creation key may not be displayed by the digital system 100.

After confirming the authentication activity request information displayed on the digital system 100, the user may communicate the digital system 100 with the user device 300 (S120). The server creation key may be transmitted to the user device 300 through the communication. Then, the user device 300 may generate device authentication information based on the server generation key (S130). The user device 300 may generate device one-time information based on the server generation key and its identification information received through the communication, and include the generated device one-time information in the device authentication information. According to an embodiment, the user device 300 may further include device identification information in the device authentication information separately from the device authentication one-time information.

Then, the digital system 100 may obtain the device authentication information generated by the user device 300 from the user device 300 (S140).

Of course, the digital system 100 may generate terminal one-time information (S130-1). The terminal one-time information may also be generated based on the server generation key. Alternatively, the terminal one-time information may be generated by using information (eg, time information) separate from the server generation key as an input value. The control module 110 of the digital system 100 may control the terminal to generate the one-time information only when the communication is performed. In some cases, the terminal one-time information may be generated before the communication is performed (for example, when the authentication activity request information is received) (S130-1).

Then, the digital system 100 may include the device authentication information, and optionally include the terminal one-time information or its own identification information, that is, the terminal identification information in the confirmation signal, and transmit it to the authentication system 200. (S150).

As a result, the digital system 100 includes the device authentication information generated by the user device 300 in the confirmation signal, and the terminal one-time information or its own terminal identification information generated by the user according to an embodiment It may be further included in the confirmation signal.

Then, the authentication system 200 can perform an authentication procedure based on the confirmation signal (S160). That is, an authentication procedure for authenticating device authentication information included in the confirmation signal may be performed. The authentication procedure for authenticating the device authentication information includes a step of authenticating the device one-time information included in the device authentication information, and when the device identification information further includes the device identification information as the authentication information, identifying the device. It may include a procedure for authenticating the information. In addition, when the terminal identification information (or terminal one-time information) is included in the confirmation signal, the authentication confirmation procedure may further include a procedure for authenticating the terminal identification information (or terminal one-time information).

If the authentication verification process is successful, the authentication system 200 may transmit the authentication result, that is, the authentication of the user, to the digital system 100 (S170). Of course, if the digital system 100 accesses a predetermined service system 500 and then transmits the authentication request to the authentication system 200, the authentication system 200 transmits the authentication result to the service system 500 500).

As described above, the authentication system 200 determines whether the device identification information corresponds to previously registered information, whether the terminal identification information corresponds to previously registered information, and / or the digital system 100 and the Based on whether the user device 300 forms a pair, it may be determined whether the authentication confirmation procedure is successful.

FIG. 5 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.

FIG. 5 illustrates an example in which an authentication request is performed by a predetermined data processing apparatus 400. Referring to FIG. 5, the data processing apparatus 400 includes an authentication request including identification information of the digital system 100. FIG. It may be transmitted to the authentication system 200 (S200). Alternatively, when the authentication system 200 inputs an authentication request including information (eg, identification information of a user) that can specify the digital system 100, the authentication system 200 is based on the information. Identification information of the digital system 100 may be determined.

The data processing apparatus 400 may be a computer or the like used by the user of the digital system 100. [ For example, the user can request an authentication online (S200) through a computer or the like, and in response, the authentication system 200 can transmit authentication action request information to the computer (S210-1). The user may perform an authentication operation to confirm the authentication action request information displayed on the computer and to communicate the digital system 100 and the user device 300 in operation S220. According to an embodiment, the authentication system 200 may transmit authentication action request information to the digital system 100 (S210). When the authentication action request information is transmitted to the digital system 100, the server activation key includes a server generation key generated by the authentication system 200 and transmitted to the authentication activity request information, The server creation key can be transmitted to the digital system 100 as described above. According to an embodiment, the authentication system 200 may transmit the authentication activity request information to the data processing device 400, and the server generation key may be transmitted to the digital system 100.

Then, the user can perform the authentication operation in response to this (S220).

According to another embodiment, the data processing apparatus 400 may be an affiliate terminal. That is, the user may want to perform settlement. In this case, the authentication request may be a payment request. The user may notify the affiliated store's identification information of the digital system 100 at an offline store or may directly input the identification information of the digital system 100. Alternatively, at a remote location, the user may request the merchant to perform a payment (authentication) request for a predetermined payment through telephone, messaging, or e-mail. Then, an authentication (payment) request may be transmitted to the authentication system 200 by inputting the identification information of the digital system 100 to the merchant terminal (S200). At this time, the authentication action request information may also be transmitted to the merchant terminal and / or the digital system 100 (S200, S200-1). Of course, the server generation key may be transmitted to the digital system 100. In response, the user may communicate an authentication action, i.e., the digital system 100 and the user device 300 (S220). The server creation key may be transmitted to the user device 300 through the communication.

Then, the digital system 100 may obtain device authentication information generated by the user device 300 (S230 and S240). As described above, the device authentication information may include device one-time information generated by the user device 300 based on the server generation key. The user device 300 may further include its identification information, that is, device identification information, in the device authentication information. Also, the digital system 100 may generate terminal one-time information (S230-1).

