KR20160139885A - Certification System for Using Biometrics and Certification Method for Using Key Sharing and Recording medium Storing a Program to Implement the Method - Google Patents

Certification System for Using Biometrics and Certification Method for Using Key Sharing and Recording medium Storing a Program to Implement the Method Download PDF

Info

Publication number
KR20160139885A
KR20160139885A KR1020150075748A KR20150075748A KR20160139885A KR 20160139885 A KR20160139885 A KR 20160139885A KR 1020150075748 A KR1020150075748 A KR 1020150075748A KR 20150075748 A KR20150075748 A KR 20150075748A KR 20160139885 A KR20160139885 A KR 20160139885A
Authority
KR
South Korea
Prior art keywords
authentication
user
smart device
information
certificate
Prior art date
Application number
KR1020150075748A
Other languages
Korean (ko)
Other versions
KR101724401B1 (en
Inventor
김재중
Original Assignee
한국정보인증주식회사
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 한국정보인증주식회사 filed Critical 한국정보인증주식회사
Priority to KR1020150075748A priority Critical patent/KR101724401B1/en
Publication of KR20160139885A publication Critical patent/KR20160139885A/en
Application granted granted Critical
Publication of KR101724401B1 publication Critical patent/KR101724401B1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/02Banking, e.g. interest calculation or account maintenance
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Abstract

A public authentication system using biometric information recognition is disclosed. User authentication through biometric information recognition of a user including a fingerprint and user policy information including usage time from a user are input to perform authorized authentication under conditions matching user policy information and division of a cryptographic key for authentication A biometric information template configuration corresponding to the biometric information and a password value of the biometric information template are extracted and stored, and the smart device Upon receipt of the authentication certificate issuance request, smart device authentication is performed, the hash value of the biometric information template is received, and after completion of the identity authentication including the password authentication and the biometric information authentication, Authorized certificate Authorized certification authority that transmits the encryption key to the smart device. It includes server.

Description

Technical Field [0001] The present invention relates to a system and method for authenticating a biometric information and a key division method, and a recording medium on which a program for performing the method is recorded. }

The present invention relates to a public authentication system and method for secure use of a public certificate, and more particularly, to a system and method for performing authentication authentication of biometric information and providing user control over usage time, usage site, usage history, .

Although the Internet has been rapidly spreading due to the characteristics of openness, broadcasting type, globality and accessibility, it has been widely used as a network aggregation of computer networks around the world, but its characteristics are that it can not be intercepted, intercepted, tampered, It has security vulnerability such as password decryption. Because of this vulnerability, damage cases such as damage by credit card number theft, personal information leakage, cyber securities account hacking are appearing.

Therefore, in the case of electronic transactions through the Internet, confidentiality is ensured through encrypted transmission and decryption of data, authentication of users through digital signatures, non-repudiation Non-Repudiation, Integrity, and Time of Electronic Transactions.

Digital signatures based on PKI (Public Key Infrastructure) have begun to be introduced in such a way as to meet the demand for safe and convenient Internet transaction. A PKI is an information protection standard that implements encryption and decryption of data using a public key and a private key. The PKI encrypts an electronic signature encrypted with a private key of a data creator, If it is given to the other party, the other party of the transaction can verify the identity of the person who created the data and whether the electronic document is changed by verifying the received digital signature using the public key of the data creator (sender). For this purpose, a certificate authority which is a trustworthy third party that has been granted a license by the state registers a public key for verifying the signer's digital signature value and its owner information through a public certificate as a seal certificate for cyber transaction And provides it to users who need verification. Therefore, a private key (secret key) must be securely maintained from all the hacking means for secure electronic commerce, and a method for securing the security of such private key to the maximum is required.

Generally, digital signatures can be performed through a user PC. However, it is necessary to install a separate program (ActiveX, Applet, etc.) in a user PC environment so that an Internet Explorer, chrome, safari, There is a problem that digital signatures can be performed through various web browsers. Most of the official certificates are kept on the hard disk, so if a malicious code program is installed through ActiveX (ActiveX), it is easy to hijack through the hacker. In the case of Android-based smartphones, there is a risk in financial transactions due to the storage of authorized certificates on the SD card, which is the target of smartphones and smartphone malicious programs.

In addition, when the web site login password and the authorized certificate private key password are used in the same manner, hacking and simple illegal copy of the authorized certificate private key are possible in various ways. Accordingly, it is difficult for the authorized local certificate of the duplicate to have the non-repudiation function, and the fingerprint is registered by checking the off-line of the specific web site, and the fingerprint is stored in the fingerprint security token. Scanned the user's fingerprint and compared it with the stored fingerprint information, and then inputting the private key password of the authorized certificate.

