KR20190130206A - SECURITY ENHANCED THIRD PARTY'S SECURITY AUTHENTICATION SYSTEM OF IoT DEVICES IN CASE OF LOST AND METHOD THEREOF - Google Patents

Abstract

The present invention relates to a third-party security authentication system and method of an IoT device with enhanced loss security. Disclosed are a third-party security authentication system and method of an IoT device with enhanced loss security, the system including an authentication server which previously stores GPS information on an area where a mobile terminal is mainly used, registers the IoT device to be remotely controlled in the mobile terminal, and requests deletion of automatic logging-in from the mobile terminal when receiving, from the mobile device, a request for remote control of the IoT device and GPS information received from the mobile terminal and GPS information of the area do not match a predetermined number of times or more. According to the present invention. The third-party security authentication system and method of an IoT device with enhanced loss security can solve a security problem that may be caused by loss by deleting an automatic log-in function of the mobile terminal by using the GPS information even when the mobile terminal legitimately registered is lost.

Description

SECURITY ENHANCED THIRD PARTY'S SECURITY AUTHENTICATION SYSTEM OF IoT DEVICES IN CASE OF LOST AND METHOD THEREOF}

The present invention relates to a third-party security authentication system and method for IoT devices with enhanced security for lost security, and the IoT security for enhanced security that can maintain security even when a mobile terminal registered to properly use the IoT device is lost. A third party security authentication system and method are provided.

In general, authentication technologies for controlling IoT devices using existing mobile terminals primarily use authentication information such as ID and password, and secondly, use security card or bio information (fingerprint, iris, etc.). When a mobile terminal is lost or when a mobile terminal or an IoT device is hacked, authentication information such as an authentication key is leaked and reused, or a security check program logic may be ineffective through forgery / modulation of a program.

When the mobile terminal or IoT device is hacked as described above, there is a risk that property and life damage, personal privacy or corporate confidentiality, etc. may leak due to unauthorized control of the IoT.

That is, for example, when the mobile terminal itself is hacked, the security authentication key, the physical code of the mobile terminal, etc. are seized and reused, and the security procedure may be disabled through forgery / modulation of the program. In addition, during the authentication and control process between the mobile terminal and the IoT device, the communication packet may be exposed to sniffing, spoofing, and packet manipulation.

On the other hand, in order to prevent the hacking of the authentication information as described above, a separate authentication device such as an authentication card or USB may be used when authenticating a mobile terminal, but when using a separate authentication device such as an authentication card or USB, There was a possibility of loss and the cost of purchase, and inconvenience of having to carry it separately.

In addition, there is a problem that security restrictions occur in controlling the IoT devices in the mobile terminal because the authentication process is different between IoT device manufacturers.

In order to solve this problem, there has been an attempt for a third-party authentication method that includes an external authentication server and performs authentication of a mobile terminal and an IoT device. However, in the case of such third party authentication, a lot of automatic login functions are used when logging in to an IoT device using a mobile terminal. However, if an authorized mobile terminal is lost, the IoT device can be accessed automatically by automatic login, thus having a problem of freely accessing the IoT device.

Republic of Korea Patent Publication No. 10-2015-035971 (2015.04.07.published) Republic of Korea Patent Publication No. 10-2014-045829 (published Apr. 17, 2014) Republic of Korea Patent Publication No. 10-2016-0121775 (Published October 20, 2016)

In the present invention, in order to prepare for hacking during the user authentication and communication process between the mobile terminal and the IoT device, periodically check the GPS information of the mobile terminal during the third party authentication, and will not be located within the registered area within a certain time. In this case, the present invention provides a third-party security authentication system and method for a lost security-enhanced IoT device having a security processor that deletes an automatically stored login ID and password.

The present invention as described above is a third party security authentication system for IoT devices with enhanced loss prevention, an IoT device capable of transmitting and receiving data through a wired / wireless internet network, and a mobile terminal for remotely controlling the operation of the IoT device through a wired / wireless internet network. And, if there is a remote control request for the IoT device from the mobile terminal includes an authentication server for approving the remote control for the IoT device.

The authentication system performs an IoT device capable of transmitting and receiving data through a wired / wireless internet communication network, and performs data transmission and reception with the IoT device through the wired / wireless internet communication network, and remotely controls the operation of the IoT device through the data transmission and reception, and the IoT device A mobile terminal having an automatic login function which is automatically logged in to a mobile terminal, and pre-stores GPS information of an area in which the mobile terminal is mainly used, and registers the IoT device to be the remote control target with the mobile terminal, When there is a remote control request for the IoT device from the mobile terminal, if the GPS information received from the mobile terminal and the GPS information of the region mainly used are inconsistent for a predetermined number or more, request the mobile terminal to delete the automatic login. The mobile terminal is registered for remote control of the IoT device An authentication server for authenticating whether the mobile terminal is an authorized mobile terminal and approving remote control to the IoT device when the mobile terminal is the legitimate mobile terminal, and the authentication server masters the mobile terminal according to the control authority for the IoT device. Register and classify into a master and a family, and obtain the approval of the second mobile terminal classified as the master when registering the IoT device to the first mobile terminal classified into the family. Register the IoT device.

The authentication server checks whether the terminal information of the mobile terminal matches the terminal information of the mobile terminal pre-registered in the authentication server when the IoT device is registered, and if the terminal information matches each other, Registering the IoT device to the mobile terminal requesting registration.

In addition, the authentication server, when changing or deleting the information of the registered IoT device, the terminal information of the mobile terminal requesting information change or deletion of the IoT device and the terminal information of the mobile terminal previously registered in the authentication server; Check whether they match, and if the terminal information is matched with each other, changing or deleting the information on the IoT device.

In addition, the authentication server receives the integrity verification key of the control application of the IoT device installed in the mobile terminal, and after checking whether the program of the application is changed using the integrity verification key, the program of the application If not changed, characterized in that for registering the IoT device to the mobile terminal.

The authentication server may be configured to register the mobile terminal into a master and a family according to the control authority for the IoT device, and register the IoT device according to the registration request of the first mobile terminal classified into the family. And registering the IoT device with the first mobile terminal with the approval of the second mobile terminal classified as the master.

The random number value may be generated by the IoT device or the authentication server and provided to the mobile terminal.

The terminal information may include a physical code, a location, and equipment identification information. The physical code of the mobile terminal may be, for example, MAC address information or USIM information, and the location information of the mobile terminal and identification information of the terminal may be, for example. For example, it is characterized in that the information such as IP address, GPS information, telephone number.

The integrity verification key may be a key generated by using version information or checksum information of the application.

The present invention also provides a third party security authentication method in a third party security authentication system including a mobile terminal, an IoT device, and an authentication server connected through a wired / wireless internet network, wherein the authentication server remotely controls the IoT device. A first step of registering the requesting mobile terminal, a second step of registering an IoT device to be the remote control target in the mobile terminal, and a mobile terminal requesting a remote control for the IoT device from the mobile terminal; A third step of authenticating whether the mobile terminal is a legitimate mobile terminal registered for remote control of the IoT device; a fourth step of approving remote control of the IoT device if the mobile terminal requested for remote control is a legitimate mobile terminal; A fifth step of pre-registering GPS information on a region mainly used; a sixth step of receiving GPS information of a mobile terminal; Comparing the GPS information about the area where the horse is mainly used with the GPS information received in the sixth step, and if there is a discrepancy more than a predetermined number of times, and the seventh step of deleting the login ID and password stored in the mobile terminal, the authentication server, The mobile terminal is classified and registered as a master and a family according to the control authority for the IoT device, and the second mobile terminal classified as a master is approved when the IoT device is registered to the first mobile terminal classified as a family. Acquiring and registering the IoT device with the first mobile terminal.

The authenticating may include generating a first authentication key (receive key) using a random number in the authentication server and terminal information of the mobile terminal transmitted from the IoT device, and storing the previously registered mobile terminal. Receiving from the IoT device a second authentication key (generated key) generated using the terminal information and the random number transmitted from the IoT device, comparing the first authentication key with the second authentication key, And authenticating the mobile terminal as the legitimate mobile terminal when the first authentication key and the second authentication key coincide with each other.

In addition, the present invention is a third-party security authentication system for the mobile terminal and the IoT period, the IoT device capable of transmitting and receiving data through a wired and wireless Internet network, and performs data transmission and reception with the IoT device through the wired and wireless Internet network, the data transmission and reception A mobile terminal for remotely controlling the operation of the IoT device through the mobile terminal, an application verification server for registering the IoT device to be the remote control target with the mobile terminal, and managing information on the registered IoT device and the mobile terminal; When there is a remote control request for the IoT device from the mobile terminal, the mobile terminal authenticates whether the mobile terminal is a valid mobile terminal registered for remote control of the IoT device in connection with the application verification server, and requests the remote control. If the mobile terminal is the legitimate mobile terminal for the IoT device Includes an authentication server that accepts remote control.

In addition, the authentication server, when there is a remote control request for the IoT device from the mobile terminal, receives a random number and the first authentication key (receive key) generated from the application verification server, and transmitted from the IoT device After generating a second authentication key (generation key) using the terminal information of the mobile terminal and the random number, and comparing the first authentication key and the second authentication key, the first authentication key and the second authentication key If is matched, characterized in that the mobile terminal is determined to be a legitimate mobile terminal.

The random number value may be generated by the application verification server and provided to the authentication server and the mobile terminal.

The present invention also provides a third party security authentication method in a third party security authentication system including a mobile terminal, an IoT device, an application verification server, and an authentication server connected through a wired / wireless internet network. Registering the mobile device requesting remote control for the mobile terminal; registering the IoT device to be the remote control target with the mobile terminal in the application verification server; Transmitting the request to the authentication server when receiving a remote control request to the authentication server; and interworking with the application verification server in the authentication server to determine whether the mobile terminal is a valid mobile terminal registered for remote control of the IoT device. Authenticating the remote server; Approving remote control for the IoT device when the requesting control mobile terminal is the legitimate mobile terminal.

The authenticating may include receiving a first authentication key (receive key) generated by using the random number and the random number from the application verification server in the authentication server, and receiving the mobile terminal from the IoT device in the authentication server. Receiving the terminal information to generate a second authentication key (receive key) using the terminal information and the random number, comparing the first authentication key with the second authentication key, and comparing the first authentication key with And if the second authentication key matches, authenticating the mobile terminal with the legitimate mobile terminal.

According to the present invention, in the third-party security authentication of the mobile terminal and the IoT period, forgery / forgery check of the application program for remote control of the IoT device in preparation for hacking of the mobile terminal by introducing a third-party security authentication server, mobile terminal-IoT A third party checks and authenticates security authentication packets between devices, and generates a random number and applies a process of generating an authentication code by selecting one of physical code, location, and device identification information according to the random number. There is an advantage that can enhance the integrity and security of the security authentication process between IoT devices.

In addition, the authentication server according to the present invention stores the GPS information for the frequently used area for the legitimate mobile terminal of the IoT device, if the mobile terminal wants to control the IoT device, after receiving the GPS information from the mobile terminal, input When the mobile terminal is lost by providing a function to delete the ID and password required for automatic login stored in the mobile terminal if a difference is found more than a predetermined number of times compared to the GPS information of the pre-stored GPS information and the pre-stored frequently used area. It is also possible to provide adequate security.

Registers the IoT device to be remotely controlled for the mobile terminal that is not forged / modulated in the application program using the integrity verification key of the application for IoT remote control, and random number when there is a remote control request for the IoT device from any mobile terminal. By checking whether the authentication keys generated by the mobile terminal and the authentication server match each other using the value, the remote control of the IoT device is approved only for the mobile terminal with the matching authentication key. There is an advantage that does not cause damage such as unauthorized control and information change of the IoT device.

