KR20140046674A - Digital certificate system for cloud-computing environment and providing method thereof - Google Patents

Abstract

Disclosed are a digital certificate system for cloud-computing and a method for providing same. The digital certificate system for cloud-computing described above includes a user DB where an open key of a user is stored; a generation module that generates generation data which includes certificate target data for the certification of the user requesting a service when a service request for the service is received from a terminal of the user; an interface module that receives signed certificate target data from a certification organization system or a predetermined certification server when a signature request including the certificate target data included in the generation data generated by the generation module is transferred from a predetermined certification server to the certification organization system where the certificate of the user is stored through a predetermined certification process performed based on the generation data and signature is performed on the certificate target data by the certification organization system; and a verification module that verifies the received signature certificate target data by using the open key stored in the user DB or determines the presence or absence of the identification by receiving the verified result from the certification server. [Reference numerals] (100) Service system; (200) Certification server; (300) Certification organization system; (600) Terminal certification system

Description

Cloud certificate system and providing method {Digital certificate system for cloud-computing environment and providing method

The present invention relates to a cloud authorized authentication system and a method for providing the same, and more particularly, to a cloud authenticated authentication system and a method for providing the cloud authenticated authentication system and a method thereof, And a method of providing the same.

Generally, when using a predetermined service (for example, a financial transaction through a financial institution, a purchase on an online market, a payment, etc.) through a wire / wireless communication network, the service providing side confirms whether the user requesting the current service is a legitimate user There is a need. That is, the service is provided after performing the identity authentication for determining whether the service name is a requested service name. Failure to do so can result in catastrophic loss to legitimate users.

Accordingly, various efforts are being made to perform highly secure personal authentication.

For example, efforts to detect malicious code, prevent phishing, and the like have been continued through a security solution such as ActiveX (ActiveX). However, these security solutions are relatively expensive, and it is true that every service provider is unlikely to offer security solutions to all users, and the types of malicious code and phishing are diverse, so security solutions must also be continually updated or upgraded Even if such an update or upgrade is performed, security vulnerabilities are newly discovered. In addition, when the security solution is developed in a form dependent on a specific browser such as an ActiveX, there is a problem that the security solution can not be applied to a user who does not use the specific browser.

On the other hand, various methods such as login, digital certificate (public certificate), security card, and OTP are used as the authentication method of the user. In particular, the authentication method using the public certificate is a simple and high-security asymmetric encryption method, which is a widely used authentication method.

However, the authentication method using the public key certificate (hereinafter, referred to as 'certificate') is a method in which the authentication is performed when the certificate is installed in the terminal to which the service is to be provided. Therefore, There was an inconvenience.

In recent years, a malicious user (a hacker or a phishing subject) has been issued a certificate of a person other than a person using the leaked personal information frequently. As a countermeasure for such a problem, Of the total number of people in the world. Such measures may slightly increase the security, but the convenience or usability of the user may be significantly reduced.

In addition, recently, a certificate issued to a party party is also hacked. In this case, the certificate is hacked mainly because the security of the terminal installed with the certificate is poor. In particular, when an input device such as a keyboard or a mouse is used for inputting a password for authentication, there is a problem that input values can be leaked to a malicious user through key logging or the like. The security is significantly lowered.

The following is the background of the problem that the security is lowered through the certificate.

Since information security is directly related to the reliability of Internet banking service in the wake of the commercialization of Internet banking service, various information security technologies have been reviewed from the design process to guarantee the safety of financial transactions.

Most of the Internet banking users were using MS Windows and MS Internet Explorer at the time of 1997 ~ 1998, and at that time MS Internet Explorer was using the PKCS # 11 protocol to enable the browser to work with the HSM (Hardware Security Module) It was technically the best choice to use a security token (HSM).

Financial institution Internet banking service designers already knew that even though Internet banking users can securely generate / store encryption keys, there are too many potential threats to handling encryption keys in software.

In other words, storing the encryption key in the hacked PC's hard disk or memory is useless.

Therefore, it was considered to be the safest way to use a security method - ie, a security token (HSM: Hardware Security Module) - to create and store public certificates and encrypted private keys inside independent hardware devices.

However, since the price of security token (HSM) was too high at about 40,000 ~ 50,000 KRW, financial institutions were worried that HSM purchase burden would be a big obstacle to the spread of Internet banking service despite high security of HSM. Could not be adopted.

Instead, as a workaround, an Internet banking user downloads and stores an authorized certificate and an encrypted private key on his / her PC and then uses the encrypted private key for financial transactions. The risk that the authorized certificate and the encrypted private key are exposed to a hacker may be exploited In order to prepare, we adopted a very inexpensive information protection scheme which paid a fixed security OTP (secret card) for each user.

However, hackers are very clever and hardly ever attempted hacking against a secure Internet banking server.

We have exploited various hacking techniques by concentrating on the laxity of PC and users of Internet banking users who have much less security than servers.

Financial institutions are also using a variety of complementary measures such as a keyboard security solution to prevent memory hacking, the spread of an OTP generator for self-certification, and the introduction of a 2-channel authentication method for the purpose of postponing and preventing hacking. But this sort of countermeasures by financial institutions is like putting rags on rook or rag. Financial institutions that have succeeded in spreading Internet banking early on are spending a huge amount of money on information security in order to enhance security. But those information protection solutions may be a temporary solution, but they are not enough to be an essential solution.

Financial institutions have benefited from the expansion of the Internet banking user base in a short period of time with an inexpensive security method that does not use HSM, but financial institutions are burdened with information security more and more day by day.

As of 2012, Internet banking services have spread to mobile banking, and have become a part of the daily lives of Koreans, and their awareness of security and their level of willingness to pay have also increased greatly. In addition, the needs and desires for safe and convenient Internet banking services are increasing.

Therefore, in the present invention, a technical idea of providing an HSM server, i.e., a cloud-based authentication method, as an essential solution for security of the Internet banking service is required.

In other words, the ultimate alternative to dramatically increase the security strength of the Internet banking service is that all users of the Internet banking service use the HSM (security token). However, in order to do so, the financial institution or the user must bear the cost of purchasing the HSM, and the inconvenience that the user must carry the HSM (security token) at all times remains as a problem. .

That is, the user can authenticate himself / herself through the certificate not depending on the terminal to which the service is to be provided, and the identity authentication procedure using the certificate can be performed without being dependent on the web client (e.g., browser) A system and method capable of performing authentication by means of a certificate in a clouding environment so that security is increased through authentication and storage of a certificate in a highly secure external system, .

SUMMARY OF THE INVENTION Accordingly, it is a technical object of the present invention to provide a method and system for storing a certificate, which has been installed in a user terminal, in an external security system having high security, And to provide a system and method for performing authentication.

It is another object of the present invention to provide a system and method for authenticating a person through a certificate without depending on a web client.

In addition, by verifying whether or not an authentication terminal authenticated to the terminal of the service requester is possessed, it is possible to prevent the degradation of security that may be caused by the fact that the certificate is not installed in the service request terminal, And to provide a method and system for providing such a system.

In addition, when the service request terminal and the authentication terminal are different from each other, information necessary for authentication can be transmitted through scanning (or photographing), so that typing or clicking of information is unnecessary, And to provide a system and method that can be relatively secure against attacks that may occur when information necessary for authentication is transmitted through a network.

Also, since information transmitted from the service system to the service request terminal can be coded in a predetermined 2D or 3D code and transmitted, a large amount of data can be transmitted safely and can be decoded only by an authentication terminal or an authentication server, And to provide a system and method that can be relatively secure against leakage or attack of the system.

The present invention also provides a system and method for performing authentication through a certificate and performing authentication of an authentication terminal and / or a service system, thereby making it possible to secure the authentication terminal against forgery or damage through a phishing site or the like.

In addition, since the certificate can be authenticated through a certificate while being stored in a predetermined certification authority system having a relatively higher security level than the user terminal, it is possible to provide excellent security not only in the use of the certificate but also in the storage itself And a method thereof.

The cloud authorized authentication system according to an embodiment of the present invention for realizing the above technical idea includes a user DB storing a public key of a user and a service providing server for receiving the service request of the service from the user terminal, Generated by the generation module from a predetermined authentication server through a predetermined authentication process performed based on the generation information, for generating generation information including authentication target information for authenticating the authentication server When the signature request including the authentication object information included in the information is transmitted to the certification authority system storing the user's certificate and the authentication object information is signed by the certification authority system, For receiving from an institutional system or a predetermined authentication server And a verification module for verifying the received authentication information using the public key stored in the user DB or receiving the verified result from the authentication server to determine whether the authentication information is authentic.

According to another embodiment, the cloud authorized authentication system includes a server DB including authentication terminal identification information of an authentication terminal authenticated as a terminal of the user, and certificate identification information of the user stored to match with the authentication terminal identification information, When the service request of the service is transmitted to the service system, at least a part of generation information generated by the service system and including authentication object information for authenticating the user, identification information of the authentication terminal, Extracting the certificate identification information stored in the server DB based on the identification information of the authentication terminal included in the received service authentication request signal, The extracted certificate identification information, the authentication object information And a signature request module for sending a signature request containing the password to the certification authority system, wherein the authentication subject information signed by the certification authority system in response to the signature request is sent to the service system, And when the authentication information is received by the authentication server, the transmitted signed authentication object information is verified and the identity authentication is performed.

According to another embodiment of the present invention, the cloud authorized authentication system includes a certificate DB for storing a user certificate, a service DB for receiving the service request of the service from the user terminal to the service system, A signature request receiving module for receiving, from a predetermined authentication server, a signature request including the authentication subject information included in the generation information through a predetermined authentication process after generation information including authentication subject information for generating the authentication subject information is generated; And a signature module for signing the authentication subject information using the certificate password included in the signature request in response to the received signature request and for transmitting the signed authentication subject information to the service system or the authentication server, Wherein the signed authentication object information is the information When the authentication information is transmitted to the authentication server, the transmitted signed authentication object information is verified by the service system or the authentication server and the identity authentication is performed.