The present invention relates to a user authentication system and an authentication method using biometric information authentication and a key division method. More particularly, the present invention relates to a user authentication and financial transaction activity in an online electronic financial transaction, A personal authentication system for securing the electronic authentication and the electronic payment signature for the payment transaction is provided. Thus, by providing a method for authenticating a user in real time through biometric information of a user every time the user logs in, acquiring a secret key value, and encrypting and storing other key key values safely, And to provide a user authentication system and an authentication method that can further enhance functions and security levels.

According to an aspect of the present invention, there is provided an authentication system using biometric information recognition, comprising: user authentication through biometric information recognition of a user including a fingerprint and inputting user policy information including a usage time from the user; A smart device that is provided with an application for performing authorized authentication under conditions matching user policy information and dividing an encryption key for authentication of the user, user policy information input by the user, Extracts and stores the encryption value of the biometric information template corresponding to the information and the encrypted value of the biometric information template, and upon receipt of the authorization certificate issuance request from the smart device, performs smart device authentication, receives the hash value of the biometric information template , After completion of the personal authentication including the password authentication and the biometric information authentication, Group and a certification authority server for transmitting the requested certificate encryption key under the condition matching the user policy information to the smart device.

In a preferred embodiment, an application installed in a smart device divides a cryptographic key for authenticating the user, and a part of the divided cryptographic keys is entrusted to an accredited certification authority server, and the accredited certification authority server acquires information received from the smart device Transmits the part of the divided cryptographic key to the smart device when the authentication of the device including the at least one of PIN (Personnel Identification Number) authentication and biometric information authentication is completed.

In a preferred embodiment of the present invention, the application installed in the smart device is a fingerprint, an iris, a voice, a face, a cornea, a hand, etc. of a user through a fingerprint sensor, a iris recognition sensor, a speech recognition sensor, A biometrics template recording unit configured to form a template using the obtained biometrics data and to securely record and manage the template, and a biometrics template registration unit configured to acquire biometrics information, A certificate management unit for managing the authorized authentication use setting information and the certificate issued from the certification authority including the authorized certification authority, and replacing the certificate password with the biometric information conformity according to the user policy information set by the user Certificate Password Replacement and Authorized Certificate Usage from User A user policy information processing unit for receiving policy information and performing encryption key division according to the user policy, and a biometric authentication processing unit for processing a process necessary for biometric information authentication.

In a preferred embodiment, the authorized certification authority server includes a storage module for storing user's personal information, biometric information, user policy information, authorized authentication information, a communication module for communicating with the smart device, And an authentication module for controlling the transmission of the public authentication cryptographic key according to the coincidence of the cryptographic keys.

In a preferred embodiment, the authentication module includes a device authentication unit for authenticating a smart device held by a user, a user policy information determination unit for determining whether the entered user policy information matches the public certificate usage environment information, And an approval control unit for issuing an authorized certificate of the user or transmitting an encryption key necessary for using the issued public key certificate to the smart device after the authentication of the user including authentication and biometric information authentication is completed.

In the authentication method using the key division method according to another aspect of the present invention, the public authentication method using the key division method includes the steps of receiving input of the public authentication use environment policy information from the user in the smart device, A step of authenticating a PIN (Personnel Identification Number) or biometric information for authenticating the user in the smart device, a step of requesting a part of the divided cryptographic keys from the smart device to the server, Storing a part of the divided cryptographic keys after completing the device authentication upon receipt of the trust request from the smart device at the server, and when the server receives a request for transmission of a part of the divided cryptographic keys from the smart device, After completing the device authentication and authentication, some of the divided encryption keys are transferred to the smart device Phase and a smart device that comprises the step of receiving a portion of the divided encryption key from the server to perform the certification.

In a preferred embodiment, transmitting the part of the divided cryptographic keys to the smart device includes receiving device information from the smart device to perform device authentication, receiving the PIN number information from the smart device, Performing biometric authentication by receiving biometric information from the smart device, and controlling encryption key transmission based on the user policy information input by the smart device user.

In a preferred embodiment, the authorized authentication use environment policy information includes the authorized certificate use time information, the storage device of the authorized certificate, and the authorized certificate use website information.

In a preferred embodiment, the step of receiving the usage environment policy information further includes receiving the authentication process setting information from the smart device user.

In a preferred embodiment, the authentication process includes at least one of a PIN number authentication process and a biometric information authentication process, and the PIN number authentication process is replaced with a biometric information authentication process.

Through authentication of the user through the key partitioning method and user environment policy of the present invention, the user is assured of the security of electronic authentication and electronic payment for the authentication, financial transaction, settlement, and electronic payment transactions in online electronic financial transactions and the like .

Also, by providing a method of authenticating a user in real time using biometric information of a user every time the user logs in, acquiring a secret key value, and securely encrypting and storing and operating the other key values, Prevention and security.