Then, the digital system 100 includes at least the device authentication information as the authentication system 200, and further includes terminal identification information (or the terminal one-time information) of the digital system 100 according to an embodiment. The signal may be transmitted (S250). Of course, the device identification information may include settlement financial information of the settlement card. In order to increase the security, the settlement financial information may be transmitted to the user system 300 even if the digital system 100 obtains the confirmation signal .

Then, the authentication system 200 may perform an authentication procedure based on the confirmation signal (S260). That is, an authentication procedure for authenticating device authentication information included in the confirmation signal may be performed. The authentication procedure for authenticating the device authentication information includes a step of authenticating the device one-time information included in the device authentication information, and when the device identification information further includes the device identification information as the authentication information, identifying the device. It may include a procedure for authenticating the information. In addition, when the terminal identification information (or terminal one-time information) is included in the confirmation signal, the authentication confirmation procedure may further include a procedure for authenticating the terminal identification information (or terminal one-time information). Then, the authentication result may be transmitted to the digital system 100 (S270). Or may be transmitted to the data processing apparatus 400 (S270-1). Of course, the authentication result may be transmitted to the service system 500.

Meanwhile, the authentication request according to the embodiment of the present invention may be performed by a person other than the user of the digital system 100. For example, an authentication requester other than the user (that is, a person who performs authentication confirmation) such as a family member, a relative or an acquaintance of the user inputs the identification information of the user to the data processing apparatus 400, (200).

For example, a user (authentication requester) who is not the user may need to log in to the user's web account, print a certificate on behalf of the user, or require a third party payment. There may be a case where a service is to be provided from the service system 500. In such a case, there was a risk that the authentication requester should be informed of the authentication information (eg, login information, public certificate password, card number, etc.).

However, according to the technical idea of the present invention, the authentication request and the authentication action may be made in a spatially separated state, and the user may perform the authentication without requiring the authentication requester to perform authentication. There is no need to provide information for.

Also, in the case of a payment service, when the authentication requester faces the identification information of the user or remotely notifies the affiliation shop side, the affiliate shop sends an authentication request (that is, a payment request ) To the authentication system (200). Of course, at this time, information on the authentication requester (for example, a name of a payment requester, a telephone number, etc.) may be further included, and information on the payment requester may be included in the authentication action request information.

Even in this case, the authentication system 200 may transmit the authentication action request information and the server generation key to the digital system 100 of the user, and the authentication action as described above may be performed by the user. Then, if an authentication confirmation procedure is performed by the authentication system 200 and the authentication confirmation procedure is successful, the authentication (payment) result can be transmitted to the data processing apparatus 400 and the digital system 100.

4 and 5, according to the present invention, since only the identification information of the digital system 100 is required for the authentication request, there is the ease of the authentication request, and the user uses his digital system 100 for authentication. It is only necessary to communicate (eg, tagging) the user device 300 with the user. As described above, although the authentication request is easy and the authentication is easy, the security can be very high as described above. Also, as shown in FIG. 4 and FIG. 5, the user can easily determine whether the authentication request is allowed even in the two-channel authentication due to the ease of authentication request and the convenience of the payment confirmation operation. Further, The login information, the authorized certificate password, etc.), and can perform the authentication operation safely.

According to another embodiment, as shown in FIG. 6, an authentication requester who is not a user inputs identification information of the digital system 100 to the data processing apparatus (eg, a computer, a mobile terminal of an authentication requester, etc.) 400, or If the authentication requester notifies the merchant side of the user's identification information or remotely, the merchant side may input the identification information of the digital system 100 to the data processing device (eg, the merchant terminal 400). Can be. Then, the data processing apparatus 400 may transmit authentication action request information (that is, payment related information including payment details, etc.) to the digital system 100. Of course, for this purpose, predetermined software for implementing the technical idea of the present invention may be installed in the data processing apparatus 400.

The authentication action request information may include information on the merchant, payment details, and / or information on the payment requester. If the user confirms the authentication action request information and wishes to settle the settlement request corresponding to the authentication action request information, the user can perform the authentication operation as described above. The digital system 100 may then send an acknowledgment signal as described above to the authentication system 200. In this case, the confirmation signal may further include not only the device authentication information but also information necessary for a payment request (for example, information about an affiliated store, payment details, etc.). That is, the confirmation signal may further include an authentication (settlement) request to be transmitted to the authentication system 200.

The authentication system 200 may then perform an authentication procedure based on the acknowledgment signal. The authentication system 200 can transmit the authentication result to the data processing apparatus 400 and / or the digital system 100. [0050] FIG. Of course, in the case of payment, if the authentication confirmation procedure is successful, the authentication system 200 or the service system 500 determines whether or not the payment is approved and transmits the payment result to the data processing apparatus 400 and / (100).

As a result, according to the technical idea of the present invention, it is possible to provide a solution with high security, which is very easy to perform authentication on behalf of a third party authentication requestor.

FIG. 6 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.

6, when the user notifies or inputs the identification information of his / her digital system 100, the data processing apparatus 400 receives the identification information (S300) To the digital system 100 (S310).

For example, when the user notifies the identification information of his / her digital system 100 or inputs the payment information to his / her mobile terminal 400 without providing a payment card to the store, the data processing apparatus 400 may transmit the identification information (S300) and transmits the authentication action request information corresponding to the authentication to the digital system 100 (S310). Then, when the user is seated or communicates with the user device 300 in the car, the digital system 100 may transmit a confirmation signal to the authentication system 200, the payment related information The corresponding payment request (ie, authentication request) may also be transmitted to the authentication system 200 by the digital system 100 and payment may be easily made. Therefore, in this case, not only the user device 300 but also the payment financial information of the user device 300 may not be transmitted to the affiliated store, which may be a secure payment solution.

