KR20150085173A - Method for Managing Certificate - Google Patents

Abstract

The present invention relates to a method for managing a certificate. According to the present invention, the method for managing a certificate comprises: a first step where a management server receives a certificate use message from a designated server which performs certificate use procedures on the paths for the certificate use procedures; a second step where the management server validates that the certificate use procedures is actually conducted on the paths for the certificate use procedures by using the certificate use message; a third step where the management server generates certificate use information that the certificate use procedures is conducted on the paths for the certificate use procedures by using certificate procedure information corresponding to the certificate use message; and a fourth step where the management server notifies to the user about the information of the certificate use to the wireless terminal of the user after building the communication channel to the designated terminal of the user.

Description

Methods for Managing Certificates {Method for Managing Certificate}

The present invention can be applied to a case where it is confirmed that a procedure using a certificate issued to a user in cooperation with a designated procedure server on a certificate use procedure path is being performed and a procedure of using a certificate issued to the user on the certificate use procedure path is performed It generates certificate use information for the use of the user's certificate and notifies the user of the use of the certificate.

Under the Digital Signature Act, certificates have been regarded as the most recognized means of authentication for non-face-to-face transactions or non-face-to-face communications using networks. However, attempts have been made to replace certificate-based authentication with other certificates because of the inconvenience of requiring users to visit the RA to issue certificates for issuing and to require a certificate medium to store the certificate for use of the certificate . However, any alternative authentication method does not completely replace certificate based authentication, but is used as an auxiliary authentication method.

However, as hacking techniques including smsing have improved recently, certificate hijacking and hacking are increasing day by day. Moreover, with the recent activation of smartphones, the service to store and use certificates in smart phones has been activated, and the number of certificate hijacking and hacking targeting smart phones is increasing more and more (http://www.hankyung.com/news /app/newsview.php?aid=2013122544771). It is safe to say that the certificate is no longer an authorized authentication method.

Nonetheless, certificates are still used as certified authentication methods for non-face-to-face transactions or non-face-to-face authentication. Even if future certificates lose their qualification as 'certified', they will be used as a means of authentication for non-face-to-face transactions or non-face-to-face authentication. Currently, banks that mainly provide certificate-based authentication provide an electronic financial fraud prevention service that allows a user to input a number indicated by a previously registered password or voice memo using ARS (Automatic Response Service) or the like, It is a service and can not prevent or detect certificate hijacking or hacking.

In addition, the conventional electronic financial fraud prevention service has a problem that it is possible to easily bypass the authentication procedure through the smoothing of a smart phone. In particular, a service provided by a bank forming a direct service contact with users Even if the user subscribes to the electronic financial fraud prevention service of the bank, the hacker can not fundamentally block the problem of using the personal information of the user who has been exposed for a long time and releasing the service and abusing the service.

In order to solve the above problems, an object of the present invention is to provide a method and system for managing a certificate in a network, wherein a management server receives a certificate use message from a designated procedure server performing a certificate use procedure on a certificate use procedure path, Generates certificate use information indicating that the certificate use procedure is being performed on the certificate use procedure path using the certificate procedure information corresponding to the certificate use message, And informs the terminal of the certificate use information through messaging or telephone call to the terminal.

A method for managing a certificate according to the present invention includes a first step of a management server receiving a certificate use message from a designated procedure server performing a certificate use procedure on a certificate use procedure path, A second step of confirming that the certificate use procedure is being performed on the usage procedure path; and a second step of confirming that the certificate use procedure is being performed on the certificate use procedure path using the certificate procedure information corresponding to the certificate use message A third step of generating the certificate use information for the real user through the call channel by connecting the call channel to the designated wireless terminal of the real user who has issued the certificate, And a fourth step of performing a procedure for notifying It should.

According to the present invention, the second step can confirm that the certificate path establishment / verification procedure is being performed on the certificate use procedure path.

According to the present invention, the second step can confirm that a certificate validity authentication procedure using a certificate revocation list (CRL) is performed on the certificate use procedure path.

According to the present invention, the second step can confirm that the certificate validity authentication procedure using the online certificate status protocol (OCSP) is being performed on the certificate use procedure path.

According to the present invention, the second step can confirm that a procedure using an electronic signature algorithm using a certificate is being performed on the certificate use procedure path.

According to the present invention, in the second step, it can be confirmed that a procedure using a certificate using a hash algorithm is being performed on the certificate use procedure path.

According to the present invention, the second step can confirm that a procedure using an encryption algorithm using a certificate is being performed on the certificate use procedure path.

According to the present invention, the second step can confirm that at least one of the certificate issuing procedure, the certificate re-issuing procedure, the certificate renewal procedure, the certificate copy procedure, and the certificate revocation procedure is performed on the certificate use procedure path .

According to the present invention, the certificate management method further includes checking the certificate procedure information corresponding to the certificate use message by the management server, and the second step is to read the certificate procedure information, It can be confirmed that the procedure of using the certificate is being performed on the path.

According to the present invention, the certificate procedure information includes at least one specification definition information defined in a specification related to the certificate use procedure, and includes at least one non-standard definition information that is exchanged or acquired through the certificate use procedure path for the certificate use procedure And may include standard information.

According to the present invention, the certificate procedure information includes certificate identification information for identifying the certificate used in the certificate use procedure, issuer identification information for identifying the issuer issuing the certificate, certification authority identification information for identifying the authorized certification authority of the certificate, The issuing organization identification information identifying the personalization agent of the issuing institution.

According to the present invention, the certificate procedure information includes medium identification information for identifying a certificate medium storing a certificate, requesting organization identification information for identifying a requesting organization requesting the use of the certificate, procedure identification information for identifying the certificate use procedure, And at least one identification information of the requested terminal identification information. Meanwhile, the terminal identification information includes identification information matching with the unique identification code of the terminal registered through the designated terminal registration procedure, identification information matching the unique authentication code of the terminal program identified through the program mounting / authentication procedure, (Global Positioning System) -based location information of the terminal, identification information that matches the base station-based location information of the terminal, identification information that matches the base station-based location information of the terminal, Information, and identification information that is matched with a telephone number of the terminal.

According to the present invention, the certificate procedure information may include at least one of a procedure value required for using a certificate and a certificate use value generated using a certificate.

According to the present invention, the certificate management method further includes the steps of: the management server verifying at least one designated identification information previously designated for authenticating the validity of the certificate use procedure among the identification information included in the certificate procedure information; The management server may further include authenticating the validity of the certificate use procedure by authenticating the identified designated identification information. Meanwhile, the designation identification information may include at least one designation identification information among medium identification information for identifying the certificate medium storing the certificate, procedure identification information for identifying the certificate use procedure, and terminal identification information for requesting the use of the certificate.

According to the present invention, the certificate management method may include the steps of: the management server verifying at least one designated value that is predetermined to authenticate the validity of the certificate use procedure among the procedure value and the certificate use value included in the certificate procedure information And authenticating the validity of the certificate use procedure by the management server authenticating the identified designated value.

According to the present invention, the certificate management method further includes storing the notification target certificate identification information for identifying the usage of the notified certificate by the management server, and the management server further includes storing at least one A step of comparing and authenticating the certificate identification information of the notification target certificate with the notification target certificate identification information; and when the management server matches the notification target certificate identification information with the notification target certificate identification information, And confirming that it is being performed.

According to the present invention, the certificate management method further includes storing the notification subject issuer identification information for identifying the use of the notified certificate by the management server, and the management server further comprises storing at least one Comparing the issuer identification information with the notification subject issuer identification information; comparing, when the issuer identification information is matched with the notification subject issuer identification information, And confirming that it is being performed.

According to the present invention, the certificate management method further includes storing the notification target procedure identification information for identifying the use of the notified certificate by the management server, wherein the management server is configured to transmit the at least one Comparing the procedure identification information with the notification target procedure identification information; comparing, when the procedure identification information is matched with the notification target procedure identification information, And confirming that it is being performed.

According to the present invention, the certificate use information includes at least one of the date and time when the certificate issued to the user is used, the authority information of the certificate to the authorized certification authority, the authority information of the certificate issuing authority, At least one of information, certificate use field information, certificate medium information in which a certificate is recorded, transaction information in which a certificate is used, and terminal information used in a certificate use, in a string form or a structure form.

According to the present invention, the certificate management method may further include the step of the management server receiving a certificate use approval signal for the certificate use information from a wireless terminal of an actual user to which the communication channel is connected. Meanwhile, the certificate management method may further include the step of the management server providing the procedure approval server with the approval approval result corresponding to the certificate use approval signal.

According to the present invention, the certificate management method may further include receiving, by the management server, a certificate use rejection signal for the certificate use information from a wireless terminal of an actual user to which the call channel is connected. Meanwhile, the certificate management method may further include the step of the management server providing a use rejection result corresponding to the certificate use denial signal to the procedure server.

According to the present invention, the management server may include a server which does not form a direct contact with the requesting terminal side requesting the use of the certificate on the certificate use procedure path.

According to the present invention, the management server can form a communication contact with a wireless terminal of an actual user who has issued the certificate on a separate channel different from the certificate use procedure path.

According to the present invention, it is recognized that a certificate issued to a user is directly used in a certificate use procedure regardless of various electronic financial fraud prevention services provided by a conventional bank, and based on the certificate usage information Is notified to the actual user who has issued the certificate, thereby advantageously managing the certificate securely without a separate auxiliary authentication means, and detecting and blocking the certificate hacking and illegal transaction in any way.

1 is a schematic diagram of a configuration of a certificate management system according to an embodiment of the present invention.
FIG. 2 is a diagram illustrating a configuration of a procedure server and a management server according to an embodiment of the present invention.
3 is a diagram illustrating a process of performing a certificate use procedure between a requesting terminal and a procedure server according to an embodiment of the present invention.
4 is a diagram illustrating a process of notifying the use of a certificate according to an embodiment of the present invention.
5 is a flowchart illustrating a process of approving or denying a certificate according to an embodiment of the present invention.
6 is a flowchart illustrating a process of approving or denying a certificate according to another embodiment of the present invention.
7 is a flowchart illustrating a process of using a certificate request procedure between a requesting terminal and a procedure server according to an embodiment of the present invention.

The operation principle of the preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings and description. It should be understood, however, that the drawings and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention, and are not to be construed as limiting the present invention. For example, it is possible that a configuration provided on the server side is implemented on the terminal side, or conversely, a configuration portion provided on the terminal side is implemented on the server side.

In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The terms used below are defined in consideration of the functions of the present invention, which may vary depending on the user, intention or custom of the operator. Therefore, the definition should be based on the contents throughout the present invention.

As a result, the technical idea of the present invention is determined by the claims, and the following embodiments are merely means for effectively explaining the technical idea of the present invention to a person having ordinary skill in the art to which the present invention belongs Only.