1 is a block diagram illustrating a configuration of a public authentication system using biometric information recognition according to an embodiment of the present invention.
2 is a diagram illustrating a functional configuration of an application installed in a smart device according to an embodiment of the present invention.
3 is a diagram illustrating a configuration of a public key certificate authority server according to an embodiment of the present invention.
4 is a diagram illustrating a signal flow for certificate issuance in the public authentication system according to the embodiment of the present invention.
5 is a diagram illustrating a procedure of using a public authentication system using a key division method and biometric information according to an embodiment.
6A to 6E are views showing a public authentication service interface according to an embodiment.
7 is a diagram illustrating a configuration of a computer device in which a public authentication method using biometric information recognition and a key division method according to an embodiment of the present invention can be performed.

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a user authentication system and an authentication method using biometric information, user policy information, and a key division method, and more particularly, to an electronic authentication and electronic transaction authentication Authentication system for securing the safety of the user.

BRIEF DESCRIPTION OF THE DRAWINGS The advantages and features of the present invention, and the manner of achieving them, will be apparent from and elucidated with reference to the embodiments described hereinafter in conjunction with the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. And is intended to enable a person skilled in the art to readily understand the scope of the invention, and the invention is defined by the claims. It is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. In the present specification, the singular form includes plural forms unless otherwise specified in the specification. It is noted that " comprises, " or "comprising," as used herein, means the presence or absence of one or more other components, steps, operations, and / Do not exclude the addition.

The term " module ", as used herein, should be interpreted to include software, hardware, or a combination thereof, depending on the context in which the term is used. For example, the software may be machine language, firmware, embedded code, and application software. In another example, the hardware can be a circuit, a processor, a computer, an integrated circuit, a circuit core, a sensor, a micro-electro-mechanical system (MEMS), a passive device, or a combination thereof.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Reference will now be made in detail to the preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings.

1 is a block diagram illustrating a configuration of a public authentication system using biometric information recognition according to an embodiment of the present invention.

Referring to FIG. 1, an authentication system using biometric information recognition and a key division method may include a smart device 100, an authorized certification authority server 200, and a service providing server 300.

The smart device 100 receives the biometric information of the user and the authentication certificate user policy information from the user. Herein, the biometric information means the user's personal information such as fingerprint, iris, voice, cornea, hand shape, etc., which can authenticate the user's identity and identity. The user policy information is user policy information including the authorized certificate use time, the prohibited time, the time of using the authorized certificate such as the authorized certificate use site and the prohibited site, and the web environment information, and controls the indiscriminate use of the authorized certificate Information.

The smart device 100 is provided with an application for providing a public authentication service using biometric information and a key division method according to an embodiment. Specifically, an application installed in the smart device 100 receives user authentication through biometric information recognition of a user including a fingerprint and authorized certificate user policy information including a usage time from the user, Means a program that performs authorized authentication under the condition and divides the encryption key for authentication of the user.

The authorized certification authority server 200 receives and stores the authorized authentication use policy information input by the user from the smart device 100 and stores the biometric information template configuration corresponding to the user's biometric information and the biometric information of the user, Extract and save the password value of the template.

Upon receiving the certificate issuance request from the smart device, the public certification authority server 200 first performs the smart device authentication, receives the hash value of the biometric information template for authentication, and performs the identity authentication. In the embodiment, the identity authentication is an authentication process including at least one of password authentication and biometric information authentication. For example, the identity authentication may be performed after the password authentication by performing biometric authentication to increase the security strength, or by replacing the password authentication with the biometric authentication, and then performing the identity authentication without inputting a password such as a PIN.

After the authentication of the user according to the embodiment is completed, the authorized certification authority server 200 transmits the requested authorized certificate encryption key to the smart device in accordance with the user policy information.

The smart device 100 receives the authentication certificate encryption key, performs public authentication, and transmits the authentication result to the service providing server 300. After authentication, the smart device 100 provides various services to the user.

The service providing server 300 according to the embodiment can not provide the various services to the consumers until it has to go through the website and accredited authentication procedure in which the online financial transaction occurs such as various financial transaction institutions including a bank, Server.

2 is a diagram illustrating a functional configuration of an application installed in a smart device according to an embodiment of the present invention.

More specifically, FIG. 2 shows an application 125 corresponding to a program configuration in which a key partition method and a biometric information of a user are replaced with a certificate password of a public key certificate, Those skilled in the art will be able to refer to and / or modify the FIGURE 1 to illustrate various implementations of the functionality of the smart device 100 However, the present invention is not limited to the technical features of the present invention. Preferably, the smart device 100 according to the embodiment of the present invention includes at least one smart phone, a mobile phone, a tablet PC, and the like.

2, the smart device 100 includes a control unit 101, a memory unit 113, a screen output unit 102, a key input unit 103, a sound output unit 104, a sound input unit 105, A biometrics recognition module 115, a wireless network communication module 108, a short range wireless communication module 107, a USIM reader 109 and a USIM 110, and a battery 106 for power supply do. According to an embodiment of the present invention, the wireless terminal 100 may further include an external memory interface unit 111 and an external memory unit 112.

The control unit 101 is a generic term for controlling the operation of the smart device 100. The control unit 101 includes at least one processor and an execution memory, Bus (BUS).