According to an embodiment, the data processing apparatus 400 and the digital system 100 may perform short-range wireless communication. In this case, the authentication activity request information (payment related information) may be transmitted to the digital system 100 by short-range wireless communication between the data processing apparatus 400 and the digital system 100. At this time, the identification information of the digital system 100 may not need to be input to the data processing apparatus 400.

For example, when the technical idea of the present invention is applied to a payment service, when a settlement amount is input to a data processing apparatus (for example, an affiliate terminal 400), the user inputs the digital system 100 to the data processing apparatus 400 It is possible to perform short-range wireless communication. Then, authentication activity request information including payment related information (eg, payment details, affiliated store identification information, etc.) including the payment amount may be transmitted to the digital system 100 through the short range wireless communication (S310). The user can then remotely communicate the digital system 100 with his / her user device (e.g., the payment IC card 300). With this two short-distance wireless communication, the user can easily make a payment. In this case, the identification information of the digital system 100 of the user is not required to be notified to the merchant, and the settlement financial information of the user device 300 may not be transmitted to the merchant.

When the authentication act request information (payment related information) is transmitted from the data processing apparatus 400 to the digital system 100, the authentication act request information includes information necessary for an authentication request (payment request) (payment related information). May be included. When the authentication action request information is received, the digital system 100 can communicate with the authentication system 200 and receive a server creation key (S310-1)

When the authentication is performed by the user (S320), the device authentication information generated by the user device 300 and the authentication request (payment request) may be included in the confirmation signal and transmitted to the authentication system 200. There are (S320, S330, S330-1, S340, S350). That is, the authentication request (payment request) may be output to the authentication system 200 separately before or after the confirmation signal is output to the authentication system 200. Of course, the authentication request (payment request) may be transmitted separately from the acknowledgment signal. In addition, as described above, the digital system 100 may further include the terminal identification information (or terminal one-time information) in the confirmation signal.

Then, the authentication system 200 can perform an authentication procedure based on the confirmation signal (S360). If the authentication confirmation procedure is successful, the authentication result may be transmitted to the digital system 100 (S370-1). Of course, the data processing apparatus 400 may also be transmitted (S370). Or to a given service system 500.

7 to 9 illustrate a case in which the user device 300 uses terminal identification information (or terminal one-time information) of the digital system 100 when generating the device authentication information.

Referring first to FIG. 7, the embodiment shown in FIG. 7 may be authenticated in a manner similar to that shown in FIG. 4. For example, the digital system 100 may transmit a predetermined authentication request to the authentication system 200 (S400). Then, the authentication request is received through the communication unit 220 of the authentication system 200, and the controller 210 may transmit the authentication activity request information to the communication module 140 of the digital system 100 (S410). ). In addition, a server generation key may be transmitted to the digital system 100 (S410).

After the user confirms the authentication activity request information, the user may communicate the digital system 100 with the user device 300 (S420). The server creation key may be transmitted to the user device 300 through the communication. In addition, terminal identification information of the digital system 100 may be further transmitted. Alternatively, the terminal one-time information generated by the digital system 100 may be transmitted to the user device 300 (S410-1, S420).

Then, the user device 300 may generate device authentication information including device one-time information. In this case, the device one-time information may be generated based on the server generation key (and device identification information), or may be generated based on the server generation key (and device identification information) and the terminal identification information (or terminal one-time information). It may be (S430). In the former case, the user device 300 may include the device one-time information and the terminal identification information (or the terminal one-time information) in the device authentication information. In the latter case, the device authentication information may include only the device one-time information.

Then, the digital system 100 may obtain the device authentication information generated by the user device 300 (S440).

When the terminal one-time information generated by the digital system 100 is transmitted to the user device 300 through the communication, the terminal one-time information may be generated before the communication is performed (S410-1). As described above, the terminal one-time information may or may not be generated based on the server generation key. In addition, although the device one-time information may not need a process input by the user, the terminal one-time information may need to be input by the user after being displayed by the digital system 100, the terminal one-time input Information may be transferred to the user device 300 through the communication.

In some embodiments, the digital system 100 transmits a server generation key and terminal identification information (or the terminal one-time information) to the user device 300 through the communication, and the server generation key and the terminal identification. The device authentication information may be generated based on the information. In this case, the digital system 100 transmits the terminal one-time information (or terminal identification information) to the authentication system 200 separately from the device authentication information obtained from the user device 300 in the confirmation signal. May be In this case, the terminal one-time information may be displayed by the digital system 100 and then input by the user, and the input terminal one-time information is included in the confirmation signal to be transmitted to the authentication system 200. Alternatively, the identification signal may be transmitted to the authentication system 200 separately from the confirmation signal through a user input.

When the device one-time information included in the device authentication information is generated based on the terminal identification information (or the terminal one-time information), when the device one-time information is authenticated by the authentication system 200, the digital system ( 100 also has the effect of being authenticated by the authentication system 200. In addition, the terminal identification information (or the terminal one-time information) may not be used when generating the device one-time information, but may be included as the authenticated information in the device authentication information. In this case, the device authentication information is included in the authentication system 200. The terminal identification information (or the terminal one-time information) may be authenticated when authenticating by.