FIG. 1 is a schematic diagram of a configuration of a certificate management system according to an embodiment of the present invention.

In more detail, FIG. 1 shows whether a procedure using a certificate issued to a user is being performed on a certificate use procedure path, and when certificate use procedure is confirmed, generates certificate use information for use of the certificate and notifies the user 1, and various modifications and changes may be made to the present invention without departing from the spirit and scope of the present invention as defined by the following claims. , Or subdivided, or combined). However, the present invention includes all of the above-mentioned embodiments, and the technical features of the present invention are not limited only by the method shown in FIG.

The certificate management system of the present invention includes a requesting terminal 100 for requesting a procedure using a certificate issued to a user, a procedure server 100 for performing at least one procedure using a certificate issued to the user, (110), and a management server (110) for checking whether a procedure using a certificate issued to the user is being performed on the certificate use procedure path, generating certificate use information for use of the certificate when the certificate use procedure is confirmed, (200), and includes a user terminal (105) used by a user who actually receives the certificate.

The certificate use procedure path of the present invention includes a communication path formed through a communication network to perform the requested certificate use procedure from the requesting terminal 100. [ Accordingly, the present invention defines, as the procedure server 110, a server interlocking with the management server 200 among at least one server directly performing the certificate use procedure on a communication path formed through a communication network to perform a certificate use procedure The management server 200 checks whether a procedure for using a certificate issued to the user is being performed on the certificate use procedure path in connection with the procedure server 110 provided on the certificate use procedure path, It is possible to define the server as a server which generates the certificate use information for the use of the certificate and notifies the user of the generated certificate use information. According to the embodiment of the present invention, in order to maintain the independence of the certificate use information notification, the management server 200 does not form a direct contact with the requesting terminal 100 requesting the use of the certificate on the certificate use procedure path However, it is also possible to perform the communication with the user terminal 105 corresponding to the information receiving means of the actual user who has been issued the certificate of the certificate use procedure or the actual user's communication means through the separate channel distinguished from the certificate use procedure path To form a contact.

The user of the present invention can perform the registration operation through the RA and the issuance operation through the CA according to the specified standard (e.g., KCAC.TS.CRMF, KCAC.TS.CMP, KCAC.TS.RS, etc.) (For example, KCAC.TS.CERTPROF, etc.) is issued and / or reissued and stored in the designated certificate medium (e.g., KCAC.TS.UI, KCAC.TS.HSMS, KCAC.TS.HSMU, CAC.TS (For example, see KCAC.TS.CT, etc.), and the certificate is suspended (See, for example, KCAC.TS.CRLPROF). Here, the certificate medium includes an internal memory unit of the requesting terminal 100, an external memory unit (e.g., a hardware security module (HSM), a USB memory, a security token, etc.) detached from the requesting terminal 100, (E. G., A mobile token, a cloud storing certificates, etc.) that interfaces with the mobile device 100 (e. G., The mobile device 100) and is expandable as needed. According to an embodiment of the present invention, at a designated time point before or after performing a certificate use procedure such as issuing, reissuing, updating, copying, stopping and discarding a certificate via the user terminal, A subscriber program for using the recorded certificate is provided and / or driven. The subscriber program is also provided and / or driven at the time of starting the certificate-based service using the certificate recorded in the certificate medium.

The requesting terminal 100 is a collective term of a terminal requesting a procedure for using a certificate issued to a user, preferably a terminal used by a user who has issued a certificate. However, the present invention is not limited thereto. I suppose. The requesting terminal 100 may be any type of terminal including a wired terminal (e.g., a personal computer, a notebook computer) and a wireless terminal (e.g., a smart phone, a mobile phone, a tablet PC, etc.) And is not limited to a specific terminal type or category. For example, if a refrigerator or an air conditioner can request the use of a certificate through a communication network, the request terminal 100 corresponds to the present invention.

According to an embodiment of the present invention, the requesting terminal 100 displays a certificate selection interface for using the certificate-based service, and the certificate selection interface is displayed in the form of a program execution screen, a certificate window , Or in page form. The requesting terminal 100 includes and / or drives a subscriber program to display the certificate selection interface. According to the embodiment of the present invention, it is preferable that the certificate use procedure for the certificate issued to the user in the position of the requesting terminal 100 is considered to be started at the time when the certificate selection interface is displayed on the requesting terminal 100 Do. However, the certificate use procedure of the present invention is not limited to the certificate use procedure based on the certificate selection interface, and it is preferable that the certificate issuance procedure of the present invention also includes procedures such as certificate issuance, reissue, renewal, copying, .

According to an embodiment of the present invention, a subscriber program driven by a requesting terminal 100 displays a certificate selection interface according to a specified standard (e.g., KCAC.TS.NSACA), and displays a certificate available in the requesting terminal 100 And extracts and displays at least one certificate-related information to be used in the request terminal 100 from at least one certificate medium.

When at least one certificate-related information is extracted and / or displayed from the certificate medium specified through the certificate selection interface, the subscriber program displays the certificate corresponding to the specified standard (e.g., KCAC.TS.CERTVAL, KCAC.TS.OCSP, etc.) / RTI > and / or establishes a path to be used, and / or authenticates the certificate validity (e.g., certificate status, etc.). Meanwhile, the time point at which the certificate path establishment / verification procedure and / or the certificate validity authentication procedure is performed may be performed at any time before or during the actual use of the certificate issued to the user. Procedure and / or the time at which the certificate validity authentication procedure is performed.

According to an embodiment of the present invention, the certificate validity authentication procedure may include a certificate validity authentication procedure using a certificate revocation list (CRL) or a certificate validity authentication procedure using an online certificate status protocol (OCSP) . Preferably, the certificate revocation list is provided to the service providing organization and is periodically updated in association with the accredited certification authority. Accordingly, the certificate validity authentication procedure using the certificate revocation list is performed through a server provided in the service provider, and the certificate use information notification using the certificate validity information can be transmitted to a server provided in the service provider or to a server provided in the service provider May be provided through the production server. Preferably, the OCSP server for authenticating the validity of the certificate through the on-line status confirmation protocol is provided in the authorized certification authority. Therefore, the certificate validity authentication procedure using the online status confirmation protocol is performed by a server provided in a service provider and an OCSP server provided in a public certification authority in cooperation with each other, and the certificate use information notification using the server is provided in a server May be provided through an operation server associated with a server provided in the public certification authority or may be provided through a server provided in the service providing organization or an operation server associated with a server provided in the service providing organization according to an implementation method .

According to the present invention, the certificate path establishment / verification procedure and / or the certificate validity authentication procedure can be performed by using the certificate issued to the user on the certificate use procedure path before the certificate issued to the user in the certificate management technique of the present invention is actually used It is one of the key procedures to ensure that the procedure is being performed. Thus, the procedure server 110 and / or the management server 200 of the present invention can be either one of the servers directly involved in the certificate path establishment / verification procedure and / or the certificate validity authentication procedure, And / or a server that interacts with a server directly involved in the certificate validity authentication procedure.

If at least one of the above-described certificate path establishment / verification procedure and / or certificate validity authentication procedure is performed, the subscriber program is transferred to a specified standard (e.g., KCAC.TS.DSIG, KCAC.TS.HASH, KCAC.TS.ENC, etc.) And uses the certificate issued to the user by using at least one of digital signature and / or hash and / or encryption through at least one designated algorithm.

A certificate-based service (e.g., a certificate-based login, a certificate-based electronic signature, etc.) may be provided via at least one of electronic signatures and / or hashing and / or encryption using the specified algorithm, Is one of the core procedures for checking whether a procedure using the certificate issued to the user is being performed on the certificate use procedure path while the certificate issued to the user is actually used in the certificate management technology of the present invention.

The procedure server 110 is a generic name of a server that is provided on a certificate use procedure path and performs at least one of a certificate use procedure, preferably a service providing organization capable of providing a certificate-based service specified on a certificate use procedure path And a certification authority server included in the authorized certification authority or the personalization agent used for the certificate service procedure and / or the certificate use procedure. That is, the procedure server 110 may be any server as long as it exists on the path for using the certificate, and is not limited by the type or category of the specific server or the server operating agency. According to an embodiment of the present invention, a certificate use procedure for a certificate issued to a user in the context of the procedure server 110 may include confirming that a certificate-based service is requested from the requesting terminal 100, Is considered to be initiated from the time when it is determined that the certificate-based service is to be started. However, the certificate use procedure of the present invention is not limited to the certificate use procedure based on the certificate based service, and it is preferable that the certificate use procedure of the present invention also includes a procedure of issuing the certificate, reissuing, updating, copying and discarding.

According to the first procedure server 110 of the present invention, the procedure server 110 may include a service providing server provided in a service providing organization capable of providing the certificate-based service designated by the requesting terminal 100 . Here, the service providing organization is a general term of an institution that provides a service using a certificate, and is preferably an electronic transaction institution (for example, a bank, a credit card company, a securities company, an insurance company, (E.g., a portal site, an organization that operates a homepage), a government agency (e.g., a patent office, an e-government), an intermediary agency that relays a certificate-based service (e.g., a payment gateway, It includes all institutions and is not limited by the type or category of the particular institution. Hereinafter, the features of the present invention will be described mainly for the embodiment in which the service providing organization is an electronic transaction institution for convenience. However, it should be apparent that the features of the present invention are not limited thereto.

According to the first embodiment of the first procedure server 110, the procedure server 110 is provided in an electronic transaction providing organization (for example, a bank, a credit card company, a securities company, an insurance company, etc.) And at least one server among various electronic transaction related servers that provide an electronic transaction service. For example, the procedure server 110 may include at least one banking-related server among various banking-related servers such as an Internet banking server, a mobile banking server, and an electronic financial server.

According to the second embodiment of the first procedure server 110, the procedure server 110 is provided in the electronic transaction providing organization and includes a certificate transaction (e.g., certificate issuance, certificate re-issuance, certificate suspension, Validation, certificate roaming, and the like). For example, the procedure server 110 may include an RA server provided in a financial institution performing an RA (Registration Authority) service of a certificate among electronic transaction providing organizations that provide certificate related services. Alternatively, the procedure server 110 may include a CRL server that processes a certificate validation check using a certificate revocation list (CRL) among servers of an electronic transaction providing agency. Alternatively, the procedure server 110 may include an OCSP request server for requesting real-time certificate validation to an online certificate status protocol (OCSP) server of an accredited certification authority among servers of an electronic transaction providing agency.

According to the third embodiment of the first procedure server 110, the procedure server 110 is provided in the electronic transaction providing organization and performs a certificate-based authentication task (e.g., certificate-based login authentication or certificate-based digital signature verification And the like), and various certificate-based authentication servers that process the authentication information. For example, the procedure server 110 may include an authentication server that processes a certificate-based login authentication job among servers of an electronic transaction providing organization. Alternatively, the procedure server 110 may include an authentication server for processing a certificate-based digital signature verification job among the servers of the electronic transaction providing organization. Alternatively, the procedure server 110 may include a directory server that is provided in the electronic transaction providing institution or can be referred to by the authentication server of the electronic transaction providing institution.