In addition, during the authentication and control process between the mobile terminal and the IoT device, it is possible to prevent the communication packet from being exposed to sniffing, spoofing, packet manipulation, and the like, and using a separate authentication device such as a conventional authentication card or USB when authenticating the mobile terminal. By using a one-time authentication key that combines a unique key and a random number, such as terminal information of the mobile terminal, to reduce the risk of loss and inconvenience in using a separate authentication device, such as an authentication card or USB, and increase the security, This has the advantage of saving the cost of implementing an authentication system.

1 is a block diagram of a third-party security authentication system for the mobile terminal and the IoT period according to the first embodiment of the present invention.
2 is a flow chart for registering / modifying / deleting a mobile terminal for controlling an IoT device in an authentication server according to a first embodiment of the present invention.
3 is a flowchart of registering / modifying / deleting an IoT device in a mobile terminal upon initial purchase of an IoT device according to the first embodiment of the present invention.
4 is a flowchart of registering / modifying / deleting a mobile terminal (Family) to a mobile terminal (Master) to control an IoT device according to the first embodiment of the present invention.
5 is a flowchart of registering / modifying / deleting an IoT device in a mobile terminal according to a first embodiment of the present invention.
6 to 7 are signal processing flowcharts for authenticating a mobile terminal accessing an IoT device in the IoT terminal security authentication system according to a first embodiment of the present invention.
8 to 9 are signal flow diagrams for authenticating a mobile terminal and a mobile terminal accessing an IoT device in an IoT term security authentication system according to another embodiment of the present invention.
10 is a block diagram illustrating a third party security authentication system for a mobile terminal and an IoT period according to another embodiment of the present invention.
11 is a flowchart of registering / modifying / deleting a mobile terminal controlling an IoT device in an application verification server according to another embodiment of the present invention.
12 is a flowchart of registering / modifying / deleting an IoT device in a mobile terminal upon initial purchase of an IoT device according to an embodiment of the present invention.
FIG. 13 is a flowchart of registering / changing / deleting a mobile terminal (Family) to a mobile terminal (Master) to control an IoT device according to an embodiment of the present invention.
14 is a flowchart of registering / modifying / deleting an IoT device in a mobile terminal according to another embodiment of the present invention.
15 to 16 are signal processing flowcharts for authenticating a mobile terminal accessing an IoT device in a mobile terminal and an IoT term security authentication system according to another embodiment of the present invention.

Hereinafter, with reference to the accompanying drawings will be described in detail the operating principle of the present invention. In the following description of the present invention, when it is determined that a detailed description of a known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted. Terms to be described later are terms defined in consideration of functions in the present invention, and may be changed according to intentions or customs of users or operators. Therefore, the definition should be made based on the contents throughout the specification.

1 illustrates a configuration of a mobile terminal and an IoT period third party security authentication system according to an embodiment of the present invention.

In the third party security authentication system according to an embodiment of the present invention, the authentication server 100, the mobile terminal 200, the IoT device 230 and the wired and wireless Internet network, etc., the group (type) of the terminal is mobile UE-IoT periods (1: m, n: 1, n: m) can be connected to the terminal group. Here, the wired / wireless internet network may be, for example, a communication network capable of directly connecting to an IoT device such as a voice communication network, a data communication network, and a Wi-Fi network.

In this case, IoT communication refers to a form evolved from USN (Ubiquitous Sensor Network), M2M (Machine to Machine). In other words, if M2M was primarily intended for communication between end-devices and people, the IoT would expand the scope of things to secure objects such as security devices, smart home appliances, heating and cooling devices, CCTV, lighting equipment, and temperature control devices. Communication that enables communication. In such IoT technology, sensing technology, communication technology, service technology, etc. exist, and through this, information of all things is constructed in a network like a wired / wireless internet network, and various services can be provided through acquired information. The IoT is a concept of an IoT space network that forms intelligent relationships such as sensing, networking, and information processing in cooperation with humans, things, and services in three distributed environment elements without explicit human intervention. The IoT, which is a major component of the IoT, includes not only communication equipment in wired and wireless networks, but also people, vehicles, bridges, various electronic equipment, cultural assets, and physical objects constituting a natural environment. The IoT extends the concept of M2M capable of intelligent communication between people and objects, objects and objects using a network, and interacts with all information in the real world and the virtual world as well as objects.

Hereinafter, an operation of each component of the third party security authentication system according to an embodiment of the present invention will be described in detail with reference to FIG. 1.

First, the authentication server 100 may be a server for authenticating whether the mobile terminal 200 accessing the IoT device 230 and performing remote control is a legitimate mobile terminal.

That is, the authentication server 100 performs an operation of registering / modifying / deleting the mobile terminal 200 for accessing an IoT device according to an embodiment of the present invention. In addition, when the mobile terminal 200 receives an authentication request for accessing the IoT device 230 after registration of the mobile terminal 200, the terminal information transmitted from the mobile terminal 200 and the mobile registered in the authentication server. By comparing the terminal information of the terminal, and checking whether the application program for controlling the IoT device has been changed, etc. to authenticate the mobile terminal 200, it is possible to remotely control the IoT device 230 in the mobile terminal 200. .

Such, the authentication server 100, the management log DB (110), authentication DB (120), management terminal DB (130), packet deodorization prevention unit 112, ID / Password (ID / Password) management unit 116, Authentication unit 122, authentication application (APP) management unit 112, source code modulation check unit 114, mobile terminal (Master / Family) management unit 118, IoT device management unit 126, inquiry management unit 128, A module such as a log manager 129 may be mounted.

The management terminal DB 130 stores the terminal information for the registered mobile terminal 200 and the IoT device 230, and sets the GPS information for the region mainly using the registered mobile terminal 200. An example of a common area could be a home or business location. Since the mobile terminal 200 is equipped with a GPS sensor, GPS information may be obtained or registered by converting an input address into GPS using the provided GPS sensor. The authentication DB 120 stores result values for authentication approval, authentication rejection, and authentication error, version information of the authenticated application and application program, and application integrity verification key information received from the mobile terminal or the IoT device 230. The management log DB 110 records a log of all operations executed by the authentication server 100 to manage information data such as status inquiry and statistics.

The packet deodorization prevention unit 112 prevents a packet transmitted and received between the mobile terminal 200 and the authentication server 100 from being stolen.

The ID / password manager 116 manages information on the login ID / password assigned to the mobile terminal 200 to log in to the authentication server 100.

If there is a remote control request for the IoT device 230 from the mobile terminal 200, the authenticator 122 authenticates whether the corresponding mobile terminal 200 is a legitimate mobile terminal having a remote control authority.

The authentication application manager 124 manages the version information and the integrity verification key of the authenticated IoT device control application.

The IoT device manager 126 manages information on the IoT device 230 registered in the authentication server 200.

The source code modulation check unit 114 checks forgery or modulation of an IoT device control application installed in the mobile terminal 200. In this case, the source code modulation check unit 114 may check forgery or modulation of the application by using checksum information of the application included in the integrity verification key of the application transmitted from the mobile terminal 200, for example. It may be, but is not limited thereto.

The mobile terminal (Master / Family) manager 118 manages the mobile terminal 200 registered in the authentication server 100. At this time, the mobile terminal 200 may be a mobile terminal (Master) 210 divided into a master and a mobile terminal (Family) 220 divided into a family according to the control authority for the IoT device 230, the mobile When the terminal (Master) 210 wants to register / change / delete the IoT device 230 in the mobile terminal (Family) 220, the authority to approve the registration / change / delete may be set. have.

The inquiry management unit 128 manages the information that the mobile terminal 200 accesses the authentication server 100 and inquires. The log manager 129 manages various log records of the mobile terminal 200 logging in to the authentication server 100.

The mobile terminal 200 may refer to a user terminal device capable of remotely controlling the IoT device 230 by accessing the IoT device 230 through a wired or wireless internet network. The mobile terminal 200 may be, for example, a terminal device such as a mobile phone, a smartphone, a PAD, a tablet, or the like that uses a voice communication network, a data communication network, and a Wi-Fi network to control the IoT device 230. It is not limited to this.

In addition, the mobile terminal 200 registers with the authentication server 100 to perform remote control on the IoT device 230, and remotely to the IoT device 230 through an authentication procedure through the authentication server 100. The control authority may be approved to remotely control the IoT device 230.

Such a mobile terminal 200 may be, for example, a transmission packet manager 211, an ID / password manager 212, a terminal approval manager 213, a login manager 214, an authentication manager 215, a security key manager ( 216, a module such as an IoT device operation management unit 217 may be mounted.

The transmission packet manager 211 manages packet transmission and reception of transmitted data (security key, mobile terminal information, etc.). The ID / password manager 212 manages an ID / password for logging in to the authentication server 100 and the IoT device 230. The terminal approval management unit 213 manages usage approval for the IoT device 230 with respect to the mobile terminal (Family) 220 accessing the IoT device 230.

The login manager 214 manages information on which the mobile terminal 200 logs in to the IoT device 230 or the authentication server 100. The authentication manager 215 manages the integrity verification key information of the application for controlling the IoT device installed in the mobile terminal 200.

The security key manager 216 generates and manages terminal information of the mobile terminal 200 as a security key. The terminal information of the mobile terminal 200 generated as the security key is the authentication server 100 for the mobile terminal 200. It may be used for registration of a furnace and performing authentication for remote control of the IoT device 230. The IoT device operation management unit 217 manages information on the IoT device 230 registered in the mobile terminal 200.

The IoT device 230 refers to an electronic device capable of wired and wireless Internet communication, and may include a security device for controlling various sensors, smart home appliances, heating and cooling devices, CCTV, lighting equipment, temperature control devices, hub equipment, and the like. That is, the IoT device 230 may be a device such as a refrigerator, a smart TV, or the like equipped with a communication function in the home, and home automation control for controlling various home devices connected by home automation. Device or the like.

In addition, the IoT device 230 may perform communication with the mobile terminal 200 through a wired / wireless internet network, and receive a remote control command transmitted from the mobile terminal 200 authenticated by the authentication server 100 to remotely control the command. The operation corresponding to the operation may be performed.

The IoT device 230 includes a transmission packet manager 231, an ID / password manager 232, an operation terminal register 233, a login verification unit 234, an authentication manager 236, a security key manager 237, Modules such as the random number generator 238 are mounted.

The transmission packet manager 231 manages information about packets transmitted and received between the mobile terminal 200 and the packets transmitted and received between the authentication server 100. The ID / password manager 232 manages the ID and password set to log in to the IoT device 230. The operation terminal registration unit 233 registers and manages information on the mobile terminal 200 registered to perform remote control on the IoT device 230. The login verification unit 234 examines the ID / password input from the mobile terminal 200 with respect to the mobile terminal 200 attempting to log in to the IoT device 230 and checks whether the login attempt is justified.

The authentication manager 236 manages the integrity verification key information of the application for controlling the IoT device installed in the IoT device 230. The security key manager 237 manages security key information generated by using terminal information of the mobile terminal 200 transmitted from the mobile terminal 200. The random number generator 238 generates a random number value for security authentication of the mobile terminal 200. The random number may be generated when the mobile terminal 200 registered in the authentication server 100 performs authentication for remotely controlling the IoT device 230. The generated random number is the mobile terminal 200 and the authentication server 100. May be provided respectively.

Meanwhile, although FIG. 1 illustrates that the random number generator 238 is provided in the IoT device 230, this is just one embodiment, but embodiments of the present invention are not limited thereto. That is, the random number generator 238 may be provided in the authentication server 100 as the random number generator 132 of the reference number 132 instead of the IoT device 230 according to the system configuration.