In addition, the terminal one-time information may be included in the confirmation signal separately from the device authentication information. In this case, the authentication confirmation procedure performed on the authentication system 200 may further include an authentication procedure for authenticating the terminal one-time information. . That is, the digital system 100 is authenticated by the authentication of the device authentication information, and the digital system 100 is once again authenticated using the terminal one-time information.

The digital system 100 may include the device authentication information obtained from the user device 300 in the confirmation signal and transmit the device authentication information to the authentication system 200 (S450). As described above, according to the embodiment, the terminal identification information (or the terminal one-time information) may be further included in the confirmation signal.

Then, the authentication system 200 may perform an authentication confirmation procedure based on the confirmation signal (S460). If the authentication verification procedure is successful, the authentication system 200 may transmit to the digital system 100 that the authentication result, that is, the personal authentication is successful (S470).

When the device authentication information included in the confirmation signal is authenticated by the authentication system 200, information used to generate the device authentication information, that is, terminal identification information of the digital system 100 (or the terminal one-time information). This may mean that you are authenticated.

Therefore, the authentication is performed not only to the user device 300 but also to the digital system 100 by authentication of the device one-time information. Of course, if the digital system 100 accesses a predetermined service system 500 and then transmits the authentication request to the authentication system 200, the authentication system 200 transmits the authentication result to the service system 500 500).

8 may be a case where authentication is performed in a manner similar to that shown in FIG. 5.

The data processing apparatus 400 may transmit an authentication request to the authentication system 200 by inputting identification information of the digital system 100 (S500). In response, the authentication system 200 may transmit authentication activity request information to the data processing apparatus 400 (S510-1). The user may check authentication request information displayed on the data processing apparatus 400 and perform authentication to communicate the digital system 100 and the user device 300 (S520). According to an implementation example, the authentication system 200 may transmit authentication activity request information to the digital system 100 (S510). When the authentication action request information is transmitted to the digital system 100, the server activation key includes a server generation key generated by the authentication system 200 and transmitted to the authentication activity request information, The server creation key can be transmitted to the digital system 100 as described above. According to an embodiment, the authentication system 200 transmits the authentication action request information to the data processing apparatus 400, and the server creation key may be transmitted to the digital system 100.

The user may then perform the authentication in response (S520).

Through the authentication, the digital system 100 may transmit not only the server generated key but also the terminal identification information (or the terminal one-time information) to the user device 300 (S520), in response to the user. The device 300 may generate device authentication information (S530).

As described above, the device authentication information may include device one-time information and terminal identification information (or the terminal one-time information). In this case, the device one-time information may be generated based on the server generation key. Alternatively, the device authentication information may include only the device one-time information, and in this case, the device one-time information may be information generated based on the server generation key and the terminal identification information (or the terminal one-time information).

Then, the digital system 100 may receive the device work authentication information generated by the user device 300 through the communication (S540). For example, the digital system 100 transmits the server generated key and the terminal identification information (or the terminal one-time information) and the server generated key and the terminal identification information through one short range wireless communication (eg, tagging). All of the device authentication information generated based on the reception can be performed.

In addition, the digital system 100 may generate terminal one-time information separately from the device authentication information (S510-2) and include the terminal signal in the confirmation signal or include the terminal identification information in the confirmation signal. As shown.

Then, the digital system 100 may transmit a confirmation signal including the device authentication information and optionally further including the terminal identification information (or the terminal one-time information) to the authentication system 200 (S550).

In response, the authentication system 200 may perform an authentication confirmation procedure based on the confirmation signal (S560). If the authentication verification procedure is successful, the authentication system 200 may transmit to the digital system 100 that the authentication result, that is, the personal authentication is successful (S570). For example, when the device authentication information included in the confirmation signal is authenticated by the authentication system 200, information used to generate the device authentication information, that is, terminal identification information of the digital system 100 (or the terminal one-time information). ) Can mean authentication. Therefore, the authentication is performed not only to the user device 300 but also to the digital system 100 by authentication of the device one-time information.

9 may be a case where authentication is performed in a manner similar to that shown in FIG. 6.

Referring to FIG. 9, when a user notifies or inputs identification information of his or her digital system 100, the data processing apparatus 400 receives the identification information (S600) and then the authentication act request information corresponding to the authentication. (Or payment related information) may be transmitted to the digital system 100 (S610).

When the authentication activity request information is received, the digital system 100 may communicate with the authentication system 200 to receive a server generation key (S610-1).

When the authentication is performed by the user (S620), the digital system 100 transmits a server generation key and terminal identification information (or the terminal one-time information) to the user device 300, and the user device 300. ), The device authentication information generated based on the server generation key and the terminal identification information (or the terminal one-time information) may be received (S620, S630, and S640). Since the embodiment of the device authentication information is the same as described with reference to FIGS. 7 and 8, a detailed description thereof will be omitted.