According to the second procedure server 110 of the present invention, the procedure server 110 may include a certification authority of the certificate used in the certificate use procedure or a certification authority server provided in the personalization institution. It is possible to include a server of the highest certification authority according to the implementation method. Hereinafter, for convenience, the authority in which the certification authority server is provided is referred to as an " authorized certification authority ". However, the present invention is not limited thereto, and the certification authority may not be a 'certified' certification institution.

According to the first embodiment of the second procedure server 110, the procedure server 110 is provided in the authorized certification authority to perform a certificate operation (for example, certificate issuance, certificate re-issuance, certificate revocation, certificate revocation, Inspection, certificate roaming, and the like). For example, the procedure server 110 may include a CA server that performs a Certificate Authority (CA) service of a public certification authority. Alternatively, the procedure server 110 may include an OCSP server that handles real-time certificate validation at an authorized certification authority.

According to the second embodiment of the second procedure server 110, the procedure server 110 is provided in the authorized certification authority to perform a certificate-based authentication task (e.g., certificate-based login authentication or certificate-based digital signature verification Based authentication server that processes a plurality of certificate-based authentication servers. For example, the procedure server 110 may include an authentication server for processing a certificate-based login authentication job among servers of the authorized certificate authority. Alternatively, the procedure server 110 may include an authentication server for processing a certificate-based digital signature verification job among the servers of the authorized certification authority. Alternatively, the procedure server 110 may include a directory server provided in a public certification authority or implemented in an electronic transaction institution.

The management server 200 checks whether a procedure using a certificate issued to the user is being performed on the certificate use procedure path. If the certificate use procedure is confirmed, the management server 200 generates certificate use information about the use of the certificate and notifies the user As a generic term of the server, preferably, it may cooperate with at least one server provided on the certificate use procedure path. That is, the management server 200 may be any server as long as it is capable of confirming the use of the certificate and generating and notifying the use information of the certificate, and is not limited by the type, category, or server operating agency of the specific server. According to an embodiment of the present invention, the management server 200 may register a predetermined information (for example, a user terminal (for example, a user terminal) for providing certificate use information from a user who has issued a certificate and / 105), a proxy registration through a communication company / agency, etc.) is confirmed, it is desirable to maintain a state of checking whether a procedure using a certificate issued to the user is being performed on the certificate use procedure path.

According to the embodiment of the present invention, the management server 200 can confirm the certificate use procedure in connection with the service providing server and / or the certification authority server provided on the certificate use procedure path, or generate and notify the certificate use information Lt; / RTI > The management server 200 may be provided in the service providing organization or may be provided in the certification authority or may be provided in a separate operating entity (or business entity) The present invention is not limited thereto.

According to the first embodiment of the third management server 200, the management server 200 is provided in various electronic transaction related servers and electronic transaction providing organizations provided in an electronic transaction providing agency and providing an electronic transaction service A server for interfacing with at least one server among the various certificate-related servers for providing the certificate service, and various certificate-based authentication servers for processing the certificate-based authentication service in the electronic transaction provider.

According to the second embodiment of the third exemplary management server 200, the management server 200 is provided in various certificate-related servers and public certification authorities provided in a public certification authority to provide certificate services, And a server interworking with at least one of the various certificate-based authentication servers that process the authentication service.

According to an embodiment of the present invention, the procedure server 110 may transmit a certificate use message to the management server 200 during the process of using the certificate. Alternatively, the procedure server 110 stores log information during a certificate use procedure, and transmits a certificate use message corresponding to the log information to the management server 200 according to a request (or a designated transfer condition) of the management server 200 .

According to an embodiment of the present invention, the management server 200 interacts with the procedure server 110 through a predetermined interworking interface. If the procedure server 110 and the management server 200 are separate servers provided in different organizations, the interworking interface includes a network such as a communication network or a private network connecting the procedure server 110 and the management server 200 can do. If the procedure server 110 and the management server 200 are separate servers provided in the same institution, the interworking interface may include the internal network of the institution.

The user terminal 105 is a general term of a terminal used by a user who has been issued a certificate from a public certification authority (for example, KFTC or the like) or a certificate issuing organization. The user terminal 105 includes a wireless terminal 105 (for example, A tablet PC, etc.) and a wired terminal (e.g., a personal computer, a notebook computer, etc.).

FIG. 2 is a diagram illustrating a configuration of a procedure server 110 and a management server 200 according to an embodiment of the present invention.

2 is a functional block diagram of the procedure server 110 and the management server 200 shown in FIG. 1. Referring to FIG. 2, if a person skilled in the art is familiar with the present invention, (E.g., some of the components may be omitted, or broken down or combined) with respect to the configuration of the procedure server 110 and the management server 200 by referencing and / or modifying the procedure server 110 and / , The present invention includes all of the above-described embodiments, and the technical features of the present invention are not limited only by the method shown in FIG.

According to the embodiment of the present invention, the requesting terminal 100 is one of the terminals requesting the certificate-based service using the certificate issued to the user, preferably the user terminal 105 used by the user himself or herself, It is assumed that the invention may not be. The subscriber program driven by the requesting terminal 100 displays a certificate selection interface according to a specified standard (for example, KCAC.TS.NSACA), and searches and retrieves a certificate medium having a certificate available at the requesting terminal 100 And extracts and displays at least one certificate related information to be used in the requesting terminal 100 from at least one certificate medium.

When at least one certificate-related information is extracted and / or displayed from the certificate medium specified through the certificate selection interface, the subscriber program displays the certificate corresponding to the specified standard (e.g., KCAC.TS.CERTVAL, KCAC.TS.OCSP, etc.) / RTI > and / or establishes a path to be used, and / or authenticates the certificate validity (e.g., certificate status, etc.). The time at which the certificate path establishment / verification procedure and / or the certificate validity authentication procedure is performed may be performed at any time before or during the actual use of the certificate issued to the user. And / or the time at which the certificate validity authentication procedure is performed.

If at least one of the above-described certificate path establishment / verification procedure and / or certificate validity authentication procedure is performed, the subscriber program is transferred to a specified standard (e.g., KCAC.TS.DSIG, KCAC.TS.HASH, KCAC.TS.ENC, etc.) And uses the certificate issued to the user by using at least one of digital signature and / or hash and / or encryption through at least one designated algorithm. A certificate-based service (e.g., a certificate-based login, a certificate-based electronic signature, etc.) is provided via at least one of electronic signature and / or hash and / or encryption using the specified algorithm.

Referring to FIG. 2, the procedure server 110 includes a service procedure execution unit 115 for performing a service procedure for providing a requested service from the requesting terminal 100, (1? N? N) certificate use procedure associated with the service procedure among the N (N> 1) certificate use procedures performed using the certificate, or the n-th certificate use procedure And a certificate procedure performing unit 125 that performs some of the procedures. Here, the N certificate use procedures may include a process of issuing a certificate, a process of reissuing, renewing, and copying a certificate, various procedures using a certificate through a subscriber program, a procedure of stopping and discarding a certificate issued, And the n-th certificate use procedure includes at least one certificate use procedure that is currently performed or being performed in cooperation with the requesting terminal 100 during the N-use certificate procedure. Each of the n-th certificate use procedures consists of T (T > 1) execution procedures, and some of the n-th certificate use procedures include at least one of the first to t- One execution procedure (e.g., t (1 < t T) execution procedure, etc.).

When the requesting terminal 100 requests a service to the procedure server 110 through a communication network, the service procedure performing unit 115 performs a procedure for providing the requested service. The service includes all services that can be provided through a communication network such as a login service, a user authentication service, a web-based service, a financial transaction service, and a payment service, and is not limited to a specific service. In order to receive the service, the request terminal 100 may be provided with a program for starting a browser or using a separate service. In this case, the role of the service procedure execution unit 115 of the procedure server 110 may be a service providing service provided by the service terminal 100, The service procedure execution unit 115 may be omitted because the providing server will process the service.

At a designated time before, during, or after the service procedure is performed, the certificate use determination unit 120 determines whether the use of the certificate issued to the user is necessary to provide the service according to a designated procedure. The determination of the necessity of certification may be made based on the kind of the service procedure and / or the order of the procedure being performed. In the case where a program for using the service is provided to the requesting terminal 100 according to an embodiment of the present invention, the determination of the necessity of the certificate may be made through the program of the requesting terminal 100, And the certificate use determination unit 120 may be interlocked with each other, and thus the present invention is not limited thereto.

When the use of the certificate is determined through the certificate use determination unit 120, the certificate procedure execution unit 125 identifies the n-th certificate use procedure to be performed in association with the service procedure among N certificate use procedures, And performs the identified n-th certificate use procedure in connection with the terminal 100 side. The certificate procedure execution unit 125 may provide a procedure for providing a certificate selection interface to the requesting terminal 100 (e.g., a procedure for operating a subscriber program included in the requesting terminal 100, (E.g., a certificate selection interface is displayed or a program for operating a subscriber program is provided), and performs at least one procedure using a certificate in conjunction with a subscriber program driven in the request terminal 100. [

According to an embodiment of the present invention, the n-th certificate use procedure performed by the certificate procedure performing unit 125 includes at least one of a procedure for establishing / verifying a certificate path, a certificate validity authentication procedure, and a procedure using a specified algorithm .

According to the method of the present invention, identification information for identifying a certificate on the certificate use procedure path in accordance with a specification (for example, KCAC.TS.DN, KCAC.TS.SIVID, etc.) while the n-th certificate use procedure is performed and (E.g., KCAC.TS.LDAP, KCAC.TS.TSP, KCAC.TS.NTP, &lt; / RTI &gt;&lt; RTI ID = (For example, various parameters and variables defined in various standards for use of the certificate) and / or certificates (for example, certificates, etc.) for use of the certificate in accordance with the certificate, KCAC.TS.DSIG, KCAC.TS.HASH, KCAC.TS.ENC A usage value (e.g., a value generated according to various standards for using a certificate), and the like may be exchanged.

In the case of the method for receiving the certificate use approval message or the certificate use rejection message from the terminal 105 of the actual user who has issued the certificate with respect to the n-th certificate use procedure according to the embodiment of the present invention, The certificate authority 125 may temporarily wait until the nth certificate use procedure is not finalized until the certificate use approval or the certificate use rejection is confirmed and the nth certificate use procedure may be selectively performed according to the use approval result or the use rejection result It is possible to finish the final processing.