According to another embodiment of the present invention, the cloud authorized authentication system includes a service system that performs a predetermined service after the authentication of the user is performed, an authentication terminal that is previously authenticated as the terminal of the user, an authentication server, Wherein the service system is configured to authenticate the user requesting the service when the service request of the service is received from the user terminal, and the terminal of the user may be the authentication terminal And transmits the generated information to the user terminal. The authentication terminal receives the generation information from the terminal or the service system of the user, and generates at least a part of the generated information, the authentication The identification information of the terminal, and the password of the certificate And the authentication server extracts the certificate identification information stored in the server DB of the authentication server based on the identification information of the authentication terminal included in the received service authentication request signal, And transmits the signature request including the extracted certificate identification information, the authentication object information, and the password to the certification authority system, wherein the certification authority system receives the certificate password included in the signature request in response to the received signature request Signing the authentication subject information, and transmitting the signed authentication subject information to the service system or the authentication server.

According to another embodiment, the cloud authorized authentication system includes a service system that performs a predetermined service after the authentication of the user is performed, an authentication terminal that is previously authenticated as the terminal of the user, and an authentication server, When the registration request of the authentication terminal is received from the service system, the terminal of the user, or the terminal of the user may be the authentication terminal, generates second generation information including the identification information of the user, And after receiving the second generation information from the terminal or the service system of the user, the authentication terminal determines whether any of the second generation information or the identification information of the user included in the second generation information, Outputs a terminal registration request signal including the authentication terminal identification information to the authentication server, Is the identification information of the authentication terminal after it is determined whether or not the user identification information and the authentication terminal identification information correspond to each other through a predetermined terminal authentication system, when a corresponding one another characterized in that the registration to the authentication server.

According to another embodiment of the present invention, the cloud authorized authentication system includes a service system that performs a predetermined service after the authentication of the user is performed, an authentication terminal that is previously authenticated as the terminal of the user, an authentication server, Wherein the certificate system includes a certificate identification information of the certificate when the registration request of the certificate is received from the user terminal of the user system and the terminal of the user is the authentication terminal, And transmits the generated third generation information to the terminal of the user. After receiving the third generation information from the terminal or the service system of the user, the authentication terminal transmits the third generation information or the third generation information to the terminal And a certificate including the authentication terminal identification information, And the authentication server matches the authentication terminal identification information registered in advance in the authentication server with the certificate identification information included in the certificate registration request signal .

A method of providing a cloud authorized authentication system including a service system that performs a predetermined service after a user's authentication is performed, the method comprising: receiving a service request of the service from the user terminal; Generating generation information including authentication target information for authenticating the user requesting the service by the service system; transmitting the generation information to the terminal of the user by the service system; Receiving signed authentication object information from a predetermined certification authority system or a predetermined authentication server and verifying the signed authentication object information received by the service system, Based on the generated information, The signature request including the authentication object information is transmitted to the certification authority system storing the user certificate, and the authentication object information is signed by the certification authority system .

According to another aspect of the present invention, there is provided a method of providing a cloud authorized authentication system including an authentication server for performing authentication of a user for performing a predetermined service after authentication of a user is performed, Storing certificate identification information of the user to be matched with authentication terminal identification information of the authentication terminal authenticated as a user terminal and the authentication terminal identification information; receiving the service authentication request signal from the authentication terminal by the authentication server; The authentication server extracting certificate identification information matching the identification information of the authentication terminal based on the identification information of the authentication terminal included in the service authentication request signal; The authentication object information included in the service authentication request signal, Sending a signature request containing a password of the certificate to the certificate authority system storing the certificate, wherein when the signature request is sent to the certificate authority system, The private key is acquired and the authentication object information is signed by the obtained private key and output to the service system or the authentication server.

A method of providing a cloud authorized authentication system including an authentication authority system for performing authentication of a user for performing a predetermined service after a user's authentication is performed to solve the technical problem, Storing a certificate of the user; receiving, by the certification authority system, a signature request including authentication object information, identification information of the certificate, and a password of the certificate from a predetermined authentication server; Extracting a private key of the certificate through a password of the certificate in response to the received signature request; signing the authentication subject information using the extracted private key by the certification authority system; And transmits the signed authentication object information to the authentication server or the service system Wherein the signature request is a request for authentication of the service from the user terminal to the service system when a service request of the service is received from the terminal of the user, And outputting the certification authority system after being performed through the authentication server and the authentication server, the process being pre-authenticated as the terminal of the user.

In order to solve the above-described technical problem, there is provided a service system for performing a predetermined service after user authentication is performed, an authentication terminal that is previously authenticated as a terminal of the user, an authentication server, A method of providing a cloud authorized authentication system includes the steps of authenticating the user who has requested the service when the service request of the service is received from the service system of the user and the terminal of the user may be the authentication terminal And transmitting the generated information to the terminal of the user. The method of claim 1, further comprising: generating generation information including authentication target information for the user terminal, The identification information of the authentication terminal, and the secret Outputting a service authentication request signal including a call to the authentication server, the authentication server requesting the authentication server to transmit the service authentication request signal to the authentication server, Extracting information, sending a signature request including the extracted certificate identification information, the authentication subject information, and the password to the certificate authority system, and sending, by the certificate authority system, Extracting the private key of the certificate using the certificate secret included in the request, signing the authentication object information, and transmitting the signed authentication object information to the service system or the authentication server.

A method of providing a cloud authorized authentication system including a service system for performing a predetermined service after a user's authentication of the user is performed, an authentication terminal that is previously authenticated as a terminal of the user, and an authentication server, When the registration request of the authentication terminal is received from the service system of the user terminal and the terminal of the user may be the authentication terminal, generates second generation information including the identification information of the user, Wherein the authentication information includes at least one of identification information of the user included in the second generation information or the second generation information after the authentication terminal receives the second generation information from the terminal or the service system of the user, And outputting a terminal registration request signal including the authentication terminal identification information to the authentication server Wherein the authentication server determines whether the user identification information and the authentication terminal identification information correspond to each other through a predetermined terminal authentication system and then registers the identification information of the authentication terminal in the authentication server if they correspond to each other .

In order to solve the above-described technical problem, there is provided a service system for performing a predetermined service after user authentication is performed, an authentication terminal that is previously authenticated as a terminal of the user, an authentication server, A method of providing a cloud authorized authentication system includes a step of, when receiving a registration request of a certificate from the service system, the terminal of the user and the terminal of the user being the authentication terminal, Generating third generation information and transmitting the generated third generation information to the terminal of the user; and after the authentication terminal receives the third generation information from the terminal or the service system of the user, And the authentication terminal identification information, The authentication server matches the authentication terminal identification information registered in advance in the authentication server with the certificate identification information included in the certificate registration request signal to register the certificate registration request signal to the authentication server .

The cloud authorized authentication system providing method may be stored in a computer-readable recording medium on which the program is recorded.

Wherein the cloud authorized authentication system comprises UI providing means for providing a UI for receiving a storage location of a certificate and a password of a certificate, when the cloud UI provided by the UI providing means is selected by the system, A certificate information acquiring means for receiving information on a certificate corresponding to the identification information from an certification authority system corresponding to the cloud UI when the identification information is input and displaying information on the received certificate; .

According to the cloud authorized authentication system and the method for providing the same according to the technical idea of the present invention, since the user can perform authentication of the user without installing a certificate in the terminal requesting the service, there is an effect of remarkable improvement in convenience.

In addition, since a terminal requesting a service does not need to perform an authentication protocol such as search of a certificate and encryption / decryption through a public key, authentication of the user through a certificate is not dependent on the web client such as the conventional ActiveX There is an effect that can be.

In addition, since authentication is performed only when an authentication terminal authenticated by the terminal of the service requester is possessed, it is possible to perform two-channel authentication, and it is possible to prevent degradation of security, which may be caused by no need to install a certificate in the service request terminal It is effective.

In addition, when the service request terminal and the authentication terminal are different from each other, information necessary for authentication can be transmitted through scanning (or photographing), so that typing or clicking of information is unnecessary, There is an effect. In addition, since the information required for authentication is not transmitted through the network, it is relatively safe to attack through the network.

Also, since information transmitted from the service system to the service request terminal can be coded in a predetermined 2D or 3D code and transmitted, a relatively large data transmission can also be performed in a short time, and the code can be transmitted to a relatively secure authentication terminal Decryption is performed only by the authentication server. Therefore, even if the security of the service request terminal is low, the identity authentication can be securely performed.

Also, since the authentication of the authentication terminal and / or the service system can be performed while performing the authentication through the certificate, it is possible to prevent falsification of the authentication terminal and / or loss through the phishing site.

In addition, since the certificate can be authenticated through a certificate while being stored in a predetermined certification authority system having a relatively higher security level than the user terminal, it is possible to provide excellent security not only in the use of the certificate but also in the storage itself There is an effect.

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included to provide a further understanding of the technical idea of the present invention, are as follows.
1 is a diagram showing a schematic configuration of a cloud authorized authentication system according to an embodiment of the present invention.
2 is a diagram showing a schematic configuration of a service system included in a cloud authentication system according to an embodiment of the present invention.
3 is a diagram illustrating a schematic configuration of an authentication server included in a cloud authorized authentication system according to an embodiment of the present invention.
4 is a diagram showing a schematic configuration of an authentication authority system included in a cloud authentication system according to an embodiment of the present invention.
5 is a diagram showing a schematic configuration of an authentication terminal included in a cloud authentication system according to an embodiment of the present invention.
FIG. 6 is a diagram for explaining a method of performing identity authentication when a predetermined service is requested according to a method of providing a cloud authorized authentication system according to an embodiment of the present invention.
7 is a diagram illustrating a process of registering a user's authentication terminal according to a method of providing a cloud authentication system according to an embodiment of the present invention.
FIG. 8 is a diagram illustrating a process of registering a user certificate according to a method of providing a cloud authorized authentication system according to an embodiment of the present invention. Referring to FIG.
FIG. 9 is a view for explaining generated information coded according to a method of providing a cloud authorized authentication system according to an embodiment of the present invention. Referring to FIG.
10 is a view for explaining a method of inputting a certificate password by an authentication terminal according to a method of providing a cloud authorized authentication system according to an embodiment of the present invention.
FIG. 11 shows an example of a user interface when a method of providing a cloud authorized authentication system according to an embodiment of the present invention is applied.