According to the embodiment of the present invention, the control unit 101 loads at least one program code included in the wireless terminal 100 into the execution memory through the processor, and transmits the result to the at least one component through the bus And controls the operation of the smart device 100. Hereinafter, the configuration of the application 125 of the present invention, which is implemented in the form of program code for convenience, will be described in the control unit 101. FIG.

The memory unit 113 is a general term of the nonvolatile memory provided in the smart device 100 and stores at least one program code executed through the control unit 101 and at least one data set used by the program code, do. The memory unit 113 basically includes a system program code and a system data set corresponding to the operating system of the smart device 100, a communication program code and a communication data set for processing a wireless communication connection of the smart device 100, The program code and the application data set are stored, and the program code and data set corresponding to the application 125 of the present invention are also stored in the memory unit 113. [

According to the embodiment of the present invention, the memory unit 113 provided inside the smart device 100 can set a secure storage area for securely recording and managing the biometric template configured through the biometric data recognized from the user's biometric In this case, the memory unit 113 provided in the wireless terminal 100 can perform a function of a secure element (SE) module for securely recording / managing the biometric template.

The application 125 according to the embodiment includes a certificate management unit 130, a biometric data acquisition unit 135, a biometric template recording unit 140, a biometric template deformation value verification unit 145, a certificate password replacement unit 150, A processing unit 155, a user policy information processing unit 160, a certificate password processing unit 165, an electronic signature processing unit 170, and the like.

The certificate management unit 130 stores the certificate file corresponding to the authorized certificate of the user issued or copied to the smart device 100 in the designated certificate storage area of the memory unit 113 and manages various key values provided in the certificate file Is a generic term for the program components. The certificate management unit 130 may be provided in the application 125 as shown in FIG. 1 or may be in the form of an external program that works with the application 125.

The biometric data acquisition unit 135 acquires the biometric data of the user's fingerprint, face, iris voice, face, cornea, hand, and the like through the fingerprint sensor, the iris recognition sensor, the voice recognition sensor, Shape, and the like, and encodes the biometric information into biometric data.

The biometric template recording unit 140 forms a template using the obtained biometric data, and records and manages the configured template securely. The biometric template deformation value confirmation unit 145 confirms the biometric template deformation value having hash of the recorded biometric template.

The certificate password replacing unit 150 can replace the certificate password of the public certificate with the verified biometric template deformation value according to the user policy information set by the user and apply it to the certificate file.

The biometric authentication processing unit 155 extracts the biometric template recorded in the storage area, constructs the biometric template for authentication corresponding to the biometric data of the user, and then compares the extracted biometric template with the configured biometric template for authentication, To authenticate the validity of the user's biometric data.

In particular, the user policy information processing unit 160 receives the authorized certificate use policy information from the user, and performs the encryption key division according to the user policy. Specifically, the user policy information processing unit 160 restricts the use time and the usage web site for limiting the use of the authorized certificate, divides the cipher key necessary for the user authentication according to the user request, When requesting the server 200 to commit, it generates a cryptographic key that is entrusted to the authorized certification authority server 200 through cryptographic key division.

When the deformation value of the biometric template is obtained, the certificate password processor 165 processes the obtained biometric template deformation value to be used as the certificate password of the public certificate managed by the certificate managing unit 130 .

When the biometric template deformation value is used as the certificate password, the digital signature processing unit 170 processes the digital signature process through the obtained private key.

In the application according to the embodiment, the encryption key for authentication of the user can be divided according to the user policy setting, and the security key of the authentication certificate can be strengthened by committing the encryption key to the server.

3 is a diagram illustrating a configuration of a public key certificate authority server according to an embodiment of the present invention.

Referring to FIG. 3, the authorized certification authority server 200 according to the embodiment includes an authentication module 210, a communication module 220, and a storage module 230.

The storage module 230 stores usage history information of the user, user policy information, device authentication information, and authorized authentication information.

The authentication module 210 controls the transmission of the public authentication cryptographic key according to the validity of the device authentication information received from the smart device. The authentication module 210 includes a device authentication unit 211, a user policy information determination unit 212, an information extraction unit 213, and an approval control unit 214.

The device authentication unit 211 performs smart device authentication carried out by the user. For example, the device authentication unit 211 performs authentication by verifying the digital signature of the smart device 100 and verifying whether the registered device certificate is valid or not, when the smart device 100 electronically signs the smart device 100 through various types of device certificates.

The user policy information determination unit 212 determines whether the entered user policy information matches the public certificate usage environment information. In the embodiment, the user policy setting is for preventing abuse of the authorized certificate. If the user policy information (for example, the use time of the certificate, etc.) inputted by the user does not correspond to the time information when the certificate is used, Restriction, etc., to stop the authentication process.