Referring to FIG. 2 according to a first procedure notification method of the present invention, the procedure server 110 includes a certificate procedure check unit 130 (FIG. 1) for checking the nth certificate use procedure being performed through the certificate procedure execution unit 125 A procedure information confirmation unit 135 for checking the certificate procedure information related to the verified n-th certificate use procedure, and a certificate use confirmation unit 135 for generating and managing a certificate use message for the certificate use procedure using the verified certificate procedure information And a certificate procedure notification unit 140 for transmitting the certificate to the server 200.

The certificate procedure confirmation unit 130 designates and stores procedure identification information for identifying M (1? M? N) certificate use procedures that can be identified in the procedure server 110 among N certificate use procedures, And verifies whether the n-th certificate use procedure performed through the certificate procedure execution unit 125 is included in the M certificate use procedures. Preferably, the M certificate use procedures include at least one of a certificate path establishment / verification procedure, a certificate validity authentication procedure, and a procedure using a specified algorithm. A certificate renewal procedure, a certificate renewal procedure, a certificate copy procedure, and a certificate revocation procedure, which are performed through the procedure server 110.

The procedure information verification unit 135 has an information list of the certificate procedure information to be checked for the certificate use information notification for the M certificate use procedures, n certificate use procedure is included in the M certificate use procedures, certificate procedure information corresponding to the information list is checked in association with the n-th certificate use procedure.

According to the method of the present invention, the certificate procedure information includes the specification definition information defined in the specification related to the n-th certificate use procedure. Preferably, the specification definition information includes certificate identification information for identifying a certificate on the certificate use procedure path according to a specified specification (e.g., KCAC.TS.DN, KCAC.TS.SIVID, etc.), issuer identifying the issuer who issued the certificate Identification information, certification authority identification information for identifying the authorized certification authority, personal identification agent identification information for identifying the certificate issuing authority (Normally, the authorized certification authority and the certificate issuing authority for the user's certificate are the same, (For example, see KCAC.TS.CTL, etc.), and the present invention includes all of the permitted certificate use procedures), and may include the identification information of a designated standard (e.g., KCAC. TS, LDAP, KCAC.TS.TSP, KCAC.TS.NTP, KCAC.TS.DSIG, KCAC.TS.HASH, KCAC.TS.ENC), various procedure values and / or certificate usage values Write down One can be included. The standard definition information may include information defined in each standard as it is or may include information agreed between the procedure server 110 and the management server 200 based on the information defined in the standard.

Meanwhile, the procedure information confirmation unit 135 may further confirm at least one non-standard information used for performing the n-th certificate use procedure as the certificate procedure information, in addition to the standard definition information. The non-standard information includes medium identification information (e.g., an identifier for identifying the type of the certificate medium and / or a unique code for uniquely identifying the certificate medium) identifying the certificate medium, a requesting organization identification A procedure identification information for identifying a type of information use procedure, a result identification information for identifying a result of using various certificates, terminal identification information for requesting the use of a certificate (e.g., a unique identification code of a terminal registered through a designated terminal registration procedure (E.g., a unique code recorded in a physical configuration unit constituting a terminal, etc.), a unique authentication code of the terminal-side program identified through a predetermined program mounting or authentication procedure (e.g., A unique code stored in the designated storage area of the terminal, etc.) (Eg, fixed IP address, MAC address, etc.) that is registered through the information sharing procedure between the registered information or the information sharing between the related organizations (eg, ISP) (ISP) -based location information (e.g., local information of the requesting terminal 100 that can be verified by the ISP) of the terminal registered through the information sharing procedure between the ISPs (GPS) based on the GPS (Global Positioning System) -based location information of the terminal registered through the information sharing procedure between the terminal (e.g., the communication company and the terminal manufacturer) (For example, the requesting terminal 100 is a wireless terminal that forms a wireless section with a base station) based on the base station-based position information of the terminal registered through the information sharing procedure between the base station If the (For example, the requesting terminal 100 transmits a telephone call) to the registered terminal through the information sharing procedure between the identification information, the information registration, or the association entity (e.g., communication company) (E.g., a telephone number assigned to the terminal when possible), and the like). If the non-standard information is the information defined in the standard corresponding to the n-th certificate use procedure or can be replaced with the information defined in the standard, the information defined in the standard may be used / replaced.

If at least one specification definition information for the n-th certificate use procedure is included in the procedure information verification unit 135 and certificate procedure information including at least one non-standard information is identified according to the method, The procedure notification unit 140 generates a predetermined certificate use message for containing the identified certificate procedure information or for transmitting the confirmed certificate procedure information to the management server 200. [ The certificate use message may include certificate procedure information in a data field or the certificate use message may be used for notification and the certificate procedure information may be provided to the management server 200). According to an embodiment of the present invention, the certificate use message may be variously performed according to the relationship between the procedure server 110 and the management server 200. [

According to the first certificate use messaging method of the present invention, if the management server 200 does not perform the procedure related to the use of the certificate, the certificate procedure notifying unit 140 notifies the identified certificate procedure information to the management And transmits the generated certificate use message to the management server 200 for transmission to the server 200. For example, if the procedure server 110 is an authentication server and the n-th certificate use procedure is a digital signature procedure using a certificate and the management server 200 is a separate server connected to an authentication server, 125) has verified the digital signature value, the certificate procedure notification unit 140 may include standard definition information for the digital signature verification procedure, and may include at least one A certificate use message including non-standard information may be generated and transmitted to the management server 200.

Referring to FIG. 2 according to a second procedure notification method of the present invention, the procedure server 110 includes a log storage unit (not shown) for storing log information about a certificate use procedure performed through the certificate procedure performing unit 125 A certificate procedure checking unit 130 for checking the n-th certificate use procedure performed through the certificate procedure performing unit 125 using the log information related to the certificate use procedure among the log information, A procedure information confirmation unit 135 for confirming the certificate procedure information related to the n-th certificate use procedure, and a certificate use message for the certificate use procedure using the verified certificate procedure information to transmit to the management server 200 (Not shown).

If the requested certificate use procedure or some procedure is being performed or performed by the request terminal 100 through the certificate procedure execution unit 125, the log storage unit 145 may transmit And stores the log information about the certificate use procedure being performed or performed in the designated storage area.

The certificate procedure confirmation unit 130 may select log information related to the certificate use procedure from among the stored log information through the log storage unit 145, and / or group each procedure log for each certificate. The certificate procedure check unit 130 reads the sorted and / or grouped log information to confirm the n-th certificate use procedure and confirms whether the n-th certificate use procedure is included in the M certificate use procedures .

If it is confirmed that the n-th certificate use procedure is included in the M certificate use procedures through the certificate procedure confirmation unit 130, the procedure information check unit 135 may acquire, from the log information, Identifies the certificate procedure information, which includes one or more specification definition information and includes at least one non-standard information according to the implementation method. The certificate procedure notification unit 140 generates a predetermined certificate use message for containing the identified certificate procedure information or for transmitting the identified certificate procedure information to the management server 200. [

According to the second certificate use messaging method of the present invention, the certificate procedure notification unit 140 manages the certificate based on the specification definition information and / or non-standard information included in the certificate procedure information through the procedure information verification unit 135 Determines whether or not to notify the server 200 of the n-th certificate use procedure, and includes the certificate procedure information verified through the procedure information verification unit 135 or transmits the verified certificate procedure information to the management server 200 And transmits the generated certificate use message to the management server 200.

According to the third certificate use messaging method of the present invention, the certificate procedure notification unit 140 receives the procedure notification request information from the management server 200, and in response to the procedure notification request information, Or generate a predetermined certificate use message for transferring the identified certificate procedure information to the management server 200 and transmit the generated certificate use message to the management server 200. [ The procedure information confirmation unit 135 may check and maintain the certificate procedure information before the procedure notification request information is received or may update the certificate procedure information based on the log information in response to receiving the procedure notification request information .

Referring to FIG. 2, the management server 200 includes notification target identification information for identifying a notification target to which certificate use information is to be notified, and an information storage unit 205 for storing and managing user information on a specified storage medium do. On the other hand, in the case of notifying the notification object without distinguishing it separately according to the embodiment, the notification object identification information may not be separately stored or managed.

According to an embodiment of the present invention, the user information is a generic name of user-related information that is identified for uniquely identifying a user who is to be issued a certificate from information registered in the CA through the RA for issuing a certificate. The user information includes a user name, a resident registration number Personal information, and includes information identifying the user's information receiving means or communication means for receiving the certificate use information. The information for identifying the information receiving means of the user includes at least one of the information of the user's wireless terminal (for example, the mobile phone number, the account information given in the wireless network to which the wireless terminal 105 is connected, Program identification information (e.g., push token, account information mapped with the program, etc.), user's member account information, user's mail address information, and the like. Alternatively, the information for identifying the user's communication means may include information about the user's wireless terminal (e.g., a telephone number assigned to the wireless terminal 105 so as to make a telephone call), a call terminal used by the user (e.g., , A landline telephone, a VoIP phone, etc.), and the like. The personal information is unchanged until the revocation of the certificate after being registered through the RA, but some of the information identifying the information receiving means or the communication means (for example, mobile phone number, etc.) may be changed. Therefore, the information identifying the user's information receiving means or the communication means of the user information can be effectively updated through the user authentication process using a separate channel.

According to the first information storage method of the present invention, the information storage unit 205 may include at least one of the notification subject certificate identification information for identifying the notification subject certificate and / or the notification subject issuer identification information for which the notification subject certificate is issued The notification target identification information and / or the notification subject issuer identification information may be mapped to the user information that has been issued the certificate. According to the method, the information storage unit 205 further confirms the notification target identification information that identifies the authorized certification authority or the certificate issuing organization (for example, the management server 200 determines whether the management server 200 is an authorized certification authority or an organization associated with a certificate issuing organization Server) and store it.

According to an embodiment of the present invention, in the first information storage method, the information storage unit 205 stores a notification agreement (for example, an application agreement, a communication agreement, etc.) from a user who has issued the certificate in the process of issuing / And / or issuer identification information for the certificate issued / reissued to the user based on the non-face agreement and / or the agreement of the issuer, And can be stored as identification information in a storage medium designated as described above. (Or subscription / authentication) of the user via the user terminal 105 or a program assigned to the user terminal 105 (for example, the user's wireless terminal 105) is mounted and driven The information storage unit 205 stores the certificate identification information for the certificate issued / reissued to the user through the notification agreement or the designated information registration procedure performed in communication with the user terminal 105 (or the program) and / It is possible to confirm the issuer identification information and store the identified certificate identification information and / or issuer identification information in the storage medium designated as the notification target identification information.

According to the second information storage method of the present invention, the information storage unit 205 can determine the notification target procedure identification information that identifies the notified certificate use procedure and store it in the storage medium, and preferably, The information may be mapped to the user information from which the certificate is issued.