In addition, the digital system 100 may separately generate terminal one-time information (S630-1) and transmit it to the user device 300, or may include terminal one-time information (or terminal identification information) in the confirmation signal. As described above. Then, the digital system 100 may include the device authentication information and optionally transmit a confirmation signal further including terminal identification information (or the terminal one-time information) to the authentication system 200 (S660). The confirmation signal may further include an authentication request (payment request). Of course, the authentication request (payment request) may be transmitted separately from the acknowledgment signal. That is, the authentication request (payment request) may be output to the authentication system 200 separately before or after the confirmation signal is output to the authentication system 200.

Then, the authentication system 200 may perform an authentication confirmation procedure based on the confirmation signal (S660). If the authentication confirmation procedure is successful, the authentication result may be transmitted to the digital system 100 (S670-1). Of course, it may be transmitted to the data processing device 400 (S670). Or to a given service system 500.

10 is a diagram illustrating a process of performing an authentication confirmation procedure by an authentication system according to an embodiment of the present invention.

Referring to FIG. 10, a series of processes in which an authentication confirmation procedure is performed by the authentication unit 230 of the authentication system 200, the authentication unit 230 may obtain a confirmation signal including at least device authentication information. There is (S710). The device one-time information included in the device authentication information may be information generated based on the server generation key generated and transmitted by the authentication unit 230.

Then, the authentication unit 230 generates the server one-time information based on the server generation key transmitted to the digital system 100 (S711), the generated server one-time information and the device one-time information included in the device authentication information Authentication of the one-time information for determining whether the correspondence can be performed (S712).

The device authentication information may further include the terminal one-time information (or the terminal identification information) as authenticated information. The terminal one-time information may be generated by a time synchronization method. In this case, the authentication system may generate separate server one-time information by using time information as an input value to authenticate the terminal one-time information. Alternatively, when the device one-time information is simply information on which the server generated key is encrypted based on the device identification information and the terminal identification information (or the terminal one-time information), the authentication unit 230 stores the device one-time information in advance. Authentication of the device one-time information may be performed by decrypting based on the identification information and the terminal identification information (or the terminal one-time information) and determining whether the decrypted information corresponds to the server generation key.

If authentication of the device one-time information is successful, the authentication verification procedure may be determined to be successful (S760). If authentication of the device one-time information fails, it may be determined that the authentication verification procedure has failed (S750).

When the authentication unit 230 includes only the device one-time information in the device authentication information, the authentication unit 230 may perform only authentication of the device one-time information. However, other authentication information {for example, device identification information and terminal identification information (or If the terminal one-time information)} is further included, as shown in FIG. 10, authentication of the device identification information (that is, authentication of the user device 300), authentication of the terminal identification information {that is, the digital system 100 At least one of authentication of hardware} and / or authentication of pairing may be further selectively performed.

In addition, when the terminal identification information (or the terminal one-time information) is included in the confirmation signal separately from the device authentication information, authentication of the terminal identification information (or the terminal one-time information) may be performed. And all of these authentications must be successful, it can be determined that the authentication verification procedure was successful (S760), if any one may be determined that the authentication verification procedure failed (S750).

In addition, although FIG. 10 illustrates a case where authentication of device identification information, authentication of terminal identification information, and authentication of pairing are sequentially performed, the order of these authentications may be changed.

As an example, as shown in FIG. 10, if authentication of the device one-time information is successful, the authentication unit 230 may perform user device 300 authentication using device identification information that may be included in the device authentication information. It may be (S720). If authentication of the user device 300 succeeds, it may be determined that the entire authentication confirmation procedure succeeded (S760). Of course, if authentication of the user device 300 fails, the authentication unit 230 may determine It may be determined that the authentication verification procedure has failed (S750).

In addition, the device authentication information or the confirmation signal may include terminal identification information, and the authentication unit 230 may further perform authentication using the terminal identification information (S730).

When the authentication unit 230 further performs authentication using the terminal identification information (S730), the authentication unit 230 is terminal identification information of the digital system 100 included in the confirmation signal or the device authentication information. And by determining whether the information registered in advance in the DB 240 corresponds to the hardware of the digital system 100 (S730). If the authentication of the hardware of the digital system 100 succeeds, it may be determined that the entire authentication confirmation procedure has succeeded (S760), or the pair authentication may be further performed (S730). Of course, if the authentication of the hardware of the digital system 100 fails, the authentication unit 230 may determine that the entire authentication confirmation procedure has failed (S750).

When the authentication unit 230 further performs pair authentication (S730), the authentication unit 230 may provide pair setting information registered in advance in the DB 240, that is, information about a digital system and a user device that forms a pair. In operation S740, pair authentication may be performed to confirm whether the digital system 100 and the user device 300 used in the authentication process are a pair. If pair authentication succeeds, it may be determined that the entire authentication confirmation procedure is successful (S760). Of course, if the pair authentication fails, the authentication unit 230 may determine that the entire authentication confirmation procedure has failed (S750).

11 is a diagram for explaining a process of transmitting a confirmation signal by a digital system according to one embodiment of the present invention.

Referring to FIG. 11, a user may input user authentication information (eg, PIN of a payment card) of the user device 300 through a predetermined application installed in the digital system 100 for authentication. (S800). In operation S810, the digital system 100 may communicate with the user device 300. In operation S820, the digital system 100 may receive device identification information of the user device 300.