At this time, when the random number generation unit 132 is provided in the authentication server 100, the IoT device 230 for the random number required for authentication of the mobile terminal 200 requesting a remote control for the IoT device 230 It can be generated in the authentication server 100, the authentication server 100 is not provided with a random number value for the authentication of the mobile terminal 200 from the IoT device 230 at the time of authentication of the mobile terminal 200 In addition, the random number value may be directly generated and provided to the mobile terminal 200.

Data transmitted between the mobile terminal 200 and the IoT device 230 in the security authentication system may be transmitted through a wired or wireless Internet network, the transmitted packet is an authentication application installed in the mobile terminal 200, IoT device 230 or By using the authentication module to perform its own security check (packet deodorization prevention) it is possible to ensure the safety of the transmitted packet, it is possible to secure communication between the mobile terminal 200, IoT device 230.

2 is a flowchart illustrating a procedure for registering / modifying / deleting a mobile terminal to control an IoT device in an authentication server according to an exemplary embodiment of the present invention.

The mobile terminal 200 controls the IoT device 230 by registering the mobile terminal (Master) 210 and the mobile terminal (Master) 210 to perform a master role having a main control authority for the IoT device 230. It may be classified as a mobile terminal (Family) 220 that can be, but is not limited thereto. In addition, the mobile terminal (Master) 210 and the mobile terminal (Family) 220 are both required to register in the authentication server (100). Therefore, hereinafter, in the description of FIG. 2, both the mobile terminal (Master) 210 and the mobile terminal (Family) 220 will be collectively referred to as a mobile terminal 200.

Referring to FIG. 2, in order to perform operations such as registering / modifying / deleting the mobile terminal 200 in the authentication server 100, an IoT device control application must be installed and driven in the mobile terminal 200.

First, in the case of the process of registering the mobile terminal 200 to the management terminal DB 130 of the authentication server 100, after logging in to the authentication server 100 in the mobile terminal 200, the application for IoT device control The terminal information including the integrity verification key and the GPS information of the mobile terminal 200 is transmitted to the authentication server (100). At this time, the mobile terminal 200 transmits the GPS information about the area mainly used. The GPS information of such a predominantly used area may be defined as GPS information of a certain area range. For example, when receiving an address, the GPS range located within a certain range may be determined based on the GPS information of the address.

In this case, the integrity verification key is information for determining whether the application program is forged / modulated by hacking or the like, and may include, for example, version information or checksum information of the application, but is not limited thereto. It doesn't happen. In addition, the physical code of the terminal information of the mobile terminal 200 may be used as security key information for authentication for the mobile terminal 200 in the authentication server 100, such terminal information, for example, the mobile terminal 200 ) Can be physical code, location information, and equipment identification information. In addition, the physical code may be MAC address information or USIM information of the mobile terminal 200, but is not limited thereto.

At this time, in performing the login to the authentication server 100, the mobile terminal 200, for example, inputs an ID (ID), password (password), etc. previously assigned to access the authentication server 100 from a user or the like. It can receive and log in to the authentication server (100). Such an ID, password, etc. may be pre-assigned from the authentication server 100 before registration, and may be recognized by the user of the mobile terminal 200.

Then, the authentication server 100 registers the terminal information including the GPS information of the mobile terminal 200 and the integrity verification key of the application in the management terminal DB 130 of the authentication server 100. GPS information about a frequently used area can be used to delete the login ID and password stored when the mobile terminal 200 is lost.

Subsequently, when the authentication server 100 performs the registration on the mobile terminal 200 which requests the registration by logging in as described above, the mobile terminal 200 authenticates the terminal information of the mobile terminal 200 and the integrity verification key of the application. The DB 120 and the management terminal DB 130 may be notified that registration is normally completed.

Next, in the case of the process of changing the information of the mobile terminal 200 registered in the authentication server 100, the mobile terminal 200 performs a login to the authentication server 100.

Subsequently, the mobile terminal 200 transmits the integrity verification key of the application installed in the mobile terminal 200 and the changed terminal information of the mobile terminal 200 to the authentication server 100. In this case, the changed terminal information may be a physical code, location information and equipment identification information of the new mobile terminal 200 as the mobile terminal 200 is changed, and the physical code is the mobile terminal 200 as described above. May be MAC address information or USIM information. In addition, the location and equipment identification information is information to check where the equipment to be transmitted and the equipment is correct when transmitting data. For example, the installation location, GPS location information, IP address, mobile terminal number (phone number), etc. It can be included information. At this time, GPS information about the frequently used area is also input again.

Then, the authentication server 100 compares the integrity verification key of the application received from the mobile terminal 210 with the application integrity verification key of the pre-registered mobile terminal 200, the changed GPS information of the mobile terminal 200 Store the terminal information including the management terminal DB (130).

Subsequently, when the authentication server 100 normally performs the terminal information change on the mobile terminal 200 that requests the information change by logging in as described above, the authentication server 100 transmits a change operation completion message to the mobile terminal 200 and completes the change operation. .

Meanwhile, in this case, if the login password for the authentication server 100 is continuously set to the default (default), the authentication server 100 may request the password change to the mobile terminal 200.

Accordingly, the mobile terminal 200 changes the login password and transmits it to the authentication server 100. Then, the authentication server 100 modifies the login password, notifies the mobile terminal 200 of the modification result, and terminates the password change process.

Meanwhile, in the description, for example, only the information change of the mobile terminal 200 has been described, but in the case of deleting the terminal information for the mobile terminal 200, the terminal for the registered mobile terminal 200 through the same process as the change procedure. Information can be deleted.

3 is a flowchart illustrating a procedure for registering / modifying / deleting an IoT device in the mobile terminal 200 upon initial purchase of an IoT device according to an embodiment of the present invention. In this case, the mobile terminal 200 for registering / modifying / deleting the IoT device 230 will be described with an example of a mobile terminal (Master) 210 registered as a master in the authentication server 100.

Referring to FIG. 3, in order to perform a process of registering / modifying / deleting the IoT device 230 in the mobile terminal (Master) 210, the mobile terminal 200 is registered / modified / in the authentication server 100. As in the case of deleting, an IoT device control application must be installed and driven in the mobile terminal (Master) 210.

First, in the case of the process of registering the IoT device 230 in the mobile terminal (Master) 210, after logging in to the IoT device 230 from the mobile terminal (Master) (210), the mobile terminal (Master) ( It transmits the integrity verification key of the application installed in the 210 and the terminal information of the mobile terminal (Master) (210) to the IoT device (230). In this case, the terminal information of the mobile terminal (Master) 210 may be, for example, a physical code, location information and equipment identification information of the mobile terminal (Master) (210).

At this time, in performing the login to the IoT device 230, the mobile terminal (Master) 210, for example, when the first purchase of the IoT device 230, ID, password, etc. assigned to the IoT device 230, the mobile terminal A user of the master 210 may log in to the IoT device 230.

Then, the IoT device 230, the terminal information of the mobile terminal (Master) 210, the integrity verification key of the application for controlling the IoT device installed in the mobile terminal (Master) 210 and the information of the IoT device 230, the authentication server ( 100). In this case, the information of the IoT device may refer to, for example, a unique identification code recognized through an operation portable, attached, imprinted, serial number assigned to the IoT device 230, but is not limited thereto.

As described above, when the authentication server 100 receives the information for registration of the IoT device 230 from the IoT device 230, the authentication server 100 to the management terminal DB 130 in the authentication server 100 The integrity verification key of the application of the registered mobile terminal (Master) 210 is compared with the integrity verification key of the application of the mobile terminal (Master) 210 received from the IoT device 230.

As a result of the above comparison, when the integrity verification keys match each other, the authentication server 100 stores the information of the IoT device 230 in the management terminal DB 130, the mobile terminal (Master) to the IoT device 230 A registration completion message indicating that the IoT device 230 is normally registered is sent to 210. When the integrity verification key is inconsistent as a result of the comparison, the authentication server 100 transmits a non-registration message indicating that registration of the IoT device 230 is impossible to the IoT device 230.

Then, the IoT device 230 transmits a registration completion message or a non-registration message received from the authentication server 100 to the mobile terminal (Master) 210.

Meanwhile, if the login password for the IoT device 230 is set as a default, an application installed in the mobile terminal 210 may request a password change of the IoT device 230.

Accordingly, the user of the mobile terminal (Master) 210 can change the password set by default on the IoT device 230 in the password change screen, if the password is changed in this way the mobile terminal (Master) (210) In the password change for the IoT device 230 may be transferred to the IoT device 230.

Then, the login password is changed in the IoT device 230, and when the password change of the IoT device 230 is completed, the password change completion message is notified to the mobile terminal (Master) 210, and the password change process is terminated.

On the other hand, in the case of the process of changing the information of the IoT device 230 registered in the mobile terminal (Master) 210, after logging in to the IoT device 230 from the mobile terminal (Master) 210, the application of The integrity verification key and the terminal information of the mobile terminal (Master) (210) is transmitted to the IoT device (230).

Subsequently, the IoT device 230 converts the terminal information of the mobile terminal (Master) 210 and the integrity verification key of the application of the mobile terminal (Master) 210 and the change information of the IoT device 230 into the authentication server 100. send.

Then, the authentication server 100 is a mobile terminal (Master) previously registered in the integrity verification key of the application of the mobile terminal 200 received from the IoT device 230 and the management terminal DB 130 in the authentication server 100. The integrity verification key of the application of 210 is compared.

Subsequently, if two integrity verification keys match, the authentication server 100 changes the information of the IoT device 230 registered in the mobile terminal 200 to the change information of the IoT device 230, and the IoT device ( In step 230, a message indicating that the information change procedure of the IoT device 230 is completed is transmitted, and if there is a mismatch, a change impossible message is transmitted to the IoT device 230.

Then, the IoT device 230 transmits the change procedure completion message or the change impossible message received from the authentication server 100 to the mobile terminal 210.

Meanwhile, in this case, if the login password for the IoT device 230 is continuously set as a default that was initially set, the user may change the login password for the IoT device 230.

Accordingly, the mobile terminal 200 may change the login password of the IoT device 230 and transmit it to the IoT device 230. Then, the IoT device 230 modifies the login password, notifies the mobile terminal 200 of the modification result, and ends the password change process.

Meanwhile, in the description, for example, only the change process of the change / deletion process has been described. However, even when the information on the IoT device 230 is deleted, the deletion of the information on the registered IoT device 230 is performed through the same process as the change procedure. It is possible.

4 is a flowchart illustrating a procedure for registering / modifying / deleting a mobile terminal (Family) 220 to control the IoT device 230 in the mobile terminal (Master) 210 according to an embodiment of the present invention.

4, in order to register / change / delete the mobile terminal (Family) 220 to the mobile terminal (Master) 210, the application for controlling the IoT device to the mobile terminal (Master) 210 and the mobile terminal ( Family) 220 should be installed and driven respectively.

First, in the case of the process of registering the mobile terminal (Family) 220 to the mobile terminal (Master) 210, after logging in from the mobile terminal (Master) 210 to the mobile terminal (Family) 220, The terminal information of the mobile terminal (Master) 210 and the integrity verification key of the application for controlling the IoT device of the mobile terminal (Master) is transmitted.

Then, the mobile terminal (Family) 220 is the terminal information of the mobile terminal (Master) 210 and the terminal information of the mobile terminal (Family) 220 together with the integrity verification key of the application of the mobile terminal (Master) (210) And transmits the integrity verification key of the application of the mobile terminal (Family) 220 to the authentication server (100).

As described above, when the authentication server 100 receives the information for registering the mobile terminal (Family) 220 to the mobile terminal (Master) 210, the authentication server 100 to the management terminal DB (130) The terminal information of the pre-registered mobile terminal (Master) 210 and the mobile terminal (Master) 210 received from the mobile terminal (Family) 220 is compared.