According to an embodiment of the present invention, in the second information storage method, the information storage unit 205 stores m (1? M? N or 1? m &amp;le; M) of the notification target certificate use procedure, determines the notification target procedure identification information for identifying the determined m notification target certificate use procedures, and then transmits the determined procedure identification information as the notification target identification information And can be stored in a storage medium. According to an embodiment of the present invention, the notification target process identification information is not stored in the storage medium, but may be provided in the form of a program code in the certificate procedure confirmation unit 130 and / or the notification target verification unit 220 described below. For example, the m notification target certificate use procedures include procedures related to a certificate operation task such as a certificate path establishment / verification procedure, a certificate validity authentication procedure, a procedure using a specified algorithm, and the like. , Certificate renewal procedures, certificate copying procedures, certificate revocation procedures, and the like.

According to the third information storage method of the present invention, the information storage unit 205 can identify the valid certificate medium identification information in which the certificate issued to the user is effectively recorded, and store the valid certificate medium identification information in a designated storage medium. Here, the valid certificate medium includes a certificate medium in which a certificate issued to the user at the time of issuing / reissuing / copying the certificate is actually recorded. For example, if the user issues a certificate to the HSM at the time of issuing the certificate and copies it to the user's wireless terminal 105, the valid certificate medium includes the user's HSM and the user's wireless terminal 105 .

According to the fourth information storage method of the present invention, when a terminal capable of using a certificate issued to the user is designated and registered, the information storage unit 205 confirms the unique identification code for the designated registered terminal, And stores the unique identification code in the storage medium designated as the identification information for the designated terminal. Here, the unique identification code may be a unique identification code stored in a memory unit of the terminal, a unique identification code for a program installed in the terminal, a unique identification code recorded in a physical configuration unit constituting the terminal, And a unique identification code of the chip to be detached.

According to the fifth information storage method of the present invention, the information storage unit 205 can store identification information and / or user information in a form of combining the first to fourth information storage methods, The invention is not limited.

Referring to FIG. 2, the management server 200 includes a certificate procedure receiver 210 for receiving a certificate use message for an n-th certificate use procedure being performed or performed on a certificate use procedure path, A certificate procedure checking unit 130 for confirming a n-th certificate use procedure being performed on the certificate use procedure path based on the certificate usage procedure procedure path or confirming that the n-th certificate use procedure is being performed on the certificate use procedure path, And a procedure information confirmation unit 135 for confirming the certificate procedure information related to the n-th certificate use procedure being performed or performed on the certificate use procedure path based on the message.

The certificate procedure receiving unit 210 receives the certificate use message for the n-th certificate use procedure being performed on the certificate use procedure path. According to an embodiment of the present invention, the certificate procedure receiving unit 210 receives at least one of the first to third certificate use messaging methods from the procedure server 110 performing the n-th certificate use procedure among the N certificate use procedures The certificate use message may be received according to the certificate use messaging method.

According to another embodiment of the present invention, the certificate procedure receiving unit 210 may receive the certificate use message from the requesting terminal 100. Meanwhile, when the certificate medium of the certificate to be used in the request terminal 100 is implemented in the form of a separate communication terminal other than the request terminal 100 (for example, a mobile token), the certificate procedure receiving unit 210 may correspond to the certificate medium Receiving the certificate use message from the communication terminal. It should be apparent that the present invention includes an embodiment for receiving a certificate use message from the requesting terminal 100 or a separate communication terminal in addition to the procedure server 110.

According to an embodiment of the present invention, the certificate use message includes certificate procedure information for a n-th certificate use procedure being performed on the certificate use procedure path, or receives the certificate procedure information from the procedure server 110 Lt; / RTI &gt; information.

The procedure information checking unit 135 checks the certificate procedure information related to the n-th certificate use procedure being performed or performed on the certificate use procedure path based on the certificate use message. According to an embodiment of the present invention, the certificate procedure information includes standard definition information (e.g., specification information (e.g., certificate identification information, issuer identification information, certification authority identification information, N) of at least one certificate used to perform the n-th certificate use procedure according to an embodiment of the present invention. Non-standard information (e.g., medium identification information for identifying the certificate medium, requesting institution identification information for identifying the requesting authority that requested the use of the certificate, procedure identification information for identifying the n-th certificate use procedure type, Identification information, terminal identification information requesting the use of the certificate, and the like).

When the certificate use message includes the certificate procedure information, the procedure information verification unit 135 can check certificate procedure information related to the n-th certificate use procedure being performed or performed on the certificate use procedure path from the certificate use message have. Meanwhile, when the certificate use message is a message for transmitting the certificate procedure information held in the procedure server 110, the procedure information checking unit 135 receives the certificate use message from the procedure server 110, Process information can be received.

The certificate procedure confirmation unit 130 can confirm that the procedure of using the certificate on the certificate use procedure path is being performed based on the certificate use message received from the procedure server 110. [ When the certificate use message corresponding to the n-th certificate use procedure is received from the request terminal 100 or the separate communication terminal through the certificate use procedure path according to the method, It can be confirmed that the procedure of using the certificate on the route of the certificate use procedure is being performed.

If the certificate procedure information corresponding to the certificate use message is confirmed, the certificate procedure verification unit 130 reads the certificate procedure information and can confirm that the procedure of using the certificate on the certificate use procedure path is being performed. For example, the certificate procedure verification unit 130 reads at least one of the identification information and / or the procedure value and / or the certificate usage value included in the certificate procedure information and uses the certificate on the certificate usage procedure path It can be confirmed that the procedure is being performed.

According to the first certificate use confirmation embodiment of the present invention, the certificate procedure confirmation unit 130 may use the certificate use message and / or read the certificate procedure information to generate a certificate path establishment / Verification process is being performed.

According to the second certificate use confirmation embodiment of the present invention, the certificate procedure confirmation unit 130 may use the certificate use message and / or read the certificate procedure information, and perform a certificate validity authentication procedure Can be confirmed.

According to the third certificate use confirmation embodiment of the present invention, the certificate procedure confirmation unit 130 may use the certificate use message and / or read the certificate procedure information, and use the specified algorithm on the designated certificate use procedure path Procedure (e.g., certificate-based login or certificate-based electronic signature, etc.) is being performed.

According to the fourth certificate use confirmation embodiment of the present invention, the certificate procedure verification unit 130 may use the certificate use message and / or read the certificate procedure information to perform a certificate issuance procedure, It is confirmed that at least one of a certificate re-issuance procedure, a certificate renewal procedure, a certificate copy procedure, and a certificate revocation procedure is being performed.

Referring to FIG. 2, the management server 200 may include a certificate use authentication unit 215 that authenticates whether the use of the certificate corresponding to the n-th certificate use procedure being performed or performed on the certificate use procedure path is valid have.

The certificate use authenticating unit 215 identifies at least one designated identification information previously designated for authenticating the validity of the n-th certificate use procedure from the identification information included in the certificate procedure information corresponding to the n-th certificate use procedure And the certificate identification information is authenticated using the previously stored identification information to authenticate the validity of the n-th certificate use procedure, and / or certificate procedure information corresponding to the n-th certificate use procedure is added to the procedure value and the certificate use value The validity of the n-th certificate use procedure may be verified and the validity of the n-th certificate use procedure may be verified by performing a verify operation on the specified value. Here, the designated identification information for the certificate use authentication includes at least one of identification information for identifying at least one of medium identification information for identifying the certificate medium storing the certificate, procedure identification information for identifying the certificate use procedure, and terminal identification information for requesting the use of the certificate .

According to the first authentication use authentication method of the present invention, when the certificate procedure information includes the medium identification information that identifies the certificate medium recording the certificate used in the n-th certificate use procedure, The control unit 215 compares the valid certificate medium identification information stored in the storage medium with the verified medium identification information through the information storage unit 205 to determine whether the certificate medium in which the certificate used in the n-th certificate use procedure is recorded, Issued / reissued / copied certificate medium. For example, if the type of the certificate medium corresponding to the medium identification information is the hard disk of the computer, the certificate use authenticating unit 215 may determine that the n-th certificate It can be determined that the certificate medium used in the use procedure is not valid. Or the valid certificate medium of the user is the HSM and the wireless terminal 105 and the type of the certificate medium corresponding to the medium identification information is the wireless terminal 105 but the wireless terminal 105 corresponding to the medium identification information, If the wireless terminal 105 corresponding to the valid certificate medium identification information is different, the certificate use authentication unit 215 may determine that the certificate medium used for the n-th certificate use procedure is invalid.

According to the second certificate use authentication method of the present invention, the certificate use authentication unit 215 may use the identification information included in the certificate use message and the identification information included in the certificate use message according to at least one notification target verification method among the first, And the comparison result of the stored identification information can be used as the authentication result of verifying the validity of the use of the certificate. According to the embodiment of the present invention, the certificate use authenticating unit 215 uses the comparison result of the identification information used for the confirmation of the notification object as the authentication result authenticating the validity of the use of the certificate, The comparison result of the identification information other than the comparison result of the specific identification information used in the use of the certificate can be used as the authentication result of verifying the validity of the use of the certificate.

According to the third certificate use authentication method of the present invention, when the procedure use information included in the nth certificate use procedure is included in the certificate procedure information, The authentication unit 215 may perform a specified verification operation on the procedure value or the value of the certificate use to authenticate whether the use of the certificate is valid. For example, when the certificate procedure information includes a certificate use value including a certificate-based login operation value or a certificate-based electronic signature value, the terminal performs a specified verification operation on the certificate-based login operation value or the certificate-based digital signature value Thereby authenticating that the use of the certificate is valid.

Referring to FIG. 2, the management server 200 has a notification object verifying unit 220 for verifying whether the n-th certificate use procedure being performed or performed on the certificate use procedure path is a certificate corresponding to a notification object can do. On the other hand, when notifying the certificate use information without distinguishing the notification object separately, the notification confirmation unit 220 can be omitted.

In the case of distinguishing a subject to be notified according to an embodiment of the present invention, the notification subject confirmation unit 220 confirms the n-th certificate use procedure corresponding to the certificate use message and / or the certificate procedure confirmation unit 130 It is possible to confirm whether the used certificate use procedure corresponds to the designated certificate use procedure.

According to the first notification target verification method of the present invention, the notification target verification unit 220 identifies at least one of the certificate identification information and the issuer identification information included in the certificate procedure information identified through the certificate use message And compares the received certificate identification information or the issuer identification information with the notification target certificate identification information or the notification subject issuer identification information stored in the storage medium through the information storage unit 205, Or the issuer identification information of the notification target. If the certificate identification information or the issuer identification information included in the certificate procedure information matches the notification subject certificate identification information or the notification subject issuer identification information, the notification subject confirmation unit 220 can confirm that the notification subject certificate is used have. If the notification target certificate identification information or the notification subject issuer identification information is not stored in the storage medium, the notification subject confirmation unit 220 refers to the server of the authorized certification authority or the certificate issuing organization and notifies the notification target certificate identification information or notification It is possible to refer to the target issuer identification information.