The information extraction unit 213 extracts information required for authentication from the storage module 230 and inputs the extracted information to the approval control unit 214. [

If the smart device authentication is successfully completed, the approval control unit 214 issues the user's authorized certificate or transmits the encryption key necessary for using the issued public key certificate to the smart device 100 according to the user setting policy.

In the authorized certification authority server according to the embodiment of the present invention, the cryptographic key entrusted from the smart device is stored according to the user policy information, and after the authentication of the user is completed, the cryptographic key is transmitted to the smart device to use the authorized certificate Thereby enhancing security. In addition, by using the user policy information for the authentication control of the user, abuse of the authorized certificate is prevented.

Hereinafter, the authentication method of the key division scheme according to the embodiment of the present invention will be described in turn through the signal flow diagram and the embodiment of the authorized authentication service display shown in Figs. 6A to 6E. In describing the function (function) of the key division authentication method according to the present invention, a description overlapping with the function of the authorized authentication system using biometric information will be omitted.

4 is a diagram illustrating a signal flow for certificate issuance in the public authentication system according to the embodiment of the present invention.

Referring to FIG. 4, in the public authentication system according to the embodiment, the public key certificate server may include an authentication authority server that provides a cloud service.

In order to issue a certificate, the smart device 100 downloads an application that performs public authentication according to a key division method and user policy information (S411). (Step S412), PIN number setting (step S413), and biometric information registration step (step S414) in the smart device 100 according to the authentication procedure of the downloaded application. In the embodiment, the biometric information registration is performed by registering biometric information capable of authenticating the user as unique biometric information such as fingerprint, iris, voice, face, and hand shape through various sensors and cameras installed in the smart device 100 .

Then, in the smart device 100, a process of extracting smart phone unique information is performed for device authentication (S415). Here, the smart phone unique information means a unique identifier including a device ID, a memory ID, and the like that can authenticate the smart device. After extracting the unique information, the smart device 100 transmits a device certificate or a certificate issuance request signal to the authorized certification authority 300 or the related server (S416).

Upon receiving the issuance request signal from the authorized certification authority 300, the issuance request signal is issued in step S417 according to the device authentication result and the received signal in step S417. The issued certificate is transmitted to the smart device 100, (Step S418).

     The smart device 100 performs a process of receiving user policy information (S419). In the embodiment, the user policy information refers to usage environment policy information for certificate security such as usage time setting for preventing certificate abuse, setting of a used website, and security level setting. Here, the security level setting is, for example, to set an authentication process for the user, and sets the authentication process according to the user's convenience and a desired security level. The user authentication process can be selected by performing the password authentication and the biometric information authentication process according to the user's selection, performing the password authentication or biometric authentication process, or inputting the biometric information as the password replacement information have.

When the user policy input is completed, the input policy information is transmitted to the authorized certification authority 300 or the related server in operation S420. The authorized certification authority 300 stores and registers the received policy information, and transmits the policy information registration result to the smart device 100 (S421).

The smart device 100 divides the security key to enhance the authentication key security level (S422). In the security key division process according to the embodiment, the security key is divided (Key = Part1 + Part 2), and a password is set to a certain portion of the keys constituting the security key so that the security key can be completed only when the passwords match do. As a result, a higher security level can be maintained when performing public authentication with a single security key.

The smart device 100 stores a part (Part 1) of the divided security key (S423) and transmits the consignment of the security key (Part 2) of another part excluding the stored part to the accredited certification authority 300 or the related server (S424).

The server 200 or the authorized certification authority 300 receiving the trust request stores the divided security key (Part 2) (S425). After the storage is completed, the security key (Part 2) of the divided part is transmitted to the smart device 100 (S426).

5 is a diagram illustrating a procedure of using a public authentication system using a key division method and biometric information according to an embodiment.

In the case of using the fingerprint information according to the embodiment of the present invention, the biometric information is recognized through the touch of the user, and the recognized fingerprint information may replace the password. , The term "touch certificate" is used instead of the "public certificate".

Referring to FIG. 5, in step S1, a process of requesting a touch certificate from a service provider (SP) is performed in a client N-screen (Smart phone). As shown in FIG. 6C, the touch certificate refers to a certificate capable of performing public authentication by sensing a touch of a user and recognizing fingerprint information. As shown in the display example shown in FIG. 6B, the touch certificate according to the embodiment can display the issuing organization (e.g., Woori Bank, Kookmin Bank, etc.) inside the certificate, thereby enhancing the convenience of identifying the user's certificate. 6A shows an embodiment of a certificate display for enhancing certificate identification convenience, according to an embodiment. As shown in FIG. 6A, an effective authority, a personalization agent, a use purpose and a registration authority of a certificate are displayed to improve user convenience.

In step S2, the service providing server receiving the touch certificate request transmits a QR code or Push message for performing authentication to the client terminal.

In step S3, the QR code and the push message received from the smart device are read. Thereafter, in step S4, when the customer terminal inquires the user policy from the authorized certification authority, the authorized certification authority performs a process of transmitting the related user policy information and the certificate list to the smart device.