In order to fully understand the present invention, operational advantages of the present invention, and objects achieved by the practice of the present invention, reference should be made to the accompanying drawings and the accompanying drawings which illustrate preferred embodiments of the present invention.

Also, in this specification, when any one element 'transmits' data to another element, the element may transmit the data directly to the other element, or may be transmitted through at least one other element And may transmit the data to the other component.

Conversely, when one element 'directly transmits' data to another element, it means that the data is transmitted to the other element without passing through another element in the element.

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail with reference to the preferred embodiments of the present invention with reference to the accompanying drawings. Like reference symbols in the drawings denote like elements.

1 is a diagram showing a schematic configuration of a cloud authorized authentication system according to an embodiment of the present invention.

Referring to FIG. 1, a cloud authorized authentication system 1 according to an embodiment of the present invention includes a service system 100, an authentication server 200, a certification authority system 300, and an authentication terminal 500. The cloud authorized authentication system 1 may further include a user terminal 400 performing a service request to the service system 100. The authentication server 200 may implement the technical idea of the present invention by performing wired / wireless communication with a predetermined terminal authentication system 600 to authenticate that the authentication terminal 500 is the terminal of the user himself / herself.

1 illustrates an example in which a user terminal 400 and an authentication terminal 500 requesting a service from the service system 100 are different from each other. 500 may be the same terminal. That is, the authentication terminal 500, which is previously authenticated as the user's terminal, may request the service system 100 for a predetermined service.

According to an embodiment, the authentication terminal 500 may be implemented as a user's mobile terminal (e.g., a mobile phone, a smart phone, a PDA, or the like). However, the present invention is not limited thereto, and all types of data processing apparatuses having data processing capabilities and communication functions necessary for realizing the technical idea of the present invention may be implemented in the authentication terminal 500.

Meanwhile, the terminal 400 of the user may be defined to include all types of data processing devices used by a user to request a service to the service system 100.

Hereinafter, a description will be given mainly of a case where a terminal 400 of a user requesting a service and an authentication terminal 500 are separately provided, but the scope of rights of the present invention is not limited thereto.

The service system 100 may be a system for providing a predetermined service to the terminal 400 of the user. The service system 100 may be any type of data processing device capable of providing a predetermined service to the user's terminal 400 after performing a personal authentication such as a financial institution system, an online market system, Can be defined as including meaning. Examples of the service provided to the user terminal 400 include a variety of services such as login, financial transaction (inquiry, transfer, payment, etc.), purchasing of goods, public service (inquiry of records, issuance of documents, etc.) have.

The service system 100 may perform authentication of the user using the (authorized) certificate and then provide the service requested by the user's terminal 400 if the user authentication is successful. In the authentication method using the conventional certificate, the user must be stored in the terminal (e.g., the user terminal 400) requesting the service so that the user can authenticate himself / herself through the certificate. The fact that the certificate is stored or installed means that the information of the certificate (for example, the certificate serial number, the personalization agent, the user information, the validity period, the public key, the signature of the personalization institution, etc.) It can mean. The private key may be encrypted with a certificate password. In addition, the information of the certificate may be registered in advance in the service providing system (for example, the service system 100), and the information of the certificate may include the public key of the certificate. As described above, in the conventional method, only the user side carries the private key, and performs authentication by performing encryption of the predetermined information with the other party having the public key. Accordingly, in the conventional method, the terminal 400 of the user requesting the service has to always store the certificate so that the user can be authenticated and services are possible. Accordingly, in order to request a predetermined service to a system that performs authentication using a certificate, only a terminal equipped with a certificate has to be used, or a certificate must be physically carried at all times.

However, according to the technical idea of the present invention, when the service system 100 carries out the authentication of the user's identity, not the certificate stored in the terminal requesting the service, that is, the terminal 400 of the user, The user authentication can be performed using the stored other system, that is, the certificate stored in the certification authority system 300. Therefore, when the user uses the service, the user is not dependent on the terminal (i.e., the service can be provided irrespective of whether the certificate is installed), and the user does not have to carry the certificate.

In addition, one of the main reasons that a certificate is hacked in the related art is that a terminal on which a certificate is installed is a terminal that is low in security and vulnerable to an attack. However, according to the technical idea of the present invention, a user's certificate can be stored in the certification authority system 300, and the certification authority system 300 will have a high level of security device and / or solution, The prevention of the risk of hacking and the stability of the certificate storage itself are improved. Therefore, it is very dangerous to install a certificate of a user in a conventional computer or the like, and it is still dangerous even when a removable storage medium is used. However, according to the technical idea of the present invention, The risk of performing authentication of the user through the certificate is very low. The certification authority system 300 may not only store the user's certificate but also perform the function of issuing the certificate. That is, the certification authority system 300 may be a system of a certificate issuing authority.

Meanwhile, in order for the service system 100 to authenticate the user of the user through a certificate, if the predetermined information is signed by the system storing the certificate, the service system 100 receives the signed information and the received information is to be verified . According to the conventional method, a user's terminal storing a certificate encrypts predetermined information with a private key of a certificate, signs the information, and decrypts the signed information with a public key in a system that provides the service. However, according to the technical idea of the present invention, since the certificate is owned by the certification authority system 300, the signature of the predetermined information (authentication subject information to be described later) can be performed by the certification authority system 300 . On the other hand, the authentication of the signed information can be performed by the service system 100 so that the authentication can be performed. Depending on the implementation, the verification of the signed information may be performed by a given authentication server 200. Then, the service system 100 may receive the authentication result from the authentication server 200. Of course, in order for the authentication server 200 to verify the signed information, the authentication server 200 may have a public key of the certificate.

Meanwhile, the authentication server 200 can confirm whether a person requesting a service using the terminal 400 of the user has a previously authenticated authentication terminal 500. Accordingly, the authentication server 200 can prevent the authentication of the user from being performed successfully even if the user knows the password of the certificate, as long as the authentication terminal 200 does not possess the authentication terminal 500. Accordingly, there is an effect that two-channel authentication is performed through whether the password of the certificate is known and whether or not the authentication terminal 500 is present. In addition, the authentication server 200 may verify whether the authentication terminal 500 is forged and / or the service system 100 is forged or falsified. Accordingly, when the authentication terminal 500 is a mobile phone, it is possible to filter the performance of authentication of a user through a clone phone or the like, and it is possible to prevent a malicious attack or a malicious attack through a phishing site similar to a predetermined web page provided by the service system 100 It is possible to prevent damage from being caused.

In addition, the authentication server 200 may register a user's authentication terminal 500 or match a user's certificate with the authentication terminal 500 and register the same. Accordingly, the authentication server 200 may perform the overall control and verification of the identity authentication procedure to implement the technical idea of the present invention. When the authentication terminal 500 is a mobile phone of the user, the authentication server 200 can determine whether to register the authentication terminal 500 through the terminal authentication system 600. [

The terminal authentication system 600 may be, for example, a mobile communication company system providing a mobile communication service. Generally, in order to utilize the mobile communication service, the face-to-face confirmation is performed by a mobile communication company or a dealer, so that a reliable user and information about the mobile phone of the user are maintained in the mobile communication company system. Accordingly, the authentication server 200 can confirm registration of the terminal requested to be registered with the authentication terminal 500 through the mobile communication company system, and perform registration. However, the terminal authentication system 600 may be implemented by any type of system that maintains and / or manages information about the user and the terminal of the user (i.e., the authentication terminal 500).

The user's terminal 400 may refer to any type of data processing device capable of requesting the service system 100 for a predetermined service. The terminal 400 of the user can transmit / receive predetermined information to implement the technical idea of the present invention through wired / wireless communication with the service system 100. The user terminal 400 may be provided with a web client for accessing the service system 100 and requesting a predetermined service. Conventionally, in order to perform authentication using a certificate, the web client must have various configurations that can perform authentication using a certificate. For example, various configurations (for example, ActiveX (ActiveX), etc.) for a firewall, a keyboard security, an authorized certificate security and the like should be installable or interoperable with the web client. In such a case, Or authentication can be performed only for a specific web client that can be interlocked. In addition, in order to perform the authentication of the user through the certificate without depending on the web client, the conventional service system 100 develops a solution for performing the above configuration or function for various web clients used by the user, Had to be provided. However, according to the technical idea of the present invention, as described later, the web client installed in the service system 100 simply displays the information received from the service system 100, It is possible to perform authentication of the user according to the technical idea of the invention.

Meanwhile, the authentication terminal 500 generates a predetermined request signal including the generation information transmitted directly from the service system 100 or through the user terminal 400, and transmits the generated request signal to the authentication server 200). ≪ / RTI > When authentication of a predetermined service is performed, the authentication terminal 500 outputs a service authentication request signal for requesting authentication of a predetermined service provided by the service system 100 to the authentication server 200 . As will be described later, when requesting registration of the authentication terminal 500 or requesting registration of a certificate, a corresponding terminal registration request signal or a certificate registration request signal may be output to the authentication server 200, respectively. Accordingly, a process performed by the technical idea of the present invention is a process in which a request of a process to be performed by the authentication terminal 500 is transmitted to the authentication server 200, Lt; / RTI > may be controlled depending on whether or not it performs the action corresponding to the request. It goes without saying that the process to be performed at each point in time may be determined depending on what request the terminal 400 of the user transmits to the service system 100.

Also, as described above, the user terminal 400 and the authentication terminal 500 are not necessarily separately provided. According to an embodiment, the authentication terminal 500 implemented in a mobile phone may perform a service request, a terminal registration request, and / or a certificate registration request to the service system 100. Alternatively, a desktop, a notebook, or the like may be an authentication terminal 500, and in this case, the authentication terminal 500 may perform various authentication requests or registration requests directly to the authentication server 200 without going through a mobile phone or the like .

