KR20160114966A - Method for Processing Certification by using Secure Operating System

Publication number
KR20160114966A
Authority
KR
South Korea
Prior art keywords
program
secure
memory area
authentication
general
Application number
KR1020150041527A
Other languages
Korean (ko)
Inventor
김종서
Original Assignee
(주)에이티솔루션즈
Application filed by (주)에이티솔루션즈
Priority to KR1020150041527A
Publication of KR20160114966A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to an authentication processing method using a secure operating system. The method is executed by a wireless terminal equipped with a secure OS (Secure Operating System) having a secure kernel and a general OS (Normal Operating System), and comprises: a first step in which the program (n) of the general OS receives an authentication request from a designated server through a communication means of the wireless terminal; a second step in which the program (n) allocates a memory area accessible from the designated program (s) of the secure OS, or identifies a pre-allocated memory area; a third step in which the program (s) generates an authentication code corresponding to the authentication request using a code generation algorithm; a fourth step in which the program (s) provides the generated authentication code to the memory area; and a fifth step in which the program (n) transmits the authentication code of the memory area to the server through the communication means of the wireless terminal.

Description

[0001] The present invention relates to an authentication processing method using a secure operating system. Where a user's wireless terminal is equipped with both a secure OS (Operating System) having a security kernel and a general OS whose kernel structure is disclosed, the method generates an authentication code to perform the authentication procedure during an authentication process that uses the user's wireless terminal.

Various authentication services have been proposed that perform authentication procedures using a user's wireless terminal, such as the user's smart phone, as the authentication means. However, the operating system of such a wireless terminal is built on a publicly disclosed kernel such as Linux and is open source to ease application creation and rapid distribution, so it is easily hacked, and through rooting or jail-breaking the operating system itself can easily be tampered with.

As a result, conventional authentication services that use the user's wireless terminal as the authentication means are in fact using an unsafe wireless terminal as the authentication means. Recently, providing an authentication service through a contactless interface between the wireless terminal and an object such as an NFC card has been explored. However, this inconveniences the user, who must carry a separate authentication object in addition to the wireless terminal.

On the other hand, Trust Zone technology has been proposed, in which one physical processor core is divided into two worlds, Secure World and Normal World, and each world is isolated. In Trust Zone technology, the Normal World runs a normal operating system and the Secure World runs a security-enhanced operating system. Because the Secure World is kept isolated from the Normal World, the security of the isolated Secure World is maintained even if the Normal World is hacked or forged.

The isolation of Secure World and Normal World in Trust Zone technology is one of the key points in ensuring the security of Secure World. An application executed in the Secure World can directly access and control various components provided in the terminal, such as a display device, a communication device, and an input device, without using the operating system of the Normal World (Patent Registration No. 10-1259824). Although Secure World and Normal World physically share a single processor core in a single terminal and Secure World runs through Normal World, the Secure World and the Normal World are, in terms of hardware and software, separate systems.

Accordingly, when a user must input an OTP (One Time Password) while using Internet banking through a personal computer, an OTP application loaded in the Secure World (= Trust Zone) of the user's wireless terminal is executed to generate an OTP. The user reads the OTP on the screen of the wireless terminal and enters it into the Internet banking session on the personal computer.

However, when the wireless terminal is used as the authentication means, the authentication application that performs the authentication procedure must be installed on the general OS side of the wireless terminal. Even if a separate security app is mounted on the secure OS, it is technically difficult for the two to cooperate with each other in performing the authentication procedure.

An object of the present invention, to overcome the above problems, is to provide an authentication processing method using a secure operating system in which, when heterogeneous OSes comprising a general OS and a secure OS are mounted on a wireless terminal and an authentication request using an authentication code is confirmed, a memory area accessible from the program (s) of the secure OS is allocated or a pre-allocated memory area is checked, the authentication code is generated through the program (s) of the secure OS, and the heterogeneous general OS and secure OS interact with each other through the memory area to perform an authentication procedure based on the authentication code.

The authentication processing method using a secure operating system according to the present invention is executed by a wireless terminal equipped with a secure OS (Secure Operating System) having a secure kernel and a general OS (Normal Operating System), and comprises: a first step in which the program (n) of the general OS receives an authentication request from a designated server through a communication means of the wireless terminal; a second step in which the program (n) allocates a memory area accessible from the program (s) of the secure OS, or checks a pre-allocated memory area; a third step in which the program (s) of the secure OS generates an authentication code corresponding to the authentication request using the code generation algorithm provided in the secure OS; a fourth step in which the program (s) provides the generated authentication code to the memory area; and a fifth step in which the program (n) transmits the authentication code of the memory area to the server through the communication means of the wireless terminal.

According to the present invention, the secure OS may include a trust zone installed in the processor.

According to the present invention, the authentication request may include an authentication request using a separate communication network distinguished from a communication network between the wireless terminal and the server.

According to the present invention, the authentication processing method using the secure operating system may further include the program (n) identifying whether the program (s) assigned to the secure OS is installed, or identifying the program (s) to the general OS storage area.

According to the present invention, the authentication processing method using the secure operating system may further include storing and holding status information on the program (n) immediately before the program (n) is switched to the secure OS.

According to the present invention, the second step may further include the step of the program (n) operating the secure OS through an SMC (Secure Monitor Call) command.

According to the present invention, in the second step, the program (n) can allocate the memory area in the general OS or check the pre-allocated memory area.

According to the present invention, the second step may allocate the memory area in the security monitor that performs the switching procedure between the general OS and the secure OS, or may check the pre-allocated memory area.

According to the present invention, in the second step, the program (n) can allocate a memory area accessible from the program (s) of the secure OS on a security server on the network, or check the pre-allocated memory area.

According to the present invention, the second step may further comprise setting the program (n) as the general-OS-side process that refers to the memory area.

According to another aspect of the present invention, the authentication processing method using the secure operating system further comprises the program (s) storing one or more fixed key values in a storage area of the secure OS, and the authentication code can be generated by using the fixed key value as one of the seeds to be substituted into the code generation algorithm.

According to the present invention, the third step comprises the step of the program (s) confirming at least one dynamic key value via the secure OS, and the program (s) can generate the authentication code by using the dynamic key value as one of the seeds to be substituted into the code generation algorithm.

According to the present invention, in the third step, the program (s) accesses the input means of the wireless terminal through the secure OS to receive a PIN (Personal Identification Number), and checks the validity of the PIN to authenticate the user.

According to the present invention, the authentication processing method using the secure operating system further includes the program (s) encrypting the generated authentication code so that it can be decrypted through a designated server, and the program (s) may provide the encrypted authentication code to the memory area.

According to the present invention, the authentication processing method using the secure operating system further includes the step of the program (n) confirming the encrypted authentication code from the memory area via the program (s), and in the fifth step the program (n) may transmit the encrypted authentication code to the server via the communication means of the wireless terminal.

According to the present invention, when heterogeneous OSes comprising a general OS and a secure OS are mounted on a wireless terminal and an authentication-code-based authentication procedure is handled in the program (n) of the general OS, an authentication code is generated and the authentication procedure is performed. Thus, even if the general OS of the wireless terminal is hacked or tampered with, there is the advantage that authentication using the wireless terminal is provided securely.
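The five steps above as a runnable simulation, added here as an illustration and not taken from the patent: object encapsulation stands in for Trust Zone isolation and a method call stands in for the SMC world switch. The class names, the sample PIN, the use of a server challenge as the dynamic key value, and the code generation algorithm (HMAC-SHA256 with HOTP-style truncation) are assumptions, since the patent does not name an algorithm.

```python
import hashlib
import hmac
import secrets
import struct


def generate_code(fixed_key, dynamic_value, digits=6):
    """Assumed code generation algorithm: HMAC-SHA256 keyed with the fixed key
    over the dynamic value, reduced by HOTP-style dynamic truncation."""
    mac = hmac.new(fixed_key, dynamic_value, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class SharedMemoryArea:
    """Step 2: the memory area program (n) allocates and program (s) fills."""

    def __init__(self, size=16):
        self._buf = bytearray(size)
        self._used = 0

    def write(self, payload):
        if len(payload) > len(self._buf):
            raise ValueError("authentication code does not fit the memory area")
        self._buf[:len(payload)] = payload
        self._used = len(payload)

    def read_and_clear(self):
        payload = bytes(self._buf[:self._used])
        self._buf[:] = bytes(len(self._buf))  # zero the area once it is read
        self._used = 0
        return payload


class SecureProgram:
    """Program (s): the fixed key and the PIN check never leave this object,
    which stands in for the secure OS side."""

    def __init__(self, fixed_key, pin):
        self._fixed_key = fixed_key
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)

    def _hash_pin(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def handle_request(self, dynamic_value, area, read_pin):
        # read_pin stands in for the input unit driven by the secure OS driver.
        if not hmac.compare_digest(self._hash_pin(read_pin()), self._pin_hash):
            return False  # invalid PIN: nothing is written to the memory area
        code = generate_code(self._fixed_key, dynamic_value)  # step 3
        area.write(code.encode())                             # step 4
        return True


class AuthServer:
    """Server side: issues the request and verifies the returned code."""

    def __init__(self, fixed_key):
        self._fixed_key = fixed_key
        self._pending = {}

    def request_authentication(self):
        request_id = secrets.token_hex(8)
        challenge = secrets.token_bytes(16)  # dynamic value, constructed here
        self._pending[request_id] = challenge
        return request_id, challenge

    def verify(self, request_id, code):
        challenge = self._pending.pop(request_id, None)  # each request is single use
        if challenge is None:
            return False
        expected = generate_code(self._fixed_key, challenge).encode()
        return hmac.compare_digest(expected, code)


class NormalProgram:
    """Program (n): relays between server and program (s); holds no key."""

    def __init__(self, secure_program):
        self._secure = secure_program

    def authenticate(self, server, read_pin):
        request_id, challenge = server.request_authentication()  # step 1
        area = SharedMemoryArea()                                 # step 2
        # On a real terminal this call is the world switch (SMC); here it is
        # an ordinary method call.
        if not self._secure.handle_request(challenge, area, read_pin):
            return False
        return server.verify(request_id, area.read_and_clear())  # step 5


def demo():
    key = secrets.token_bytes(32)  # constructed fixed key
    server = AuthServer(key)
    terminal = NormalProgram(SecureProgram(key, "4921"))  # constructed PIN
    return (terminal.authenticate(server, lambda: "4921"),
            terminal.authenticate(server, lambda: "0000"))


if __name__ == "__main__":
    print(demo())
```

In this model the general-OS side sees only the short-lived code in the memory area, never the fixed key, and a code replayed against an already-verified request is rejected by the server.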

FIG. 1 is a diagram illustrating a configuration of an authentication system using a secure OS of a wireless terminal according to an embodiment of the present invention.
FIG. 2 is a diagram illustrating a functional configuration of a wireless terminal according to an embodiment of the present invention.
FIG. 3 is a diagram showing a functional configuration of a program according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating a process of preparing a program (s) in a secure OS according to an embodiment of the present invention.
FIG. 5 is a diagram illustrating a process of interworking between a general OS and a secure OS according to an embodiment of the present invention.
FIG. 6 is a diagram illustrating a process of generating an authentication code through a secure OS according to an embodiment of the present invention and performing an authentication procedure.

The operation principle of the preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings and description. It should be understood, however, that the drawings and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention, and are not to be construed as limiting the present invention.

In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The terms used below are defined in consideration of the functions of the present invention, which may vary depending on the user, intention or custom of the operator. Therefore, the definition should be based on the contents throughout the present invention.

As a result, the technical idea of the present invention is determined by the claims, and the following embodiments are merely a means of effectively explaining the technical idea of the present invention to a person having ordinary skill in the art to which the present invention belongs.

FIG. 1 is a diagram illustrating a configuration of an authentication system using a secure OS 220 of a wireless terminal 200 according to an embodiment of the present invention.

More specifically, FIG. 1 illustrates a system that, during an authentication process using the user's wireless terminal 200, generates an authentication code through the secure OS 220 isolated from the general OS 210 provided in the user's wireless terminal 200 and performs the authentication procedure for an authentication request made using the first communication network. The invention may be practiced otherwise than as specifically illustrated in FIG. 1, and its technical features are not limited only by the illustrated method of implementation.

The authentication system according to the present invention includes a user's wireless terminal 200 equipped with a secure OS 220 having a secure kernel 230 and a general OS 210 whose kernel structure is disclosed, a mobile server 110 that communicates with the user's wireless terminal 200, and an authentication server 115 that authenticates the authentication code generated through the secure OS 220 of the wireless terminal 200. Meanwhile, the authentication server 115 may be implemented through the mobile server 110 according to an embodiment.

In the case of providing two-channel authentication using the user's wireless terminal 200, the authentication system further includes a user terminal 100 used by the user in addition to the user's wireless terminal 200, and an authentication request server 105 connected to the user terminal 100 through a first communication network, and the mobile server 110 communicates with the user's wireless terminal 200 through a separate second communication network different from the first communication network. Meanwhile, the authentication server 115 may be implemented in at least one of the authentication request server 105 and the mobile server 110, and/or the authentication request server 105 and the mobile server 110 may be implemented as one server.

The user's wireless terminal 200 is a general term for a wireless communication terminal equipped with a secure OS 220 having a secure kernel 230 and a general OS 210 whose kernel structure is disclosed, such as a smart phone, a mobile phone, or a tablet PC equipped with an ARM processor.

The mobile server 110 is a general term for a server that communicates with the wireless terminal 200 of a user on which the secure OS 220 is installed. The mobile server 110 preferably includes a server that communicates with a program installed in the general OS 210 of the wireless terminal 200. Meanwhile, the mobile server 110 can communicate with a program installed in the secure OS 220 of the wireless terminal 200 according to an embodiment, and the present invention is not limited in this respect.

The user terminal 100 is a general term for a terminal used by the user in addition to the wireless terminal 200, and may preferably include a personal computer or a wired terminal such as a notebook computer. However, the user terminal 100 is not limited to a wired terminal but may include a wireless terminal 200 used by the user.

The authentication request server 105 is a general term for a server that the user terminal 100 accesses, and may preferably include at least one of a web server, an Internet banking server, and a payment server that requests two-channel authentication. The authentication request server 105 requests an authentication code from the user's wireless terminal 200 through the mobile server 110 during a transaction procedure through the user terminal 100 (or an authentication procedure requested from the user terminal 100).

The authentication server 115 collectively refers to a server that authenticates an authentication code generated through the secure OS 220 of the wireless terminal 200. When the authentication code is generated in OTP form, it may include a server for authenticating the OTP, or a server for authenticating the session key when the authentication code is generated in the form of a session key.

FIG. 2 is a diagram illustrating a functional configuration of a wireless terminal 200 according to an embodiment of the present invention.

More specifically, FIG. 2 illustrates the functional configuration of a wireless terminal 200 equipped with a secure OS 220 having a secure kernel 230 and a general OS 210 whose kernel structure is disclosed. The present invention is not limited to the illustrated embodiment, and various changes and modifications may be made without departing from the scope of the present invention. The wireless terminal 200 of FIG. 2 may include various terminals such as a smart phone, a tablet PC, and a PDA equipped with the secure OS 220 and the general OS 210.

Referring to FIG. 2, the wireless terminal 200 includes a control unit 205, a memory unit 265, a screen output unit 235, a user input unit 240, a sound processing unit 245, a short-range wireless communication unit 250, a wireless network communication unit 255, a USIM reader unit 260, and a USIM, and has a battery for power supply.

The control unit 205 is a collective term for the configuration that controls the operation of the wireless terminal 200. The control unit 205 physically includes a processor and an execution memory and is connected to each component provided in the wireless terminal 200 through a bus. Preferably, the processor may comprise an ARM processor.

According to the present invention, the control unit 205 controls a normal world in which a general OS 210 (Normal Operating System) whose kernel structure, API and drivers are disclosed is operated, and a secure world in which a secure OS 220 (Secure Operating System) having a secure kernel 230 is operated. The normal world and the secure world are constructed in a mutually isolated structure. Preferably, the secure OS 220 includes a Trust Zone of the ARM processor. Hereinafter, the functional units of the present invention will be described on the general OS 210 and the secure OS 220 operated by the control unit 205.

The memory unit 265 is a generic name for the nonvolatile memory corresponding to the storage unit included in the wireless terminal 200, and stores at least one program code executed through the control unit 205 and at least one data set.

According to the present invention, the memory unit 265 may include a general OS storage area accessed by the general OS 210 and a secure OS storage area accessed by the secure OS 220, and the general OS 210 cannot access the secure OS storage area. The general OS storage area may store program codes corresponding to applications executed through the general OS 210 and at least one data set used by applications of the general OS 210. The secure OS storage area may store program codes corresponding to applications executed through the secure OS 220 and at least one data set used by applications of the secure OS 220.

The general OS 210 has a kernel whose structure is disclosed (hereinafter referred to as the "general kernel 215" in contrast to the secure kernel 230 of the secure OS 220). The general kernel 215 can access various resources of the wireless terminal 200 such as the screen output unit 235, the user input unit 240, the sound processing unit 245, the short-range wireless communication unit 250 and the wireless network communication unit 255, and may include a driver on the general OS 210 for this purpose. The general kernel 215 of the general OS 210 cannot access the secure OS storage area, and the general OS 210 and the secure OS 220 are isolated from each other.

The secure OS 220 includes a secure kernel 230 whose kernel structure is not disclosed. The secure kernel 230 of the secure OS 220 can access various resources of the wireless terminal 200 such as the screen output unit 235, the user input unit 240, the sound processing unit 245, the short-range wireless communication unit 250 and the wireless network communication unit 255, and can include a driver on the secure OS 220 for this purpose. Preferably, the secure kernel 230 of the secure OS 220 cannot access the general OS storage area, and the secure OS 220 and the general OS 210 are isolated from each other.

The screen output unit 235 is the screen output means provided in the wireless terminal 200 and may include a display such as a liquid crystal display (LCD) or a touch screen including a touch input unit.

The general kernel 215 of the general OS 210 includes a driver for accessing and controlling the display or the touch screen of the screen output unit 235. When the general kernel 215 accesses and controls the screen output unit 235, the secure OS 220 cannot access the screen output unit 235.

The secure kernel 230 of the secure OS 220 has a separate security driver for accessing and controlling the display or the touch screen of the screen output unit 235. When the secure kernel 230 accesses and controls the screen output unit 235, the general OS 210 cannot access the screen output unit 235.

The user input unit 240 may include the touch input unit of the touch screen when the screen output unit 235 includes a touch screen, and may include a keypad and a key button.

The general kernel 215 of the general OS 210 includes a driver for accessing and controlling a touch input unit, a keypad or a key button of the user input unit 240. When the general kernel 215 accesses and controls the user input unit 240, the secure OS 220 cannot access the user input unit 240.

The secure kernel 230 of the secure OS 220 has a separate security driver for accessing and controlling the touch input unit, keypad or key button of the user input unit 240. When the secure kernel 230 accesses and controls the user input unit 240, the general OS 210 cannot access the user input unit 240.

The sound processing unit 245 may include sound output means and sound input means provided in the wireless terminal 200 and may include a speaker for outputting sound and a microphone for receiving sound.

The general kernel 215 of the general OS 210 includes a driver for accessing and controlling the speaker or microphone of the sound processing unit 245. When the general kernel 215 accesses and controls the sound processing unit 245, the secure OS 220 cannot access the sound processing unit 245 controlled by the general OS 210.

The secure kernel 230 of the secure OS 220 includes a separate security driver for accessing and controlling the speaker or microphone of the sound processing unit 245. When the secure kernel 230 accesses and controls the sound processing unit 245, the general OS 210 cannot access the sound processing unit 245 controlled by the secure OS 220.

The wireless network communication unit 255 and the short-range wireless communication unit 250 are communication means for connecting the wireless terminal 200 to a communication network. Preferably, the wireless terminal 200 includes a wireless network communication unit 255 as a basic communication unit and may further include one or more short-range wireless communication units 250.

The wireless network communication unit 255 collectively refers to communication means for connecting the wireless terminal 200 to a wireless communication network via a base station. The wireless network communication unit 255 includes an antenna for transmitting and receiving a radio frequency signal of a specific frequency band, an RF module, and at least one processing module. The wireless network communication unit 255 may connect the wireless terminal 200 to a call network including a call channel and a data channel via an exchange, and may connect the wireless terminal 200 to a data network providing packet-based wireless network data communication (e.g., the Internet).

According to an embodiment of the present invention, the wireless network communication unit 255 is a mobile communication unit that performs at least one of connection to a mobile communication network, location registration, call processing, call connection, data communication, and handoff according to standards such as CDMA/WCDMA. Meanwhile, according to the intention of a person skilled in the art, the wireless network communication unit 255 may further include a portable Internet communication configuration for performing at least one of connection to the portable Internet, location registration, data communication and handoff according to the IEEE 802.16 standard, and it is evident that the present invention is not limited by the wireless communication configuration provided by the wireless network communication unit 255. That is, the wireless network communication unit 255 is a general term for a component that accesses a wireless communication network through a cell-based base station irrespective of the frequency band of the wireless section, the type of communication network, or the protocol.

The general kernel 215 of the general OS 210 includes a driver for accessing and controlling the wireless network communication unit 255. When the general kernel 215 accesses and controls the sound processing unit 245, the secure OS 220 cannot access the wireless network communication unit 255 controlled by the general OS 210.

The secure kernel 230 of the secure OS 220 has a separate security driver for accessing and controlling the wireless network communication unit 255. When the secure kernel 230 accesses and controls the wireless network communication unit 255, the general OS 210 cannot access the wireless network communication unit 255 controlled by the secure OS 220.

The short range wireless communication unit 250 is a generic term of communication means for connecting a communication session using a radio frequency signal within a predetermined distance (e.g., about 10 m) as a communication medium and connecting the wireless terminal 200 to the communication network on the basis of the communication session. The wireless terminal 200 can be connected to the communication network through at least one of Wi-Fi communication, Bluetooth communication, public wireless communication, and UWB. According to an embodiment of the present invention, the short-range wireless communication unit 250 can connect the wireless terminal 200 to a data network providing packet-based short-range wireless data communication through a wireless AP.

The general kernel 215 of the general OS 210 includes a driver for accessing and controlling the short-range wireless communication unit 250. When the general kernel 215 accesses and controls the sound processing unit 245, the secure OS 220 cannot access the short-range wireless communication unit 250 controlled by the general OS 210.

The secure kernel 230 of the secure OS 220 includes a separate security driver for accessing and controlling the short-range wireless communication unit 250. When the secure kernel 230 accesses and controls the short-range wireless communication unit 250, the general OS 210 cannot access the short-range wireless communication unit 250 controlled by the secure OS 220.

The USIM reader 260 is a generic term for a configuration that exchanges at least one data set, based on the ISO/IEC 7816 standard, with a universal subscriber identity module that is mounted on or detached from the mobile station 200, and the data set is exchanged in a half-duplex communication manner through an APDU (Application Protocol Data Unit).

The USIM is a SIM-type card having an IC chip according to the ISO/IEC 7816 standard. It includes an input/output interface including at least one contact connected to the USIM reader unit 260 and, in accordance with at least one command transmitted from the wireless terminal 200 through the input/output interface, processes the program code for the IC chip or extracts (or processes) the data set and passes it to the input/output interface.

According to the present invention, the general OS 210 is loaded with various applications that operate using the general kernel 215. An application of the general OS 210 displays one or more interface screens through the screen output unit 235 controlled through the general kernel 215, receives user operations through the user input unit 240 controlled through the general kernel 215, performs its designated operation, and provides various services to the user. Hereinafter, an application (or a program module embedded in or linked to an application) operating in accordance with the present invention on the general OS 210 is referred to as "program (n) 300" for convenience. Preferably, the program (n) 300 may include an application for performing an authentication procedure, such as a Certification Application executed in the general OS 210. However, the program (n) 300 is not limited to an authentication application; any application that operates on the general OS 210 belongs to the scope of the present invention.

According to an embodiment of the present invention, the program (n) 300 of the general OS 210 is provided in the upper part of the general kernel 215 on the OS structure and operates using the general kernel 215.

According to the present invention, at least one security application operating on the secure kernel 230 is installed in the secure OS 220. The security application on the secure OS 220 operates using the secure kernel 230 and may use the screen output unit 235, the user input unit 240, the sound processing unit 245, the wireless network communication unit 255, the short-range wireless communication unit 250, and the like of the wireless terminal 200. Hereinafter, a security application (or a program module embedded in or interacting with a security application) operating in accordance with the present invention on the secure OS 220 is referred to as "program (s) 340" for convenience. Preferably, the program (s) 340 may include a secure app running in the secure OS 220.

According to an embodiment of the present invention, the program (s) 340 of the secure OS 220 is provided in the upper part of the secure kernel 230 on the OS structure and operates using the secure kernel 230.

The secure OS 220 (or between the general OS 210 and the secure OS 220) is provided with a security monitor 225 (Secure Monitor) that performs a series of procedures for switching the OS of the wireless terminal 200 from the general OS 210 to the secure OS 220, or from the secure OS 220 to the general OS 210. Since the security monitor 225 uses the command of the secure OS 220, FIG. 2 illustrates the security monitor 225 as being provided in the secure OS 220 for the sake of convenience.

The security monitor 225 monitors whether an SMC (Secure Monitor Call) command is issued through the kernel or an IRQ (Interrupt Request) to FIQ (Fast Interrupt Request) Can be performed.

FIG. 3 is a diagram showing a functional configuration of a program according to an embodiment of the present invention.

FIG. 3 shows a functional configuration of a program (n) 300 of the general OS 210 and a program (s) 340 of the secure OS 220. Those skilled in the art will understand that various changes and modifications of the program may be made without departing from the spirit and scope of the present invention as defined by the following claims, and the technical features thereof are not limited only by the method shown in FIG. 3.

Referring to FIG. 3, the program (s) 340 of the secure OS 220 includes a code generation algorithm for generating an authentication code, and includes a key value storage unit 345 for storing a fixed key value in the secure OS storage area.

The program (s) 340 is a generic name of a program that is executed in the secure OS 220 and generates an authentication code. The program (s) 340 preferably includes a code generation algorithm (for example, a hash algorithm such as MD4, MD5, SHA). The program (s) 340 is recorded in the secure OS storage area according to a specified security procedure, and is executed when the OS of the wireless terminal 200 is switched to the secure OS 220.

When the program (s) 340 installed in the secure OS 220 is executed at least once, the key value storage unit 345 checks whether the fixed key value is stored in the key value storage area. If a fixed key value required for generating an authentication code is not stored in the key value storage area, the key value storage unit 345 acquires one or more fixed key values according to a designated procedure and stores the obtained fixed key values in the key value storage area. The key value storage unit 345 may obtain a key value by communicating with the mobile server 110 (or with the authentication server 115 via the mobile server 110) using the communication unit of the wireless terminal 200 (e.g., the wireless network communication unit 255). Alternatively, the key value storage unit 345 may acquire at least one item of unique information (e.g., MIN, IMSI, IMEI, etc.) allocated to the wireless terminal 200. The key value storage unit 345 stores the obtained one or more fixed key values in the key value storage area set in the secure OS storage area, and the general OS 210 cannot access the key value storage area.

Referring to FIG. 3, the program (s) 340 of the secure OS 220 includes a PIN registration unit 350 for registering the PIN information used to perform PIN (Personal Identification Number) authentication for dynamically generating an authentication code on the secure OS 220.

When the program (s) 340 mounted on the secure OS 220 is executed at least once, the PIN registration unit 350 checks whether PIN information for generating an authentication code is stored in a designated PIN storage area in the secure OS storage area. If the PIN information is not stored in the PIN storage area, the PIN registration unit 350 acquires the access right to the screen output unit 235 and the user input unit 240 according to a designated procedure, outputs a PIN input interface to the screen output unit 235, receives the PIN information through the user input unit 240, and stores the PIN information in the PIN storage area. The PIN registration unit 350 may encrypt the PIN information according to a designated encryption scheme and store the encrypted PIN information in the PIN storage area. The general OS 210 cannot access the PIN storage area.

Referring to FIG. 3, the program (n) 300 of the general OS 210 includes an authentication request checking unit 305 for checking an authentication request for generating an authentication code and performing an authentication procedure, and a linking procedure unit 310 that allocates a memory area accessible by the designated program (s) 340 of the secure OS 220 or checks a pre-allocated memory area. According to another embodiment of the present invention, the process of allocating the memory area or checking the pre-allocated memory area may be performed through the program (s) 340 of the secure OS 220, and the scope of the present invention includes the configuration in which the program (s) 340 allocates or checks the memory area.

The program (n) 300 is loaded on the general OS 210 and is executed on the general OS 210. Preferably, the program (n) 300 may be executed by a user operation via the user input unit 240, or by receiving a push via the communication means of the wireless terminal 200.

When the program (n) 300 is executed, the authentication request confirmation unit 305 confirms whether there is an authentication request that uses an authentication code generated through the secure OS 220 provided in the wireless terminal 200. When the program (n) 300 is executed through a push, the authentication request confirmation unit 305 can confirm whether an authentication code for performing an authentication procedure is requested through the push. For example, when two-channel authentication is requested from the user terminal 100 to the authentication requesting server 105, the mobile server 110 may push a request for authentication to the program (n) 300 on the general OS 210 of the wireless terminal 200. In this case, the authentication request confirmation unit 305 can check whether an authentication code is requested. Meanwhile, the authentication request may also be made by the user through the user input unit 240, and the present invention is not limited thereto.

The interworking procedure unit 310 checks, at least once upon the first execution of the program (n) 300 installed in the general OS 210, whether the secure OS 220 is installed in the wireless terminal 200, and, when the secure OS 220 is installed, checks whether the program (s) 340 for generating an authentication code is installed in the secure OS 220. If the program (s) 340 for generating an authentication code is installed in the secure OS 220, the interworking procedure unit 310 stores information identifying that the program (s) 340 is installed in the secure OS 220 and/or information identifying the program (s) 340 installed in the secure OS 220, in the general OS storage area.

Upon confirming the authentication request using the authentication code through the authentication request confirmation unit 305, the interworking procedure unit 310 checks, based on the identification information, whether the program (s) 340 is installed in the secure OS 220. In addition,

When the program (s) 340 of the secure OS 220 is confirmed through the identification information, the interworking procedure unit 310 saves, through the general kernel 215, the state information of the program (n) 300 immediately before switching to the secure OS 220. Preferably, the interworking procedure unit 310 stores in the general OS storage area the state information of the program (n) 300 that requires the authentication code at the time the OS of the wireless terminal 200 is switched from the general OS 210 to the secure OS 220 (for example, the interface screen state of the program (n) 300, the state of the communication session of the program (n) 300, etc.).

According to an embodiment of the present invention, the interworking procedure unit 310 maintains the state information of the program (n) 300 from immediately before switching to the secure OS 220 (for example, immediately before the secure OS 220 is driven via the SMC command). Even if the program (n) 300 and/or the general OS 210 is initialized in the process of switching from the general OS 210 to the secure OS 220, or an exceptional situation such as a page fault occurs during the switching procedure, the state of the program (n) 300 can be restored, using the state information, to the state immediately before switching to the secure OS 220 when the OS of the wireless terminal 200 is switched from the secure OS 220 back to the general OS 210.

When the program (s) 340 of the secure OS 220 is confirmed and/or the status information of the program (n) 300 is stored, the interworking procedure unit 310 generates an SMC command for driving the secure OS 220 through the general kernel 215. The security monitor 225 verifies the validity of the SMC command and performs a procedure for driving the secure OS 220 according to the SMC command when the verification is successful.

Meanwhile, at a predetermined time point before, during, or after starting the operation of the secure OS 220, the linking procedure unit 310 allocates a memory area that is accessible from the program (n) 300 and also accessible from the program (s) 340 of the secure OS 220, or identifies the pre-allocated memory area. For example, the allocated memory area may include a shared memory for inter-process communication between the program (n) 300 of the general OS 210 and the program (s) 340 of the secure OS 220. While ordinary shared memory is allocated within an OS for inter-process communication within the same OS, the memory area of the present invention is a shared memory for communication between processes executed in heterogeneous OSs, namely the general OS 210 and the secure OS 220.

According to the first memory area allocation method of the present invention, the linking procedure unit 310 allocates the memory area on the general OS 210 or confirms the memory area allocated on the general OS 210. In this case, the security monitor 225 may access or monitor the memory area of the general OS 210, and the program (s) 340 of the secure OS 220 may indirectly access the memory area of the general OS 210 through the security monitor 225.

According to the second memory area allocation method of the present invention, the interworking procedure unit 310 allocates the memory area on the security monitor 225 or confirms the memory area allocated to the security monitor 225. In this case, the interworking procedure unit 310 can allocate the memory area to the security monitor 225 or check the memory area allocated to the security monitor 225 through the SMC command.

According to the third memory area allocation method of the present invention, the interworking procedure unit 310 can allocate the memory area on the mobile server 110, which is on a network accessible (or connectable) from both the program (n) 300 and the program (s) 340, or can identify the memory area allocated to the mobile server 110. When the memory area is allocated to the mobile server 110 on the network, the program (n) 300 of the general OS 210 and the program (s) 340 of the secure OS 220 each connect to the mobile server 110 to read or write data to and from the memory area.

The interworking procedure unit 310 may set the program (n) 300 as a process of the general OS 210 that refers to the allocated memory area. Preferably, the interworking procedure unit 310 provides a PID (Process ID) of the program (n) 300 to the memory area, so that when the program (s) 340 of the secure OS 220 operates, the program (s) 340 can set the program (n) 300 as the process of the general OS 210 that reads the data written in the allocated memory area.

If a memory area accessible by the program (s) 340 of the secure OS 220 is allocated, or at least one pre-allocated memory area is identified, through at least one of the first to third memory area allocation methods, the interworking procedure unit 310 may set the designated program (s) 340 of the secure OS 220 as a process that can access the allocated memory area. For example, the interworking procedure unit 310 may provide the program (s) 340 of the secure OS 220, through the security monitor 225, with the address information of the allocated memory area (e.g., a memory address of a RAM, a memory address of a RAM provided in the processor, or a network address (and/or identification value) identifying the memory area).

When the memory area accessible by the program (s) 340 of the secure OS 220 is allocated/verified and/or the memory area is made accessible to the program (s) 340 of the secure OS 220, the interworking procedure unit 310 interlocks with the security monitor 225 to prevent processes of the general OS 210 other than the program (n) 300 from accessing the memory area. Preferably, the interworking procedure unit 310 uses the memory access control function of the security monitor 225 so that the memory area cannot be accessed by any process of the general OS 210 other than the program (n) 300.

When the secure OS 220 is activated by the SMC command and the program (s) 340 of the secure OS 220 is executed, the security monitor 225 assigns the access right to the allocated/confirmed memory area to the program (s) 340 of the secure OS 220. In this case,

Referring to FIG. 3, the program (s) 340 of the secure OS 220 includes an interlock processing unit 355 that identifies a memory area allocated through at least one of the first to third memory area allocation methods and performs a procedure for referring to the memory area.

When the secure OS 220 is activated and the program (s) 340 of the secure OS 220 is executed, the interworking processor 355, in conjunction with the operation procedure performed through the security monitor 225, identifies the memory area accessible by the program (s) 340 and performs a series of procedures for accessing the memory area from the program (s) 340. Preferably, the interlocking processor 355 may perform a procedure of obtaining an access right to the memory area.

Meanwhile, the interworking processor 355 may check the memory area at any time before the program (s) 340 refers to the memory area, and the present invention is not limited to checking the memory area at a specific time.
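The access rule described above (only program (n) 300 may touch the region while the general OS runs, only program (s) 340 while the secure OS runs, with the program state saved before the switch and restored afterwards) can be modelled as follows. This is an added sketch, not code from the patent; the class names, the region id scheme, the `SECURE_PROGRAM_ID` string and the clear-on-read behaviour are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

SECURE_PROGRAM_ID = "program-s-340"   # hypothetical identifier for program (s) 340


class World(Enum):
    NORMAL = "general OS 210"
    SECURE = "secure OS 220"


class AccessDenied(Exception):
    pass


@dataclass
class Region:
    normal_pid: int        # PID of program (n) 300 registered for the region
    secure_program: str    # the one secure-side program allowed to use it
    data: bytes = b""


class SecurityMonitor:
    """Toy model of security monitor 225: world switch plus region access control."""

    def __init__(self):
        self.world = World.NORMAL
        self._regions = {}
        self._saved = {}

    def allocate(self, pid, secure_program):
        if self.world is not World.NORMAL:
            raise AccessDenied("allocation is requested from the general OS")
        rid = len(self._regions) + 1
        self._regions[rid] = Region(pid, secure_program)
        return rid

    def _check(self, rid, world, ident):
        region = self._regions.get(rid)
        if region is None:
            raise AccessDenied("unknown region")
        if world is not self.world:
            raise AccessDenied("caller's OS is not the running one")
        allowed = region.normal_pid if world is World.NORMAL else region.secure_program
        if ident != allowed:
            raise AccessDenied("caller is not registered for this region")
        return region

    def can_access(self, rid, world, ident):
        try:
            self._check(rid, world, ident)
            return True
        except AccessDenied:
            return False

    def write(self, rid, world, ident, data):
        self._check(rid, world, ident).data = bytes(data)

    def read(self, rid, world, ident):
        region = self._check(rid, world, ident)
        data, region.data = region.data, b""   # assumption: region is cleared once read
        return data

    def smc_enter_secure(self, pid, state):
        self._saved[pid] = dict(state)         # state information kept before the switch
        self.world = World.SECURE

    def return_to_normal(self, pid):
        self.world = World.NORMAL
        return self._saved.pop(pid)            # restored even if the secure side failed


def run_exchange(monitor, pid, state, pin_ok, code):
    """One round trip: allocate, switch, write on success, switch back, read."""
    rid = monitor.allocate(pid, SECURE_PROGRAM_ID)
    monitor.smc_enter_secure(pid, state)
    try:
        if pin_ok:                             # a failed PIN check writes nothing
            monitor.write(rid, World.SECURE, SECURE_PROGRAM_ID, code)
    finally:
        restored = monitor.return_to_normal(pid)
    return rid, restored, monitor.read(rid, World.NORMAL, pid)


if __name__ == "__main__":
    m = SecurityMonitor()
    print(run_exchange(m, 1201, {"screen": "confirm"}, True, b"enc:483920"))
```

The `finally` branch mirrors the failure paths in the description: whatever happens on the secure side, the terminal returns to the general OS and program (n) 300 gets its saved state back.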

Referring to FIG. 3, when the user's PIN information is stored in the designated PIN storage area of the secure OS 220 through the PIN registration unit 350, the program (s) 340 includes a PIN authentication unit 360 for receiving the PIN information through the input means of the wireless terminal 200 and authenticating its validity.

When the secure OS 220 is activated and the program (s) 340 of the secure OS 220 is executed, the PIN authenticator 360 acquires the access right to the screen output unit 235 and the user input unit 240, displays an interface for PIN authentication on the screen output unit 235, receives PIN information through the user input unit 240, and compares it with the PIN information stored in the PIN storage area (or performs a verification operation) to verify the validity of the input PIN information.

Referring to FIG. 3, the program (s) 340 of the secure OS 220 includes an authentication code generation unit 370 for generating an authentication code corresponding to the authentication request using a code generation algorithm, and a key value verifier 365 for verifying at least one fixed key value and/or at least one dynamic key value to be substituted into the code generation algorithm according to an embodiment of the present invention.

When the secure OS 220 is activated and the program (s) 340 of the secure OS 220 is executed and/or the PIN authentication is successful, the authentication code generation unit 370 uses the code generation algorithm of the secure OS 220 to generate an authentication code in response to the authentication request identified through the program (n) 300 of the general OS 210.

On the other hand, if one or more fixed key values are needed to generate the authentication code, the key value verifier 365 checks the fixed key value stored in the key value storage area of the secure OS 220 through the key value storage unit 345, and the authentication code generation unit 370 can dynamically generate an authentication code corresponding to the authentication request by substituting the fixed key value into the seed of the code generation algorithm.

Meanwhile, when at least one dynamic key value is required to generate the authentication code, the key value verifier 365 can check at least one dynamic key value using at least one resource accessible by the secure OS 220. For example, the key value validation unit 365 may use a timer accessible by the secure OS 220 to confirm a time value to be used as a dynamic key value, and/or may obtain the access right to the communication means of the wireless terminal 200 and receive, from the mobile server 110 (or from the authentication server 115 via the mobile server 110), a key value (or a random number value) to be used as the dynamic seed of the code generation algorithm. If at least one dynamic key value is confirmed through the key value validation unit 365, the authentication code generation unit 370 can dynamically generate the authentication code by substituting the dynamic key value into the seed of the code generation algorithm.

Alternatively, the authentication code generation unit 370 may substitute one or more fixed key values and at least one dynamic key value, which are confirmed through the key value verification unit 365, into the seed of the code generation algorithm, and thereby dynamically generate the authentication code.

Referring to FIG. 3, the program (s) 340 of the secure OS 220 includes an encryption processing unit 375 for encrypting the generated authentication code so that it can be decrypted through the designated mobile server 110 (or the authentication server 115), and an authentication code providing unit 380 for providing the encrypted authentication code to the memory area.

When the authentication code is generated through the authentication code generation unit 370, the encryption processing unit 375 encrypts the generated authentication code using an encryption method and an encryption key that can be decrypted through the designated mobile server 110 (or the authentication server 115).

The authentication code providing unit 380 provides the encrypted authentication code to the memory area identified through the interlock processing unit 355, and the security monitor 225 conveys the encrypted authentication code in the memory area from the secure OS 220 to the general OS 210. Preferably, the authentication code providing unit 380 can record the generated authentication code in the memory area so that it can be read through the program (n) 300 of the general OS 210.

According to a modified embodiment of the present invention, the authentication code providing unit 380 transmits the encrypted authentication code to the mobile server 110 (or to the authentication server 115 via the mobile server 110) through the communication means of the wireless terminal 200. In this case, the authentication code may not be provided to the memory area.

When the OS of the wireless terminal 200 is switched to the general OS 210 according to an embodiment of the present invention, the interworking procedure unit 310 of the program (n) 300 acquires the access right to the memory area (or accesses the memory area based on the acquired rights). Meanwhile, the interworking procedure unit 310 of the program (n) 300 may restore the status of the program (n) 300 immediately before switching to the secure OS 220 using the status information.

Referring to FIG. 3, the program (n) 300 of the general OS 210 includes an authentication code checking unit 315 that refers to the memory area and checks an authentication code generated through the program (s) 340 of the secure OS 220, and an authentication code processing unit 320 that transmits the verified authentication code to the mobile server 110 (or the authentication server 115 via the mobile server 110) through the communication means of the wireless terminal 200.

When the OS of the wireless terminal 200 is switched to the general OS 210, the authentication code checking unit 315 refers to the memory area in cooperation with the linking procedure unit 310 and confirms the authentication code that the program (s) 340 of the secure OS 220 provided to the memory area.

When the authentication code generated through the program (s) 340 of the secure OS 220 is confirmed through the authentication code verifying unit 315, the authentication code processing unit 320 can transmit the authentication code to the mobile server 110 (or the authentication server 115 via the mobile server 110) via the communication means of the wireless terminal 200. The authentication code processing unit 320 may transmit the authentication code to the mobile server 110 (or the authentication server 115 via the mobile server 110) without outputting the authentication code. The authentication code encrypted through the program (s) 340 of the secure OS 220 is not decrypted by the general OS 210.

The mobile server 110 (or the authentication server 115) receiving the authentication code may generate an authentication code corresponding to the authentication request using the same key value and code generation algorithm as the program (s) 340 of the secure OS 220, and thereby authenticate the validity of the received authentication code.
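The following added example (not code from the patent) works through the scheme described above: PIN check inside the secure side, a code derived from a fixed key value plus a timer-based dynamic key value and an optional server-issued random value, and a server that recomputes the same code to validate it. The use of HMAC-SHA-256, PBKDF2 for the stored PIN, the 30-second step, the 6-digit length, the retry limit, the acceptance window and the replay set are all assumptions; the patent names only "a hash algorithm" and "a designated encryption scheme".

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30      # assumed time-step size for the timer-based dynamic key value
CODE_DIGITS = 6        # assumed code length
MAX_PIN_FAILURES = 5   # assumed retry limit (not stated on the page)


def derive_code(fixed_key: bytes, unix_time: int, challenge: bytes = b"") -> str:
    """Code generation algorithm seeded with the fixed and dynamic key values."""
    counter = unix_time // STEP_SECONDS              # dynamic key value from the timer
    msg = struct.pack(">Q", counter) + challenge     # optional random value from the server
    digest = hmac.new(fixed_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation of the digest
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class SecureProgram:
    """Stand-in for program (s) 340; its fields model the secure OS storage area."""

    def __init__(self, fixed_key: bytes, pin: str):
        self._fixed_key = fixed_key                  # key value storage area
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin)             # PIN storage area (never the raw PIN)
        self._failures = 0

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def generate(self, pin: str, unix_time: int, challenge: bytes = b""):
        """Return a code only after PIN authentication succeeds, else None."""
        if self._failures >= MAX_PIN_FAILURES:
            return None                              # locked: no further guesses accepted
        if not hmac.compare_digest(self._hash(pin), self._pin_hash):
            self._failures += 1
            return None
        self._failures = 0
        return derive_code(self._fixed_key, unix_time, challenge)


class AuthServer:
    """Stand-in for mobile server 110 / authentication server 115."""

    def __init__(self, fixed_key: bytes, window: int = 1):
        self._fixed_key = fixed_key
        self._window = window                        # accepted clock drift, in steps
        self._used = set()                           # accepted (step, challenge) pairs

    def verify(self, code: str, unix_time: int, challenge: bytes = b"") -> bool:
        now = unix_time // STEP_SECONDS
        for step in range(now - self._window, now + self._window + 1):
            expected = derive_code(self._fixed_key, step * STEP_SECONDS, challenge)
            if hmac.compare_digest(expected, code):
                if (step, challenge) in self._used:
                    return False                     # same code presented twice
                self._used.add((step, challenge))
                return True
        return False


if __name__ == "__main__":
    key = bytes(range(32))                           # constructed sample key
    device, server = SecureProgram(key, "4821"), AuthServer(key)
    code = device.generate("4821", 1_700_000_000)
    print(code, server.verify(code, 1_700_000_020))
```

Because the server recomputes the code rather than decrypting a stored value, the fixed key value has to be provisioned to both sides, which is why the description keeps it in a storage area the general OS cannot read.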

FIG. 4 is a diagram illustrating a process of preparing a program (s) 340 in the secure OS 220 according to an embodiment of the present invention.

In more detail, FIG. 4 illustrates a process of loading a program (s) 340 in the secure OS 220 and storing one or more fixed key values for generating an authentication code. Those skilled in the art will be able to infer, by referring to and/or modifying FIG. 4, various ways of carrying out the process of preparing the program (s) 340 (e.g., omitting some of the steps or changing the order). The present invention includes all such embodiments, and the technical features of the present invention are not limited by the method shown in FIG. 4.

Referring to FIG. 4, the program (n) 300 of the general OS 210 checks, on the basis of the model (or the type of the processor) of the wireless terminal 200, whether the secure OS 220 (Trust zone) is mounted (400). If the secure OS 220 is installed in the wireless terminal 200, the program (n) 300 performs a procedure for loading the designated program (s) 340 in the secure OS 220 (405).

The program (s) 340 is loaded (410) in the secure OS 220 according to a designated procedure, obtains one or more fixed key values according to a designated procedure (415), and stores them (420) in a key value storage area of the secure OS storage area. Meanwhile, the program (s) 340 can perform a procedure for registering PIN information for generating an authentication code according to an embodiment of the present invention. The program (s) 340 stores the registered PIN information in a PIN storage area (425).

When the program (s) 340 is loaded on the secure OS 220, the program (n) 300 of the general OS 210 stores information identifying that the program (s) 340 is mounted on the secure OS 220 and/or information identifying the program (s) 340 mounted on the secure OS 220.

FIG. 5 is a diagram illustrating an interoperation process between a general OS 210 and a secure OS 220 according to an embodiment of the present invention.

FIG. 5 shows a process in which the program (n) 300 of the general OS 210 works in conjunction with the program (s) 340 of the secure OS 220 when confirming the authentication request using the authentication code. Those skilled in the art will be able to infer, by referring to and/or modifying FIG. 5, various ways of carrying out this process; the present invention includes all such embodiments, and its technical features are not limited by the method shown in FIG. 5.

Referring to FIG. 5, the program (n) 300 of the general OS 210 receives an authentication request from a server designated by the communication means of the wireless terminal 200, or reads a user operation, and confirms the authentication request using the authentication code (500). For example, when the user terminal 100 accesses the authentication request server 105 through the first communication network and requests authentication using the user's wireless terminal 200, the mobile server 110 associated with the authentication request server 105 may request an authentication code from the user's wireless terminal 200 through a second communication network that is different from the first communication network. In this case, the program (n) 300 executed in the general OS 210 of the wireless terminal 200 may receive an authentication request using the authentication code from the mobile server 110.

When the authentication request using the authentication code is confirmed, the program (n) 300 uses the identification information to check whether a program (s) 340 for generating an authentication code is installed on the secure OS 220 side of the wireless terminal 200 (505). If the program (s) 340 is not installed in the secure OS 220, the program (n) 300 can perform a procedure for loading the program (s) 340 into the secure OS 220.

Meanwhile, if the program (s) 340 is loaded on the secure OS 220, the program (n) 300 stores the status information of the program (n) 300 before switching to the secure OS 220, and allocates a memory area accessible by the program (s) 340 of the secure OS 220 or checks the pre-allocated memory area (515). If the memory area is allocated/confirmed, the program (n) 300 sets its own access right for the allocated/confirmed memory area and, at the same time, sets the program (s) 340 to be able to access the memory area (520), and the OS of the wireless terminal 200 is switched to the secure OS 220 through the security monitor 225 (525).

When the OS of the wireless terminal 200 is switched to the secure OS 220 and the program (s) 340 is executed (530), the program (s) 340 determines whether the PIN information was registered in the PIN storage area of the secure OS 220 through the process shown in FIG. 4. If the PIN information is registered in the PIN storage area of the secure OS 220, the program (s) 340 acquires the access right to the screen output unit 235 and the user input unit 240 of the wireless terminal 200, outputs the input interface, and confirms the PIN information input through the interface (535). If the PIN information is input, the program (s) 340 authenticates the validity of the entered PIN information against the PIN information stored in the PIN storage area (540). If the validity of the PIN information is not authenticated, the program (s) 340 switches the OS of the wireless terminal 200 to the general OS 210 (545), and when the OS of the wireless terminal 200 is switched to the general OS 210, the program (n) 300 of the general OS 210 restores the state of the program (n) 300 from before switching to the secure OS 220 (550).

Meanwhile, if the validity of the PIN information is authenticated, the program (s) 340 identifies a memory area that is allocated through the program (n) 300 and can be shared with the program (n) 300 (555). The memory area may be allocated through the program (s) 340 according to an implementation method, and the present invention also includes an embodiment in which the program (s) 340 allocates the memory area. If the memory area accessible by the program (s) 340 is not confirmed, the program (s) 340 switches the OS of the wireless terminal 200 to the general OS 210 (545), and when the OS of the wireless terminal 200 is switched to the general OS 210, the program (n) 300 of the general OS 210 restores the state of the program (n) 300 from before switching to the secure OS 220 (550).

Meanwhile, if a memory area accessible by the program (s) 340 is confirmed, the program (s) 340 confirms the access right to the memory area (560). If the access right to the memory area is not confirmed, the program (s) 340 switches the OS of the wireless terminal 200 to the general OS 210 (545), and when the OS of the wireless terminal 200 is switched to the general OS 210, the program (n) 300 of the general OS 210 restores the state of the program (n) 300 from before switching to the secure OS 220 (550).

FIG. 6 is a diagram illustrating a process of generating an authentication code through the secure OS 220 and performing an authentication procedure according to an embodiment of the present invention.

In more detail, FIG. 6 shows a process in which the program (s) 340 of the secure OS 220 generates an authentication code and provides it to the program (n) 300 of the general OS 210, and an authentication procedure is performed using the authentication code generated by the secure OS 220. Those skilled in the art will be able to infer, by referring to and/or modifying FIG. 6, various implementations of the code-based authentication process (e.g., omitting some steps or changing the order); the present invention includes all such embodiments, and its technical features are not limited only by the method shown in FIG. 6.

Referring to FIG. 6, when a memory area shared by the program (s) 340 of the secure OS 220 with the program (n) 300 of the general OS 210 is checked through the process shown in FIG. 5 and the access right is confirmed, the program (s) 340 dynamically generates an authentication code using a code generation algorithm provided in the secure OS 220 (610).

Meanwhile, when one or more fixed key values have been stored in the key value storage area of the secure OS storage area through the process shown in FIG. 4 and one or more fixed key values are used to generate the authentication code, the program (s) 340 confirms the one or more fixed key values stored in the key value storage area of the secure OS storage area (600), and can dynamically generate the authentication code by substituting the identified one or more fixed key values into the code generation algorithm of the secure OS 220 (610).

If at least one dynamic key value is used to generate the authentication code, the program (s) 340 identifies at least one dynamic key value using resources of the wireless terminal 200 accessible via the secure OS 220 (e.g., a timer, communication means, etc.) (605), and can dynamically generate the authentication code by substituting the identified at least one dynamic key value into the code generation algorithm of the secure OS 220 (610).

Meanwhile, when at least one fixed key value and at least one dynamic key value are used to generate the authentication code, the program (s) 340 confirms the one or more fixed key values stored in the key value storage area of the secure OS storage area through the process shown in FIG. 4 (600), identifies at least one dynamic key value using the resources of the wireless terminal 200 (605), and may then dynamically generate the authentication code by substituting the identified one or more fixed key values and the at least one dynamic key value into the code generation algorithm of the secure OS 220 (610).

The program (s) 340 encrypts the authentication code so that it can be decrypted through a designated server (e.g., the mobile server 110 or the authentication server 115) (615), and provides the encrypted authentication code to the memory area shared with the program (n) 300 of the general OS 210 (620). According to an embodiment of the present invention, the program (s) 340 may provide the authentication code to the memory area without encrypting it. In this case, the authentication code may be transmitted through the program (n) 300 of the general OS 210. The program (s) 340 then causes the OS of the wireless terminal 200 to switch to the general OS 210 (625). When the OS of the wireless terminal 200 has switched to the general OS 210, the program (n) 300 of the general OS 210 restores the state of the program (n) 300 from before the switch to the secure OS 220 (630).

The program (n) 300 of the general OS 210 identifies and accesses the memory area shared with the program (s) 340 of the secure OS 220 (635), and verifies the authentication code that was dynamically generated and encrypted through the program (s) 340 of the secure OS 220 (640). If the dynamically generated and encrypted authentication code is not confirmed through the program (s) 340 of the secure OS 220, the program (n) 300 outputs an authentication code error and the program (n) 300 may be initiated (645).

When the dynamically generated and encrypted authentication code is confirmed through the program (s) 340 of the secure OS 220, the program (n) 300 transmits the authentication code generated and encrypted through the program (s) 340 of the secure OS 220 to the designated server (for example, the mobile server 110 or the authentication server 115) using the communication means of the wireless terminal 200 (650). The server receives and decrypts the authentication code, generates a code verification value using the same key value and code generation algorithm with which the program (s) 340 of the secure OS 220 generated the authentication code, and authenticates the validity of the authentication code, thereby performing the authentication procedure corresponding to the authentication request of FIG.
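The code generation and server-side check described for FIG. 6, as an added example that is not part of the patent text: it assumes HMAC-SHA256 with RFC 4226-style truncation as the code generation algorithm, a 30-second timer step as the dynamic key value, and the embodiment in which the code is not encrypted. All function names, constants and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed lifetime of one dynamic key value
CODE_DIGITS = 8    # assumed code length


def generate_auth_code(fixed_key: bytes, unix_time: int) -> str:
    """Program (s) side: one fixed and one dynamic key value (600-610)."""
    # Dynamic key value (605): time-step counter read from the timer.
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    # Code generation algorithm (610): HMAC-SHA256, assumed for this example.
    digest = hmac.new(fixed_key, counter, hashlib.sha256).digest()
    # RFC 4226-style dynamic truncation to a short decimal code.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def server_verify(fixed_key: bytes, code: str, server_time: int,
                  drift_steps: int = 1) -> bool:
    """Server side: regenerate the code verification value and compare."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = generate_auth_code(fixed_key, server_time + delta * STEP_SECONDS)
        # Constant-time comparison; no early exit on the first match.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    t = 1_700_000_000                                        # constructed time
    code = generate_auth_code(key, t)
    return {
        "next_step": server_verify(key, code, t + 20),    # within drift window
        "stale": server_verify(key, code, t + 300),       # outside window
        "wrong_key": server_verify(bytes(16), code, t),   # different fixed key
    }


if __name__ == "__main__":
    print(demo())
```

The drift window is what lets the server accept a code generated just before a time-step boundary; widening it extends how long a captured code remains usable.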

100: user terminal 105: authentication request server
110: mobile server 115: authentication server
200: wireless terminal 210: general OS
215: General kernel 220: Security OS
225: Security Monitor 230: Security Kernel
300: program (n) 305: authentication request confirmation unit
310: Interworking Procedure Unit 315: Authentication Code Verification Unit
320: authentication code processing unit 340: program (s)
345: key value storage unit 345: PIN registration unit
355: interlock processor 360: PIN authentication unit
365: key value verification unit 370: authentication code generation unit
375: encryption processing unit 380: authentication code providing unit

Claims (15)

A method for executing a secure operating system (OS) having a secure kernel and a normal operating system (OS) having a kernel structure,
A first step of the program (n) of the general OS receiving an authentication request from a server designated by the communication means of the wireless terminal;
A second step of allocating a memory area accessible by the program (n) in the designated program (s) of the secure OS or identifying a pre-allocated memory area;
A third step of the program (s) of the secure OS generating an authentication code corresponding to the authentication request using a code generation algorithm included in the secure OS;
The program (s) providing the generated authentication code to the memory area; And
And transmitting the authentication code of the memory area to the server through the communication unit of the wireless terminal.
The method of claim 1,
And a trust zone mounted on the processor.
The method of claim 1,
And a request for authentication using a separate communication network distinguished from a communication network between the wireless terminal and the server.
The method according to claim 1,
Further comprising the step of identifying that the program (n) has the program (s) assigned to the secure OS installed or the identification information identifying the program (s) mounted on the secure OS in the general OS storage area A method for authentication processing using a secure operating system.
The method according to claim 1,
Further comprising the step of storing and maintaining status information on the program (n) immediately before the program (n) is switched to the secure OS.
The method according to claim 1,
Further comprising the step of the program (n) operating a secure OS through an SMC (Secure Monitor Call) command.
The method according to claim 1,
Wherein the program (n) allocates the memory area to a general OS or identifies a pre-allocated memory area.
The method according to claim 1,
Wherein the program (n) allocates the memory area to the security monitor performing the switching procedure between the general OS and the secure OS, or verifies the pre-allocated memory area.
The method according to claim 1,
Wherein the program (n) allocates a memory area accessible from the program (s) of the secure OS to the security server on the network or identifies a pre-allocated memory area.
The method according to claim 1,
Further comprising setting the program (n) as a process of a general OS side in which the program (n) refers to the memory area.
The method according to claim 1,
Further comprising the step of the program (s) storing one or more fixed key values in a storage area of the secure OS,
Wherein the third step generates the authentication code using one or more fixed key values stored in the code generation algorithm as one of the seeds to be substituted into the code generation algorithm.
The method according to claim 1,
The program (s) verifying at least one dynamic key value via the secure OS; And
Wherein the program (s) generates the authentication code by using the identified dynamic key value as one of the seeds to be substituted into the code generation algorithm.
The method according to claim 1,
Receiving the PIN (Personal Identification Number) by accessing the input means of the wireless terminal through the security OS; And
And authenticating the validity of the PIN entered through the secure OS.
The method according to claim 1,
Further comprising encrypting the generated authentication code so that the program (s) is decrypted through a designated server,
Wherein the step (c) provides the encrypted authentication code to the memory area by the program (s).
The method according to claim 1,
Further comprising: the program (n) verifying the encrypted authentication code from the memory area via the program (s)
Wherein the program (n) transmits the encrypted authentication code to the server via the communication means of the wireless terminal.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150041527A KR20160114966A (en) 2015-03-25 2015-03-25 Method for Processing Certification by using Secure Operating System

Related Child Applications (1)

Application Number Title Priority Date Filing Date
KR1020170009492A Division KR20170010341A (en) 2017-01-20 2017-01-20 Method for Processing Certification by using Secure Operating System

Publications (1)

Publication Number Publication Date
KR20160114966A true KR20160114966A (en) 2016-10-06

Family

ID=57164346

Country Status (1)

Country Link
KR (1) KR20160114966A (en)

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
AMND Amendment
E601 Decision to refuse application
AMND Amendment
A107 Divisional application of patent
J201 Request for trial against refusal decision
J301 Trial decision

Free format text: TRIAL NUMBER: 2017101000311; TRIAL DECISION FOR APPEAL AGAINST DECISION TO DECLINE REFUSAL REQUESTED 20170120

Effective date: 20181022