According to the second notification target verification method of the present invention, the notification target verification unit 220 confirms the procedure identification information included in the certificate procedure information identified through the certificate use message, And checks whether the procedure identification information and the n-th certificate use procedure included in the certificate procedure information match the notification target procedure identification information. If the procedure identification information included in the certificate procedure information is matched with the notification target procedure identification information, the notification subject verification unit 220 can confirm that the notification target certificate is used.

According to the third notification target verification method of the present invention, it is possible to check whether the notification target certificate is used by combining the first and second notification target verification methods, and thus the present invention is not limited thereto. According to another embodiment of the present invention, it is possible to check whether the notification target certificate is used by using the identification information other than the identification information cited in the first and second notification target verification methods. Which are not intended to limit the scope of the invention.

Referring to FIG. 2, the management server 200 includes a usage information generating unit 225 for generating certificate usage information for a certificate use being performed or performed on a certificate use procedure path, Or a method of notifying a certificate use information message to a designated information receiving means or connecting a call channel with a specified calling means of an actual user who has issued a certificate to the communication means of the actual user via the communication channel, And a usage information notifying unit 230 for performing a procedure for notifying the user of the information.

It is confirmed that the n-th certificate use procedure is being performed on the certificate use procedure path through the certificate procedure confirmation unit 130, and / or the validity of the certificate use is authenticated through the certificate use authentication unit 215, and / The usage information generating unit 225 generates the use certificate containing information indicating that the certificate issued to the user is used for the use of the certificate, . Here, the certificate use information includes information on the date and time when the certificate issued to the user is used (for example, date information included in the certificate use message or date and time when the certificate use message is received) (For example, authority information having the procedure server 110 that transmitted the certificate use message), certificate use field information (for example, Such as a computer, a floppy disk, a security token, a USB medium, an HSM, a mobile phone, a smart phone, a USIM, a mobile token, etc.), a certificate issuer Transaction information in which the certificate is used, and terminal information (e.g., information corresponding to the terminal identification information) used in the use of the certificate.

When the certificate use information is notified to the information receiving means of the user, the certificate use information may be in the form of a character string including one or more specified information. For example, the certificate use information may be formed of a string structure such as &quot; You are logged in with a certificate issued by xx at xx bank xxx on XX XXX XXXX &quot;. Or the certificate utilization information may be in the form of structure information available in the user terminal 105 and / or the designated program corresponding to the information receiving means of the actual user.

When the certificate use information is notified to the user's communication means, the certificate use information may be in the form of a character string including at least one specified information and convertible into a voice comment. Alternatively, the certificate use information may be used to generate (or combine) a voice announcement that can be transmitted through a communication channel to a user terminal 105 corresponding to an actual user's communication means in an ARS (Automatic Response Service) or CTI Structure information format.

The utilization information notifying unit 230 confirms the user information based on at least one identification information included in the certificate procedure information and identifies the information receiving means of the actual user corresponding to the user information. The information receiving means of the actual user may be a user terminal of a user capable of receiving a message, a program provided in the user's wireless terminal 105, a user account mapped with a program provided in the user's wireless terminal 105, A user's membership account, and a user's mail address. That is, the information receiving means of the user may include an individualized terminal capable of receiving a message, such as a user's wireless terminal 105, an account mapped with a program and / or a program provided in the user's personalized terminal, A member account or mail address of a user who can transfer usage information to a user can be included in the information receiving means of the user even if the user terminal 105 is not personalized. Hereinafter, the features of the present invention will be described with reference to an embodiment in which the user's information receiving means is a program provided in the user's wireless terminal 105 or the user's wireless terminal 105 for convenience.

If the program of the user's wireless terminal 105 or the user's wireless terminal 105 corresponding to the information receiving means of the user is confirmed, the usage information notifying unit 230 notifies the usage information To the user's wireless terminal (105) or the user's wireless terminal (105).

For example, if the user's information receiving means is the user's wireless terminal 105 and the designated messaging procedure is wireless messaging (e.g., SMS, MMS, etc.) using the phone number of the wireless terminal 105, The information notifying unit 230 generates a wireless message including the certificate use information in the body of the wireless message and includes the telephone number of the user's wireless terminal 105 in the receiving side information and transmits the generated wireless message to the user's wireless terminal 105 (For example, a dispatch request to a designated dispatch server). Alternatively, the usage information notifying unit 230 generates a wireless message including access information on the storage medium after storing the certificate use information in a designated storage medium, and transmits the generated wireless message to the user's wireless terminal 105 And may transmit the certificate use information stored in the storage medium to the user's wireless terminal 105 at the request of the wireless terminal 105 that has received the wireless message. The notification procedure may be performed through the usage information notification unit 230 or through a separate message server (not shown).

Alternatively, if the program provided to the user's wireless terminal 105 by the user's information receiving means is push messaging for the program of the wireless terminal 105, the usage information notifying unit 230 After storing the certificate use information in a designated storage medium, generates a push notification for transferring the certificate use information stored in the storage medium to the program of the wireless terminal 105, (For example, a push notification request via a designated push server), and may then transmit the certificate use information stored in the storage medium to the program of the wireless terminal 105 that has received the push message. The notification procedure may be performed through the usage information notification unit 230 or through a separate notification server (not shown).

Alternatively, if the communication means of the user is a wireless terminal 105 of a user who can make a telephone call, the usage information notifying unit 230 connects a call channel with a designated wireless terminal 105 of an actual user who has issued the certificate, The user terminal can perform the procedure for notifying the actual user's wireless terminal 105 of the certificate use information through the communication channel, and the certificate use information can be transmitted through the voice message (or voice signal) The user can be notified. Preferably, the call channel connection and / or notification procedure may be performed through the ARS server or the CTI server associated with the management server 200. If the ARS function or the CTI function is provided in the management server 200 In this case, the call channel connection and / or notification procedure may be performed through the management server 200.

The program included in the wireless terminal 105 of the user or the wireless terminal 105 of the user who has received the certificate use information message displays the certificate use information corresponding to the certificate use information message on the screen, ), Displays an interface for approving or rejecting the use of the certificate corresponding to the certificate use information, generates a certificate use approval message or a certificate use rejection message based on a user operation on the interface, ).

The wireless terminal 105 of the user who has been notified of the certificate use information through the call channel outputs the certificate use information in the form of a voice message (or voice signal), and the guidance information (DTMF) signal that can be transmitted and received through the call channel based on the received signal (or voice signal), and transmit the signal through the call channel. The certificate use approval signal or the certificate use rejection signal is transmitted to the management server 200 through the designated path.

Referring to FIG. 2, when the management server 200 notifies the certificate use information to the information receiving means of the user, the management server 200 receives the certificate use approval message from the user terminal 105 that has received the certificate use information message And a result providing unit 245 for providing a procedure approval result corresponding to the certificate use acceptance message to the procedure server 110. [

A certificate use approval message is generated and transmitted from the user terminal 105 that has received the certificate use information message, that is, the program included in the user's wireless terminal 105 or the user's wireless terminal 105 according to the embodiment of the present invention The use approval receiving unit 235 receives the certificate use approval message through the designated communication network. For example, when the user's wireless terminal 105 transmits a certificate use approval message through wireless messaging, the use approval reception unit 235 transmits the certificate using the communication network via the mobile communication network providing the wireless messaging And may receive a usage approval message. Alternatively, when transmitting the certificate use approval message through the data network in the program provided in the user's wireless terminal 105, the use approval receiving unit 235 transmits the certificate use approval message Lt; / RTI &gt;

According to the embodiment of the present invention, the certificate use approval message may include a use approval password input from the user terminal 105, and the use approval password may be compared with the previously registered password. (Or available) to the user terminal 105 through the certificate copying procedure, the certificate use acceptance message may include a certificate (or an available certificate) provided to the terminal 105 of the actual user And the usage approval value may be authenticated through a separate certificate use procedure different from the nth certificate usage procedure requested from the requesting terminal 100. [

When the certificate use approval message is received through the use approval receiving unit 235, the result providing unit 245 confirms the use approval result corresponding to the certificate use approval message, (110).

2, when the management server 200 notifies the certificate use information to the information receiving means of the user, the management server 200 receives the certificate use rejection message from the user terminal 105 that has received the certificate use information message Rejection receiving unit 240 and a result providing unit 245 for providing the procedure deny result corresponding to the certificate denial message to the procedure server 110. [

A certificate use rejection message is generated and transmitted from the user terminal 105 that has received the certificate use information message, that is, the program included in the user's wireless terminal 105 or the user's wireless terminal 105 according to the embodiment of the present invention The use rejection receiving unit 240 receives the certificate use rejection message through the designated communication network. For example, when the wireless terminal 105 of the user transmits a certificate use rejection message through wireless messaging, the use rejection receiving unit 240 transmits the certificate use rejection message through the communication network via the mobile communication network providing the wireless messaging, A use reject message may be received. Or transmits the certificate use rejection message through the data network in a program provided in the user's wireless terminal 105, the use rejection receiving unit 240 transmits the certificate use rejection message through the communication network via the data network, Lt; / RTI &gt;

When the certificate use rejection message is received through the use rejection receiving unit 240, the result providing unit 245 checks the use rejection result corresponding to the certificate use rejection message, (110).

Referring to FIG. 2, when the management server 200 notifies the certificate use information to the user's communication means, the management server 200 receives a certificate use approval signal from the user terminal 105 that has been notified of the certificate use information through the call channel And a result providing unit 245 for providing a procedure approval result corresponding to the certificate use acceptance signal to the procedure server 110. [

When the user terminal 105 informed of the certificate use information through the call channel, that is, the user's wireless terminal 105 according to the embodiment of the present invention transmits a certificate use approval signal through the call channel, 235 receive the certificate use acceptance signal via the designated communication path. For example, when the authentication value (for example, the pre-registered password, the authentication number informed through the voice message of the call channel (or the voice signal)) input by the user's wireless terminal 105 is input and transmitted in DTMF signal form The use approval receiving unit 235 may receive the certificate use approval signal through a designated communication path including the communication channel.

According to the embodiment of the present invention, the certificate use approval signal may include a use approval password input from the user terminal 105, and the use approval password may be compared with the previously registered password. The certificate use approval signal may include an authentication number informed via a voice message (or voice signal) of the call channel, and the authentication number input from the user terminal 105 may be compared with the notified authentication number .

When the certificate use approval signal is received through the use approval receiving unit 235, the result providing unit 245 confirms the use approval result corresponding to the certificate use approval signal, (110).

Referring to FIG. 2, when notifying the certificate use information to the user's communication means, the management server 200 receives a certificate use rejection signal from the user terminal 105 that has been notified of the certificate use information through the communication channel And a result providing unit 245 for providing the procedure server 110 with a use rejection result corresponding to the certificate use rejection signal.