The digital system 100 may perform user authentication to determine whether the user authentication information input from the user through communication with the user device 300 corresponds to the information set in the user device 300 (S830). If the user authentication succeeds, the digital system 100 may generate a confirmation signal including the device authentication information and transmit it to the authentication system 200 (S850). Of course, if user authentication fails (S830), the digital system 100 may terminate the process (S860). Of course, the authentication of the user authentication information may be selectively performed.

According to an implementation example, the digital system 100 may perform pair authentication (S840). When the pair authentication is more successful, the digital system 100 may transmit a confirmation signal (S850).

In order for the digital system 100 to perform pair authentication, the device identification information of the user device 300 forming a pair with the digital system 100 may be registered in the digital system 100 in advance. In some embodiments, identification information or terminal identification information of the digital system 100 that forms a pair with the user device 300 may be stored in a storage device of the user device 300. In this case, the digital system 100 may perform pair authentication by checking the information stored in the storage device.

In any case, when the digital system 100 and the user device 300 are not a pairing device, the digital system 100 does not transmit the confirmation signal to the authentication system 200 but performs the process. It may end (S860).

11 illustrates an example in which user authentication is performed before pair authentication, of course, pair authentication may be performed first.

In addition, in FIG. 11, input of user authentication information (eg, PIN) of the user device 300 may be performed at any time after a confirmation signal is transmitted to the authentication system 200 and before the authentication confirmation procedure ends. That is, after the digital system 100 transmits the confirmation signal to the authentication system 200, the digital system 100 may receive user authentication information of the user device 300 from the user and authenticate the user. In this case, the digital system 100 may further transmit a predetermined authentication signal indicating the result of user authentication to the authentication system 200. Then, the control unit 210 included in the authentication system 200 may determine the success or failure of the authentication confirmation process after confirming the authentication signal.

According to an embodiment, the digital system 100 transmits user authentication information to the authentication system 200, and the authentication of the user authentication information may be performed by the authentication system 200. In this case, the digital system 100 may transmit the user authentication information to the authentication system 200 at any point before the payment request is approved by the authentication system 200. For example, the user authentication information may be included in the confirmation signal, and the user authentication information may be transmitted to the authentication system 200 at any time before or after the transmission of the confirmation signal. Then, the authentication unit 230 included in the authentication system 200 can perform the user authentication using the user authentication information of the user device 300 stored in the DB 240. And, if the user authentication is successful, it may be determined that the authentication confirmation process is finally succeeded.

In the present specification, the case in which the authentication information included in the confirmation signal is the device authentication information generated by the user device 300 has been described mainly. However, the authentication information included in the confirmation signal is generated by the digital system 100. Of course, the terminal may also be authentication information. In this case, the digital system 100 can easily generate the terminal authentication information using the server generation key received from the authentication system 200 and the device identification information (or device one-time information) of the user device 300. Can be deduced.

12 is a view showing a schematic configuration of a user device according to an embodiment of the present invention.

Referring to FIG. 12, the user device 300 may include a computing unit 310 and a communication unit 320.

As described above, the user device 300 may be implemented in various ways, such as a smart card or IC card, a traffic card, a payment IC card, etc., capable of performing contact or contactless communication with the digital system 100.

The calculating means 310 may be an IC chip included in the IC card in the simplest form. The communication means 320 may be implemented as an RF antenna that can communicate with the digital system 100.

According to another embodiment, the user device 300 has its own identification information as the device owned by the user, and any type of device capable of communicating with the digital system 100 is possible. For example, the user device 300 may be a device capable of proving an identity (e.g., an electronic identification card), a communicable OTP device, or a user's mobile phone separate from the digital system 100. Even in this case, the user device 300 may include a computing means (eg, a processor) capable of data processing and various communication means (eg, an NFC chip, a Bluetooth device, an RF antenna, etc.) capable of communicating with the digital system 100. ) May be included.

The communication means 320 may communicate with the digital system 100, that is, for authentication.

When the communication is performed, the calculating means 310 may generate device authentication information. As described above, when the server generation key is received from the digital system 100 through the communication as described above, the calculating means 310 generates device one-time information based on the server generation key (the device one-time information is generated by the server). It may be generated by using the identification information of the key and the device, or may be generated in various ways by using the server-generated key and various other information), and the device authentication information including the generated device one-time information may be generated. .

Alternatively, when the server generation key and the terminal identification information (or the terminal one-time information) are received from the digital system 100, the device one-time information based on the server generation key and the terminal identification information (or the terminal one-time information). May generate the device authentication information including the generated device one-time information. Or generate the device one-time information based on the server generation key and generate device authentication information including the generated device one-time information and the terminal identification information (or the terminal one-time information) received from the digital system 100. It may be.

The device authentication information generated by the computing means 310 may be transmitted to the digital system 100 through the communication, and a confirmation signal including the transmitted device authentication information may be transmitted by the digital system 100. May be sent to the authentication system 200. Then, an authentication confirmation procedure in which the transmitted confirmation signal is authenticated by the authentication system may be performed. In addition, an authentication request outputted from a predetermined data processing apparatus 400 or the digital system 100 to the authentication system 200 or the service system 500 connected to the authentication system 200 only after the authentication confirmation procedure is successful. Success can be handled.