As a result of the comparison, when the two terminal information is matched with each other, the authentication server 100 registers the mobile terminal (Family) 220 to the mobile terminal (Master) 210 registered in the management terminal DB (130). .

Subsequently, the authentication server 100 transmits a non-registration message indicating that registration or completion of registration indicating that information on the mobile terminal 220 has been normally registered in the mobile terminal Master 210 is not possible. (220).

When the two terminal information is inconsistent as a result of the comparison, the authentication server 100 transmits a non-registration message indicating that registration with respect to the mobile terminal 220 is impossible to the mobile terminal (Family 220).

Then, the mobile terminal (Family) 220 transmits a registration completion message or a non-registration message received from the authentication server to the mobile terminal (Master) (210). At this time, when receiving a registration completion message, the mobile terminal (Master) 210 transmits a registration approval message to the mobile terminal (Family) 220, and then, the mobile terminal (Family) 220 is a mobile terminal (Master) The registration completion message is transmitted to the mobile terminal (Master) 210 according to the registration approval message from the (210), and the registration procedure for the mobile terminal (Family) 220 is terminated.

Next, in the case of the process of changing / deleting the information of the mobile terminal (Family 220) registered in the mobile terminal (Master) 210, the mobile terminal (Master) 210 is a mobile terminal (Family 220) After logging in, the terminal 220 transmits the terminal information of the master terminal 210, the integrity verification key of the application, and the changed terminal information of the mobile terminal 220 to the mobile terminal 220.

Then, the mobile terminal (Family) 220 and the terminal information of the mobile terminal (Master) 210, the integrity verification key and the changed terminal information of the application of the mobile terminal (Family) 220 together with the application integrity verification key Send to the authentication server (100).

Subsequently, the authentication server 100 receives the terminal information of the mobile terminal (Master) 210 registered in the management terminal DB 130 and the mobile terminal (Master) 210 received from the mobile terminal (Family) 220. Compare the terminal information.

At this time, the authentication server 100 is the terminal information of the mobile terminal (Family) 220 registered in the mobile terminal (Master) 210 stored in the management terminal DB (130) when the two terminal information is matched as a result of the comparison Register to change to the requested terminal information. Subsequently, the authentication server 100 transmits a non-registration message indicating that the change registration is completed or not registered to the mobile terminal (Family) 220.

Then, the mobile terminal (Family) 220 transmits the change registration complete message or the change registration impossible message received from the authentication server 100 to the mobile terminal (Master) (210).

In this case, when the change registration completion message is received, the mobile terminal (Master) 210 transmits the change registration approval message to the mobile terminal (Family) 220, and the mobile terminal (Family) 220 is a mobile terminal (Master). The change registration completion message is transmitted to the mobile terminal (Master) 210 according to the change registration approval message from the 210 and the change registration procedure for the mobile terminal (Family) 220 is terminated.

Meanwhile, in the description, only the change process of the change / deletion process has been described as an example. However, even when information on the mobile terminal 220 is deleted, the mobile terminal 220 is registered through the same process as the change procedure. It is possible to delete information about.

5 is a flowchart illustrating a procedure for registering / modifying / deleting an IoT device 230 in a mobile terminal 220 according to an embodiment of the present invention.

Referring to FIG. 5, for a process such as registering / modifying / deleting an IoT device 230 in a mobile terminal 220, an application for controlling an IoT device may be a mobile terminal (Master) 210 and a mobile terminal (Family). It must be installed and driven at 220.

First, in the case of the process of registering the IoT device 230 in the authentication server 100 in the mobile terminal (Family) 220, after logging in to the IoT device 230 in the mobile terminal (Family) 220, The integrity verification key of the application of the mobile terminal 220 and the terminal information of the mobile 220 and the terminal information of the master 210 are transmitted to the IoT device 230.

Then, the IoT device 230 is the authentication server 100, the integrity verification key, the terminal information of the application of the mobile terminal (Family) 220, the terminal information of the mobile terminal (Master) 210, the IoT device 230 Send the information.

When the authentication server 100 receives the information for registration of the IoT device 230 in the mobile terminal (Family) 220 from the IoT device 230 as described above, the authentication server 100 is the management terminal DB (130) ) Compares the terminal information of the mobile terminal (Family) 220 registered with the terminal information of the mobile terminal (Family) 220 received through the IoT device (230).

As a result of the comparison, when the two terminal information is matched with each other, the authentication server 100 requests the use of the mobile terminal (Master) (210). In this case, the use approval may mean approval for registering the IoT device 230 in the mobile terminal (Family) 220, for example.

Then, the mobile terminal (Master) 210 may confirm that the mobile terminal (Family) 220 is authenticated, and may approve the registration of the IoT device 230 in the mobile terminal (Family) 220.

Subsequently, when approving the registration of the IoT device 230 in the mobile terminal (Family) 220 as described above, the mobile terminal (Master) 210 is the integrity of the registration approval message and the application of the mobile terminal (Master) 210 The verification key is transmitted to the authentication server 100.

Then, the authentication server 100 is the application integrity verification key of the mobile terminal (Master) 210 registered in the management terminal DB 130 and the application integrity verification key transmitted from the mobile terminal (Master) 210 is the same If the two integrity verification keys match, the information of the IoT device 230 is stored in the management terminal DB 130 and the IoT device 230 is registered with the mobile terminal 220.

Subsequently, the authentication server 100 transmits an approval message of the mobile terminal (Master) 210 to the IoT device 230. Then, if the IoT device 230 transmits a registration completion message to the mobile terminal (Family) 220, the mobile terminal (Family) 220 notifies the registration confirmation message to the mobile terminal (Master) 210 and ends. Finally, registration is canceled when the mobile terminal (Master) 210 does not receive a confirmation message from the mobile terminal (Family) 220 within a specified time.

Next, in the case of changing the IoT device 230 registered in the mobile terminal (Family) 220, after logging in to the IoT device 230 from the mobile terminal (Family) 220, the mobile terminal ( Terminal information and application integrity verification key of the family (220), the terminal information of the mobile terminal (Master) 210, and the change information of the IoT device 230 is transmitted to the IoT device 230.

Subsequently, the IoT device 230 transmits the integrity verification key of the application of the mobile terminal 220, the terminal information of the mobile terminal 220, and the change information of the IoT device 230 to the authentication server 100. send.

Then, the authentication server 100 is the terminal information of the mobile terminal (Family) 220 registered in the management terminal DB 130 and the terminal of the mobile terminal (Family) 220 received through the IoT device 230 Compare the information.

As a result of the comparison, when the two terminal information is matched with each other, the authentication server 100 requests a change approval to the mobile terminal (Master) (210).

Then, the mobile terminal (Master) 210 confirms that the mobile terminal (Family) 220 is authenticated, and approves to change the information of the IoT device 230 registered in the mobile terminal (Family) 220 Can be.

Then, when the change of the IoT device 230 registered in the mobile terminal (Family) 220 is approved as above, the mobile terminal (Master) 210 is a change approval message and the application of the mobile terminal (Master) 210 Send the integrity verification key to the authentication server (100).

Then, the authentication server 100 is the application integrity verification key of the mobile terminal (Master) 210 registered in the management terminal DB 130 and the application integrity verification key transmitted from the mobile terminal (Master) 210 is the same If the two integrity verification keys match, the change information of the IoT device 230 is stored in the management terminal DB 130.

Subsequently, the authentication server 100 transmits a change approval message of the mobile terminal (Master) 210 to the IoT device 230. Then, if the IoT device 230 transmits the change registration completion message to the mobile terminal (Family) 220, the mobile terminal (Family) 220 notifies the registration confirmation message to the mobile terminal (Master) 210 and ends. . Finally, if the mobile terminal (Master) 210 does not receive a confirmation message from the mobile terminal (Family) 220 within a specified time, the change registration is canceled.

Meanwhile, in the description, only the change process of the change / deletion process has been described as an example. However, when deleting information on the IoT device, the information on the registered IoT device may be deleted through the same process as the change procedure.

6 to 7 illustrate a signal processing flow for authenticating a mobile terminal accessing an IoT device in a security authentication system between the mobile terminal 200 and the IoT device 230 according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to FIGS. 1 to 7.

First, the mobile terminal 200 drives an application for IoT device control to log in to the IoT device 230 (S600). At this time, if the login to the IoT device 230 is not normally performed, the number of failures is counted, and if the authentication fails by going to the initial authentication application step and proceeding with the authentication process from the beginning again, the failure number is increased to the threshold number specified by the failure number. When exceeded, the IoT device 230 ends the authentication process (S603).

If the IoT device 230 is normally logged in, the IoT device 230 approves the login of the mobile terminal 200. If the login is approved, the mobile terminal 200 from the mobile terminal 200 to the IoT device 230. The terminal information and the integrity verification key (version information, checksum, etc.) of the IoT device control application installed in the mobile terminal 200 is transmitted (S604). At this time, the GPS information is transmitted together from the terminal information of the mobile terminal 200.

Then, the IoT device 230, the terminal information (including GPS information) of the mobile terminal received from the mobile terminal 200 and the integrity verification key of the application for controlling the IoT device installed in the mobile terminal 200 and the information of the IoT device 230 To transmit to the authentication server 100 (S606).

Accordingly, the authentication server 100 checks the integrity verification key of the application for controlling the IoT device installed in the mobile terminal 200 transmitted from the IoT device 230, confirms that there is no abnormality in the application program, and receives the received GPS information. Compare with the stored main GPS information (S608). In this case, checking whether there is no abnormality may mean, for example, checking whether the application program is forged / modulated through hacking or the like, but is not limited thereto.

The received GPS information is compared with the predominantly used local GPS information stored in the management terminal DB 130 (S608), and if it matches, initializes the count variable to '0' (S608-1), and if it is not, count variable Increases to '1' (S608-2). When the count variable becomes more than a predetermined number of times (for example, '30'), the IoT device 230 instructs the login initialization of the mobile terminal 200 (S608-3), and the IoT device 230 commands the corresponding device. Is transmitted to the mobile terminal 200 (S608-4), and the mobile terminal 200 deletes the login ID and password stored in the device (S608-5). Although the steps S608, S608-1 to S608-5 are not shown in the drawing, the mobile terminal 200 holder, who is not a legitimate user, is prevented from logging in anymore.

In addition, in the operation of checking whether the application program is abnormal in the authentication server 100, for example, the integrity verification key of the IoT device control application installed in the mobile terminal 200 is pre-registered in the management terminal DB 130. After comparing with the integrity verification key of the application for controlling the IoT device of the mobile terminal 200, if it matches, it can be confirmed that there is no abnormality in the application program, but is not limited thereto.

As a result of the above confirmation, if there is an error in the application program for IoT device control installed in the mobile terminal 200 (S610), the authentication server 100 transmits an authentication failure message to the IoT device 230 (S634), The authentication failure message is transmitted from the IoT device 230 back to the mobile terminal to notify that authentication has failed (S636).

As a result of the check, when there is no abnormality in the application program for IoT device control installed in the mobile terminal 200 (S610), the authentication server 100 is abnormal to the application program for IoT device control installed in the mobile terminal 200 as the IoT device 230. Notify that there is no (S612).

Then, the IoT device 230 generates a random number value of the IoT device 230 for authentication of the mobile terminal 200 and transmits it to the mobile terminal 200 (S614). At this time, the IoT device 230 may include a random number generator for generating the random number, but is not limited thereto.

When the random number value is received from the IoT device 230 as described above, the mobile terminal 200 generates a first authentication key (receive key) using the random number value (S616), and transmits it to the IoT device 230 ( S618).