When the user terminal 105 notified of the certificate use information through the call channel, that is, the user's wireless terminal 105 according to the embodiment of the present invention transmits a certificate use denial signal through the call channel, 240 receives the certificate use denial signal via the designated communication path. For example, when the authentication value (for example, the pre-registered password, the authentication number informed through the voice message of the call channel (or the voice signal)) input by the user's wireless terminal 105 is input and transmitted in DTMF signal form The use approval receiving unit 235 may receive the certificate use rejection signal through a designated communication path including the communication channel.

When the certificate use rejection signal is received through the use rejection receiving unit 240, the result providing unit 245 confirms the use rejection result corresponding to the certificate use rejection signal, (110).

Referring to FIG. 2, the procedure server 110 receives a use approval result approved by the user from the management server 200, or receives a use reject result rejected by the user from the management server 200 And a result receiving unit 150 for receiving the result.

When the result of the use approval is received through the result receiving unit 150, the certificate procedure performing unit 125 performs an n-th certificate use procedure corresponding to the use approval result (for example, using the n-th certificate through the procedure server 110 (T + 1) performing procedure of the n-th certificate use procedure to be performed through the procedure server 110 based on the use approval when the t-th performing procedure of the procedure is performed, ) To provide certificate-based services.

On the other hand, when the result of rejection is received through the result receiving unit 150, the certificate procedure execution unit 125 generates a certificate-based authentication error for the n-th certificate use procedure that is being performed, Provides authentication error results.

3 is a flowchart illustrating a process of using a certificate between a requesting terminal 100 and a procedure server 110 according to an embodiment of the present invention.

3 illustrates a process of using a certificate in cooperation with a requesting terminal 100 and a procedure server 110 when a certificate is required to be used during a service procedure according to a service request of the requesting terminal 100 Those skilled in the art will appreciate that reference to and / or modification of FIG. 3 may be used to determine various ways of practicing the certificate use procedure (e.g., some steps may be omitted, However, the present invention includes all of the above-described embodiments, and the technical features of the present invention are not limited only by the method shown in FIG.

Referring to FIG. 3, a requesting terminal 100 requests a service through a communication network 300, and the procedure server 110 performs a requested service procedure 305 from the requesting terminal 100 through a communication network, And confirms the service procedure provided to the request terminal 100 through the communication network (305).

If the certificate-based service is to be provided for the performed or verified service procedure, the requesting terminal 100 checks the procedure value necessary for using the certificate based on the previously performed service procedure (310), and operates the subscriber program And displays a certificate selection interface (310). Meanwhile, the procedure server 110 may perform a procedure of providing a certificate selection interface to the requesting terminal 100 or providing a procedure value necessary for using the certificate (310)

The subscriber program of the requesting terminal 100 identifies at least one certificate medium having a certificate available in the requesting terminal 100, extracts the certificate-related information in cooperation with the certificate medium, and displays it on the certificate selection interface (315).

If a certificate to be used for the certificate-based service is selected through the certificate selection interface, the subscriber program of the requesting terminal 100 authenticates the certificate using the certificate medium corresponding to the selected certificate (for example, Etc.) (320).

The subscriber program of the requesting terminal 100 decides to perform the n-th certificate use procedure among the N certificate use procedures according to the certificate related standard (325). However, the certificate use procedure to be performed for one certificate-based service (for example, a certificate-based login or a certificate-based digital signature) is not limited to only the n-th certificate use procedure, For the base service, more than one certificate use procedure is performed in conjunction. However, the embodiment of the present invention describes the features of the present invention in detail on the basis of the n-th certificate use procedure. If a person skilled in the art is familiar with the present invention, It is possible to apply to the certificate use procedure other than the use procedure, and the present invention covers all such embodiments.

The subscriber program of the requesting terminal 100 may perform a first through a (t-1) -th processing to be performed on the terminal side among the T performing procedures for the n-th certificate use procedure according to the specification related to the n-th certificate use procedure The procedure is processed (330). If the first to t-th execution procedures are processed, the subscriber program of the requesting terminal 100 requests to process the t-th procedure of the n-th certificate use procedure through the certificate use procedure path 335). Here, the first to (t-1) -th execution procedures are collectively referred to as execution procedures to be performed on the terminal side on the certificate use procedure path for the n-th certificate use procedure, and it is possible to include a plurality of associated procedures.

The procedure server 110 on the certificate use procedure path checks (340) the first through t-1 execution procedures processed at the requesting terminal 100 side for the n-th certificate use procedure (340) (T-1) -th execution procedure, the certificate use value generated through the first through the (t-1) -th execution procedures is checked (340).

The procedure server 110 processes the t-th execution procedure to be performed on the server side on the certificate use procedure path for the n-th certificate use procedure (345). Here, the t-th execution procedure does not refer to only one procedure, but is a collective term of execution procedures to be performed on the server side on the certificate use procedure path for the n-th certificate use procedure, It is possible.

If a procedure value or a usage value of a certificate is provided to the requesting terminal 100 as needed during the t-th execution procedure of the n-th certificate use procedure to perform the terminal-side execution procedure, The subscriber program of the requesting terminal 100 provides the procedure value or the value of the certificate used for the terminal side operation procedure to the requesting terminal 100 and the subscriber program of the requesting terminal 100 should be performed on the terminal side using the procedure value or the certificate usage value (330), and repeating the process (335) of requesting an execution procedure associated with the procedure server (110) on the certificate use procedure path.

FIG. 4 is a diagram illustrating a process of notifying the use of a certificate according to an embodiment of the present invention.

4, the management server 200 confirms the n-th certificate use procedure being performed on the certificate use procedure path through the process shown in Fig. 3, and then, based on the n-th certificate use procedure, If the person skilled in the art is familiar with the present invention, it is possible to refer to and / or modify the FIG. 4 to generate the certificate use information notification process It is to be understood that the invention may be practiced otherwise than as specifically described herein, but it is to be understood and appreciated that the invention may be practiced otherwise than as specifically described herein, Its technical characteristics are not limited.

Referring to FIG. 4, when the n-th certificate use procedure is performed on the certificate use procedure path through the process shown in FIG. 3, the procedure server 110 on the certificate use procedure path The certificate procedure information is confirmed based on the first to t-th procedures performed on the certificate use procedure path (400).

If the certificate procedure information for the n-th certificate use procedure is confirmed, the procedure server 110 generates (405) a certificate use message for transmitting the certificate procedure information to the management server 200, And transmits the certificate use message to the management server 200 (410). Preferably, the certificate use message may be generated and transmitted according to the first to fourth certificate use messaging methods.

The management server 200 receives the certificate use message from the procedure server 110 on the certificate use procedure path (415). Meanwhile, the management server 200 can receive the certificate use message from the requesting terminal 100 or another communication terminal in the certificate use procedure according to the embodiment, and thus the present invention is not limited thereto.

The management server 200 confirms the n-th certificate use procedure being performed on the certificate use procedure path based on the certificate use message (420).

If the n-th certificate use procedure is confirmed, the management server 200 confirms (425) the certificate procedure information related to the n-th certificate use procedure being performed on the certificate use procedure path, The validity of the n-th certificate use procedure is confirmed through the identification information and / or the designated value (430).

If the validity of the n-th certificate use procedure is authenticated, the management server 200 determines whether the n-th certificate use procedure corresponds to the use of the notified certificate based on the identification information included in the certificate procedure information 435).

If the n-th certificate use procedure corresponds to the use of the notified certificate, the management server 200 generates a certificate for performing the certificate use procedure on the certificate use procedure path based on the certificate procedure information of the n-th certificate use procedure The usage information is generated (440), the information received by the information receiving means of the actual user (for example, the wireless terminal 105 of the user who can receive the message, the program installed in the user wireless terminal 105, (At least one of a user account mapped with a program provided in the terminal 105, a member account of the user, and a mail address of the user) (445), and then the certificate corresponding to the certificate use information A procedure of notifying the use message is performed (450).

FIG. 5 is a diagram illustrating a process of approving or denying a certificate according to an embodiment of the present invention.

5 is a flowchart illustrating a method of using a certificate used by a real user of a certificate based on a certificate use information message notified to a user through the process shown in FIG. Approval and / or denial of use. If the person skilled in the art is familiar with the present invention, referring to and / or modified with reference to FIG. 5, (For example, an operation method in which some steps are omitted or the order is changed). However, the present invention includes all of the above-mentioned embodiments, and the technical features Is not limited.

Referring to FIG. 5, the terminal 105 of an actual user who has received the certificate used in the n-th certificate use procedure performed through the process shown in FIG. 3 uses the designated communication network through the process shown in FIG. A procedure for notifying the certificate use information message is performed (500), and a procedure for checking the certificate use information based on the certificate use information message notification through the communication network is performed (505).

If the certificate use information is confirmed on the basis of the certificate use information message notification, the user terminal 105 displays the identified certificate use information (510), and the certificate use approval Or deny the use of the certificate to decline the use (510).

The user terminal 105 confirms the approval or non-use of the certificate of the actual user for the certificate use information through the certificate use approval / denial interface (515).

If the approval of the use of the actual user is confirmed through the certificate use approval / denial interface, the user terminal 105 transmits a certificate use approval message to the management server 200 (520) And receives the certificate use approval message (525). The management server 200 checks the approval result approved by the actual user based on the certificate use approval message to the procedure server 110 in operation 530 and provides the approval result to the procedure server 110 (535).

If the denial of the actual user's use of the certificate is confirmed through the certificate use approval / denial interface, the user terminal 105 transmits a certificate use rejection message to the management server 200 in operation 540, The user terminal receives the certificate use rejection message (545). The management server 200 confirms the use rejection result denied by the actual user based on the certificate use denial message to the procedure server 110 in operation 550 and transmits the use denial result to the procedure server 110 (555). If the nth certificate use procedure is not validated through the process shown in FIG. 4, the management server 200 generates a use rejection result for the validity result of the nth certificate use procedure (step 560 ), The procedure server 110 may provide the use rejection result (555).

FIG. 6 is a flowchart illustrating a process of approving or denying a certificate according to another embodiment of the present invention.

6 is a flowchart illustrating a process of transmitting a certificate request message from a requesting terminal 100 on a certificate use procedure path to a certificate requesting user based on certificate use information notified to a user using a call channel through the process shown in FIG. If the person skilled in the art is familiar with the present invention, referring to and / or modifying FIG. 6, the process of processing the use approval / It is to be understood that the invention may be practiced otherwise than as specifically described herein, but it will be appreciated that the invention may be practiced otherwise than as specifically described herein, The technical characteristics thereof are not limited.