The authentication method using the user apparatus according to the embodiment of the present invention can be implemented as a computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a hard disk, a floppy disk, an optical data storage device, and the like in the form of a carrier wave (for example, . In addition, the computer-readable recording medium may be distributed over network-connected computer systems so that computer readable codes can be stored and executed in a distributed manner. And functional programs, codes, and code segments for implementing the present invention can be easily inferred by programmers skilled in the art to which the present invention pertains.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

Claims (29)

The digital system performing communication with a predetermined user device for authenticating the user;
Receiving, by the digital system, device authentication information generated by the user device and transmitting a confirmation signal including the device authentication information to an authentication system through the communication; And
And performing an authentication confirmation procedure in which the transmitted confirmation signal is authenticated by the authentication system.
When the authentication confirmation procedure is successful, an authentication request outputted from a predetermined data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system is successfully processed.
The device authentication information,
And device one-time information generated by the user device based on a server generation key generated by the authentication system and transmitted to the user device through the digital system.
The apparatus of claim 1, wherein the device one-time information includes:
First device one-time information generated by the user device based on the server generation key; Or second device one-time information generated by the user device based on the server generation key and terminal identification information of the digital system delivered to the user device via the communication; ego,
The device authentication information,
And optionally terminal identification information of the digital system or terminal one-time information generated by the digital system.
The method of claim 1, wherein the user authentication method using the user device,
And displaying, on the data processing apparatus or the digital system, the authentication act request information output by the authentication system receiving the authentication request including the identification information of the digital system output from the data processing apparatus.
And when the authentication action request information is displayed, the digital system performs user communication with the user device.
The method of claim 1, wherein the user authentication method using the user device,
And receiving, by the digital system, authentication activity request information output from the data processing apparatus receiving the identification information of the digital system.
And the digital system performs the communication with the user device when the authentication activity request information is received.
According to claim 1, By the authentication system,
Server one-time information corresponding to the device one-time information, wherein the server one-time information is information generated based on the server generation key, and device one-time information included in the device authentication information from which the generated server one-time information is received. If it corresponds to the characterized in that the authentication verification procedure is successful, or
And decrypting the device one-time information and if the decryption result corresponds to the server generation key, the authentication verification procedure is successful.
The method of claim 5, wherein the device authentication information further includes terminal identification information of the digital system or terminal one-time information generated by the digital system.
By the authentication system,
And when the terminal identification information of the digital system is further authenticated or the terminal one-time information is further authenticated, the authentication verification procedure is successful.
The method of claim 1, wherein the user authentication method using the user device,
Receiving, via the communication, the device identification information of the user device by the digital system,
The step of transmitting the confirmation signal to the authentication system,
The digital system further including the device identification information in the confirmation signal and transmitting the identification information to the authentication system,
By the authentication system,
The authentication method using the user device characterized in that the authentication confirmation procedure is successful only if the device identification information is authenticated.
The method of claim 7, wherein the user device,
It is an IC card for payment.
The device identification information included in the confirmation signal,
And identification information of the user device irrelevant to payment financial information of the payment IC card.
The method of claim 1, wherein the transmitting of the confirmation signal to an authentication system comprises:
The digital system further including the terminal identification information of the digital system in the confirmation signal and transmitting the identification signal;
By the authentication system,
The user authentication method using the user device, characterized in that the authentication confirmation procedure is successful only if the terminal identification information is further authenticated.
The method of claim 1, wherein the user authentication method using the user device,
Determining, by the digital system, whether the user device is a pair preset to correspond to the digital system,
The user authentication method using the user device, characterized in that for transmitting the confirmation signal to the authentication system only when the user device is a predetermined pair as a result of the determination.
The digital system according to claim 1,
The user authentication method using the user device, characterized in that for transmitting to the authentication system by including in the confirmation signal without displaying the device authentication information.
The method of claim 1, wherein the user authentication method using the user device,
Requesting, by the digital system or the authentication system, user authentication information corresponding to the user device to a user of the digital system; And
Transmitting the user authentication information input in response to the request to the authentication system by the digital system or the data processing apparatus,
The user authentication method using the user device, characterized in that the authentication confirmation procedure is successful only if the user authentication information is further authenticated by the authentication system.
The digital system according to claim 1,
And the user device, wherein the user device is a payment IC card, does not include payment financial information in the confirmation signal.
Transmitting, by the authentication system, the server generation key to the digital system;
When the digital system communicates with a predetermined user device, the authentication system receiving a confirmation signal from the digital system, wherein the confirmation signal includes device authentication information generated by the user device;
Performing, by the authentication system, an authentication confirmation procedure for authenticating the device authentication information based on the received confirmation signal; And
If an authentication confirmation procedure for authenticating the device authentication information is successful, the authentication system successfully processes an authentication request outputted from a predetermined data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system. ,
The device authentication information,
And a device one-time information generated by the user device based on the server generation key transmitted from the digital system to the user device through the communication.
15. The method of claim 14, wherein the device one-time information,
First device one-time information generated by the user device based on the server generation key; Or second device one-time information generated by the user device based on the server generation key and terminal identification information of the digital system delivered to the user device via the communication; ego,
The device authentication information,
And optionally terminal identification information of the digital system or terminal one-time information generated by the digital system.
The method of claim 14, wherein the user authentication method using the user device,
Receiving, by the authentication system, the authentication request including identification information of the digital system from the data processing apparatus; And
Transmitting, by the authentication system, authentication activity request information to the digital system or the data processing device in response to the reception;
And after the confirmation signal is received from the digital system, the authentication system performs the authentication confirmation procedure after transmitting the authentication activity request information.
The method of claim 14, wherein the authentication system performs an authentication confirmation procedure for authenticating the device authentication information based on the received confirmation signal.
The authentication system generates server one-time information corresponding to the device one-time information, wherein the server one-time information is information generated based on the server generation key, and includes the generated server one-time information in the received device authentication information. Determining whether it corresponds to device one-time information; or
And the authentication system decrypting the device one-time information and determining whether the decryption result corresponds to the server generation key.
The method of claim 17, wherein the device authentication information further includes terminal identification information of the digital system or terminal one-time information generated by the digital system.
The authentication system performing the authentication confirmation procedure for authenticating the device authentication information based on the received confirmation signal,
Authenticating, by the authentication system, terminal identification information of the digital system; or
And authenticating, by the authentication system, the terminal one-time information.
The method of claim 14, wherein the user authentication method using the user device,
And authenticating, by the authentication system, whether the pair is set to correspond to each other in advance between the digital system and the user device which have transmitted the confirmation signal.
The user authentication method using the user device that determines that the pair authentication is successful only if the authentication confirmation procedure.