In the case where a terminal requesting a service to the service system 100, that is, a terminal 400 of a user and the authentication terminal 500 are separately provided, predetermined generation information for implementing the technical idea of the present invention The user terminal 400 needs to be transferred to the authentication terminal 500. At this time, the transmission of such information is not performed through wired / wireless communication, but may be performed through scanning or photographing. Therefore, since the user does not need to input information necessary for transmission of information through the input device such as a keyboard or a mouse to the user terminal 400, the risk that the wired or wireless communication becomes an object of attack and the information is intercepted It is possible to reduce the amount of information that the user has to directly input, thereby reducing the inconvenience or time required to authenticate the user.

The transfer of information from the service system 100 to the user terminal 400 and the transfer of information from the user terminal 400 to the authentication terminal 500 may be performed in a 2D or 3D- It can be done in 3D code form. Therefore, there is a relatively safe effect on the outflow of information unless there is a solution capable of decoding such code. Since the decryption solution can be installed only in the authentication terminal 500 and / or the authentication server 200, which is regarded as a relatively safe device, secure and large-capacity data can be efficiently transmitted.

Hereinafter, specific configurations of the cloud authentication system 1 according to the technical idea of the present invention will be described.

2 is a diagram showing a schematic configuration of a service system included in a cloud authentication system according to an embodiment of the present invention.

Referring to FIG. 2, the service system 100 includes a generation module 110, an interface module 120, a verification module 130, and a user DB 140. The service system 100 may further include a first authentication code generation module 150.

Herein, a module may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, the 'module' may mean a logical unit of a predetermined code and a hardware resource for the predetermined code to be executed, and may be a code physically connected to the module, or a kind of hardware Or may be easily deduced to the average expert in the field of the present invention.

2 to 4, the service system 100, the authentication server 200, and the certification authority system 300 are shown as one device, but they are not necessarily implemented as any one physical device. That is, the service system 100, the authentication server 200, and the certification authority system 300 may each be a system in which a plurality of physical devices are combined and implemented. Accordingly, some of the configurations included in each of the service system 100, the authentication server 200, and the certification authority system 300 may be implemented or installed in any one of the physical devices, and some of the configurations may be implemented in different physical devices May be installed.

The generation module 110 may generate generation information including authentication target information for authenticating the user who requested the service when a service request of a predetermined service is received from the user terminal 400. [ Also, when the registration request of the authentication terminal 500 is received from the service system 100, the generation module 110 may generate second generation information including information necessary for registration. In addition, when the registration request of the certificate is received from the service system 100, the generation module 110 may generate third generation information including information necessary for certificate registration.

The generation information may include at least authentication target information necessary for authenticating the user. The authentication object information may be information to be signed to authenticate a user requesting the service, and may vary according to the type and implementation of the service system 100. For example, when the service is a financial transaction, it may be information (for example, account, user, transaction history information, etc.) necessary for financial transaction. Or payment information when the service is a payment request for purchasing a predetermined article or service. In some implementations, the information may be separately generated for authentication in the service system 100. In any case, the authentication object information may be information that is to be signed by the certification authority system 300, and the authentication object information may include at least one of the type of the service, the type of the service system, and / Can be varied. The generation information is generated by the generation module 110 when a service request is requested from the user terminal 400. The generated information is transmitted to the authentication server 200 through the authentication terminal 500, If the predetermined verification is successfully performed by the authentication server 200, the signature request of the authentication object information included in the generation information can be performed.

Meanwhile, the generation module 110 may generate the second generation information and / or the third generation information.

The second generation information may be information generated by the generation module 110 when a registration request of the authentication terminal 500 is received from the terminal 400 of the user. The second generation information may include information necessary for registration of the authentication terminal 500. The information required for registration of the authentication terminal 500 may include identification information of the user (e.g., a user's name, birthday, etc.). In some implementations, a telephone number corresponding to the authentication terminal 500 may be included.

The third generation information may be information generated by the generation module 110 when a certificate registration request is received from the user terminal 400. [ The third generation information may include information necessary for registration of the certificate. The information necessary for registration of the certificate may include certificate identification information included in the certificate information (e.g., a certificate identification number (serial number), personalization agent, user information, valid period, public key, Number, issuing organization, etc.).

The second generation information and the third generation information generated by the generation module 110 are respectively transmitted to the authentication server 200 through the authentication terminal 500. When a predetermined verification is performed, The registration of the authentication terminal 500 based on the information included in the information and the certificate registration based on the information included in the third generation information can be performed by the authentication server 200. [

The generation information, the second generation information, and / or the third generation information may further include a predetermined first authentication code to be verified by the authentication server 200. The first authentication code may be information used to determine the authenticity of the service system 100 that generates the generation information, the second generation information, and / or the third generation information. For example, the first authentication code may be a series of information generated by a predetermined One Time Password (OTP) generation solution distributed by the authentication server 200, and the first authentication code may include a first authentication code May be generated by the generating module 150. In addition, a predetermined configuration for verifying the first authentication code generated by the first authentication code generation module 150 may be included in the authentication server 200, May be a first authentication code verification module included in the first authentication code verification module 200. The first authentication code verification module may be, for example, a server OTP generation solution. That is, the first authentication code generation module 150 performs the function of the OTP token, and the first authentication code verification module can perform the function of the OTP authentication server. It will be readily apparent to one of ordinary skill in the art that the first authentication code can be changed at each generation of the generation information, the second generation information, and / or the third generation information. Accordingly, when the first authentication code is included in the generation information, the second generation information, and / or the third generation information, the authenticity of the service system 100 can be verified, It is possible to prevent leakage or damage of information through a site or the like. Needless to say, the generation information, the second generation information, and / or the third generation information may further include identification information that can identify the service system 100.

According to an example, the generation information, the second generation information, and / or the third generation information may be plain text information, but may be implemented with codes expressed in 2D or 3D. In this case, the generation module 110 may specify the information to be included in the generation information, the second generation information, and / or the third generation information, and then generate the code by coding the specified information. When the generated information is implemented with a predetermined code, a lot of information can be compressed and transmitted, and input by a user's input device can be reduced. In addition, since information can be acquired only when there is a solution capable of decoding the code, a solution capable of decoding the code is provided only to a reliable device, thereby reducing information leakage.

The interface module 120 transmits authentication target information included in the generated information to the certification authority system 300 through a predetermined authentication process, and the transmitted authentication target information is signed by the certification authority system 300 , It can receive signed authentication object information from the certification authority system 300 or the authentication server 200.

The authentication process includes a transfer of the generated information to the authentication terminal 500, a service authentication request signal output from the authentication terminal 500 to the authentication server 200, verification by the authentication server 200, And may include a series of processes of the signature request that the authentication server 200 outputs to the certification authority system 300 in case of success.

The transmission of the generated information to the authentication terminal 500 may include a process in which the generated information is transmitted to the authentication terminal 500 directly or through the terminal 400 of the user.

The service authentication request signal output by the authentication terminal 500 to the authentication server 200 may include at least a part of the generated information, a certificate password, and terminal identification information. When the authentication terminal 500 receives the generation information from the service system 100 or the user terminal 400, the generation of the service authentication request signal includes generating Information included in the generated information may be included in the service authentication request signal and transmitted to the authentication server 200. In addition, necessary information among the information included in the generated information (at least a part of the decoded information, for example, The first authentication code, and / or the identification information of the service system 100) to be included in the service authentication request signal and transmitted to the authentication server 200.

When the generated information is implemented with a predetermined code and the authentication terminal 500 performs decoding of the code, the service authentication request signal includes a part of information (e.g., authentication target information, The first authentication code, and / or the identification information of the service system 100) may be included and output to the authentication server 200. In a case where the code is decoded by the authentication server 200, the service authentication request signal may include the code itself and be output to the authentication server 200.

The authentication terminal 500 may also generate a second authentication code for determining authenticity of the authentication terminal 500 and include the generated second authentication code in the service authentication request signal . The second authentication code may also be an OTP, and a configuration for verifying the second authentication code may be included in the authentication server 200. That is, the authentication server 200 may include a second authentication code verification module, and the second authentication code verification module may serve as an OTP server for verifying the second authentication code. As described above, there is an effect of filtering the case of performing authentication of the identity through the authentication terminal 500 through the second authentication code, for example, through a duplicate phone or the like.

The verification module 130 may receive the authentication subject information signed from the certification authority system 300 or the authentication server 200 and verify the received authentication subject information. The verification module 130 may perform a series of processes for decrypting the signed authentication target information using the public key of the certificate to verify the signed authentication target information. When the signed authentication target information is decrypted using the public key of the certificate, it can be determined that the authentication has succeeded. Signed authentication object information may be directly received from the certification authority system 300 or may be received through the authentication server 200. [ According to an embodiment, the signed authentication target information is verified by the authentication server 200, and the verification module 130 may receive only a verification result from the authentication server 200. [ If the verification module 130 determines that the authentication has been successfully performed by the verification module 130 regardless of whether the verification module 130 directly or verifies the result, the service system 100 transmits the verification result to the user terminal 400 And may provide the requested service (e.g., login, financial transaction, online purchase, etc.).

The user DB 140 may have the certificate of the user registered. The fact that the user's certificate is registered means that the certificate information of the certificate is registered, and the certificate information may include information on the public key of the certificate. Of course, the user DB 140 may further store various information about the user (e.g., user name, login information, address, etc.). The certificate is registered by the user terminal 400 after the certificate registration request is received by the service system 100 and the verification is performed by the authentication server 200 through a predetermined process. 140, or may be registered directly by the user's terminal (400).

3 is a diagram illustrating a schematic configuration of an authentication server included in a cloud authorized authentication system according to an embodiment of the present invention.

Referring to FIG. 3, the authentication server 200 includes a receiving module 210, a signature request module 220, and a server DB 230. The authentication server 200 includes a first authentication code verification module 240, a second authentication code verification module 250, a terminal registration module 260, a certificate registration module 270, and / or a first decoding module 280 ). ≪ / RTI >

The server DB 230 stores authentication terminal identification information of the authentication terminal 500 authenticated as the terminal of the user and certificate identification information of the user (for example, information on the certificate issuing organization, Certificate information, etc.). Also, the authentication terminal identification information may be stored in the server DB 230 by matching with the identification information (e.g., name, birthday, telephone number, etc.) of the user. The user identification information and the authentication terminal identification information may be registered in advance in the server DB 230 through the authentication terminal registration process and the certificate identification information may also be registered in the server DB 230 in advance through the certificate registration process .