In step S6, a process of confirming user policy information (e.g., site, usage time and authentication method) transmitted from the smart device is performed. In step S7, a process of selecting a public key certificate desired by the user is performed in the smart device.

In step S8, user authentication (e.g. fingerprint or PIN authentication) of the selected authorized certificate is performed.

In step S9, the digital signature for the user authentication or the device authentication is generated. In step S10, the digital signature for the user authentication or the device authentication is transmitted to the accredited certification authority.

In step S11, the device digital signature is verified. In step S12, the device certificate is verified according to the device digital signature verification result.

In step S13, the authorized certification authority performs a process of requesting the withdrawal of the key (part 2) entrusted to the authentication service provision cloud or the related server (CS, Credential Server). At this time, the key (part 2) is a part of the divided security key.

In step S14, a process of fetching a part (part 2) of the divided security key is performed in the server (CS). In step S15, a part (part 2) of the fetched security key is transmitted to the smart device.

In step S16, a process (Key = Part1 + Part2) of combining a part (part 2) of the security key received from the smart device with a part (Part 1) of the security key previously stored and a secret key decryption process are performed.

In step S17, a public electronic signature is generated based on the key combination, and in step S18, the public electronic signature generated is transmitted to the accredited certification authority.

In step S19, a certificate use record is extracted according to an authorized digital signature. In step S20, a public certification authority transmits a certified electronic signature to the smart device.

In step S21, the official digital signature transmitted from the smart device is transmitted to the service providing server, and the service provided by the service providing server is provided to the user through the smart device.

According to the embodiment of the present invention, by using the biometric information, the user policy information, and the key division method in the authentication process of the user, electronic authentication for the user, electronic authentication for the payment transaction, And the like.

Meanwhile, the data flow-based large-scale data stream processing method according to an embodiment of the present invention can be implemented in a computer system or recorded on a recording medium. 6, the computer system includes at least one processor 121, a memory 123, a user input device 126, a data communication bus 126, a user output device 127, And may include a storage 128. Each of the above-described components performs data communication via the data communication bus 122. [

The computer system may further include a network interface 129 coupled to the network. The processor 121 may be a central processing unit (CPU) or a semiconductor device that processes instructions stored in the memory 123 and / or the storage 128.

The memory 123 and the storage 128 may include various forms of volatile or nonvolatile storage media. For example, the memory 123 may include a ROM 124 and a RAM 125.

Meanwhile, the data flow-based large-scale data stream processing method according to the embodiment of the present invention described above can be implemented as a computer-readable code on a computer-readable recording medium. The computer-readable recording medium includes all kinds of recording media storing data that can be decoded by a computer system. For example, there may be a ROM (Read Only Memory), a RAM (Random Access Memory), a magnetic tape, a magnetic disk, a flash memory, an optical data storage device and the like. The computer-readable recording medium may also be distributed and executed in a computer system connected to a computer network and stored and executed as a code that can be read in a distributed manner.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. Therefore, the scope of the present invention should not be limited by the illustrated embodiments, but should be determined by the scope of the appended claims and equivalents thereof.

Claims (11)