In this case, the first authentication key may mean a key for authenticating whether the mobile terminal 200 is a mobile terminal registered in the authentication server 100, and the first authentication key may be, for example, the mobile terminal 200. The key generated using the terminal information and the random number of) may be a one-time key, but is not limited thereto. In addition, the terminal information may be a physical code, location and equipment identification information for identifying the mobile terminal 200, such physical code may be information including the MAC address information and USIM information of the mobile terminal 200, but It is not limited. In addition, the location and equipment identification information is information to confirm where the equipment to be transmitted and the equipment is correct when transmitting data, for example, installation location, GPS location information, IP address, mobile terminal number (phone number), etc. It can be information included.

Subsequently, the IoT device 230 receives the first authentication key transmitted from the mobile terminal 200, and receives the first authentication key, the random number, the terminal information of the mobile terminal 200, and the IoT device 230. ) The information is transmitted to the authentication server 100 (S620).

As described above, when the first authentication key generated in the mobile terminal 200 is received from the IoT device 230, the authentication server 100 of the mobile terminal 200 previously registered in the management terminal DB (130) A second authentication key (generation key) is generated using the terminal information and the random number generated by the IoT device 230 (S622).

Subsequently, the authentication server 100 compares the second authentication key and the first authentication key generated as described above and checks whether they match with each other (S624).

In this case, when the first authentication key and the second authentication key does not match each other (S626), the authentication server 100 transmits an authentication failure message to the IoT device 230 (S634), the authentication failure message is IoT The device 230 is transmitted back to the mobile terminal 200 to notify that the authentication failed (S636).

When the first authentication key and the second authentication key match each other (S626), the authentication server 100 authenticates the mobile terminal 200 logged into the IoT device 230 as a legitimate mobile terminal, the authentication result information and authentication The terminal information of the mobile terminal 200 and the information of the IoT device 230 is registered in the authentication DB 120 (S628).

Subsequently, the authentication server 100 transmits an authentication success message to the IoT device 230 (S630), and the authentication success message is transmitted from the IoT device 230 to the mobile terminal 200 again so that authentication is successful. It is notified (S632). Accordingly, it is possible to remotely control the IoT device 230 from the mobile terminal 200.

8 to 9 illustrate a signal processing flow for authenticating a mobile terminal accessing an IoT device in a mobile terminal and an IoT term security authentication system according to another embodiment of the present invention. Unlike the system configuration shown in FIG. 1, the mobile terminal authentication illustrated in FIGS. 8 to 9 illustrates a signal processing flow when the random number generator 340 is located in the authentication server 300.

Hereinafter, another embodiment of the present invention will be described in detail with reference to FIGS. 8 to 9.

First, the mobile terminal 400 drives the application for IoT control to log in to the authentication server 300 (S800). At this time, if the authentication server 300 does not normally log in, counting the number of failures, go to the initial authentication application step and proceed with the authentication process again from the beginning, if the authentication fails, increasing the number of failures, the number of failures specified threshold number When exceeding the authentication server 300 ends the authentication process (S803).

When the login is normally performed in the authentication server 300, the authentication server 300 approves the login of the mobile terminal 400. When the login is approved, the mobile terminal 400 is transferred from the mobile terminal 400 to the authentication server 300. Terminal information including the GPS information of) and the integrity verification key (version information, checksum, etc.) of the application for controlling the IoT device installed in the mobile terminal 400 is transmitted (S804).

Accordingly, the authentication server 100 checks the integrity verification key of the application for controlling the IoT device installed in the mobile terminal 400 to check whether there is no problem in the application program, and uses the received GPS information mainly stored with local GPS information. Comparison is made (S806). In this case, checking whether there is no abnormality may mean, for example, checking whether the application program is forged / modulated through hacking or the like, but is not limited thereto.

In addition, in the operation of checking whether the application program is abnormal in the authentication server 300, for example, the integrity verification key of the IoT device control application installed in the mobile terminal 400 is pre-registered in the management terminal DB 330. After comparing with the integrity verification key of the IoT device control application of the mobile terminal 400, if it matches, it can be confirmed that there is no abnormality in the application program, but is not limited thereto.

The received GPS information is compared with the predominantly used local GPS information stored in the management terminal DB 130 (S806), and if the match is initialized to the count variable '0' (S806-1), if the count variable is not matched Is increased to '1' (S806-2). When the count variable becomes more than a predetermined number of times (for example, '30'), the IoT device 230 instructs the login initialization of the mobile terminal 200 (S806-3), and the IoT device 230 commands the corresponding device. Is transmitted to the mobile terminal 200 (S806-4), and the mobile terminal 200 deletes the login ID and password stored in the device (S608-5). Although the steps S806, S806-1 to S608-5 are not shown in the drawing, the mobile terminal 200 holder, who is not a legitimate user, is prevented from logging in anymore.

As a result of the above check, if there is an error in the application program for controlling the IoT device installed in the mobile terminal (S808), the authentication server 300 transmits an authentication failure message to the mobile terminal 400 (S826).

As a result of the check, if there is no abnormality in the application program for IoT device control installed in the mobile terminal (S808), the authentication server 300 notifies the mobile terminal 400 that there is no abnormality in the application program for IoT device control installed in the mobile terminal 400. do.

Subsequently, the authentication server 300 generates a random number value for authentication of the mobile terminal 400 and transmits it to the mobile terminal 400 (S810). In this case, the random number generator 900 may be included in the authentication server 300 to generate such a random number, but is not limited thereto.

Then, when the random number is received as described above, the mobile terminal 400 generates a first authentication key (receive key) using the received random number and (S812), and the first authentication key to the IoT device 430 And transmits the terminal information of the mobile terminal 400 (S814).

In this case, the first authentication key may mean a key for authenticating whether the mobile terminal 400 is a mobile terminal registered in the authentication server 300, and the first authentication key may be, for example, the mobile terminal 400. The key generated using the terminal information and the random number of) may be a one-time key, but is not limited thereto. In addition, the terminal information may be a physical code, location and equipment identification information identifying the mobile terminal 400, such physical code may be information including the MAC address information and USIM information of the mobile terminal, but is not limited thereto. It doesn't happen. In addition, the location and equipment identification information is information to confirm where the equipment to be transmitted and the equipment is correct when transmitting data, for example, installation location, GPS location information, IP address, mobile terminal number (phone number), etc. It can be information included.

Subsequently, the IoT device 430 receives the first authentication key transmitted from the mobile terminal 400, and receives the received first authentication key, the terminal information of the mobile terminal 400, and the information of the IoT device 430. The authentication server 300 is transmitted (S816).

As described above, when the first authentication key generated in the mobile terminal 400 and the information of the IoT device 430 are received from the IoT device 430, the authentication server 300 is pre-registered in the management terminal DB 330. The second authentication key (generated key) generated using the terminal information and the random number of the corresponding mobile terminal 400 is compared with the first authentication key (S818).

At this time, in the generation of such a second authentication key, the authentication server 300 after transmitting the random number value to the mobile terminal 400, previously registered in the management terminal DB 330 for comparison with the first authentication key. By using the terminal information and the random number of the corresponding mobile terminal 400 can be generated in advance before receiving the first authentication key (S813), but is not limited thereto.

Subsequently, the authentication server 300 compares the second authentication key and the first authentication key generated as described above and checks whether they match each other.

At this time, when the first authentication key and the second authentication key does not match each other (S820), the authentication server 300 transmits an authentication failure message to the mobile terminal 400 notifies that the authentication failed (S826).

When the first authentication key and the second authentication key match each other (S820), the authentication server 300 authenticates the mobile terminal 400 as a legitimate mobile terminal, the authentication result information and the terminal of the authenticated mobile terminal 400 The information and the information of the IoT device 430 is registered in the authentication DB 320 (S822).

Subsequently, the authentication server 300 transmits an authentication success message to the mobile terminal 400 to notify that authentication is successful (S824). Accordingly, it is possible to remotely control the IoT device 430 from the mobile terminal 400.

10 is a block diagram illustrating a configuration of a mobile terminal and an IoT period third party security authentication system according to another embodiment of the present invention. Referring to FIG. 10, in the security authentication system according to another embodiment of the present invention, unlike in FIG. 1, an authentication server 500, a mobile terminal 600, an IoT device 630, an application verification server 700, and a wired / wireless internet are provided. It may be configured as a network, and the group (type) of the terminal may be connected to the mobile terminal-IoT period (1: m, n: 1, n: m) terminal group. Here, the wired / wireless internet network may be a communication network that can directly connect to IoT devices such as a voice communication network, a data communication network, and a Wi-Fi network.

Hereinafter, an operation of each component of the security authentication system according to another embodiment of the present invention will be described in detail with reference to FIG. 10.

First, the authentication server 500 may be a server for authenticating whether the mobile terminal 600 accessing the IoT device 630 and performing remote control is a legitimate mobile terminal.

That is, when the authentication server 500 receives an authentication request for accessing the IoT device 630 from the mobile terminal 600 according to an embodiment of the present invention, the authentication server 500 is registered with the terminal information transmitted from the mobile terminal 600. By comparing the terminal information of the mobile terminal 600, and checking whether the application program for controlling the IoT device is changed, etc. to authenticate the mobile terminal 600, it is possible to remotely control the IoT device 630 in the mobile terminal 600 You can do that.

Such, the authentication server 500, the management log DB 510, authentication DB 520, packet deodorization prevention unit 511, ID / Password (ID / Password) management unit 521, authentication unit 514, mobile terminal Modules such as a Master / Family management unit 516, an IoT device management unit 517, a log management unit 518, and an inquiry management unit 519 may be mounted.

The authentication DB 520 stores result values for authentication approval, authentication rejection, and authentication error, version information management of authenticated applications and application programs, and application integrity verification key information received from a mobile terminal or an IoT device. The management log DB 510 records the log of all operations executed by the authentication server 500 and manages information data such as status inquiry and statistics.

The packet deodorization prevention unit 511 prevents a packet transmitted and received between the mobile terminal 600 and the authentication server 500 from being stolen.

The ID / password manager 512 manages information on the login ID / password assigned to the mobile terminal 600 to log in to the authentication server 500.

If there is a remote control request for the IoT device 630 from the mobile terminal 600, the authenticator 514 authenticates whether the corresponding mobile terminal 600 is a legitimate mobile terminal having a remote control authority.

The mobile terminal (Master / Family) manager 516 manages the mobile terminal 200 registered in the authentication DB 520.

The IoT device manager 517 manages information on the IoT device 630 registered in the authentication server 500. The log manager 518 manages various log records of the mobile terminal 600 logging in to the authentication server 500. The inquiry management unit 519 manages information that the mobile terminal 600 accesses the authentication server 500 and inquires.

The mobile terminal 600 may refer to a user terminal device for remotely controlling the IoT device 630 by accessing the IoT device 630 through a wired or wireless Internet network. The mobile terminal 600 may be, for example, a terminal device such as a mobile phone, a smartphone, a PAD, or a tablet using a voice communication network, a data communication network, and a Wi-Fi network to control the IoT device 630. It is not limited to this.

In addition, the mobile terminal 600 is registered in the authentication server 500 to perform the remote control of the IoT device 630, the remote to the IoT device 630 through the authentication process through the authentication server 500. The control authority may be authorized to perform remote control on the IoT device 630.

The mobile terminal 600 is, for example, the transmission packet management unit 611, ID / password management unit 612, terminal approval management unit 613, login management unit 614, authentication management unit 615, security key management unit ( 616, a module such as an IoT device operation management unit 617 may be mounted.

The transmission packet manager 611 manages packet transmission and reception of data (security key, mobile terminal information, etc.) to be transmitted. The ID / password manager 612 manages an ID / password for logging into the authentication server 600 and the IoT device 630. The terminal approval management unit 613 manages the use approval for the IoT device 630 with respect to the mobile terminal (Family) 620 accessing the IoT device 630.