Further, the technical idea of the present invention may be applied to a plurality of service systems. That is, a plurality of service systems can be authenticated to the authentication server 200. Accordingly, information about the service system may be stored in the server DB 230 at this time. The information on the service system may include, for example, information on the identification of the service system assigned by the authentication server 200, a communication IP, a communication port, and a service name. When a service authentication request signal including information on the service system is received by the authentication server 200, the authentication server 200 identifies the service system, and then, based on the identified result, The authentication code of the included service system 100 can be verified.

When the service request of the service is transmitted from the user terminal 300 to the service system 100, the reception module 210 transmits at least a part of the generated information generated by the service system, the identification information of the authentication terminal, And a service authentication request signal including the password of the certificate from the authentication terminal 500. The service authentication request signal may further include a first authentication code generated by the service system 100. In addition, the service authentication request signal may further include a second authentication code generated by the authentication terminal 500. [ In addition, the generation information may further include identification information of the service system 100.

If the generated information is implemented with a predetermined code as described above, the service authentication request signal may include the code itself. In such a case, the code may be decoded by the first decoding module 280. Then, the authentication object information included in the code can be obtained. Further, if the code includes the first authentication code and / or the identification information of the service system 100, the first authentication code and / or the identification information of the service system 100 can be obtained. Meanwhile, when the generated information is implemented with a predetermined code, the code may be decoded by the authentication terminal 500. [ In this case, the service authentication request signal may include the authentication object information, the first authentication code, and / or the identification information of the service system 100 obtained as a decoding result. The identification information of the authentication terminal 500 may be extracted by the authentication terminal 500 and included in the service authentication request signal. Also, the certificate password may be input from the user and included in the service authentication request signal through the authentication terminal 500.

Then, the signature request module 220 can verify the authentication request based on the received service authentication request signal. The verification of the authentication request may include a step of determining whether the service authentication request signal is received through the authentication terminal 500 registered in advance in the server DB 230. [ Therefore, for a predetermined service request received from a terminal not registered in advance, that is, the terminal not the user's authentication terminal 500, the signature request module 220 determines that authentication is failed and sends a determination result to the service system 100 ). For this, the signature request module 220 may determine whether the identification information of the authentication terminal 500 included in the service authentication request signal is registered in the server DB 230 in advance. Or the identification information of the authentication terminal 500 included in the server DB 230 and the corresponding user identification information and the authentication terminal identification information and the user identification information included in the service authentication request signal correspond to each other.

When it is verified that the service authentication request signal is output from the registered authentication terminal 500, the signature request module 220 transmits the service authentication request signal to the server DB 300 based on the identification information of the authentication terminal included in the service authentication request signal. And extracts the certificate identification information stored in the certificate storage unit 230. Then, the certificate authority system 300 may transmit a signature request including the extracted certificate identification information, the authentication subject information, and the password of the certificate.

Meanwhile, as described above, the signature request module 220 may send the signature request to the certification authority system 300 when the first authentication code and / or the second authentication code included in the service authentication request signal are verified Output. To this end, the signature request module 220 may receive a verification result from the first authentication code verification module 240 and / or the second authentication code verification module 250. And may send the signature request to the certification authority system 300 upon receipt of a signal from the first authentication code verification module 240 and / or the second authentication code verification module 250 that verification has been successful.

The first authentication code verification module 240 and / or the second authentication code verification module 250 may perform the function of verifying the first authentication code and / or the second authentication code as described above . The first authentication code and / or the second authentication code may be an OTP generated by an OTP generation solution installed in advance in the service system 100 and / or an OTP generation solution installed in advance in the authentication terminal 500 Lt; RTI ID = 0.0 > OTP < / RTI > In addition, the first authentication code verification module 240 and / or the second authentication code verification module 250 may each function as an OTP authentication server. However, it goes without saying that any authentication method capable of authenticating the authenticity of the service system 100 and / or the authentication terminal 500 may be used in addition to the OTP method.

Meanwhile, the receiving module 210 may receive a terminal registration request signal corresponding to the registration request of the authentication terminal 500 and / or a certificate registration request signal corresponding to the certificate registration request.

The terminal registration request signal may include second generation information generated by the service system 100 and the authentication terminal identification information. The second generation information may include identification information (e.g., name, birthday, etc.) of the user requesting the service through the service system 100. In some implementations, a telephone number corresponding to the authentication terminal 500 may be included. The telephone number may be information stored in advance in the service system 100. The second generation information may be implemented by a predetermined code as described above and the code may be decoded by the first decoding module 280 included in the authentication terminal 500 or the authentication server 200 Is as described in the above generation information. That is, the terminal registration request signal may include the second generation information itself or the identification information of the user included in the second generation information.

When the terminal registration request signal is received, the terminal registration module 260 determines whether the terminal identification information (e.g., device identification information) included in the terminal registration request signal and the user identification information match the actual ownership relationship That is, if the user corresponding to the user identification information is the owner of the authentication terminal 500 corresponding to the identification information of the authentication terminal 500, the identification information of the authentication terminal 500 is registered in the server DB 230 . In addition, the terminal registration module 260 can determine whether the identification information (e.g., device identification information) and the user identification information match the actual ownership relationship, through the terminal authentication system 600 have. Although the terminal authentication system 600 may be a mobile communication company system as described above, any system storing information on the ownership relationship of the authentication terminal 500 may be the terminal authentication system 600 Of course. Also, the terminal registration module 260 may register the identification information of the authentication terminal 500 and corresponding user identification information in the server DB 230.

Also, the terminal registration request signal may include a first authentication code generated by the service system 100 and / or a second authentication code generated by the authentication terminal 500, as described above. The terminal registration module 260 may then verify the first authentication code and / or the second authentication code by the first authentication code verification module 240 and / or the second authentication code verification module 250 The identification information of the authentication terminal 500 may be registered. Verification of authenticity of the service system 100 and / or the authentication terminal 500 using the first authentication code and / or the second authentication code is the same as or similar to that described in the service authentication request signal, Omit it.

Meanwhile, when the receiving module 210 receives the certificate registration request signal, the certificate registration module 270 can register the certificate in the server DB 230. The certificate registration request signal may include third generation information generated by the service system 100. The third generation information may include the certificate identification information. The certificate identification information may be extracted from the certificate information registered in advance in the service system 100. Alternatively, when the certificate is not registered in the service system 100 in advance, the service system 100 transmits an issuance request of the certificate to the certification authority system 300, Or may be extracted from the certificate information received from system 300. Also, the third generation information may be implemented with a predetermined code as described above. In this case, the third generation information itself may be included in the certificate registration request signal, and after the third generation information is decoded by the authentication terminal 500, the certificate identification information included in the decoded information It may be included in the certificate registration request signal. If the third generation information itself is included in the certificate registration request signal, the third generation information may be decoded by the first decoding module 280 included in the authentication server 200.

Then, the certificate registration module 270 may register the certificate identification information in the server DB 230 so as to match the identification information of the authentication terminal 500 based on the certificate registration request signal. The registration of matching with the identification information of the authentication terminal 500 may be interpreted to mean a case where the registration is performed by matching with the user identification information matched with the identification information of the authentication terminal 500. [

Meanwhile, the certificate registration request signal may include a first authentication code generated by the service system 100 and / or a second authentication code generated by the authentication terminal 500. Then, whether the authenticity of the service system 100 and / or the authentication terminal 500 is verified based on the first authentication code and / or the second authentication code, the certificate identification information is transmitted to the server DB 230, As described above.

4 is a diagram showing a schematic configuration of an authentication authority system included in a cloud authentication system according to an embodiment of the present invention.

Referring to FIG. 4, the certification authority system 300 includes a signature request receiving module 310, a signature module 320, and a certificate DB 330. The certification authority system 300 may further include a certificate transmission module 340. Also, depending on the implementation, the issuing module may further include an issuing module (not shown) for issuing the certificate. If the certificate issuing module 300 further includes the issuing module (not shown), the certification authority system 300 may also serve as a certificate issuing authority. In the case where the certificate authority system 300 stores the certificate and the certificate can be used according to a user's request, the certification authority system 300 may be implemented as a predetermined HSM (Hardware Security Machine or Module) . Therefore, each individual user can provide much higher stability than a case where a certificate is stored and used in a storage device such as a general data hard disk having low safety due to high cost.

The certification authority system 300 is operated by a certificate issuing organization of a public certificate to implement the technical idea of the present invention. In some implementations, the certification authority system 300 may be implemented to operate in an operating entity (e.g., a financial institution, a commercial institution) of the service system 100.

The signature request receiving module 310 may receive a signature request from the authentication server 200. For example, when a service request is transmitted from the user terminal 300 to the service system 100, generation information including authentication target information for authenticating the user generated by the service system 100 is generated. A signature request including the authentication object information included in the generation information may be output from the authentication server 200 and received by the signature request receiving module 310 through a predetermined authentication process.

The signing module 320 may then sign the authentication object information using the certificate secret included in the signature request in response to the received signature request. For this, the signing module 320 may decrypt the private key from the certificate corresponding to the certificate identification information included in the signature request using the certificate secret. And a signature process of encrypting the authentication object information included in the signature request using the decrypted private key. The signature module 320 may send the signed authentication object information to the service system 100 or the authentication server 200.

Then, the transmitted signed authentication object information can be verified by the service system 100 or the authentication server 200. [ For verification, the service system 100 or the authentication server 200 may store the public key of the certificate. In addition, when the authentication subject information signed by the authentication server 200 is verified, the service system 100 may receive the verification result. Then, the service system 100 may transmit the verification result to the user's terminal 400 for the purpose of non-repudiation after the verification is successful.

The certificate DB 330 may store the user's certificate.

Meanwhile, the certification authority system 300 may further include a certificate transmission module 340. The certificate transmission module 340 may transmit the certificate information of the user to the service system 100 when the registration request of the certificate is received from the service system 100. If the user's certificate does not exist, the process of issuing the user's certificate by the issuing module (not shown) may be further performed. Of course, at this time, the issuing module (not shown) may receive information (e.g., user information and password) necessary for issuing the certificate from the service system 100 and / or the user terminal 400 . The certificate transmission module 340 may transmit the certificate information of the issued certificate (or the certificate identification information that may be included in the certificate information) to the service system 100.