An authorized authentication system using biometric information recognition,
A user authentication unit configured to receive a user authentication information including a user's biometric information including a fingerprint and user time information including a usage time from the user to perform authorized authentication under a condition matching the user policy information, A smart device equipped with an application for dividing the application;
Storing user policy information input by the user, extracting a biometric information template configuration corresponding to the biometric information of the user and the biometric information, and a password value of the biometric information template,
Upon receipt of the authentication certificate issuing request from the smart device, performing the smart device authentication, receiving the hash value of the biometric information template, and after completion of the authentication including the password authentication and the biometric information authentication, A public certification authority (CA) server for transmitting the requested public key to the smart device under a matching condition;
The authentication system using biometric information recognition.
The method of claim 1, wherein the application installed in the smart device
Divides the cryptographic key for authentication of the principal, and subcontracts a part of the divided cryptographic key to the authorized certification authority server,
Wherein the authorized certification authority server completes the device authentication through the information received from the smart device, and when the identity authentication including at least one of PIN (Personnel Identification Number) authentication and biometric information authentication is completed,
And transmits a part of the divided cryptographic key to the smart device.
The method of claim 1, wherein the application installed in the smart device
The biometric information including at least one of the fingerprint, the face, the iris, the voice, the cornea, and the hand shape of the user is obtained through the fingerprint recognition sensor, the iris recognition sensor, the voice recognition sensor and the camera of the smart device, a biometric data obtaining unit for encoding the biometric data;
A biometric template recording unit configured to construct a template using the obtained biometric data and securely record and manage the configured template;
A certificate management unit for managing the public authentication use setting information input by the user and the certificate issued by the certification authority including the public certification authority;
A certificate password replacement unit for replacing the certificate password with the biometric information according to the user policy information set by the user; And
A user policy information processor for receiving authorized certificate use policy information from the user and performing an encryption key division according to the user policy; And
A biometric authentication processing unit for processing a process necessary for the biometric information authentication;
And a biometric information authentication system for authenticating the biometric information.
The system according to claim 1, wherein the authorized certification authority server
A storage module for storing usage history information of the user, user policy information, device authentication information, and authorized authentication information;
A communication module for communicating with the smart device;
An authentication module for controlling the transmission of the public authentication cryptographic key according to whether the electronic signature of the device certificate received from the smart device and the validity of the certificate match; Wherein the biometric information recognition system comprises:
5. The apparatus of claim 4, wherein the authentication module
A device authentication unit for authenticating the smart device owned by the user;
A user policy information determination unit for determining whether the input user policy information matches the public certificate usage environment information; And
An approval control unit for issuing the user's authorized certificate after the completion of the smart device authentication authentication or transmitting the encrypted key required for using the issued authorized certificate to the smart device;
And a biometric information authentication system for authenticating the biometric information.
In a public authentication method using a key division method,
Receiving the authorized authentication use environment policy information from the user in the smart device;
Completing the device authentication by communication between the smart device and the server;
Performing PIN (Personnel Identification Number) authentication or biometric information authentication for authenticating the user in the smart device;
Requesting a part of the divided encryption keys from the smart device to the server;
Storing a part of the divided cryptographic keys when the server receives the trust request from the smart device; And
When the server receives a transmission request for a part of the divided cryptographic keys from the smart device, transmitting a part of the divided cryptographic keys to the smart device after completing the device authentication; And
The smart device performing a public authentication by receiving a part of the divided encryption keys from the server; The authentication method using the key division method including the key division method.
7. The method of claim 6, further comprising: transmitting a portion of the partitioned cryptographic keys to the smart device
The step
Performing device authentication by receiving device information from the smart device;
Receives the PIN number information from the smart device and performs first-name authentication
step;
Performing biometric authentication by receiving biometric information from the smart device;
Based on the user policy information input by the smart device user,
Controlling transmission; Using a key partition scheme
One accredited certification method.
The method according to claim 6, wherein the authorized authentication use environment policy information
A public key certificate use time information, a storage device of the public key certificate, and a website information for using the public key certificate.
The method of claim 6, wherein the step of receiving the usage environment policy information comprises:
Receiving authentication process setting information from the smart device user; The authentication method according to claim 1, further comprising:
10. The method according to claim 9,
A PIN number authentication process, and a biometric information authentication process,
Wherein the PIN number authentication process is replaced with a biometric information authentication process.
A computer-readable recording medium on which a program for implementing the method of claim 6 is recorded.
KR1020150075748A 2015-05-29 2015-05-29 Certification System for Using Biometrics and Certification Method for Using Key Sharing and Recording medium Storing a Program to Implement the Method KR101724401B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150075748A KR101724401B1 (en) 2015-05-29 2015-05-29 Certification System for Using Biometrics and Certification Method for Using Key Sharing and Recording medium Storing a Program to Implement the Method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150075748A KR101724401B1 (en) 2015-05-29 2015-05-29 Certification System for Using Biometrics and Certification Method for Using Key Sharing and Recording medium Storing a Program to Implement the Method

Publications (2)

Publication Number Publication Date
KR20160139885A true KR20160139885A (en) 2016-12-07
KR101724401B1 KR101724401B1 (en) 2017-04-07

Family

ID=57573268

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150075748A KR101724401B1 (en) 2015-05-29 2015-05-29 Certification System for Using Biometrics and Certification Method for Using Key Sharing and Recording medium Storing a Program to Implement the Method

Country Status (1)

Country Link
KR (1) KR101724401B1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108667609A (en) * 2017-04-01 2018-10-16 西安西电捷通无线网络通信股份有限公司 A kind of digital certificate management method and equipment
KR20190124552A (en) * 2018-04-26 2019-11-05 한국조폐공사 Method for storing and restroring block chain-based key and user terminal using the same
KR20200038899A (en) * 2018-03-29 2020-04-14 (주)키스톤랩 Ready Pending trading system based electronic wallet and method for trading the same
KR102117931B1 (en) * 2019-08-22 2020-06-02 정성원 Method of conducting second user authentication using for block chain stored in multiple node in server
KR20200118303A (en) 2019-04-04 2020-10-15 (주)누리텔레콤 Private key securing methods of decentralizedly storying keys in owner's device and/or blockchain nodes
KR20220040976A (en) * 2020-09-24 2022-03-31 박성기 Identity verification system using user-based personal information replacement connect information and method thereof
WO2022169273A1 (en) * 2021-02-05 2022-08-11 (주)이스톰 Method for managing electronic certificate on basis of biometric information
CN116680673A (en) * 2023-06-20 2023-09-01 深圳市彤兴电子有限公司 Identity verification method and device for display and computer equipment