Communicating by the user device with the digital system for identity authentication;
Generating, by the user device, device authentication information;
Transmitting device authentication information generated by the user device to the digital system;
A confirmation signal including the transmitted device authentication information is transmitted by the digital system to an authentication system; And
And performing an authentication confirmation procedure in which the transmitted confirmation signal is authenticated by the authentication system.
When the authentication confirmation procedure is successful, an authentication request outputted from a predetermined data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system is successfully processed.
The device authentication information,
And device one-time information generated by the user device based on a server generation key generated by the authentication system and transmitted to the user device through the digital system.
The method of claim 20, wherein the generating of the device authentication information by the user device comprises:
The user device generates first device one-time information based on the server generation key, or the second device one-time information based on the terminal identification information received by the user device from the digital system via the server generation key and the communication. Generating the device authentication information by generating a;
The user device may further include terminal identification information of the digital system or terminal one-time information generated by the digital system in the device authentication information including the first device one-time information or the second device one-time information. Identity authentication method using a user device characterized in that there is.
A computer-readable recording medium having recorded thereon a program for performing the method according to any one of claims 1 to 21.
In a digital system,
A user device communication module for communicating with a user device for authentication of an authentication request;
And a control module for transmitting a confirmation signal to the authentication system when the communication with the user device is performed through the user device communication module, wherein the confirmation signal includes device authentication information generated by the user device.
By the authentication system,
If an authentication confirmation procedure for authenticating the device authentication information included in the confirmation signal is successful, the authentication request outputted from a predetermined data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system is successfully processed. Characterized in that,
The device authentication information,
And device one-time information generated by the user device based on a server generation key generated by the authentication system and transmitted to the user device through the digital system.
The method of claim 23, wherein the device one-time information,
First device one-time information generated by the user device based on the server generation key; Or second device one-time information generated by the user device based on the server generation key and terminal identification information of the digital system delivered to the user device via the communication; ego,
The device authentication information,
And optionally, terminal identification information of the digital system or terminal one-time information generated by the digital system.
The method of claim 23, wherein the digital system,
And a terminal one-time information generation module for generating the terminal one-time information.
A communication unit for receiving a confirmation signal output by the digital system when the digital system communicates with a predetermined user device, wherein the confirmation signal includes device authentication information generated by the user device;
An authentication unit for generating a predetermined server generation key and performing an authentication confirmation procedure for authenticating the device authentication information included in the received confirmation signal; And
And a control unit for successfully processing an authentication request outputted from a predetermined data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system when the authentication confirmation procedure for authenticating the device authentication information is successful.
The device authentication information,
Authentication by the user device comprising the device one-time information generated by the user device based on the server generated key generated by the authentication unit and transmitted from the digital system to the user device through the communication. system.
The method of claim 26, wherein the device one-time information,
First device one-time information generated by the user device based on the server generation key; Or second device one-time information generated by the user device based on the server generation key and terminal identification information of the digital system delivered to the user device via the communication; ego,
The device authentication information,
And optionally, terminal identification information of the digital system or terminal one-time information generated by the digital system.
Communication means for performing communication with a digital system;
Comprising a calculation means for generating device authentication information when the communication is performed through the communication means,
The device authentication information generated by the computing means is transmitted to the digital system, and if the confirmation signal containing the transmitted device authentication information is transmitted by the digital system to the authentication system, the transmitted confirmation signal is transmitted to the authentication system. The authentication verification process, which is authenticated by
When the authentication confirmation procedure is successful, an authentication request outputted from a predetermined data processing apparatus or the digital system to the authentication system or a service system connected to the authentication system is successfully processed.
The device authentication information,
And device one-time information generated by the computing means based on the server generation key generated by the authentication system and transmitted through the digital system.
The method of claim 28, wherein the calculating means,
Generate first device one-time information based on the server generation key, or generate second device one-time information based on the server generation key and the terminal identification information received from the digital system through the communication. Create,
Wherein said calculating means comprises:
The terminal authentication information of the digital system or the terminal one-time information generated by the digital system may be further included in the device authentication information including the first device one-time information or the second device one-time information. User device.

Images