5 is a diagram showing a schematic configuration of an authentication terminal included in a cloud authentication system according to an embodiment of the present invention.

Referring to FIG. 5, the authentication terminal 500 includes an identification information extraction module 520 and a request module 540. The authentication terminal 500 may further include the photographing module 510 and / or the second decoding module 530 and the second authentication code generation module 550.

The identification information extraction module 520 may extract the identification information of the authentication terminal 500. The identification information of the authentication terminal 500 may be device identification information of the authentication terminal 500. According to an embodiment, the telephone number of the authentication terminal 500 may be the identification information of the authentication terminal 500. [ In any case, the identification information of the authentication terminal 500 may be unique to the authentication terminal 500.

The request module 540 may generate the service authentication request signal, the terminal registration request signal, and / or the certificate registration request signal as described above. At this time, the request module 540 may include the identification information of the authentication terminal 500 in the service authentication request signal, the terminal registration request signal, and / or the certificate registration request signal. And output the generated signal to the authentication server 200.

Meanwhile, the request module 540 may include a second authentication code for verifying authenticity of the authentication terminal 500 in the service authentication request signal, the terminal registration request signal, and / or the certificate registration request signal have. The second authentication code may be generated by the second authentication code generation module 550 and transmitted to the request module 540.

Meanwhile, the photographing module 510 may photograph the code when the code corresponding to the generation information, the second generation information, and / or the third generation information is displayed on the user terminal 400 . The photographed code may then be decoded by the second decoding module 530. All or part of the decoded information may be selected by the request module 540 and included in the service authentication request signal, the terminal registration request signal, and / or the certificate registration request signal.

Of course, it is needless to say that the generation information, the second generation information, and / or the third generation information are implemented with a predetermined code, and the code itself is generated by the service authentication request signal, the terminal registration request signal, The second decoding module 530 may not be included in the request signal.

Hereinafter, a description will be made of a process in which a method of providing a cloud authorized authentication system according to the technical idea of the present invention is performed, with reference to FIG. 6 to FIG.

FIG. 6 is a diagram for explaining a method of performing identity authentication when a predetermined service is requested according to a method of providing a cloud authorized authentication system according to an embodiment of the present invention.

The service authentication process shown in FIG. 6 may be performed after the authentication terminal 500 and the certificate are registered in the authentication server 200. [

Referring to FIG. 6, the user terminal 400 may request a predetermined service to the service system 100 (S10). Then, the service system 100 may generate generation information corresponding to the service request (S20). The generation information may include authentication target information to be a signature target. The authentication object information may vary according to the type of service, the type and / or implementation of the service system 100. For example, when the service is a financial transaction request, the authentication object information may be financial transaction information (account, user, transaction details, etc.). Or information determined by the service system 100 regardless of the service type may be the authentication object information (e.g., identification information of the user).

Meanwhile, the service system 100 may generate a first authentication code for authenticating the service system 100 (S15), and may include the generated first authentication code in the generation information. The generation information may be text information, but it may be a predetermined code expressed in 2D or 3D.

Then, the service system 100 can transmit the generation information to the user's terminal 400 (S30). The generated generation information may be transmitted to the authentication terminal 500 (S40). The generation information may be transmitted directly from the service system 100 to the authentication terminal 500 according to an embodiment. Of course, the authentication terminal 500 may perform the service request as described above.

If the generated information is implemented with a predetermined code and the generated information is transmitted to the user's terminal 400, the user's terminal 400 can display the generated information at step S35. An example of this is shown in Fig.

The predetermined code 10 may be transmitted to the user's terminal 400 and displayed as shown in FIG.

The transmission of the generation information may then be performed by the authentication terminal 500 photographing the code 10 displayed on the user's terminal 400. [ Then, the generation information (i.e., the code 10) may be transmitted to the authentication terminal 500 as shown in FIG. 9, and the generated generation information 20 may be transmitted to the authentication terminal 500, (Not shown).

Then, the authentication terminal 500 may request the user for a certificate password. For this, the authentication terminal 500 may display a predetermined UI requesting the certificate password on the authentication terminal 500, and the result may be as shown in FIG.

Referring again to FIG. 6, the authentication terminal 500 receiving the generation information and receiving the certificate password from the user can generate a service authentication request signal (S50). Also, the authentication terminal 500 may generate a second authentication code for authenticating the authentication terminal 500 (S47), and may include the generated second authentication code in the service authentication request signal. When the generated information is decoded by the authentication terminal 500, the generated information is decoded by the authentication terminal 500 (S45), and the decrypted result information (the first authentication Code and / or service system 100 identification information) may be included in the service authentication request signal.

When the generated service authentication request signal is transmitted to the authentication server 200 (S60), the authentication server 200 can verify the authentication request based on the service authentication request signal (S70). The verification may include determining whether the service authentication request signal is received from the registered authentication terminal 500, whether the service system 100 is authentic, and whether the authentication terminal 500 is authentic. If the authentication request is verified (S70), the authentication server 200 may output a signature request to the certification authority system 300 (S80). According to an embodiment, information to be included in the signature request may be specified after the generation information included in the service authentication request signal is further decoded.

The signature request may include the authentication subject information, the certificate identification information, and the certificate password.

In response to the received signature request, the certification authority system 300 can sign the authentication object information (S90). Then, the signed authentication object information may be transmitted to the service system 100 (S100). In response to the transmission, the service system 100 may verify the signed authentication information (S110). The verification result may be transmitted to the user terminal 400.

Depending on the implementation, the signed authentication object information may be transmitted to the authentication server 200 (S100-1). Then, the authentication server 200 may output the received signed authentication object information to the service system 100. According to an embodiment, the authentication server 200 may verify the signed authentication target information (S100-2) and transmit the verification result to the service system 100 (S100-3). Then, the service system 100 can determine whether the authentication of the user is successful based on the received verification result, and selectively provide the requested service to the user terminal 400. [

7 is a diagram illustrating a process of registering a user's authentication terminal according to a method of providing a cloud authentication system according to an embodiment of the present invention.

Referring to FIG. 7, the user terminal 400 may transmit a terminal registration request of the authentication terminal 500 to the service system 100 (S200). Then, the service system 100 may generate second generation information (S210). After the service system 100 generates the first authentication code (S205), the service system 100 may include the generated first authentication code in the second generation information. The second generation information may include user identification information.

The generated second generation information may be transmitted to the user's terminal 400 (S220). And may be transmitted directly to the authentication terminal 500 according to an embodiment.

The generated second generation information may be displayed on the terminal 400 of the user (S225), and the displayed second generation information may be captured and transmitted by the authentication terminal 500 (S230).

Then, the authentication terminal 500 may generate a terminal registration request signal based on the transmitted second generation information (S240). The terminal registration request signal may include the user identification information and the identification information of the authentication terminal 500 extracted by the authentication terminal 500. In this case, the process of decoding the second generation information may be performed first (S235). Or the second generation information and the identification information of the authentication terminal 500 may be included. Also, the authentication terminal 500 may generate the second authentication code (S237) and then include the generated second authentication code in the terminal registration request signal.

The generated terminal registration request signal may be transmitted to the authentication server 200 (S250). Then, the authentication server 200 can perform verification (S255). The verification may include determining whether the service system 100 is authentic and / or whether the authentication terminal 500 is authentic.

In step S260, the terminal authentication system 600 may check whether the authentication terminal 500 is owned by the user. If the authentication terminal 500 corresponding to the identification information of the authentication terminal 500 is owned by the user corresponding to the user identification information, the authentication server 200 can register the authentication terminal 500 S270).

FIG. 8 is a diagram illustrating a process of registering a user certificate according to a method of providing a cloud authorized authentication system according to an embodiment of the present invention. Referring to FIG.

Referring to FIG. 8, the user terminal 400 may transmit a certificate registration request to the service system 100 (S300). Then, the service system 100 may generate the third generation information (S310). After the service system 100 generates the first authentication code (S305), the service system 100 may include the generated first authentication code in the third generation information. The second generation information may include the certificate identification information.

The service system 100 may request the certification authority system 300 of the user's certificate (S301). The request may include identification information of the user. Then, the certification authority system 300 can transmit the certificate identification information (or certificate information) of the user to the service system 100 (S303). If the user's certificate is not stored in the certification authority system 300, the process of issuing and storing the user's certificate by the certification authority system 300 may be performed (S302).

The generated third generation information may be transmitted to the user's terminal 400 (S320). And may be transmitted directly to the authentication terminal 500 according to an embodiment.

The generated third generation information may be displayed on the terminal 400 of the user (S325), and the displayed third generation information may be captured and transmitted by the authentication terminal 500 (S330).

Then, the authentication terminal 500 can generate a certificate registration request signal based on the transmitted third generation information (S340). The certificate registration request signal may include the certificate identification information and the identification information of the authentication terminal 500 extracted by the authentication terminal 500. In this case, the process of decoding the 23rd information may be performed first (S335). Or the third generation information and identification information of the authentication terminal 500 may be included. Also, the authentication terminal 500 may generate the third authentication code (S337), and then include the generated second authentication code in the certificate registration request signal.

The generated certificate registration request signal may be transmitted to the authentication server 200 (S350). Then, the authentication server 300 can perform verification (S355). The verification may include determining whether the service system 100 is authentic and / or whether the authentication terminal 500 is authentic.

When the verification is performed, the authentication server 200 can register the certificate (S360). In addition, a signal to register the certificate may be transmitted to the service system 100 (S370). Then, the service system 100 can also register the certificate. According to an embodiment, when the certificate information is received from the certification authority system 300 (S303), the service system 100 may register the certificate directly.

FIG. 11 shows an example of a user interface when a method of providing a cloud authorized authentication system according to an embodiment of the present invention is applied.