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102397651B1 (en) * 2021-12-28 2022-05-16 주식회사 꾼미디어 User customized advertising method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005517348A (en) * 2002-02-05 2005-06-09 シュアテイ インコーポレイテッド A secure electronic messaging system that requires a key search to derive a decryption key
JP2009043042A (en) * 2007-08-09 2009-02-26 Nec Corp Authentication system and authentication method
KR20140063014A (en) * 2012-11-16 2014-05-27 사단법인 금융결제원 Method for substituting password of certificate by using biometrics
KR20140076275A (en) * 2012-12-12 2014-06-20 한국전자통신연구원 Authentication method for smart system in cloud computing environment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005517348A (en) * 2002-02-05 2005-06-09 シュアテイ インコーポレイテッド A secure electronic messaging system that requires a key search to derive a decryption key
JP2009043042A (en) * 2007-08-09 2009-02-26 Nec Corp Authentication system and authentication method
KR20140063014A (en) * 2012-11-16 2014-05-27 사단법인 금융결제원 Method for substituting password of certificate by using biometrics
KR20140076275A (en) * 2012-12-12 2014-06-20 한국전자통신연구원 Authentication method for smart system in cloud computing environment

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108667609A (en) * 2017-04-01 2018-10-16 西安西电捷通无线网络通信股份有限公司 A kind of digital certificate management method and equipment
CN108667609B (en) * 2017-04-01 2021-07-20 西安西电捷通无线网络通信股份有限公司 Digital certificate management method and equipment
US11363010B2 (en) 2017-04-01 2022-06-14 China Iwncomm Co., Ltd. Method and device for managing digital certificate
KR20200038899A (en) * 2018-03-29 2020-04-14 (주)키스톤랩 Ready Pending trading system based electronic wallet and method for trading the same
KR20190124552A (en) * 2018-04-26 2019-11-05 한국조폐공사 Method for storing and restroring block chain-based key and user terminal using the same
KR20200118303A (en) 2019-04-04 2020-10-15 (주)누리텔레콤 Private key securing methods of decentralizedly storying keys in owner's device and/or blockchain nodes
KR102117931B1 (en) * 2019-08-22 2020-06-02 정성원 Method of conducting second user authentication using for block chain stored in multiple node in server
KR20220040976A (en) * 2020-09-24 2022-03-31 박성기 Identity verification system using user-based personal information replacement connect information and method thereof
WO2022169273A1 (en) * 2021-02-05 2022-08-11 (주)이스톰 Method for managing electronic certificate on basis of biometric information
CN116680673A (en) * 2023-06-20 2023-09-01 深圳市彤兴电子有限公司 Identity verification method and device for display and computer equipment
CN116680673B (en) * 2023-06-20 2024-04-16 深圳市彤兴电子有限公司 Identity verification method and device for display and computer equipment

Also Published As

Publication number Publication date
KR101724401B1 (en) 2017-04-07

Similar Documents

Publication Publication Date Title
US20220201477A1 (en) Anonymous authentication and remote wireless token access
US11218480B2 (en) Authenticator centralization and protection based on authenticator type and authentication policy
TWI667585B (en) Method and device for safety authentication based on biological characteristics
KR101724401B1 (en) Certification System for Using Biometrics and Certification Method for Using Key Sharing and Recording medium Storing a Program to Implement the Method
US11664997B2 (en) Authentication in ubiquitous environment
CN105429760A (en) Method and system for identity verification of digital certificate based on TEE (Trusted Execution Environment)
CN105516104A (en) Identity verification method and system of dynamic password based on TEE (Trusted execution environment)
WO2007094165A1 (en) Id system and program, and id method
CN104820814A (en) Second-generation ID card anti-counterfeiting verification system
CN110807624A (en) Digital currency hardware cold wallet system and transaction method thereof
KR20090019576A (en) Certification method and system for a mobile phone
EP3443501B1 (en) Account access
CN106156549B (en) application program authorization processing method and device
KR101868564B1 (en) Apparatus for authenticating user in association with user-identification-registration and local-authentication and method for using the same
KR20200022194A (en) System and Method for Identification Based on Finanace Card Possessed by User
KR101611099B1 (en) Method for issuing of authentication token for real name identification, method for certifying user using the authentication token and apparatus for performing the method
KR101936941B1 (en) Electronic approval system, method, and program using biometric authentication
JP2006293473A (en) Authentication system and authentication method, terminal device, and authentication device
KR101619282B1 (en) Cloud system for manging combined password and control method thereof
KR101613664B1 (en) Security system reinforcing identification function on the electronic business using certificate
KR102440879B1 (en) System and method for complex authentication that combines RFID tags and simple passwords
KR101804845B1 (en) OTP authentication methods and system
KR101592475B1 (en) Illegal using preventing system for membership internet service
KR20200103615A (en) System and Method for Identification Based on Finanace Card Possessed by User
JP2019133555A (en) Communication system, terminal device, and program

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E90F Notification of reason for final refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant