KR20140029067A - Methods and apparatus for electronically identifying personal identity - Google Patents
Methods and apparatus for electronically identifying personal identity
- Publication number
- KR20140029067A
- Authority
- KR
- South Korea
- Prior art keywords
- authentication
- information
- electronic
- identity
- personal information
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
- H04W8/20—Transfer of user or subscriber data
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Databases & Information Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
The present invention relates to an electronic identity verification device that satisfies essential security requirements such as confidentiality, authentication, and integrity. The device comprises: an identity information confirmation item setting unit that selects, from among a plurality of identity information items, only the items for which the user's personal information is required, and then asks the user terminal whether the user agrees to the provision of the personal information corresponding to the selected identity information items; an authentication arbitration unit that mediates authentication between the user terminal and the external server storing the user's personal information when consent is received from the user terminal; and a personal information receiver that receives a one-time volatile URI from the external server when the authentication is completed, and receives and displays on the screen the personal information corresponding to the selected identity information item based on the URI information.
Description
The present invention relates to a secure electronic identity verification apparatus and method in which the electronic identity verifier requests only the information required for identification, and only the information specified by the user of the user terminal is provided to the party requesting identity verification.
Existing IDs (resident registration card, driver's license, passport, etc.) record the main information of the ID card on the surface in human-readable form. Because this information includes sensitive personal information such as name, gender, date of birth, address, and photo, it can cause serious damage if it is leaked.
However, the information that must be exposed differs between online and offline identification and from case to case. For example, when buying alcoholic beverages or tobacco at a store, it is sufficient to check only that the buyer is 19 or older, whereas creating an account or withdrawing money at a bank may require additional verification such as name and social security number. Current identification based on ID cards, however, has the problem of exposing the main information, such as name, gender, date of birth, address, and photo, all at the same time.
In order to solve these problems, the introduction of the electronic resident registration card (Patent No. 1999-0012099 "User Identification Method Using the Electronic Resident Card", etc.) is being promoted. However, there is a risk that all of the information can be leaked; in particular, if the security system of the card is broken, personal information can be leaked through a contactless reader.
For example, contactless smart cards are vulnerable to eavesdropping on the wireless link, and the seriousness of eavesdropping and hacking of smart cards can be seen from news reports of the hacking of the Mifare RFID card, which is widely used as a public transportation card in Korea. In addition, since hacking cases involving electronic passports and similar electronic ID cards are already well known, it has been shown that the safety of this type of electronic ID card cannot be sufficiently secured.
The technical problem to be solved by the present invention is to provide a highly secure electronic identity verification apparatus and method by providing an electronic identity verifier that meets essential security requirements such as confidentiality, authentication, and integrity.
In order to solve the above technical problem, an electronic identification device according to an embodiment of the present invention includes a confirmation item input and output unit for transmitting a plurality of information items related to user identification to the user terminal; A provision item input / output unit configured to receive a provision item selected by the terminal based on the plurality of information items and transmit the received provision item to an external server managing a plurality of personal information; And a personal information receiver configured to receive personal information of the user corresponding to the provided item from the external server.
According to another preferred embodiment of the present invention, the electronic identity verification apparatus includes: an identity information confirmation item setting unit that selects only the items requiring the user's personal information from among a plurality of identity information items, and then asks the user terminal whether the user agrees to provide the personal information corresponding to the selected identity information items; an authentication mediation unit that mediates authentication between the external server storing the user's personal information and the user terminal when consent is received from the user terminal; and a personal information receiver that receives the disposable volatile URI from the external server when the authentication is completed, and receives and displays on the screen the personal information corresponding to the selected identity information item based on the URI information.
Electronic identification method according to an embodiment of the present invention comprises the steps of transmitting a plurality of information items relating to the user identification to the user terminal; Receiving a selected offer item from the terminal based on the plurality of information items and transmitting the selected offer item to an external server managing a plurality of personal information; And receiving the personal information of the user corresponding to the provided item from the external server.
According to the present invention, since the electronic identity checker performs only simple transfer of the user's personal information from the user terminal to the external server managing the personal information, the problem of exposing the main information of the individual through the electronic identity checker can be solved. In addition, problems such as MITM and wireless section eavesdropping can be solved.
In addition, since in a preferred embodiment of the present invention the electronic identity checker does not hold personal information in the user's terminal, even if the terminal is lost and falls into the hands of a malicious hacker, the hacker cannot obtain the personal information. Accordingly, the present invention can maintain high security by providing essential security requirements such as confidentiality, authentication, integrity, and non-repudiation in identity verification.
FIG. 1A is a diagram illustrating an embodiment of an electronic identity verification system according to the present invention.
FIG. 1B is a view showing a configuration in which the authentication server and the DB server as an embodiment of the electronic identity verification system according to the present invention.
FIG. 2 is a view showing a screen in which an identification process is performed in an electronic identification device and a user terminal according to the present invention.
FIG. 3 is a block diagram showing the configuration of a user terminal according to the present invention.
FIGS. 4A and 4B are block diagrams showing the configuration of the electronic identity checker according to the present invention.
FIG. 5 is a block diagram showing the configuration of an external server according to the present invention.
FIGS. 6A, 6B and 6C are flowcharts illustrating an electronic identity verification method according to an embodiment of the present invention.
FIG. 7 is a flowchart illustrating a method of electronic identity verification through a DB server according to an embodiment of the present invention.
FIG. 8 is a flowchart illustrating an electronic ID payment procedure using an EAP-TLS authentication procedure in an active electronic identity checker according to an embodiment of the present invention.
FIG. 9 shows, as a preferred embodiment of the present invention, the procedure for performing EAP-TLS-type electronic identity card authentication by modifying the EAP-Request (Identity), EAP-Response (Identity), and EAP-Success (Identity) messages of the existing EAP protocol as shown in Table 2.
FIG. 10 shows a simplified flowchart of an electronic ID authentication and authentication procedure based on EAP-AKA among various EAP-based authentication protocols.
FIG. 11 is a flowchart illustrating a case where an authentication rejection occurs while authenticating an electronic ID using the EAP-AKA method.
FIG. 12 shows a procedure of confirming actual identification information using information such as MSK, which is additionally generated information when the electronic identification providing server and the electronic identification card authentication period EAP-AKA authentication method are followed.
FIG. 13 illustrates an embodiment of performing authentication between the electronic
Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. FIG. 1A is a schematic diagram of an electronic identity verification system according to the present invention.
Referring to FIG. 1A, the electronic identity verification system of the present invention includes a
In FIG. 1A, the
For example, if the
The
The
As shown in FIG. 1, the
Referring to FIG. 2, the
In this case, the user input device such as a button may be replaced with buttons in a touch screen display device that receives input from a screen display device, and replaced with a functional device that enables input of necessary information by various other means (PC connection, etc.). Can be.
In addition, the
The
FIG. 1B is a schematic diagram of an electronic identity verification system in which an
Referring to FIG. 1B, the electronic identity verification system of the present invention includes a
The
The external server (FIG. 1,300) to the
The authentication procedure of the
The
As one preferred embodiment of the present invention, in order to verify an electronic identity card, security requirements such as confidentiality, authentication, and integrity must be satisfied. To this end, the electronic identification system should provide a very high level of authentication. However, the authentication level can be determined according to the importance of the user.
For example, there may be a difference in security level between providing sensitive information such as a social security number and providing only a general date of birth, and, depending on necessity, the authentication process used in internet banking or an authentication method such as AKA in use in 3G networks may be used. However, it is practically difficult for the active
Therefore, the present invention uses an efficient and flexible approach in which an EAP-TLS authentication procedure using a certificate between a terminal and an authentication server for network access authentication, or various authentication methods such as the AKA used in 3G and the SIM of GSM, can be utilized. For this, see FIGS. 8 to 13.
FIG. 2 illustrates a screen in which an identity verification procedure is performed in the
The user of the electronic identity checker (FIG. 1, 200) selects an item necessary for identity verification from the items displayed on the screen of the electronic identity checker (FIG. 1, 200) (103). The user terminal (FIG. 1, 100) displays the name of the electronic identity checker (FIG. 1, 200) and the requested item on its screen, together with a screen on which the user can decide whether to provide personal information for the item (105). If the user agrees to provide personal information for the item, the user terminal (FIG. 1, 100) is authenticated by the external server (FIG. 1, 300) via the electronic identity checker (FIG. 1, 200).
When the authentication of the user terminal is completed, the electronic identity checker (FIG. 1, 200) receives personal information from the external server (FIG. 1, 300), and when the identification is completed, the display device of the electronic identity checker (FIG. 1, 200) indicates that the verification completed normally (107).
The electronic identity checker should be able to verify the identity information from the authenticated server or from an external server. To this end, the electronic identity checker displays the received information based on the URI information received from an external server or an authentication server. When a request is made to the URI, the external server verifies it based on information such as a session key and, upon completion of the verification, sends the information to the electronic identity checker. The URI is a volatile URI that can be used only once and is discarded immediately after use. In addition, the external server or certificate server should log any URI request and provide the service based on that information.
Specifically, in order to perform authentication of the electronic identity checker, unique identification value information such as the IMEI (International Mobile Equipment Identity) or IMSI (International Mobile Subscriber Identity) of the electronic identity checker should be used, and this value must be encrypted with the secret key of the electronic identity checker and recorded on the server.
To this end, a preferred embodiment of the present invention uses a unique identification key value (eg, Identity) that can distinguish an active credit card for authentication in the authentication procedure.
The authentication server must separately and securely manage the information of the identity provider corresponding to the identity. When the authentication of the identity is completed, the authentication server must determine that the authentication of the identity provider is completed and process the information so that it can be provided. Therefore, the identity itself poses no problem even when exposed to the outside, and can be implemented as a value that can be transmitted over a wireless section.
FIG. 3 is a block diagram schematically showing the internal configuration of the
Referring to FIG. 3, the
The confirmation
Referring to FIG. 2, when the
The
FIG. 4A is a block diagram schematically illustrating a configuration of an
Referring to FIG. 4A, the
The identity information verification
The method of receiving identification information required for identification in the identification information confirmation
Depending on the needs of the
The identity information confirmation
Upon receipt of the consent from the
When the authentication is successfully completed between the
In another embodiment, when the
In another embodiment of the present invention, the
The
FIG. 4B shows a block diagram of an
Referring to FIG. 4B, the
The
According to an embodiment of the present invention, the
The
As the
FIG. 5 is a block diagram schematically showing an internal configuration of an
Referring to FIG. 5, the
The user
FIG. 6A is a flowchart illustrating an electronic identity verification method in an electronic identity verification system according to an embodiment of the present invention.
The
The
The
When receiving the authentication completion signal of the
The
The
FIG. 6B is a flowchart illustrating an electronic identity verification method in an electronic identity verification system according to an embodiment of the present invention.
The
The
The
The
The
FIG. 6C is a flowchart schematically illustrating a procedure of verifying an electronic identity using DB location information by an
The
The
The
FIG. 7 is a flowchart schematically illustrating an electronic identity authentication procedure when the
When the
The
The
If the connection is normally completed, the
The
FIG. 8 is a flowchart illustrating an electronic ID payment procedure using an EAP-TLS authentication procedure in an active electronic identity checker according to an embodiment of the present invention.
In an exemplary embodiment of the present invention, in order to determine information required for identification of the electronic ID card in addition to the authentication, additional information such as a name, a photo, a social security number, an address, a gender, and a date of birth may be used.
To this end, vendor-specific functionality can be used as a new message type in the EAP protocol defined in RFC3748, or a new type can be added.
In a preferred embodiment of the present invention, type 254 Expanded Type may be utilized as shown in Table 1. In addition, it should be noted that various extension methods such as adding a new type can be used and various modifications are possible.
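As an added illustration of the Expanded Type mechanism described above (this is not code from the patent, and Table 1 is not reproduced on this page), the following Python sketch packs a list of requested identity items into an EAP packet of type 254 using the RFC 3748 layout and parses it back strictly. The Vendor-Id is the enterprise number reserved for documentation, and the Vendor-Type value, the one-byte item codes and the function names are assumptions made for the example.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2      # Code values from RFC 3748
EAP_TYPE_EXPANDED = 254               # Expanded Type (RFC 3748, section 5.7)
VENDOR_ID = 32473                     # enterprise number reserved for documentation (RFC 5612)
VENDOR_TYPE_ID_ITEMS = 1              # hypothetical Vendor-Type meaning "identity items"

# Hypothetical one-byte codes for the identity items the description lists.
ITEM_CODES = {
    "name": 1, "photo": 2, "social_security_number": 3,
    "address": 4, "gender": 5, "date_of_birth": 6,
}
ITEM_NAMES = {code: name for name, code in ITEM_CODES.items()}

_HEADER = struct.Struct("!BBH")       # Code, Identifier, Length
_MIN_LEN = _HEADER.size + 1 + 3 + 4   # header + Type + Vendor-Id + Vendor-Type


def build_item_message(identifier, items, code=EAP_REQUEST):
    """Encode the selected identity items as an Expanded Type EAP packet."""
    if len(set(items)) != len(items):
        raise ValueError("duplicate identity item")
    vendor_data = bytes(ITEM_CODES[name] for name in items)
    body = (bytes([EAP_TYPE_EXPANDED])
            + VENDOR_ID.to_bytes(3, "big")
            + struct.pack("!I", VENDOR_TYPE_ID_ITEMS)
            + vendor_data)
    # The Length field covers the whole packet, header included.
    return _HEADER.pack(code, identifier, _HEADER.size + len(body)) + body


def parse_item_message(packet):
    """Strictly decode a packet built by build_item_message().

    Raises ValueError on anything malformed so the caller can drop the message
    instead of acting on a partially understood request.
    """
    if len(packet) < _MIN_LEN:
        raise ValueError("packet shorter than an Expanded Type header")
    code, identifier, length = _HEADER.unpack_from(packet)
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        raise ValueError("only Request/Response packets carry a Type field")
    if length < _MIN_LEN or length > len(packet):
        raise ValueError("Length field inconsistent with received bytes")
    packet = packet[:length]          # octets past Length are link-layer padding
    if packet[4] != EAP_TYPE_EXPANDED:
        raise ValueError("not an Expanded Type packet")
    vendor_id = int.from_bytes(packet[5:8], "big")
    (vendor_type,) = struct.unpack_from("!I", packet, 8)
    if (vendor_id, vendor_type) != (VENDOR_ID, VENDOR_TYPE_ID_ITEMS):
        raise ValueError("unexpected Vendor-Id / Vendor-Type")
    items = []
    for item_code in packet[12:]:
        name = ITEM_NAMES.get(item_code)
        if name is None or name in items:
            raise ValueError("unknown or repeated identity item code")
        items.append(name)
    return {"code": code, "identifier": identifier, "items": items}


if __name__ == "__main__":
    # Constructed sample: a store asks only for the date of birth.
    pkt = build_item_message(7, ["date_of_birth"])
    print(pkt.hex(), parse_item_message(pkt))
```

Rejecting unknown item codes and inconsistent Length values at the parser keeps a checker from silently requesting, or a terminal from silently consenting to, items it cannot name to the user.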
Referring to FIG. 8, the electronic ID payment flow using the EAP-TLS authentication procedure in the active electronic identity checker is as follows. The electronic identity checker, which has received the identification information, waits until communication with the electronic identity card is possible through the local area network, and when communication is enabled, sends an EAP-Start method from the electronic identity card (S810) and the
The
Since the authentication method can be variously supported depending on the local area network and the electronic ID, it is necessary to introduce a structure that can be used in all authentication methods. Therefore, it can be used in various authentication methods by piggybacking the electronic ID information in the EAP message shown in Table 2 below.
FIG. 9 shows, as a preferred embodiment of the present invention, the procedure for performing EAP-TLS-type electronic identity card authentication by modifying the EAP-Request (Identity), EAP-Response (Identity), and EAP-Success (Identity) messages of the existing EAP protocol as shown in Table 2.
The
For the security of such information for EAP-TLS authentication, the carrier may issue it in advance over the air (OTA) to a smartphone or the like, and issuance in a separate offline form may also be supported.
In addition, the EAP-TLS authentication method provides a level of certification similar to the accreditation process in Internet banking, but it is difficult to popularize due to the burden of mounting and managing the accreditation certificate on the electronic identity card. Therefore, the EAP-TTLS authentication method can be used, in which only the server mounts the public certificate and the electronic ID does not use the public certificate. Other authentication methods, such as EAP-AKA or EAP-SIM, can also be used.
FIG. 10 shows a simplified flowchart of an electronic ID authentication and authentication procedure based on EAP-AKA among various EAP-based authentication protocols.
The AKA authentication method is a secure authentication method that provides mutual authentication between server and clients and is used for authentication in existing communication systems. It authenticates using the shared secrets K and OPc, and the authentication procedure is possible based on the modified EAP-Request (Identity), EAP-Response (Identity), and EAP-Success messages, as in FIG.
Like the TLS authentication method, the important authentication information such as K and OPc used for authentication in the EAP-AKA-based authentication method should be impossible to inquire, input, and delete in the
FIG. 11 is a flowchart illustrating a case where an authentication rejection occurs while authenticating an electronic ID using the EAP-AKA method.
When processing the electronic ID authentication, the user using the user terminal in which the electronic ID is implemented enters the verification request information into the
FIG. 12 illustrates a procedure of confirming actual identification information by using information such as MSK, which is additionally generated information when the electronic identification providing server and the electronic identification card authentication period EAP-AKA are authenticated.
FIGS. 8 to 11 and some other drawings are illustrated on the assumption that the electronic identity providing server and the electronic identification card authentication server are implemented as one server for convenience of description. FIG. 12 shows a specific embodiment in which the electronic identification providing server and the electronic identification card authentication server are implemented separately.
The electronic identity providing server and the electronic identity authentication server are generally installed in the same place and share devices such as the same firewall. However, in the present invention, even if the two servers are in different locations, no problem arises as long as a secure channel such as a mutual VPN (Virtual Private Network) is provided between them or the service is provided through HTTPS or the like.
Referring to Figure 12, in another preferred embodiment of the present invention discloses a new authentication procedure between the
In detail, after performing the EAP-AKA authentication (S1200), if the authentication is successfully completed, the electronic identification
In addition, when the
The electronic
In this case, however, it should be noted that if a user accesses a new URI for information such as a photo from a URI sent from the electronic ID checker, that URI must likewise be a volatile URI, the information must be used only once, the used information must be destroyed immediately, and authentication by KEY value should be performed.
The
The
As another preferred embodiment of the present invention, in order to further enhance security, the electronic
In principle, the e-identity provision server should discard the URI whether the call succeeds or fails, but if an OTP is used, an error may occur due to the time difference between the two ends, so the number of failed authentication attempts allowed can be increased from one to a certain number N. For example, N can be 3, which is a commonly used number of retries for password entry failures.
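The volatile-URI rules stated here and in the earlier paragraph on URI handling (single use, discard on success or failure, up to N failures when an OTP is used, and a log of every request) can be shown as a server-side sketch; this is an added example, not code from the patent. The class and method names, the `idp.example` host, the 30-second validity window and the HMAC-SHA256 proof standing in for the session-key/OTP check are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    session_key: bytes    # key agreed during authentication (e.g. the MSK)
    checker_id: str       # identification value of the electronic identity checker
    items: dict           # only the identity items the user consented to
    expires_at: float     # end of the window in which the URI may be used
    failures_left: int    # 1 = discard on first failure; N when an OTP is used


class VolatileUriStore:
    """Issues and redeems one-time URIs (hypothetical server-side component)."""

    BASE = "https://idp.example/v/"   # constructed placeholder host

    def __init__(self, ttl_seconds=30, max_failures=1, clock=time.time):
        self._ttl, self._max_failures, self._clock = ttl_seconds, max_failures, clock
        self._grants = {}
        self.audit_log = []           # (event, token fingerprint, checker id)

    def _log(self, event, token, checker_id):
        # Log a fingerprint, never the token itself, so the log cannot be replayed.
        fingerprint = hashlib.sha256(token.encode()).hexdigest()[:12]
        self.audit_log.append((event, fingerprint, checker_id))

    def issue(self, session_key, checker_id, items):
        token = secrets.token_urlsafe(32)     # unguessable, no meaning of its own
        self._grants[token] = Grant(session_key, checker_id, dict(items),
                                    self._clock() + self._ttl, self._max_failures)
        self._log("issued", token, checker_id)
        return self.BASE + token

    @staticmethod
    def proof(session_key, uri, checker_id):
        """Value the checker presents to show it holds the session key."""
        message = uri.encode() + b"\x00" + checker_id.encode()
        return hmac.new(session_key, message, hashlib.sha256).hexdigest()

    def redeem(self, uri, checker_id, proof):
        token = uri[len(self.BASE):] if uri.startswith(self.BASE) else ""
        grant = self._grants.get(token)
        if grant is None:                     # never issued, already used, or discarded
            self._log("rejected-unknown-or-used", token, checker_id)
            return None
        if self._clock() > grant.expires_at:
            del self._grants[token]
            self._log("rejected-expired", token, checker_id)
            return None
        expected = self.proof(grant.session_key, uri, grant.checker_id)
        ok = checker_id == grant.checker_id and hmac.compare_digest(
            expected.encode(), proof.encode())
        if not ok:
            grant.failures_left -= 1
            if grant.failures_left <= 0:      # failure budget spent: discard the URI
                del self._grants[token]
            self._log("rejected-bad-proof", token, checker_id)
            return None
        del self._grants[token]               # success also discards the URI
        self._log("redeemed", token, checker_id)
        return grant.items


if __name__ == "__main__":
    store = VolatileUriStore()
    key = secrets.token_bytes(32)             # constructed stand-in for the MSK
    uri = store.issue(key, "checker-01", {"age_over_19": True})
    p = VolatileUriStore.proof(key, uri, "checker-01")
    print(store.redeem(uri, "checker-01", p), store.redeem(uri, "checker-01", p))
```

With `max_failures=1` the store follows the default rule of discarding the URI on the first failed call; `max_failures=3` corresponds to the N = 3 allowance described for the OTP case.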
FIG. 13 illustrates an embodiment of performing authentication between the electronic
FIG. 13 illustrates an EAP-AKA-based authentication procedure commonly used in 3G mobile phones as an example of EAP-AKA-based authentication. In this embodiment, for example, EAP-AKA authentication is performed directly between an electronic identity authenticator and an electronic identity verification server. Therefore, since the authenticator from the standard is not included, the TLS authentication procedure using a standard protocol such as HTTPS can be utilized.
After authenticating the
In addition, to further enhance security, the authentication procedure of the OTP and the
The present invention has proposed a structure capable of electronic ID authentication using various EAP authentication methods as described above. In the
The present invention can also be embodied as computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage, and the like, and also include media implemented in the form of a carrier wave (for example, transmission over the Internet). The computer-readable recording medium can also be distributed over network-coupled computer systems so that the computer-readable code is stored and executed in a distributed fashion.
So far, the present invention has been described with a focus on its preferred embodiments. Those skilled in the art will appreciate that the present invention can be implemented in a modified form without departing from the essential features of the present invention. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. The scope of the present invention is shown in the claims rather than in the foregoing description, and all differences within the equivalent scope should be construed as being included in the present invention.
Claims (9)
An authentication mediation unit for arbitrating authentication between an external server storing the user's personal information and the user terminal when receiving the intention of consent from the user terminal; and
Receiving a one-time volatile URI from the external server when the authentication is completed, the personal information receiving unit for receiving and displaying on the screen the personal information corresponding to the selected identity information item based on the URI information; Electronic identity verification device comprising a.
It may be implemented to use a different authentication method according to the security strength of the user's personal information, wherein the authentication method includes an EAP-TLS authentication method, EAP-TTLS method, EAP-AKA method, EAP-SIM method Electronic identity verification device.
In order to receive and display personal information corresponding to the selected identity information item on the screen based on the URI information, an International Mobile Equipment Identity (IMEI) or an International Mobile Subscriber Identity (IMSI), which is identification value information of an electronic identification device, is displayed. Authenticate the electronic identity verification device, and when the authentication is completed, the external server stores a log indicating that the electronic identity verification device receives personal information corresponding to the selected identity information item. Device.
Electronic identity verification device, characterized in that for using the identity of the electronic identification card implemented in the user terminal for authentication.
Electronic identification device, characterized in that for performing short-range communication with the user terminal.
Generating an OTP using the identification value information of the electronic identification device with respect to the URI, and permitting the electronic identification device to access the external server using the URI only during the time when the generated OTP is maintained. Electronic identification device, characterized in that.
And a DB server for storing authentication information and a user's personal information. In this case, the authentication arbitration unit arbitrates authentication between the user terminal and the authentication server, and the personal information receiver receives the URI from the authentication server. Receiving the personal information corresponding to the selected identity information item to the DB server based on the received URI.
If the identity of the electronic ID card is inappropriate or the authentication fails, the electronic identity verification device for receiving the authentication failure reason from the external server and transmits to the user terminal.
A message transmitting step of confirming whether the electronic identification device agrees to provide personal information corresponding to the selected identity information item to a user terminal;
Mediating authentication between an external server storing the user's personal information and the user terminal when receiving a consent to consent from the user terminal;
Receiving a disposable volatile URI from the external server when authentication is completed between the external server and the user terminal;
Requesting and receiving the personal information corresponding to the selected identity information item from the external server based on the received URI information, and displaying the received personal information on the screen of the electronic identity verification device. How to identify yourself at
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120096783A KR20140029067A (en) | 2012-08-31 | 2012-08-31 | Methods and apparatus for electronically identifying personal identity |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120096783A KR20140029067A (en) | 2012-08-31 | 2012-08-31 | Methods and apparatus for electronically identifying personal identity |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20140029067A (en) | 2014-03-10 |
Family
ID=50642325
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020120096783A KR20140029067A (en) | 2012-08-31 | 2012-08-31 | Methods and apparatus for electronically identifying personal identity |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20140029067A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020060114A1 (en) * | 2018-09-21 | 2020-03-26 | 삼성전자 주식회사 | Device for providing identification information, and system for same |
US11449631B2 (en) | 2019-03-21 | 2022-09-20 | Samsung Electronics Co., Ltd. | Electronic device for managing personal information and operating method thereof |
-
2012
- 2012-08-31 KR KR1020120096783A patent/KR20140029067A/en not_active Application Discontinuation
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9641520B2 (en) | Secure authentication in a multi-party system | |
US9647840B2 (en) | Method for producing a soft token, computer program product and service computer system | |
JP5601729B2 (en) | How to log into a mobile radio network | |
US10050791B2 (en) | Method for verifying the identity of a user of a communicating terminal and associated system | |
GB2547472A (en) | Method and system for authentication | |
BR102014023229A2 (en) | method for multi-factor transaction authentication using wearable devices | |
US11329824B2 (en) | System and method for authenticating a transaction | |
US11432146B2 (en) | Multi-factor authentication providing a credential via a contactless card for secure messaging | |
US9443069B1 (en) | Verification platform having interface adapted for communication with verification agent | |
US20210256102A1 (en) | Remote biometric identification | |
KR20140029067A (en) | Methods and apparatus for electronically identifying personal identity |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WITN | Withdrawal due to no request for examination |