Referring to FIG. 11, when the method of providing a cloud authorized authentication system according to the technical idea of the present invention is applied, the user interface 30 as shown in FIG. 11 is connected to the user terminal 400 and / 500). The user interface 30 may represent a UI provided by the user software for the authorized certificate management to the user. The user software can select a location where a user's public certificate is stored. When the location is selected, the user software can automatically search for a certificate existing at a selected location and provide the certificate to the user. And if at least one of the discovered certificates is selected by the user, authentication via the selected certificate is enabled.

According to the technical idea of the present invention, the user software is a location where a certificate is stored as shown in FIG. 11, and a predetermined UI (cloud selection UI , 31). At this time, only the certificate of the user among the certificates stored in the certification authority system 300 can be searched. For this purpose, the user software may transmit the identification information of the user to the certification authority system 300, and the certification authority system 300 is responsive to the information of the at least one certificate corresponding to the user Type, user identification information, expiration date, information on the issuing organization (the subject of the certification authority system), and the like) to the user terminal 400 and / or the authentication terminal 500 as shown in FIG. To this end, the user software provides a predetermined UI to the user terminal 400 and / or the authentication terminal 500 for receiving the identification information of the user when the UI 31 is selected, The user's identification information may be input through the user interface.

Also, when a certificate is selected, a predetermined UI for inputting a certificate password (password) may be provided to the user as shown in FIG.

If the information of the user's certificate stored in the certification authority system 300 is selected by the user, the authentication of the user can be performed by the above-described procedure.

The user software includes a UI providing means for providing a UI for receiving a certificate storage location and a certificate password, and a cloud UI 31 provided by the UI providing means for providing the terminal 400 with the user software Or 500), input means for inputting identification information of the user, and means for receiving a certificate corresponding to the identification information from the certification authority system 300 when the identification information is inputted and displaying the received information And a certificate information acquiring unit for acquiring the certificate information. When one of the displayed certificate information is selected, the password of the certificate corresponding to the selected certificate information can be obtained by the password UI provided by the UI providing means.

Also, the software for the user may be used in the certificate issuing step, and at this time, the cloud UI 31 may be selected by the user terminal 400 and / or the authentication terminal 500 as the certificate issuing location . Then, the certification authority system 300 issues a certificate, encrypts the issued certificate and the private key received through the user software, and stores the encrypted private key in the certification authority system 300.

Meanwhile, the user may desire to transfer a certificate installed in a predetermined terminal (e.g., 400 or 500), that is, the certificate information and the encrypted private key, to the certification authority system 300. In this case, the terminal 400 or 500 can receive a certificate movement request and movement location through a predetermined UI provided by the user software. If the movement location is the certification authority system 300, the user software may transmit the certificate to the certification authority system 300 and delete the certificate stored in the terminal 400 or 500.

The method of providing a cloud authorized authentication system according to an embodiment of the present invention can be implemented as a computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a hard disk, a floppy disk, an optical data storage device, and the like in the form of a carrier wave (for example, . In addition, the computer-readable recording medium may be distributed over network-connected computer systems so that computer readable codes can be stored and executed in a distributed manner. And functional programs, codes, and code segments for implementing the present invention can be easily inferred by programmers skilled in the art to which the present invention pertains.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

Claims (32)

A cloud authentication system including a service system for performing a predetermined service after authentication of a user is performed,
A user DB storing the public key of the user;
A generation module for generating, when the service request of the service is received from a terminal of a user, generating generation information including authentication target information for authenticating the user who requested the service;
A signature request including the authentication object information included in the generation information generated by the generation module from a predetermined authentication server through a predetermined authentication process performed based on the generation information stores the user's certificate An interface module for receiving signed authentication object information from the certification authority system or a predetermined authentication server when the authentication object information is transmitted to the certification authority system and the authentication object information is signed by the certification authority system; And
And a verification module for verifying the received signed authentication object information using the public key stored in the user DB or receiving a verified result from the authentication server to determine whether the authentication is performed by the user.
The method according to claim 1,
When a service authentication request signal including at least a part of the generated information, identification information of the authentication terminal, and a password of the certificate is received by the predetermined authentication terminal registered in advance in the authentication server, the authentication server,
The authentication server extracts the certificate identification information of the user stored in advance in the authentication server based on the identification information of the authentication terminal, and transmits a signature request including the extracted certificate identification information, the authentication object information, To the certification authority system. ≪ Desc / Clms Page number 20 >
3. The system of claim 2, wherein the service system further comprises a first authentication code generation module for generating a first authentication code that is an authentication code of the service system,
Wherein the first authentication code generated by the first authentication code generation module is included in the generation information and the service authentication request signal and is received by the authentication server,
Wherein the authentication server verifies the first authentication code through a first authentication code verification module for verifying the first authentication code included in the service authentication request signal and transmits the signature request to the certification authority system To the cloud.
The authentication terminal according to claim 2, wherein the authentication terminal includes a second authentication code generation module for generating a second authentication code that is an authentication code of the authentication terminal,
Wherein the second authentication code generated by the second authentication code generation module is included in the service authentication request signal and is received by the authentication server,
Wherein the authentication server verifies the second authentication code through a second authentication code verification module for verifying the second authentication code and sends the signature request to the certification authority system if verification is successful.
3. The method according to claim 2, wherein the generation information is a predetermined 2D code including the authentication object information or a code implemented in 3D,
The authentication process comprises:
And a process in which when the code is transmitted to the user terminal and then displayed on the user terminal, the displayed code is photographed by the authentication terminal and transmitted to the authentication terminal.
The system according to claim 2,
And decrypting the private key of the certificate using the password included in the signature request, and signing the authentication target information using the decrypted private key.
3. The method according to claim 2, wherein, when the registration request of the authentication terminal is received from the terminal of the user, the generation module generates second generation information including the identification information of the user and transmits the second generation information to the user terminal,
When a terminal registration request signal including any one of identification information of the user included in the second generation information or the second generation information and the authentication terminal identification information is transmitted to the authentication server by the authentication terminal,
Wherein the authentication server judges whether the user identification information and the authentication terminal identification information correspond to each other through a predetermined terminal authentication system and then registers the identification information of the authentication terminal in the authentication server when they correspond to each other Cloud Authorized Certification System.
8. The system according to claim 7, wherein the second generation information includes a first authentication code for authenticating the service system, the first authentication code is transmitted to the authentication server via the authentication terminal, The identification information of the authentication terminal is registered before the first authentication code is verified,
Wherein the authentication terminal includes a second authentication code for authenticating the authentication terminal in the terminal registration request signal, and if the second authentication code is verified by the authentication server, Is registered in the cloud authentication system.
3. The method of claim 2, wherein, when the registration request of the certificate is received from the user terminal, the generation module generates third generation information including the certificate identification information of the certificate and transmits the third generation information to the user terminal,
If a certificate registration request signal including any one of the third generation information or the certificate identification information included in the third generation information and the authentication terminal identification information is transmitted to the authentication server by the authentication terminal,
Wherein the authentication server matches and registers the authentication terminal identification information registered in advance in the authentication server and the certificate identification information.
The information processing apparatus according to claim 9, wherein the third generation information includes a first authentication code for authenticating the service system, the first authentication code is transmitted to the authentication server via the authentication terminal, The certificate identification information is registered before the first authentication code is verified,
The authentication terminal includes a second authentication code for authenticating the authentication terminal in the certificate registration request signal and the certificate identification information is registered by the authentication server so that the second authentication code is verified by the authentication server Wherein the cloud authentication system comprises:
10. The system of claim 9,
Transmitting a registration request of the certificate to the certification authority system when the registration request of the certificate is received, and receiving the certificate identification information of the certificate from the certification authority system by the certification authority system.
There is provided a cloud authorized authentication system including an authentication server for performing authentication of a user for a service system that performs a predetermined service after user authentication is performed,
A server DB including authentication terminal identification information of an authentication terminal authenticated as a terminal of the user and certificate identification information of the user stored to be matched with the authentication terminal identification information;
When a service request of the service is transmitted from the user's terminal to the service system, at least some of the generated information generated by the service system and including authentication target information for authenticating the user, identification information of the authentication terminal, and A receiving module for receiving a service authentication request signal including a password of the certificate from an authentication terminal; And
A signature including the certificate identification information, the authentication subject information, and the password extracted from the certificate identification information stored in the server DB based on the identification information of the authentication terminal included in the received service authentication request signal; A signature request module for sending a request to the certification authority system;
When the authentication subject information signed by the certification authority system in response to the signature request is transmitted to the service system or received by the authentication server, the transmitted signed authentication subject information is verified and the authentication of the identity is performed Cloud certified authentication system featuring.
The method of claim 12, wherein the service authentication request signal includes a first authentication code, which is an authentication code of the service system generated by the service system,
The authentication server includes:
Further comprising a first authentication code verification module for verifying the first authentication code included in the service authentication request signal,
Wherein the signature request module comprises:
And transmits the signature request to the certification authority system if verification of the first authentication code is successful.
13. The method of claim 12, wherein the service authentication request signal includes a second authentication code, which is an authentication code of the authentication terminal generated by the authentication terminal,
The authentication server includes:
And a second authentication code verification module for verifying the second authentication code included in the service authentication request signal,
Wherein the signature request module comprises:
The cloud authorized authentication system for transmitting the signature request to the certification authority system only after the verification of the second verification code is successful.
13. The method of claim 12, wherein the generation information is a predetermined 2D code including the authentication object information or a code implemented in 3D,
The service authentication request signal includes:
Wherein when the code is transmitted to the user terminal and then displayed on the user terminal, the displayed code is generated by the authentication terminal after being photographed by the authentication terminal and transmitted to the authentication terminal system.
13. The authentication server according to claim 12,
Further comprising a terminal registration module,
When the second generation information including the identification information of the user is generated by the service system and transmitted to the user terminal after the registration request of the authentication terminal is received from the user terminal,
The receiving module,
Receiving the terminal registration request signal including any one of the identification information of the user included in the second generation information or the second generation information and the authentication terminal identification information from the authentication terminal,
Wherein the terminal registration module determines whether the user identification information and the authentication terminal identification information correspond to each other through a predetermined terminal authentication system and registers the authentication terminal identification information in the server DB when they correspond to each other Cloud Authorized Certification System.
The terminal according to claim 16, wherein the terminal registration request signal includes at least one of a first authentication code for authenticating the service system or a second authentication code for authenticating the authentication terminal,
The terminal registration module includes:
Wherein at least one of the first authentication code or the second authentication code is verified by a first authentication code verification module or a second authentication code verification module included in the authentication server to register the authentication terminal identification information, .
13. The authentication server according to claim 12,
Further comprising a certificate enrollment module,
When the registration request of the certificate is received by the service system from the terminal of the user and third generation information including the certificate identification information of the certificate is generated by the service system and transmitted to the terminal of the user,
The receiving module,
Receiving a certificate registration request signal including any one of the third generation information or the certificate identification information included in the third generation information and the identification information of the authentication terminal from the authentication terminal,
The certificate registration module includes:
Wherein the authentication server identifies and registers the identification information of the authentication terminal registered in advance in the authentication server and the certificate identification information.
The method of claim 18, wherein the certificate registration request signal includes at least one of a first authentication code for authenticating the service system or a second authentication code for authenticating the authentication terminal,
The certificate registration module includes:
Wherein at least one of the first authentication code or the second authentication code is validated by at least one of a first authentication code verification module included in the authentication server or a second authentication code verification module included in the authentication server, Authentication system.
A cloud authentication system including a certification authority system for performing authentication of a user for a service system that performs a predetermined service after authentication of a user is performed,
A certificate DB for storing the user's certificate;
The service request of the service is received from the user terminal to the service system and generation information including authentication object information for authenticating the user generated by the service system is generated, A signature request receiving module for receiving a signature request including the authentication object information included in the information from a predetermined authentication server; And
And a signature module for signing the authentication subject information using the certificate secret included in the signature request in response to the received signature request and for transmitting the signed authentication subject information to the service system or the authentication server,
Characterized in that when the signed authentication object information is transmitted to the service system or the authentication server, the transmitted signed authentication object information is verified by the service system or the authentication server, and the identity authentication is performed. Authentication system.
21. The system of claim 20,
And a certificate transmission module for transmitting identification information of the certificate to the service system when a registration request of the certificate is received from the service system.
A service system that performs a predetermined service after the user authentication of the user is performed;
An authentication terminal which is previously authenticated as the terminal of the user;
An authentication server; And
And an authentication authority system storing the user's certificate,
The service system comprises:
When the service request of the service is received from the user's terminal, the terminal of the user may be the authentication terminal, generates generation information including authentication object information for authenticating the user who has requested the service, To the terminal,
The authentication terminal,
After receiving the generated information from the user terminal or the service system, and outputs a service authentication request signal including at least a portion of the generated information, identification information of the authentication terminal, and the password of the certificate to the authentication server; ,
The authentication server includes:
Extracting the certificate identification information stored in the server DB of the authentication server based on the identification information of the authentication terminal included in the received service authentication request signal, and extracts the extracted certificate identification information, the authentication subject information, and the password. Sends a signature request to the certification authority system,
The certification authority system comprises:
In response to the received signature request, signing the authentication target information using a certificate password included in the signature request, and transmitting the signed authentication target information to the service system or the authentication server.
A service system that performs a predetermined service after the user authentication of the user is performed;
An authentication terminal which is previously authenticated as the terminal of the user; And
Includes authentication server,
The service system comprises:
When the registration request of the authentication terminal is received from the terminal of the user, wherein the terminal of the user may be the authentication terminal, the second generation information including the identification information of the user is generated and transmitted to the terminal of the user.
The authentication terminal,
After receiving the second generation information from the user terminal or the service system, the second generation information or any one of the identification information of the user included in the second generation information, and the identification terminal identification information Outputting a terminal registration request signal to the authentication server;
The authentication server includes:
After determining whether the user identification information and the authentication terminal identification information correspond to each other through a predetermined terminal authentication system, and if they correspond to each other, the cloud authorized authentication system, characterized in that for registering the identification information of the authentication terminal to the authentication server .
A service system that performs a predetermined service after the user authentication of the user is performed;
An authentication terminal which is previously authenticated as the terminal of the user;
An authentication server; And
And an authentication authority system storing the user's certificate,
The service system comprises:
When the registration request of the certificate is received from the terminal of the user, wherein the terminal of the user may be the authentication terminal, the third generation information including the certificate identification information of the certificate is generated and transmitted to the terminal of the user.
The authentication terminal,
After receiving the third generation information from the user terminal or the service system, the third generation information or any one of the certificate identification information included in the third generation information, and the authentication terminal identification information Output the certificate registration request signal to the authentication server,
The authentication server includes:
And authenticating and registering the authentication terminal identification information registered in the authentication server and the certificate identification information included in the certificate registration request signal.
In the method of providing a cloud authorized authentication system, including a service system for performing a predetermined service after the user's own authentication is performed,
The service system receiving a service request of the service from a user terminal;
Generating generation information including authentication object information for authenticating the user who has requested the service by the service system;
The service system transmitting the generation information to the user terminal;
Receiving, by the service system, signed authentication target information from a predetermined certification authority system or a predetermined authentication server; And
Wherein the service system verifies the received signed authentication object information,
When a predetermined authentication process is performed based on the generated information transmitted to the user's terminal, a signature request including the authentication target information is transmitted to the authentication server to the certification authority system that stores the user's certificate. And providing the certification subject information by the certification authority system.
In the service system for performing a predetermined service after the user's own authentication is performed, a method for providing a cloud authorized authentication system including an authentication server for performing a self-authentication,
Storing the certificate identification information of the user so that the authentication server matches the authentication terminal identification information of the authentication terminal authenticated as the terminal of the user and the authentication terminal identification information;
The authentication server receiving a service authentication request signal from the authentication terminal;
Extracting certificate identification information matching the identification information of the authentication terminal based on identification information of the authentication terminal included in the service authentication request signal; And
And transmitting a signature request including the certificate identification information extracted by the authentication server, the authentication target information included in the service authentication request signal, and a password of the certificate to a certification authority system storing the certificate. ,
When the signature request is transmitted to the certification authority system, the private key of the certificate through the password is obtained by the certification authority system, and the authentication target information is signed by the obtained private key, so that the service system or the authentication is performed. Cloud certified authentication system providing method characterized in that the output to the server.
In the method of providing a cloud accredited authentication system including a certification authority system for performing a self-identification, for a service system that performs a predetermined service after the user's own authentication is performed,
The certificate authority system storing the user's certificate;
The certificate authority system receiving a signature request including authentication object information, identification information of the certificate, and a password of the certificate from a predetermined authentication server;
Extracting a private key of the certificate via the password of the certificate in response to the received signature request;
Signing the authentication object information using the extracted private key by the certification authority system; And
Wherein the certification authority system outputs the signed certification target information to the authentication server or the service system,
The signature request is a terminal of the user, if a service request for the service is received from the user's terminal to the service system, the predetermined authentication process based on the generated information including the authentication target information generated by the service system. Cloud authentication system providing method characterized in that the output of the certification authority system after being performed through a pre-certified authentication terminal and the authentication server.
A service system that performs a predetermined service after the user authentication of the user is performed;
An authentication terminal which is previously authenticated as the terminal of the user;
An authentication server; And
In the method of providing a cloud authorized authentication system including a certification authority system for storing the user's certificate,
When the service request of the service is received from the service system, the terminal of the user and the terminal of the user may be the authentication terminal, generation information including authentication object information for authenticating the user requesting the service is generated To the terminal of the user;
After the authentication terminal receives the generation information from the user's terminal or the service system, the authentication terminal authenticates the service authentication request signal including at least a part of the generation information, identification information of the authentication terminal, and a password of the certificate. Outputting to a server;
Extracting the certificate identification information stored in the server DB of the authentication server based on the identification information of the authentication terminal included in the service authentication request signal received by the authentication server, and extracting the extracted certificate identification information, the authentication target information, And transmitting a signature request including the password to the certification authority system. And
In response to the signature request received by the certification authority system, signing the authentication target information using the certificate password included in the signature request, and transmitting the signed authentication target information to the service system or the authentication server. How to provide cloud certification system.
A service system that performs a predetermined service after the user authentication of the user is performed;
An authentication terminal which is previously authenticated as the terminal of the user; And
In the method of providing a cloud authorized authentication system including an authentication server,
When the service system receives a registration request of the authentication terminal from the terminal of the user, wherein the terminal of the user may be the authentication terminal, the terminal generates the second generation information including the identification information of the user. Transmitting to;
After the authentication terminal receives the second generation information from the user's terminal or the service system, any one of the second generation information or the identification information of the user included in the second generation information, and the authentication terminal Outputting a terminal registration request signal including identification information to the authentication server;
And determining, by the authentication server, whether the user identification information and the authentication terminal identification information correspond to each other through a predetermined terminal authentication system, and registering the identification information of the authentication terminal in the authentication server when they correspond to each other. How to provide cloud certification system.
A service system that performs a predetermined service after the user authentication of the user is performed;
An authentication terminal which is previously authenticated as the terminal of the user;
An authentication server; And
In the method of providing a cloud authorized authentication system including a certification authority system for storing the user's certificate,
When the service system receives a registration request of the certificate from the terminal of the user, wherein the terminal of the user may be the authentication terminal, the terminal generates the third generation information including certificate identification information of the certificate. Transmitting to;
After the authentication terminal receives the third generation information from the user's terminal or the service system, any one of the third identification information or the certificate identification information included in the third generation information, and the authentication terminal identification Outputting a certificate registration request signal including information to the authentication server;
And registering, by the authentication server, the authentication terminal identification information previously registered in the authentication server and the certificate identification information included in the certificate registration request signal.
A computer-readable recording medium having recorded thereon a program for performing the method according to any one of claims 24 to 30.
In a system where user software for certificate management is installed,
The system comprises:
UI providing means for providing a UI for receiving a storage location of the certificate and the certificate password;
Input means for receiving input of identification information of a user when the cloud UI provided by the UI providing means is selected by the system; And
When the identification information is input, the cloud accredited authentication system including a certificate information acquisition means for receiving information on the certificate corresponding to the identification information from the certification authority system corresponding to the cloud UI, and display information on the received certificate .

Images