Referring to FIG. 6, the terminal 105 of the actual user who has received the certificate used in the n-th certificate use procedure performed through the process shown in FIG. 3 performs the process shown in FIG. 4 or 5 (600) in response to the certificate use information notification procedure for receiving the certificate use information based on the telephone call. If the call channel is connected, the user terminal 105 outputs certificate usage information in the form of a voice message (or voice signal) received through the call channel (605).

On the other hand, when the user is requested to use or deny the use of the certificate for the use of the certificate together with the certificate use information notification (for example, when a voice message (or a voice signal) requesting the use approval or the use rejection is output) The terminal 105 confirms the certificate use approval or the certificate use rejection selection input by the user based on the voice message (or voice signal) (610).

If the approval of the use of the user's certificate is confirmed based on the voice message (or voice signal), the user terminal 105 transmits a certificate use approval signal through the call channel (615) (620) the certificate use acceptance signal over the designated communication path. The management server 200 checks the approval result approved by the actual user based on the certificate use approval signal to the procedure server 110 in step 625 and provides the approval result to the procedure server 110 (630).

If the user's denial of use of the certificate is confirmed on the basis of the voice message (or voice signal), the user terminal 105 transmits a certificate denial signal through the call channel (635) (640) the certificate use denial signal over the designated communication path. The management server 200 confirms the rejection result rejected by the actual user based on the certificate use rejection signal to the procedure server 110 in operation 645 and provides the rejection result to the procedure server 110 (650). Meanwhile, if the n-th certificate use procedure is not validated through the process shown in Fig. 4, the management server 200 generates a use rejection result for the n-th certificate use procedure validation result (655 ), The procedure server 110 may provide the use rejection result (650).

7 is a flowchart illustrating a process of using a certificate between a requesting terminal 100 and a procedure server 110 according to an embodiment of the present invention.

In more detail, FIG. 7 illustrates a process of processing a n-th certificate use procedure that is selectively performed on a certificate use procedure path according to a certificate use approval or a use deny determined through the process shown in FIG. 5 or 6 , Those skilled in the art will be able to refer to and / or modify this FIG. 7 to illustrate the various ways of practicing the certificate use procedure (e.g., some steps omitted, However, the present invention includes all of the above-described embodiments, and the technical features of the present invention are not limited by the method shown in FIG.

Referring to FIG. 7, when the result of the use approval by the user is received (700) from the management server 200 through the process shown in FIG. 5 or 6, the procedure server 110 The server-side execution procedure on the certificate use procedure path for the n-th certificate use procedure that is being performed through the process shown in FIG. 3 is processed (705). 4, FIG. 5, or FIG. 6, another certificate use procedure is being performed in addition to the n-th certificate use procedure, or a certificate use procedure performed through the process shown in FIG. 4, FIG. 5, The procedure server 110 may process the server-side execution procedure on the certificate use procedure path for the certificate use procedure that is being performed through the process shown in FIG. 3 (step 705) .

If the n-th certificate use procedure is completed, the procedure server 110 confirms whether the certificate-based authentication is performed according to the n-th certificate use procedure (710). Here, the certificate-based authentication is a result based on the n-th certificate use procedure being performed in the procedure server 110 provided on the certificate use procedure path, and is a result different from the use approval result. That is, even if the use approval result is received through the process shown in FIG. 5 or 6, if an error occurs during the execution procedure of the n-th certificate use procedure, the certificate based authentication may fail.

If the certificate-based authentication is successful, the procedure server 110 performs a certificate use procedure associated with the n-th certificate use procedure based on the certificate-based authentication, or performs a certificate use procedure associated with the n-th certificate use procedure (715), the requesting terminal 100 performs a procedure of performing a terminal-side operation of the certificate use procedure associated with the n-th certificate use procedure or a procedure of using the certificate-based service (720) .

On the other hand, if the use rejection result is received (725) from the management server 200 through the process shown in FIG. 5 or 6, or if the certificate based authentication fails even if the use approval result is received from the management server 200 , The procedure server 110 determines 730 a certificate based authentication error for the nth certificate use procedure and provides 735 a certificate based authentication error to the requesting terminal 100, And receives and outputs the certificate-based authentication error (740).

100: request terminal 105: user terminal
110: procedure server 115: service procedure performing unit
120: certificate use determination unit 125: certificate procedure execution unit
130: Certificate procedure confirmation unit 135: Procedure information verification unit
140: certificate procedure notifying unit 145: log storage unit
150: result reception unit 200: management server
205: information storage unit 210: certificate procedure receiver
215: Certificate use authentication unit 220: Notification object confirmation unit
225: Usage information generating unit 230: Usage information notifying unit
235: Usage approval reception unit 240: Use rejection reception unit
245: Results

Claims (27)

A first step of the management server receiving a certificate use message from a designated procedure server performing a certificate use procedure on a certificate use procedure path;
A second step of the management server verifying that the certificate use procedure is being performed on the certificate use procedure path using the certificate use message;
A third step in which the management server generates certificate use information indicating that the certificate use procedure is being performed on the certificate use procedure path using the certificate procedure information corresponding to the certificate use message; And
And a fourth step of performing a procedure for the management server to notify the certificate use information to the wireless terminal of the actual user through the call channel by connecting a call channel with a designated wireless terminal of the actual user who has issued the certificate How to manage certificates that contain.
2. The method according to claim 1,
And verifying that a certificate path establishment / verification procedure is being performed on the certificate use procedure path.
2. The method according to claim 1,
And confirming that a certificate validity authentication procedure using a certificate revocation list (CRL) is being performed on the certificate use procedure path.
2. The method according to claim 1,
And confirming that a certificate validity authentication procedure using an online certificate status protocol (OCSP) is being performed on the certificate use procedure path.
2. The method according to claim 1,
And confirming that a procedure using an electronic signature algorithm using a certificate is being performed on the certificate use procedure path.
2. The method according to claim 1,
And confirming that a procedure using a hash algorithm using a certificate is being performed on the certificate use procedure path.
2. The method according to claim 1,
And confirming that a procedure using an encryption algorithm using a certificate is being performed on the certificate use procedure path.
2. The method according to claim 1,
And confirming that at least one of a certificate issuing procedure, a certificate re-issuing procedure, a certificate renewal procedure, a certificate copying procedure, and a certificate revocation procedure is performed on the certificate use procedure path.
The method according to claim 1,
Further comprising the step of the management server verifying the certificate procedure information corresponding to the certificate use message,
Wherein the second step reads the certificate procedure information and verifies that the certificate use procedure is being performed on the certificate use procedure path.
2. The method of claim 1,
And one or more specification definition information defined in the specification related to the certificate use procedure,
And at least one non-standard information exchanged or obtained through the certificate use procedure path for the certificate use procedure.
2. The method of claim 1,
Certificate identification information that identifies the certificate used in the certificate use procedure,
Issuer identification information that identifies the issuer that issued the certificate,
The certification authority identification information for identifying the authorized certification authority of the certificate,
And issuing institution identification information for identifying the issuing institution of the certificate.
2. The method of claim 1,
Medium identification information for identifying the certificate medium storing the certificate,
Requesting institution identification information for identifying the requesting institution requesting the use of the certificate,
Procedure identification information that identifies the procedure for using the certificate,
And at least one identification information of the terminal identification information requesting the use of the certificate.
13. The method of claim 12,
Identification information matching the unique identification code of the terminal registered through the designated terminal registration procedure,
Identification information matching with the unique authentication code of the terminal program identified through the program mounting / authentication procedure,
Identification information matching with the fixed address of the terminal,
Identification information matching with an ISP (Internet Service Provider) -based location information of the terminal,
Identification information matching with GPS (Global Positioning System) -based location information of the terminal,
Identification information matching with base station-based location information of the terminal,
And at least one of identification information matching a telephone number of the terminal.
2. The method of claim 1,
The procedure values necessary for using the certificate,
And at least one value of a certificate use value generated using the certificate.
The method according to claim 1,
Confirming at least one designated identification information previously designated to authenticate the validity of the certificate use procedure among the identification information included in the certificate procedure information; And
And authenticating the validity of the certificate use procedure by authenticating the identified identification information by the management server.
16. The information processing apparatus according to claim 15,
Medium identification information for identifying the certificate medium storing the certificate,
Procedure identification information that identifies the procedure for using the certificate,
And at least one of the terminal identification information requesting the use of the certificate.
The method according to claim 1,
Confirming at least one designated value that is predetermined for authenticating the validity of the certificate use procedure among the procedure value and the certificate use value included in the certificate procedure information; And
And authenticating the validity of the certificate use procedure by authenticating the identified designated value by the management server.
The method according to claim 1,
Further comprising storing the notification subject certificate identification information for identifying the usage of the notification subject certificate by the management server,
Comparing and authenticating the at least one certificate identification information included in the certificate procedure information with the notification target certificate identification information; And
And confirming that the management server is performing a notification subject certificate use procedure on the certificate use procedure path when the certificate identification information is matched with the notification subject certificate identification information. How to manage.
The method according to claim 1,
Further comprising storing the notification subject issuer identification information for identifying the use of the notification subject certificate by the management server,
Comparing the at least one issuer identification information included in the certificate procedure information with the notification subject issuer identification information; And
And confirming that the management server is performing the notification subject certificate use procedure on the certificate use procedure path when the issuer identification information is matched with the notification subject issuer identification information How to manage.
The method according to claim 1,
Further comprising storing the notification target procedure identification information for identifying the use of the notified certificate by the management server,
Comparing and authenticating the at least one procedure identification information included in the certificate procedure information with the notification target procedure identification information; And
And confirming that the management server is performing a notification subject certificate use procedure on the certificate use procedure path if the procedure identification information matches the notification subject procedure identification information. How to manage.
The information processing apparatus according to claim 1,
Date information of the certificate issued to the user, institution information of the certification authority of the certificate, institution information of the certificate issuing authority, at least one institution information involved in the certificate use procedure, certificate use field information, Wherein the at least one of the certificate information, the certificate medium information, the transaction information used in the certificate, and the terminal information used in the certificate use is included in the form of a character string or a structure.
The method according to claim 1,
Further comprising the step of the management server receiving a certificate use approval signal for the certificate use information from a wireless terminal of an actual user to which the communication channel is connected.
23. The method of claim 22,
Further comprising the step of the management server providing the procedure acceptance result corresponding to the certificate use acceptance signal to the procedure server.
The method according to claim 1,
Further comprising the step of the management server receiving a certificate use rejection signal for the certificate use information from a wireless terminal of an actual user to which the communication channel is connected.
25. The method of claim 24,
Further comprising the step of the management server providing to the procedure server a use rejection result corresponding to the certificate use rejection signal.
The management server according to claim 1,
And a server that does not form a direct contact point with a requesting terminal requesting a certificate use on the certificate use procedure path.
The management server according to claim 1,
And establishing a communication contact with a wireless terminal of an actual user who has issued the certificate on a separate channel different from the certificate use procedure path.

Images