The login manager 614 manages information on which the mobile terminal 600 logs in to the IoT device 630 or the authentication server 600. The authentication manager 615 manages the integrity verification key information of the application for controlling the IoT device installed in the mobile terminal 600.

The security key manager 616 generates and manages terminal information of the mobile terminal 600 as a security key. The terminal information of the mobile terminal 600 generated as the security key is the authentication server 500 for the mobile terminal 600. It may be used for registration of a furnace and performing authentication for remote control of the IoT device 630. The IoT device operation management unit 617 manages information on the IoT device 630 registered in the mobile terminal 600.

The IoT device 630 refers to an electronic device capable of wired and wireless Internet communication, and may include security devices for controlling various sensors, smart home appliances, heating and cooling devices, CCTVs, lighting devices, temperature control devices, hub equipment, and the like. That is, the IoT device 630 may be a device such as a refrigerator, a smart TV, or the like, which is equipped with a communication function, and may be a home automation control device that controls various indoor devices connected by home automation. It may be.

In addition, the IoT device 630 may perform communication with the mobile terminal 600 through a wired or wireless Internet communication network, and receive a remote control command transmitted from the mobile terminal 600 authenticated by the authentication server 500 to remotely control the command. The operation corresponding to the operation may be performed.

The IoT device 630 includes a transmission packet manager 631, an ID / password manager 632, an operation terminal register 633, a login verifier 634, an authentication manager 636, a security key manager 637, and the like. Mount the module.

The transmission packet manager 631 manages information about packets transmitted and received between the mobile terminal 600 and packets transmitted and received between the authentication server 500. The ID / password manager 632 manages an ID and password set to log in to the IoT device 630. The operation terminal registration unit 633 registers and manages information on the mobile terminal 600 registered to perform remote control on the IoT device 630. The login verification unit 634 checks whether the login attempt is justified by checking the ID / password input from the mobile terminal 600 for the mobile terminal 600 attempting to log in to the IoT device 630.

The authentication manager 636 manages the integrity verification key information of the application for controlling the IoT device installed in the IoT device 630. The security key manager 637 manages security key information generated by using terminal information of the mobile terminal 600 transmitted from the mobile terminal 600.

The application verification server 700 may be a server that verifies whether the application for controlling the IoT device mounted on the mobile terminal is changed. In addition, the application verification server 700 is an operation such as registering / changing / deleting the mobile terminal 600 and the IoT device 630 in place of the application verification and equipment management registration function of the authentication server 100 of FIG. Can be performed.

The main function of the application verification server 300 firstly performs the terminal information management operation for the mobile terminal 600 and the IoT device 630 registered in the management terminal DB 710. Secondly, a random number may be generated to generate an authentication key of the program, and the authentication key generated as described above is provided to the authentication server 500. Third, the integrity verification of the application for controlling the IoT device mounted on the mobile terminal 600 is performed. In addition, the source code modulation check unit is used to check whether the forgery or modulation of the application for controlling the IoT device installed in the mobile terminal 600. At this time, in the modulation check of the source code, the application verification server 700, for example, forgery or modulation of the application using the checksum information of the application included in the integrity verification key of the application transmitted from the mobile terminal 600. It may be checked, but is not limited thereto.

The application verification server 700 is a management terminal DB 710, packet deodorization prevention unit 711, ID / password management unit 712, source code modulation check unit 713, mobile terminal management unit 714, login management unit The module 715, the inquiry manager 716, the authentication application manager 717, and the like may be mounted.

The management terminal DB 710 manages terminal information on the registered mobile terminal 600 and the IoT device 630. The packet deodorization prevention unit 711 prevents a packet transmitted and received between the mobile terminal 200 and the application verification server 700 from being stolen. The ID / password manager 712 manages information on the login ID / password assigned to the mobile terminal 600 to log in to the application verification server 700.

The source code modulation checker 713 checks forgery or modulation of an IoT device control application installed in the mobile terminal 600. In this case, the source code modulation check unit 713 may check forgery or modulation of the application using, for example, checksum information of the application included in the integrity verification key of the application transmitted from the mobile terminal 600. It is not limited.

The mobile terminal (Master / Family) management unit 714 manages the mobile terminal 600 registered in the application verification server 700. At this time, such a mobile terminal 600 may be a mobile terminal (Master) 610 divided into a master and a mobile terminal (Family) 620 divided into a family according to the control authority for the IoT device 630, the mobile When the terminal 610 wants to register / change / delete the IoT device 630 in the mobile terminal 620, the authority for granting such registration / change / delete may be set. have.

The login manager 715 manages the information of the mobile terminal 600 that logs in to the application verification server 700. The inquiry management unit 716 manages the information that the mobile terminal 600 accesses and queries the application verification server 700. The authentication application manager 717 manages the version information and the integrity verification key of the authenticated IoT device control application. The random number generator 718 generates a random number value for security authentication of the mobile terminal 600. The random number may be generated when the mobile terminal 600 registered in the application verification server 700 performs authentication for remotely controlling the IoT device 630. The generated random number may be generated by the mobile terminal 600 and the authentication server ( 100) may be provided respectively.

Data transmitted between the mobile terminal 600 and the IoT device 630 in the security authentication system may be transmitted through a wired or wireless Internet network, the transmitted packet is an authentication application installed in the mobile terminal 600, IoT device 630 or By using the authentication module to perform its own security check (packet deodorization prevention) it is possible to secure the security of the transmitted packet, it is possible to secure communication between the mobile terminal 600, IoT device 630.

11 is a flowchart illustrating a procedure for registering / changing / deleting a mobile terminal 600 for controlling an IoT device according to another embodiment of the present invention to an application verification server.

The mobile terminal 600 controls the IoT device 630 by registering with a mobile terminal (Master) 610 and a mobile terminal (Master) 610 which perform a master role having a main control authority for the IoT device 630. The mobile terminal (Family) 620 may be divided into, but is not limited thereto. In addition, both of the mobile terminal (Master) 610 and the mobile terminal (Family) 620 need to be registered in the authentication server (500). Therefore, hereinafter, in the description of FIG. 11, both the mobile terminal (Master) 610 and the mobile terminal (Family) 620 will be collectively referred to as a mobile terminal 600.

Referring to FIG. 11, in order to perform a process such as registering / modifying / deleting the mobile terminal 600 in the management terminal DB 710 of the application verification server 700, the application for IoT device control is performed by the mobile terminal 600. It should be installed and driven in

First, in the case of the process of registering the mobile terminal 600 to the application verification server 700, after logging in from the mobile terminal 600 to the application verification server 700, the application integrity verification key and the mobile terminal 600 The terminal information of) is transmitted to the application verification server 700. In this case, the integrity verification key is information for determining whether the application program is forged / modulated by hacking or the like, and may include, for example, version information or checksum information of the application, but is not limited thereto. . In addition, the physical code that is part of the terminal information of the mobile terminal 600 may be used as security key information for authentication for the mobile terminal 600 in the application verification server 700, such terminal information is the physical code, location information and There is equipment identification information, and may be, for example, a physical code of the mobile terminal 600. In addition, the physical code may be MAC address information or USIM information of the mobile terminal 600, and location and equipment identification information may be information for confirming where the equipment to be transmitted and the equipment are suitable for data transmission. For example, it may be information including an installation place, GPS location information, an IP address, a mobile terminal number (phone number), etc., but is not limited thereto.

At this time, in performing the login to the application verification server 700, the mobile terminal 600, for example, user ID (ID), password (password), etc. pre-allocated to access the application verification server 700, etc. Received from the input can be performed to log in to the application verification server 700. The ID, password, etc. may be pre-assigned from the application verification server 700 before registration, and may be recognized by the user of the mobile terminal 600.

Then, the application verification server 700 registers the terminal information of the mobile terminal 600 and the integrity verification key of the application to the management terminal DB 710 of the application verification server 700.

Subsequently, when the application verification server 700 performs the registration on the mobile terminal 600 that requests the registration by logging in as described above, the terminal information of the mobile terminal 600 and the integrity verification key of the application are stored in the mobile terminal 600. Notify the authentication DB 520 and the management terminal DB 710 that registration is completed normally.

Next, in the case of the process of changing the terminal information of the mobile terminal 600 registered in the application verification server 700, the mobile terminal 600 performs a login to the application verification server 700. Subsequently, the mobile terminal 600 transmits the integrity verification key of the application installed in the mobile terminal 600 and the changed terminal information of the mobile terminal 600 to the application verification server 700. At this time, the changed terminal information is the mobile terminal 600

The physical code, location information and equipment identification information of the new mobile terminal 600 may be changed according to the change, and the physical code may be MAC address information or USIM information of the mobile terminal as described above, and also the location and equipment identification information. Is information for checking where the equipment to be transmitted and the equipment are suitable for data transmission. For example, the information may include an installation location, GPS location information, an IP address, and a mobile terminal number (phone number). .

Then, the application verification server 700 compares the integrity verification key of the application received from the mobile terminal 600 with the application integrity verification key of the registered mobile terminal 600, the changed terminal of the mobile terminal 600 The information is stored in the management terminal DB 710.

Subsequently, when the application verification server 700 normally performs the terminal information change on the mobile terminal 600 that requests the information change by logging in as described above, the application verification server 700 transmits a change operation completion message to the mobile terminal 600 and completes the change operation. do.

Meanwhile, in the description, only the change process of the change / deletion process has been described as an example. However, even in the case of deleting the terminal information for the mobile terminal 600, the terminal information for the registered mobile terminal 600 through the same process as the change procedure is described. Can be deleted.

12 is a flowchart illustrating a procedure for registering / modifying / deleting an IoT device in a mobile terminal during initial purchase of an IoT device according to an embodiment of the present invention. In this case, the mobile terminal 600 for registering / modifying / deleting the IoT device 630 will be described with an example of a mobile terminal (Master) 610 registered as a master in the application verification server 700.

Referring to FIG. 12, in order to perform a process such as registering / modifying / deleting the IoT device 630 in the mobile terminal (Master) 610, the mobile terminal (Master) 610 is connected to the application verification server 700. Similar to the case of registering / changing / deleting, an IoT device control application must be installed and driven in the mobile terminal (Master) 610.

First, in the case of the process of registering the IoT device 630 in the mobile terminal (Master) 610, after logging in to the IoT device 630 from the mobile terminal (Master) 610, the mobile terminal (Master) ( The 610 requests the terminal information of the IoT device 630, and the IoT device 630 transmits the terminal information to the mobile terminal (Master) 610. At this time, in performing the login to the IoT device 630, the mobile terminal 600, for example, when the first purchase of the IoT device 630, the ID, password, etc. assigned to the IoT device 630, the mobile terminal 600 The user may log in to the IoT device 600 by receiving an input from the user. In this case, the information of the IoT device 630 may refer to, for example, a unique identification code recognized through an operation portable, attached, imprinted, or serial number assigned to the IoT device 630, but is not limited thereto. no.

Then, the mobile terminal (Master) 610 application verification of the integrity verification key of the application installed in the mobile terminal (Master) 610, the terminal information of the mobile terminal (Master) 610 and the terminal information of the IoT device 630 Send to server 700. In this case, the terminal information of the mobile terminal 600 may be a physical code, location information, equipment identification information, and the like, and may be, for example, a physical code of a mobile terminal (Master) 610 such as MAC address information or USIM information. Location and equipment identification information is information to check where the equipment to be transmitted and the equipment is suitable for data transmission. For example, installation location, GPS location information, IP address, mobile terminal number (phone number), etc. It can be information included.

When receiving information for registration of the IoT device 630 from the mobile terminal (Master) 610 as described above, the application verification server 700 is a mobile terminal (Master) 610 previously registered in the management terminal DB (710) ) Compares the integrity verification key of the application of the application with the integrity verification key of the received application of the mobile terminal (Master) (610).

As a result of the above comparison, when the integrity verification keys of the applications match each other, the application verification server 700 stores the information of the IoT device 630 in the management terminal DB 710, the mobile terminal (Master) 610 The mobile terminal (Master) 610 sends a registration completion message indicating that the IoT device 630 is normally registered. When the comparison result of the integrity verification key of the application is inconsistent, the application verification server 700 transmits a non-registration message indicating that registration of the IoT device 630 is impossible to the mobile terminal (Master) (610).

Next, in the case of changing the information of the IoT device 630 registered in the mobile terminal (Master) 610, after logging in to the IoT device 630 in the mobile terminal (Master) 610, the mobile The terminal 610 requests the changed terminal information of the IoT device 630, and the IoT device 630 transmits the changed terminal information to the mobile terminal (Master) 610.

Then, the mobile terminal (Master) 610 is the integrity verification key of the application installed in the mobile terminal (Master) 610, the terminal information of the mobile terminal (Master) 610 and the terminal information of the IoT device 630 and the changed terminal The information is transmitted to the application verification server 700.

When receiving information for changing the IoT device 630 from the mobile terminal (Master) 610 as described above, the application verification server 700 is a mobile terminal (Master) 610 received from the mobile terminal (Master) 610 Compare the integrity verification key of the application of the application of the mobile terminal (Master) 610 registered in the management terminal DB (710) in the application verification server 700.

Subsequently, when two integrity verification keys match, the application verification server 700 compares the information of the IoT device 630 registered in the corresponding mobile terminal (Master) 610 in the application verification server 700 to the IoT device. Change to the change information of the 630, and transmits a message indicating that the information change procedure of the IoT device 630 is completed to the mobile terminal (Master) (610), and if there is a mismatch transmits a change impossible message.

Meanwhile, in the description, for example, only the change process of the change / deletion process has been described, but in the case of deleting information on the IoT device 630, the information on the registered IoT device 630 is deleted through the same process as the change procedure. Is possible.

FIG. 13 illustrates a procedure diagram of registering / modifying / deleting a mobile terminal (Family) to a mobile terminal (Master) to control an IoT device according to an embodiment of the present invention.

Referring to FIG. 13, in order to register / change / delete a mobile terminal (Family) 620 to a mobile terminal (Master) 610, an application for controlling an IoT device may be a mobile terminal (Master) 610 and a mobile terminal ( Family 620 must be installed and run.

First, in the case of the process of registering the mobile terminal (Family) 620 to the mobile terminal (Master) 610, after logging in from the mobile terminal (Master) 610 to the mobile terminal (Family) (620), The mobile terminal (Master) 610 requests the terminal information and the application integrity verification key of the mobile terminal (Family) 620, and the mobile terminal (Family) 620 sends the terminal information and the application integrity verification key to the mobile terminal (Master) 610).

Then, the mobile terminal (Master) 610 is an application verification server to verify the terminal information of the mobile terminal (Master) 610 and the integrity verification key of the application and the terminal information of the mobile terminal (Family) 620 and the integrity verification key of the application. Send to 700.

As described above, when receiving the information for registering the mobile terminal (Family) 620 to the mobile terminal (Master) 610, the application verification server 700 is a mobile terminal previously registered in the management terminal DB (710) The application integrity verification key of the (Master) 610 is compared with the application integrity verification key of the received mobile terminal (Master) 610.

As a result of the comparison, when the two integrity verification keys match each other, the application verification server 700 sets the mobile terminal (Family) 620 to the mobile terminal (Master) 610 registered in the management terminal DB (710) Register.

Subsequently, the application verification server 700 transmits a registration completion message to the mobile terminal (Master) 610 informing that the information on the mobile terminal (Family) 620 is normally registered in the mobile terminal (Master) 610.

As a result of the comparison, when the two terminal information is inconsistent, the application verification server 700 transmits a non-registration message indicating that registration with respect to the mobile terminal 620 is impossible to the mobile terminal (Master) 610.

Next, in the case of the process of changing the information of the mobile terminal (Family) 620 registered in the mobile terminal (Master) 610, log in from the mobile terminal (Master) 610 to the mobile terminal (Family) (620) After performing the operation, the mobile terminal (Master) 610 requests the changed terminal information of the mobile terminal (Family) 620, and the mobile terminal (Family) 620 sends the changed terminal information to the mobile terminal (Master) 610 To send).

The mobile terminal (Master) 610 then verifies the terminal information of the mobile terminal (Master) 610 and the integrity verification key of the application and the changed terminal information of the mobile terminal (Family) 620 and the integrity verification key of the application. Send to server 700.

As described above, when receiving the information for changing the information of the mobile terminal (Family) 620 registered in the mobile terminal (Master) 610, the application verification server 700 is pre-registered in the management terminal DB (710) The application integrity verification keys of the received mobile terminal (Master) 610 and the mobile terminal (Family) 620 and the received application integrity verification key of the received mobile terminal (Master) 610 and the mobile terminal (Family) 620 do.

Subsequently, when the integrity verification key is matched with the comparison result verification server 700, the terminal information of the mobile terminal (Family) 620 registered in the mobile terminal (Master) 610 stored in the management terminal DB 710. Register to change to the requested terminal information. Subsequently, the application verification server 700 sends a change registration completion message to the mobile terminal (Family) 620.

As a result of the comparison, when the two terminal information is inconsistent, the application verification server 700 transmits a change impossible message indicating that the information of the mobile terminal 620 cannot be changed.

Meanwhile, in the description, only the change process of the change / deletion process has been described as an example. However, even when information on the mobile terminal 620 is deleted, the mobile terminal 620 registered through the same process as the change procedure is used. It is possible to delete information about.

14 is a flowchart illustrating a process of registering / modifying / deleting an IoT device in a mobile terminal according to another embodiment of the present invention.

Referring to FIG. 14, in order to register / change / delete the IoT device 630 in a mobile terminal 620, an application for controlling an IoT device may be a mobile terminal (Master) 610 and a mobile terminal (Family) ( It must be installed and operated at 620.

First, in the case of the process of registering the IoT device 630 in the application verification server 700 in the mobile terminal (Family) 620, after logging in to the IoT device 630 in the mobile terminal (Family) 620 The mobile terminal 620 requests terminal information of the IoT device 630, and the IoT device 630 transmits terminal information of the IoT device 630 to the mobile terminal 620.

Then, the mobile terminal (Family) 620 is the integrity verification key of the application installed in the mobile terminal (Family) 620, the terminal information of the mobile terminal (Family) 620, the terminal information of the mobile terminal (Master) 610 And transmit terminal information of the IoT device 630 to the application verification server 700. In this case, the terminal information of the mobile terminal (Family) 620 includes a physical code, location and equipment identification information. For example, it may be a physical code of a mobile terminal (Family) 620 such as MAC address information or USIM information. In addition, the location and equipment identification information is information to confirm where the equipment to be transmitted and the equipment to be transmitted during data transmission, for example, installation location, GPS location information, IP address, mobile terminal number (phone number), etc. It can be information included.

As described above, when receiving the information for registration of the IoT device 630 from the mobile terminal (Family) 620, the application verification server 700 is a mobile terminal (Family) pre-registered in the management terminal DB (710) ( The integrity verification key of the application of the application of 620 and the received mobile terminal (Family) (620) of the integrity verification key of the application is compared.

As a result of the comparison, when the two integrity verification keys match each other, the application verification server 700 requests the mobile terminal (Master) 610 to approve the registration. At this time, such a registration approval may mean approval for registering the IoT device 630 in the mobile terminal (Family) 620, for example.

Then, the mobile terminal (Master) 610 may confirm that the mobile terminal (Family) 620 is authenticated, and may approve the registration of the IoT device 630 in the mobile terminal (Family) 620.

Subsequently, when approving the registration of the IoT device 630 in the mobile terminal (Family) 620 as described above, the mobile terminal (Master) 610 is the integrity of the registration approval message and the application of the mobile terminal (Master) 610 The verification key is transmitted to the application verification server 700.

Then, the application verification server 700 is the application integrity verification key of the mobile terminal (Master) 710 previously registered in the management terminal DB 710 and the application integrity verification key transmitted from the mobile terminal (Master) 710 When the two integrity verification keys match, the information of the IoT device 630 is stored in the management terminal DB 710 to register the IoT device 630 in the application verification server 700.

Subsequently, when the application verification server 700 transmits a registration completion message to the mobile terminal (Family) 620, the mobile terminal (Family) 220 notifies the registration confirmation message to the mobile terminal (Master) 210 and terminates. . Finally, registration is canceled when the mobile terminal (Master) 210 does not receive a confirmation message from the mobile terminal (Family) 220 within a specified time.

Next, in the process of changing the IoT device 630 registered in the mobile terminal (Family) 620 to the application verification server 700, login from the mobile terminal (620) to the IoT device 630. After performing, the mobile terminal (Family) 620 requests the changed terminal information of the IoT device 630, the IoT device 630 transmits the changed terminal information to the mobile terminal (Family) (620).

Then, the mobile terminal (Family) 620 is the integrity verification key of the application installed in the mobile terminal (Family) 620, the terminal information of the mobile terminal (Family) 620, the terminal information of the mobile terminal (Master) 610 And changes the terminal information of the IoT device 630 to the application verification server 700. At this time, the terminal information of the mobile terminal (Family) 620 includes the physical code, location and equipment identification information. For example, it may be a physical code of a mobile terminal 620 such as MAC address information or USIM information, and the location and equipment identification information may be used to determine where the equipment is to be transmitted and whether the equipment is correct. The information to be confirmed may be information including an installation location, GPS location information, an IP address, a mobile terminal number (phone number), and the like.

When receiving information for changing the IoT device 630 from the mobile terminal (Family) 620 as described above, the application verification server 700 is a mobile terminal (Family) 620 pre-registered in the management terminal DB (630) Compare the integrity verification key of the application of the application and the received application of the integrity of the mobile terminal (Family) (620).

As a result of the comparison, when the two integrity verification keys match each other, the application verification server 700 requests a change registration approval from the mobile terminal (Master) 610. In this case, the change registration approval may mean approval for changing the information of the IoT device 630 in the mobile terminal 620, for example.

Then, the mobile terminal (Master) 610 may confirm that the mobile terminal (Family) 620 is authenticated, and may approve the change registration of the information of the IoT device 630 to the mobile terminal (Family) 620. have.

Subsequently, when the mobile terminal (Family) 620 to approve the change registration of the IoT device 630, the mobile terminal (Master) 610 is a change registration approval message and the application of the mobile terminal (Master) 610 The integrity verification key of the transmission to the application verification server 700.

Then, the application verification server 700 is the application integrity verification key of the mobile terminal (Master) 610 registered in the management terminal DB 710 and the application integrity verification key transmitted from the mobile terminal (Master) 610 is When the two integrity verification keys match, the change information of the IoT device 630 is stored in the management terminal DB 710 to register the IoT device 630 with the application verification server 700.

Subsequently, when the application verification server 700 transmits a change registration completion message to the mobile terminal (Family) 620, the mobile terminal (Family) 220 notifies the registration confirmation message to the mobile terminal (Master) 210 and ends. do. Finally, registration is canceled when the mobile terminal (Master) 210 does not receive a confirmation message from the mobile terminal (Family) 220 within a specified time.

Meanwhile, in the description, for example, only the change process of the change / deletion process has been described. However, when the information on the IoT device 630 is deleted, the deletion of the information on the registered IoT device 630 is performed through the same process as the change procedure. It is possible.

15 to 16 illustrate a signal processing flow for authenticating a mobile terminal accessing an IoT device in a security authentication system between the mobile terminal 600 and the IoT device 630 according to another embodiment of the present invention.

In the mobile terminal authentication illustrated in FIGS. 15 to 16, unlike the system configuration illustrated in FIG. 1, the authentication server 500 and the application verification server 700 are separated, and the random number generator 718 is an application verification server 700. Shows a signal processing flow when

Hereinafter, embodiments of the present invention will be described in detail with reference to FIGS. 10 to 16. First, the mobile terminal 600 drives the application for IoT control to log in to the application verification server 700 (S900). At this time, if the login is not normally performed in the application verification server 700, the number of failures is counted. If the authentication fails by going to the initial authentication application step and proceeding with the authentication process from the beginning again, the failure number is designated by increasing the number of failures. When the threshold is exceeded, the authentication process ends.

When the login is normally performed in the application verification server 700 (S902), the application verification server 700 approves the login of the mobile terminal 600, and when the login is approved, the application verification server 700 is applied to the mobile terminal 600. In step S904, the terminal information of the mobile terminal 600 and the integrity verification key (version information, checksum, etc.) of the application for controlling the IoT device installed in the mobile terminal 600 are transmitted.

Accordingly, the application verification server 700 checks the integrity verification key of the IoT device control application installed in the mobile terminal 600 to confirm whether there is no abnormality in the application program (S906). In this case, checking whether there is no abnormality may mean, for example, checking whether the application program is forged / modulated through hacking or the like, but is not limited thereto.

In addition, the application verification server 700 in the operation of checking whether the application program is abnormal, for example, previously registered the integrity verification key of the IoT device control application installed in the mobile terminal 600 to the management terminal DB (710). After comparing with the integrity verification key of the IoT device control application of the mobile terminal 600, it can be confirmed that there is no abnormality in the application program, but is not limited thereto.

As a result of the above check, if there is an error in the application program for controlling the IoT device installed in the mobile terminal 600, the application verification server 700 transmits an authentication failure message to the mobile terminal 600.

As a result of the check, when there is no abnormality in the IoT device control application program installed in the mobile terminal 600 (S908), the application verification server 700 notifies that there is no abnormality in the IoT device control application program installed in the mobile terminal 600. (S912).

As described above, when the application verification server 700 is notified that there is no abnormality in the application program, the mobile terminal 600 transmits the terminal information including the GPS information of the mobile terminal 600 to the IoT device 630 (S914). ).

Then, the IoT device 630 receives the terminal information including the GPS information transmitted from the mobile terminal 600, and transmits the received terminal information and the information of the IoT device 630 to the authentication server 500 ( S916).

The authentication server 500 compares the received GPS information with mainly used local GPS information stored in the management terminal DB 130 (S916-1), and if it matches, initializes the count variable to '0' (S916-). 2), if there is a mismatch, the count variable is increased to '1' (S916-3). When the count variable is more than a predetermined number of times (for example, '30'), the mobile terminal 200 instructs the login initialization (S916-4), and the mobile terminal 200 stores the login ID and password stored in the device. Deletion is performed (S916-5). Although the steps S916-1 to S916-5 are not shown in the drawing, the mobile terminal 200 holder who is not a legitimate user by these steps prevents the user from logging in any more.

As described above, when the terminal information of the mobile terminal 600 and the information of the IoT device 630 is received from the IoT device 630, the authentication server 500, the terminal information and the application verification server of the received mobile terminal 600 A second authentication key is generated using the random number provided from 700 (S918).

On the other hand, if the check result, there is no abnormality in the application program for controlling the IoT device installed in the mobile terminal 600 (S908), the application verification server 700 generates a random number, and generates a first authentication key using the random number value (S920).

Subsequently, the application verification server 700 transmits the terminal information, the random number value, and the first authentication key of the mobile terminal 600 to the authentication server 500 (S922). In this case, the random number generator 718 may be included in the application verification server 700 to generate the random number, but the present invention is not limited thereto.

In addition, in this case, the first authentication key (receive key) may mean a key for authenticating whether the mobile terminal 600 is a legitimate mobile terminal registered in the authentication server 500. For example, the key generated using the terminal information and the random number of the mobile terminal 600 may be a one-time key, but is not limited thereto. In addition, the terminal information may be a physical code for identifying the mobile terminal 600, location information and equipment identification information, and the like, this physical code is the information including the MAC address information and USIM information of the mobile terminal 600 But it is not limited thereto. In addition, the location and equipment identification information is information to confirm where the equipment to be transmitted and the equipment is correct when transmitting data, for example, installation location, GPS location information, IP address, mobile terminal number (phone number), etc. It can be information included.

Subsequently, the authentication server 500 compares the second authentication key (generated key) and the first authentication key generated as described above and checks whether they match with each other (S924).

At this time, if the first authentication key and the second authentication key does not match each other (S926), the authentication server 500 transmits an authentication failure message to the mobile terminal 600 notifies that the authentication failed (S932).

When the first authentication key and the second authentication key match each other (S926), the authentication server 500 authenticates the mobile terminal 600 as a legitimate mobile terminal 600, the authentication result information and the authenticated mobile terminal 600 Terminal information and information of the IoT device 630 is registered in the authentication DB (520) (S928).

Subsequently, the authentication server 500 transmits an authentication success message to the mobile terminal 600 and notifies that the authentication is successful (S930). Accordingly, it is possible to remotely control the IoT device 630 in the mobile terminal 600.

As described above, according to the present invention, in the third-party security authentication of the mobile terminal and the IoT period, forgery / modulation check of the application program for remote control of the IoT device in preparation for hacking of the mobile terminal by introducing a third-party security authentication server. In addition, by applying a process of checking and authenticating a security authentication packet between a mobile terminal and an IoT device by a third party, the integrity and security of the mobile terminal and the IoT term security authentication process can be strengthened.

Meanwhile, in the above description of the present invention, specific embodiments have been described, but various modifications may be made without departing from the scope of the present invention. Therefore, the scope of the invention should be determined by the claims rather than by the described embodiments.

100,300,500: authentication server 112,511: packet deodorization prevention unit
110, 510: Management log DB
114: source code modulation check unit 116,512: ID / password management unit
118,516 mobile terminal (M / F) management unit 120,320,520: authentication DB
122,514: authentication unit 124: authentication APP management unit
126,517: IoT device management unit 128,519: inquiry management unit
129,518: log management unit 130,310,710: management terminal DB
200,400: Mobile terminal (Master / Family)
210,410: Mobile terminal (Master)
211: dedicated packet management unit 212: ID / password management unit
213: terminal approval management unit 214: login management unit
215: Authentication management (APP version, PRG) part 216: Security key management unit
217: IoT device operation management unit 220: mobile terminal (Family)
230,430: IoT device 231: Transmission packet management unit
232: ID / password management unit 233: operation terminal register
234: login verification unit 236: authentication management (APP version, PRG)
237: security key management unit 238, 132: random number generation unit
340: Random Number Generator
600: mobile terminal (Master / Family) 610: mobile terminal (Master)
611: dedicated packet management unit 612: ID / password management unit
613: terminal approval management unit 614: login management unit
615: authentication management (APP version, PRG) part 616: security key management unit
617: IoT device operation management unit 620: mobile terminal (Family)
630: IoT device 631: transmission packet management unit
632: ID / password management unit 633: operation terminal registration unit
634: login verification unit 636: authentication management (APP version, PRG) unit
637: security key management unit 700: application verification server
711: packet deodorization unit 712: ID / password management unit
713: source code modulation check unit 714: mobile terminal (M / F) management unit
715: log management unit 716: inquiry management unit
718: Random Number Generator

Claims (9)

IoT devices capable of transmitting and receiving data through wired and wireless Internet communication networks,
A mobile terminal for performing data transmission and reception with the IoT device through the wired / wireless internet communication network, remotely controlling the operation of the IoT device through the data transmission and reception, and having an automatic login function for automatically logging in to the IoT device;
When the mobile terminal is pre-stored with the GPS information of the area mainly used, register the IoT device to be the remote control target to the mobile terminal, when there is a remote control request for the IoT device from the mobile terminal, If the GPS information received from the mobile terminal and the GPS information of a region mainly used are inconsistent for a predetermined number of times, the mobile terminal requests automatic login and deletion, and the mobile terminal is a valid mobile registered for remote control of the IoT device. An authentication server for authenticating whether the terminal is the terminal and approving remote control of the IoT device when the mobile terminal is the legitimate mobile terminal;
The authentication server may be configured to register the mobile terminal into a master and a family according to the control authority for the IoT device, and register the IoT device in the first mobile terminal classified into the family. A third party security authentication system for registering the IoT device to the first mobile terminal with the approval of the second mobile terminal classified as a master.
The method of claim 1,
The authentication server,
When there is a remote control request for the IoT device from the mobile terminal, a first authentication key is generated by using a random number value and terminal information of the mobile terminal transmitted from the IoT device, and the random number value is generated by the mobile terminal. Receiving a second authentication key generated using the terminal information from the IoT device to compare the first authentication key and the second authentication key, and if the first authentication key and the second authentication key match the mobile A third party security authentication system that determines the terminal as the legitimate mobile terminal.
The method of claim 1,
The authentication server,
Upon registration of the IoT device, it is checked whether the terminal information of the mobile terminal matches the terminal information of the mobile terminal pre-registered in the authentication server, and if the terminal information coincides with each other, the IoT is transmitted to the mobile terminal that requested the registration. Third party security authentication system for registering devices.
The method of claim 1,
The authentication server,
When changing or deleting the information of the registered IoT device, it is checked whether the terminal information of the mobile terminal requesting to change or delete the information of the IoT device matches the terminal information of the mobile terminal previously registered in the authentication server, And a third party security authentication system that changes or deletes information on the IoT device when the terminal information matches each other.
The method of claim 4, wherein
The authentication server,
Receiving the integrity verification key of the control application of the IoT device installed in the mobile terminal, and after checking whether the program of the application is changed using the integrity verification key, if the program of the application is not changed the mobile A third party security authentication system for registering the IoT device in the terminal.
The method of claim 2,
The random number is,
The third party security authentication system generated once in the IoT device or the authentication server and provided to the mobile terminal.
The method of claim 2,
The terminal information,
The third party security authentication system which is MAC address information, USIM information, location information of the terminal and identification information of the terminal.
The method of claim 5,
The integrity verification key,
A third party security authentication system which is a key generated by using version information of the application or checksum information of source code.
As a third party security authentication method in a third party security authentication system including a mobile terminal, an IoT device, and an authentication server connected through a wired or wireless Internet communication network,
Registering the mobile terminal for requesting remote control of the IoT device in the authentication server;
Registering the IoT device to be the remote control target with the mobile terminal;
A third step of authenticating whether the mobile terminal is a legitimate mobile terminal registered for remote control of the IoT device when there is a remote control request for the IoT device from the mobile terminal;
A fourth step of approving remote control of the IoT device when the remote control requesting mobile terminal is the legitimate mobile terminal;
A fifth step of pre-registering GPS information about a region where the mobile terminal is mainly used;
A sixth step of receiving GPS information of the mobile terminal;
Comprising a seventh step of comparing the GPS information about the area where the mobile terminal is mainly used with the GPS information received in the sixth step, and deletes the login ID and password stored in the mobile terminal if there is a mismatch over a certain number of times,
The authentication server may be configured to register the mobile terminal into a master and a family according to the control authority for the IoT device, and register the IoT device in the first mobile terminal classified into the family. A third party security authentication method for registering the IoT device to the first mobile terminal with the approval of the second mobile terminal classified as a master.

Images